[Senate Hearing 113-550]
[From the U.S. Government Publishing Office]
S. Hrg. 113-550
A STATUS UPDATE ON THE DEVELOPMENT OF VOLUNTARY DO-NOT-TRACK STANDARDS
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
APRIL 24, 2013
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
U.S. GOVERNMENT PUBLISHING OFFICE
93-065 PDF WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington ROY BLUNT, Missouri
FRANK R. LAUTENBERG, New Jersey MARCO RUBIO, Florida
MARK PRYOR, Arkansas KELLY AYOTTE, New Hampshire
CLAIRE McCASKILL, Missouri DEAN HELLER, Nevada
AMY KLOBUCHAR, Minnesota DAN COATS, Indiana
MARK WARNER, Virginia TIM SCOTT, South Carolina
MARK BEGICH, Alaska TED CRUZ, Texas
RICHARD BLUMENTHAL, Connecticut DEB FISCHER, Nebraska
BRIAN SCHATZ, Hawaii RON JOHNSON, Wisconsin
WILLIAM COWAN, Massachusetts
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
John Williams, General Counsel
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel and Chief Investigator
C O N T E N T S
----------
Page
Hearing held on April 24, 2013................................... 1
Statement of Senator Rockefeller................................. 1
Statement of Senator Thune....................................... 3
Statement of Senator McCaskill................................... 4
Statement of Senator Heller...................................... 5
Statement of Senator Johnson..................................... 6
Statement of Senator Blumenthal.................................. 64
Witnesses
Harvey Anderson, Senior Vice President, Business and Legal
Affairs, Mozilla............................................... 6
Prepared statement........................................... 8
Luigi Mastria, CIPP, CISSP, Managing Director, Digital
Advertising Alliance........................................... 14
Prepared statement........................................... 15
Justin Brookman, Director, Consumer Privacy, Center for Democracy
& Technology................................................... 24
Prepared statement........................................... 26
Adam Thierer, Senior Research Fellow, Mercatus Center, George
Mason University............................................... 33
Prepared statement........................................... 35
Appendix
Response to written questions submitted to Harvey Anderson by:
Hon. John D. Rockefeller IV.................................. 69
Hon. Barbara Boxer........................................... 69
Hon. Frank R. Lautenberg..................................... 71
Hon. Amy Klobuchar........................................... 72
Hon. Brian Schatz............................................ 72
Hon. Ron Johnson............................................. 73
Response to written questions submitted to Luigi Mastria by:
Hon. John D. Rockefeller IV.................................. 74
Hon. Barbara Boxer........................................... 75
Hon. Ron Johnson............................................. 78
Response to written questions submitted to Justin Brookman by:
Hon. John D. Rockefeller IV.................................. 86
Hon. Barbara Boxer........................................... 88
Hon. Frank R. Lautenberg..................................... 89
Hon. Amy Klobuchar........................................... 90
Hon. Brian Schatz............................................ 91
Hon. Ron Johnson............................................. 93
Response to written questions submitted to Adam Thierer by:
Hon. Barbara Boxer........................................... 96
Hon. Frank R. Lautenberg..................................... 97
Hon. Ron Johnson............................................. 97
A STATUS UPDATE ON THE DEVELOPMENT OF VOLUNTARY DO-NOT-TRACK STANDARDS
----------
WEDNESDAY, APRIL 24, 2013
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The committee met, pursuant to notice, at 2:38 p.m., in
room SR-253, Russell Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
The Chairman. All right. This hearing will come to order.
In February 2012, the Digital Advertising Alliance pledged
that the online advertising industry would honor Do-Not-Track
requests made by consumers. That commitment was supposed to
happen by the end of the year which is called 2012. We are past
that time.
What it was supposed to mean, what that statement was
supposed to mean was that when consumers made it clear they did
not want advertisers to collect information about their
Internet activities, the advertisers would respect their
wishes. It is now April 2013, and consumers are still waiting
for these Do-Not-Track standards.
Advertising folks are continuing to ignore Do-Not-Track
headers and consumers' requests for privacy. There is a broad
feeling that the advertisers, brokers, et cetera, data brokers,
are just dragging their feet, and I believe they are, and I
believe they are doing it purposely.
I personally have long expressed skepticism about the
ability or the willingness of companies to regulate themselves
on behalf of consumers when it affects their bottom line. It is
just the way I am made. It is my experience. And my service in
West Virginia makes me have that--and my service on this
committee really makes me feel very strongly about that.
And that is why for the past two Congresses, I have
introduced legislation that would create meaningful Do-Not-
Track standards for consumers. I do not believe that companies
with business models based upon the collection and monetization
of personal information will voluntarily stop these practices
if it negatively impacts their profit margins. I just think
that is the way corporations, with obviously a number of
exceptions, are run.
They are there to make money. And consumers, particularly
when you get something like the Internet, which everybody
wants, worships, and loves, that is even more so.
Having said that and disclosed what is a genuinely
troublesome feeling that I have about the nature of
corporations with a chance to make money, particularly when
people don't know what they are doing, in spite of that, I want
to be open-minded today. I want to do my best, Senator Thune,
to be open-minded. And I want to hear all sides on the matters
at hand.
For months, industry stakeholders, consumer groups,
academics, and other interested parties have been in
negotiation with the World Wide Web Consortium, known as W3C,
attempting to reach an agreement on voluntary Do-Not-Track
standards. But conflicting reports about W3C negotiations
continue to surface.
On one side, I hear that online advertising industry is
deliberately dragging its feet, moving the goal posts, and
refusing to stop collection practices that undermine the very
essence of a meaningful Do-Not-Track standard. On the other
side, I hear two software developers, in particular Microsoft
and Mozilla--which I know are not necessarily popular with all
of those at the desk that I am looking at in front of me--have
prevented the W3C from forging consensus on voluntary Do-Not-
Track standards.
In other words, people who want to do it by default, which,
in many ways, I think is the best way to go, they don't want to
put up with that. So there is a meeting coming up in May, in
Sunnyside, California. And I think the same problems will be
stopping us then as are now.
Today, I want to get to the bottom of this controversy, and
I have got a great prosecuting attorney over there ready to
jump in. I want the witnesses to publicly explain exactly what
they believe has gone wrong and what they are prepared to offer
to make Do-Not-Track a reality for consumers, as they said they
were going to do.
However, while I want to be fair and hear from all sides, I
do not want to hear some of the familiar talking points that
deliberately serve no purpose but to confuse the debate. I will
interrupt if that stuff starts coming up.
I do not want to hear that Do-Not-Track would jeopardize
antifraud efforts, cybersecurity, or the Internet itself with a
strict prohibition on any collection of information because it
is simply not true, and you know it is not true because we have
written that into our latest bill. Small companies will be
protected.
Everyone acknowledges that some limited collection of
information is necessary in order to fulfill basic functions.
My own bill clearly provides for this.
Furthermore, I do not want to hear assertions that the
current self-regulatory scheme fulfills Do-Not-Track requests.
You can try it. After I have heard it one and a half times, I
will just stop it.
A meaningful Do-Not-Track standard prohibits the collection
of online information except for a few narrow purposes, and we
all know what those are. Under the current Ad Choices Campaign
operated by the advertising industry, companies continue to
collect vast amounts of consumer information and only promise
to not use this information for specific purposes, such as
targeted advertising.
In addition to my concerns that consumer choices are not
being honored, I am also worried about the escalating rhetoric
that we have witnessed in the past few months, that Chairwoman
Ramirez was subject to when she spoke recently at a meeting,
basically online advertisers about Web browser developers.
Browsers are attempting to provide consumers with greater
privacy protections, and ad networks are resisting these
efforts. If you can say that I am wrong, please prove it to me.
I am disturbed with the rhetoric from advertisers that
suggest they might try to circumvent the sensible privacy
protections that Web browsers are providing consumers. The
nuclear option or the destruction--the end of the Internet, all
this kind of stuff that you hear constantly from people who
don't want to do what they need to do.
I urge everybody to take a deep breath, myself included,
and tone down the rhetoric. We all need to remember that this
debate is about consumers and their choices. That is what we do
on this committee.
Consumers who may be happy to have their information
collected for targeting advertising in some situations, but who
may want advertisers to completely leave them alone at other
times. It is their choice.
In this regard, I believe all sides should be prepared to
compromise in order to maximize protection for consumers. And I
urge all of the witnesses today to spend less time attacking
their opponents and spend more time thinking about how we can
honor and respect consumer preferences.
That is the end of my statement.
I call upon my distinguished and most excellent colleague,
Senator Thune.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman, and thank you for
holding this hearing as the Committee discusses and evaluates
consumer habits in the digital online economy.
Thank you also to all of the witnesses who are here today
for providing testimony.
Online commerce and Internet use are a substantial and
growing part of our overall economy and everyday lives.
According to the research firm eMarketer, nearly 150 million
Americans were digital buyers in 2012, collectively spending
more than $340 billion online. To court this growing consumer
base, more than $37 billion was spent last year on digital
advertising.
As large as the online market already is, estimates for
coming years predict continued growth. Both digital advertising
and consumer spending are projected to grow by more than 50
percent by 2016, when 25 million more Americans are expected to
be digital consumers.
The growing digital advertising industry provides thousands
of small Web publishers, the so-called long tail of the market,
with the revenue that they need to maintain their online
presence. Contextual advertising, like an ad for running shoes
on a website catering to runners, and general display ads make
sense for some websites, but don't necessarily make sense for
all websites.
The market has responded by developing new and innovative
ways to deliver relevant ads and content to Internet users, but
this has raised questions about consumer expectations and
privacy.
It is my hope that today's hearing will be a thoughtful
discussion on how we can provide consumers with greater choice
of services and products, as well as increased confidence that
their Internet experiences will be safe. Federal Trade
Commission Chairman--as you mentioned, Mr. Chairman--Ramirez
recently gave a speech to the American Advertising Federation
in which she said, and I quote, ``An online advertising system
that breeds consumer discomfort is not a foundation for
sustained growth.'' I agree.
And it is precisely because of that dynamic that I believe
Web publishers, browsers, social networks, data analysts, and
advertisers have an incentive to develop their practices to
meet the evolving interests of consumers. I am interested to
learn how efforts to regulate and legislate the intricacies of
online commercial activity could impact the digital space.
Will efforts to improve, or I should say will efforts to
impose Do-Not-Track rules better protect consumers and grow
online commerce, or are there situations where they might
diminish consumer privacy, inhibit consumer choice, or raise
barriers to entry for new competitors in the online market? The
largest browsers and publishers have the means to adapt and
survive in any environment, but smaller online companies and
the choices they provide for consumers may not.
I have faith that consumers armed with knowledge will take
the time to make informed decisions in their own best
interests. Consumers expect and seek more transparency,
understanding, and control as they increasingly interact with
online resources, and the market is responding.
New tools are being presented and refined in response to
consumers' expectations. This spurs growth and innovation,
which benefits both consumers and producers.
I am interested in our witnesses' views on the dynamic
Internet ecosystem and the value and the status of industry-
developed standards for online conduct.
I thank all the--again, the witnesses for being here today.
I look forward to hearing your testimony and to interacting
with you as we ask you some questions.
Thank you, Mr. Chairman.
The Chairman. Thank you, sir.
And now Senator McCaskill, who is Chair of the
Subcommittee, and then Senator Heller.
STATEMENT OF HON. CLAIRE McCASKILL,
U.S. SENATOR FROM MISSOURI
Senator McCaskill. I am just a little nervous because I am
afraid you are going to cut me off.
The Chairman. I doubt that.
[Laughter.]
Senator McCaskill. You doubt that I am nervous, or you
doubt that you are going to cut me off?
The Chairman. I have never seen you nervous.
Senator McCaskill. I have not prepared any opening
statement. I am anxious to question the panel.
I think privacy is an all-American goal, but so is the most
vibrant part of our economy. And what tech has done, the
Internet has done for our economy is huge, and I want to make
sure that we are balanced as we look at this issue in a way
that protects consumers, but also makes sure that we don't end
up with one or two or three giant Internet companies with none
of the little guys.
Thank you, Mr. Chairman.
The Chairman. Thank you.
Senator Heller?
STATEMENT OF HON. DEAN HELLER,
U.S. SENATOR FROM NEVADA
Senator Heller. Thank you, Mr. Chairman. Thanks for taking
time on this important issue. I know it is important to you.
I want to thank our witnesses for being here also today,
and those who are interested in today's discussion.
I appreciate this hearing today to understand where the
private sector is on voluntary Do-Not-Track agreements. This
issue crystallizes the transactional nature of using the
Internet.
Whether consumers realize it or not, there is an exchange
taking place when an individual launches their Internet on
whatever device they are using. In exchange for services, such
as free search engines, free e-mail, free content on websites,
free travel to destinations such as Las Vegas, free car rental
bookings in places like Las Vegas----
[Laughter.]
Senator Heller.--free dinner bookings to world-class
restaurants like in Las Vegas, these consumers, whether they
know it or not, are being tracked. Some people don't even know
they are being tracked, and I, frankly, think some people don't
care.
And as we all know, the World Wide Web Consortium, or W3C,
has been working on an international set of standards in an
effort to improve user privacy and user control by defining
what a user should expect when opting for no tracking during
their online sessions.
We have been hearing from some of the W3C--for some time
that W3C is spinning their wheels, unable to come to an
agreement. The W3C, as a majority, has a major opportunity here
on May 6 through 8 in California to come together and decide if
they can reach an agreement, and I hope this will happen. I
think that a result on this issue by the private sector is the
most appropriate way to go.
I would encourage the W3C to try to find to the fullest
extent possible to uphold just a few principles, first being
any solution must be technology neutral. Second, it must be
business model neutral, and third, it must not pick winners and
losers.
I also want to point out how difficult a consensus will be
to achieve. I think it is going to be very difficult. The W3C
is made up of privacy groups, Web browsers, first-party
advertisers, third-party advertising companies, and experts in
the public sphere. There are many, many competing agendas here.
It is important that this committee attempts to better
understand why coming to an agreement here is fleeting and
perhaps encourage that the private sector be able to reach a
consensus. It is also important to understand that any solution
that blocks third-party advertising companies from placing
cookies on the Internet will have economic consequences.
This sector provides many jobs and generates multibillions
of dollars of economic activity, even in Las Vegas.
Understanding exactly what first- and third-party tracking
online and whether the consumer is harmed in some fashion or
even cares is incredibly important for all of us to understand,
especially if a Government solution is being considered. I
think the last thing any member wants is to propose a solution
that chills investment and innovations.
The question really being discussed here is not whether
tracking is happening, because it is. The question is whether
harm actually exists, and what is that harm, and what is the
appropriate solution to that? I believe the goal here is
consumer education and choice, but it should be from the
private sector.
Thank you, Mr. Chairman.
The Chairman. Thank you very much, Senator Heller.
And with no disrespect to you, sir.
STATEMENT OF HON. RON JOHNSON,
U.S. SENATOR FROM WISCONSIN
Senator Johnson. I am fine. Thanks.
The Chairman. OK. Well, I know that.
[Laughter.]
The Chairman. Let us go right to questioning, and I will
start. Oh, no, no, no. I do that all the time.
[Laughter.]
The Chairman. I am so in love with what I have to say that
I just don't even bother listening to the witnesses. So why
don't we try my bothering to listen to the witnesses today.
Let us start with you, Mr. Anderson. Actually, I think that
is the third or fourth time I have done that. Oh, well.
STATEMENT OF HARVEY ANDERSON, SENIOR VICE PRESIDENT, BUSINESS
AND LEGAL AFFAIRS, MOZILLA
Mr. Anderson. Thank you, Chairman, Ranking Member Thune,
and other members of the Committee. We appreciate the
opportunity to testify today on the status of Do-Not-Track.
I am Harvey Anderson. I lead the business, legal, and
public policy teams for Mozilla. Mozilla is the maker of the
Firefox browser used by 450 million people worldwide. We
developed Firefox to bring competition to the browser market
nearly 10 years ago and to promote an open, innovative Web.
We were the first to include Do-Not-Track with the setting
as Do-Not-Track off by default. We try to be an agent for the
user to help users navigate their digital lives in ways that
make sense to them.
A couple comments. The Internet is the most significant
social and technological development of our time. However, the
Internet is very, very young, maybe 9,000 days young. Let us
put that in perspective in terms of the World Wide Web.
So this means that mainstream users do not necessarily have
a historical set of norms or expectations to guide their
digital choices. The Web has also created new and unparalleled
opportunities online that produce unimaginable amounts of data.
At the same time, there are no clear parameters or boundaries
on data practices other than those that are codified by law or
regulatory bodies. So acceptable collection and use norms are
still evolving.
We cannot often not predict what models the current
technology will enable. Lou Montulli and John Giannandrea, they
were colleagues of mine at Netscape, developed the cookie to
solve a very real technical problem, to store state and invent
the notion of a session over several HTTP requests. Few would
have imagined a whole industry built upon the cookie.
The online ad business, as you mentioned, has grown to a
record-breaking $37 billion in 2012. This means change will be
met with resistance by incumbent interests with arguments that
I have heard such as change is bad for competition or that it
will decrease revenue. We should question whether protecting
business models that lack transparency is actually protecting
competition.
Historically, there have been many profitable business
models that have challenged our norms, but profits don't always
justify practices. Similar arguments were made when Firefox
blocked pop-up ads. They said it will destroy the industry, but
it seems it has not hindered the success of the online ad
industry today.
It was nearly a year ago when my colleague Alex Fowler
reported on the status of DNT before this committee, and since
that time, the industry has not moved forward quickly enough,
in our opinion. Consumers have shown increased concern about
online tracking and privacy. More users are sending DNT signals
than ever, and yet the efficacy of the Ad Choices Program
remains questionable.
Consumer concerns over online tracking persists, as shown
by numerous independent studies referenced in our written
testimony. Our own adoption of consumer sentiment data shows
support for DNT. Do-Not-Track adoption by Firefox users in the
U.S. is roughly 17 percent. It is pretty consistent across all
the states.
Consumer engagement with the DAA Ad Choices Program remains
low. Last month, the industry reported more than a trillion ads
per month included the Ad Choices icon, but only 1 million
users have opted out of all interest-based advertising.
The claims that this low opt-out rate prove that consumers
are OK with the tracking and collection belie the facts as
shown by the actual DNT adoption and consumer surveys.
Currently, DNT signals are largely ignored by ad networks. We
estimate that Firefox users send more than 135 million DNT
signals every day. That is more than 4 trillion every month, 4
trillion every month, that go unanswered.
Over the past year, we have observed the trends that
characterize the DNT work of the W3C as part of industry self-
regulation. The W3C is neither the industry nor a self-
regulatory effort on its own. The W3C codifies technical
standards for issues that are either well understood and agreed
upon in advance or problematic for a set of stakeholders
motivated to find a common solution. It is also not designed to
replace regulation and enforcement.
Ultimately, the question here is not about the standards
process, but about responding to the 45 million Firefox users
and IE users who are simply saying don't track me. The DNT
standard doesn't have to be final at the W3C to get started. We
would like to see more of the industry move forward and begin
implementing DNT now.
We applaud leading companies like Twitter, AP, and Jumptap,
and the quiet supporters, many who are DAA members, who adopted
DNT, all without waiting for a final W3C spec. Apparently, it
takes neither a law nor a finalized W3C spec to do the right
thing.
What is at stake is not money here, but trust. To date, the
debate is focused on the threat to those revenue models that
are based on tracking. But the loss of user trust is far more
dangerous than the potential lost revenues.
Trust is the true currency that needs to be protected. The
lack of trust stems from users not understanding the value
proposition of online tracking. This is where industry can
really make a difference. If users don't understand what
happens to their data, how it is used, or the tradeoffs, they
will inevitably seek more protective blocking options.
Efforts to protect the status quo further erode people's
trust, thereby compromising future expansion of commerce and
innovation online. We want to help the ad and publishing
industries create a paradigm of trust that both respects users
and supports commerce.
We recognize the current opt-out system represents
significant efforts. The work the DAA has done is--should be
acknowledged. That is a lot of work to get industry to do one
thing comprehensively.
We also know that legislating technology is risky. Given
the current environment, though, it is clear that more is
required, including continued congressional oversight. As we
and industry thought leaders have observed, there is a better
way to gain the users' trust. Real transparency of data
practices, combined with meaningful user choice, will engender
the confidence users expect.
Thank you again for the opportunity to testify today.
[The prepared statement of Mr. Anderson follows:]
Prepared Statement of Harvey Anderson, Senior Vice President, Business
and Legal Affairs, Mozilla
Chairman Rockefeller, Ranking Member Thune, and other members of
the Committee, thank you for the opportunity to testify on the need for
privacy protections, the status of self-regulation and Do Not Track
(DNT).
I am Harvey Anderson, I lead the business, legal, and public policy
teams for Mozilla. In addition to commercial and legal
responsibilities, this role also captures the intersection of product
and policy initiatives such as DNT, leadership on open Internet issues,
net neutrality, copyright reform, and Internet governance. I have
practiced in the technology sector for the past 20 years, and have
worked in the Internet domain since I first joined Netscape in the mid
1990s.
Mozilla is the maker of the Firefox browser used by 450 million
people worldwide. We developed Firefox to bring competition to the
browser market, and to promote openness, innovation, and opportunity
online. We do not own or operate a search or advertising business, yet
like most online ventures, our revenues are based on advertising and
commerce. We view ourselves as ``an agent of the user'' whose role is
to help users navigate their digital lives in ways that make sense to
them. Mozilla was voted the Most Trusted Internet Company for Privacy
in 2012 by the Ponemon Institute, as well as a top 20 overall trusted
brand for privacy.\1\
---------------------------------------------------------------------------
\1\ 2012 Most Trusted Companies for Privacy, Ponemon Institute,
January 28, 2013; http://www.ponemon.org/local/upload/file/
2012%20MTC%20Report%20FINAL.pdf
---------------------------------------------------------------------------
When we testified here last time on this topic, we told you that:
Industry self-regulation can work when it is a multi-
stakeholder process that reflects the views of all of the
relevant parties involved in data transactions.
Regulatory measures can introduce unintended consequences
that can be harmful to a fragile Web ecosystem.
Enabling economic ecosystems on the Web is essential to a
robust and healthy Internet; however, commercial imperatives
and user choice/control are not mutually exclusive. They can
and must coexist through a combination of technical
capabilities and user-centric business and data practices.
The multi-stakeholder process occurring at the W3C will
result in a consensus on both the meaning of DNT and how
websites should respond.
Those statements stand true today and are still timely for your
consideration. Our goal today is to provide further context, an update
on recent market developments, and insights that can assist your
evaluation of whether current self-regulatory efforts are adequate. To
achieve this, I will touch on the following topics:
The Internet environment;
What has happened since the June 2012 hearing by this
committee on DNT; and
Expectations of the W3C standards process for online
tracking.
My testimony today will not cover Mozilla's current evaluation of a
new third-party cookie policy in Firefox. That work is ongoing as we
engage with the full spectrum of stakeholders, including our users,
developers, advocates and business leaders. We would be pleased to come
back at a later date to update members of this Committee on browser
product features that give more options to manage cookies.
Internet Environment
The Internet is the most significant social and technological
development of our time. However, the Internet is young, very young--
maybe 9,000 days since the evolution of the World Wide Web. As a
result, we are all still finding our way in this evolving environment.
This means that mainstream users do not necessarily have a historical
set of norms or expectations to guide their digital choices, they do
not always understand the consequences of their online actions and the
trade-offs implicit in getting services for ``free,'' or what happens
``behind the scenes'' with their data.
The Web ecosystem has also created new and unparalleled
opportunities online that produce unimaginable amounts of data and
possibility for new products, services and relationships. Google's Eric
Schmidt observed in 2010 that ``we create as much information in two
days now as we did from the dawn of man through 2003.'' \2\ At the same
time, there are no clear parameters or boundaries other than those that
are codified by legislative and regulatory bodies or by industry
practices. So acceptable collection and use norms are still evolving.
Notwithstanding the current entropy in the market, this is a natural
form of evolution which should temper both expectations and desires to
intervene prematurely.
---------------------------------------------------------------------------
\2\ Techonomy Conference, Lake Tahoe, California, August 4, 2010;
http://techonomy.com/
---------------------------------------------------------------------------
Commercial models are also evolving on top of this ever-changing
technological landscape. We often cannot predict what models the
current technology will enable. Consider the models based on the
cookie. Lou Montulli and John Giannandria, colleagues of mine at
Netscape, developed the cookie to solve a very real technical problem--
to store state and invent the notion of a ``session'' over several HTTP
requests. It is safe to say they would have never imagined a whole
industry built upon a technical construct like the cookie and the data
practices it enables.
During this same period, the digital advertising business has
grown, reaching a record-breaking $36.6 billion in 2012 \3\--so there
is real money at stake. This means any change will be met with
resistance by inherent incumbent interests. We have seen these
arguments in this debate expressed as change is bad for competition or
will decrease revenue. We should question whether protecting business
models that lack transparency is ``protecting or promoting
competition''--particularly models that use data in ways that people do
not understand or expect. Historically, there have been many profitable
models that have challenged our norms, but the fact that they were
profitable neither sanctioned them nor justified their preservation. It
is worth pointing out that the widespread adoption of pop-up blocking
by browsers, which Mozilla led many years ago and was initially labeled
``bad for advertising,'' has clearly done nothing to hinder the success
or innovation of online marketers or the operation of websites.
---------------------------------------------------------------------------
\3\ IAB Internet Advertising Revenue Report, Interactive
Advertising Bureau and PricewaterhouseCoopers, April 2013; http://
www.iab.net/media/file/IAB_Internet_Advertis
ing_Revenue_Report_FY_2012.pdf
---------------------------------------------------------------------------
At the same time, a new paradigm has developed that pits ``what can
be done'' against ``what should be done.'' We face this challenge often
at Mozilla. Although we employ privacy by design and use transparency,
choice, and control as guiding principles, the application is not
always easy. For example we internally debate whether the functionality
and configuration for a new product or service provides enough informed
choice, the right choices, which defaults make sense, and whether user
experience is compromised. No doubt this body is no stranger to
extended debate given the vast constituencies you represent. The point
here is that the application of our values is still under development
and that application changes based on context while the values do not.
We all remain in search of that delicate balance that allows for
aggressive innovation and competition, but that also respects user
intent, expectations, and ultimately creates trust. This is part of the
backdrop that should inform what we expect from business solutions,
technical standards and self-regulatory programs.
Developments Since June 2012
It was nearly a year ago when Alex Fowler, my colleague and Chief
Privacy Officer of Mozilla, sat at this table to report on the status
of DNT. Since that time, the industry has not moved forward quickly
enough, consumers have shown increased concern about online tracking
and privacy, more users are sending DNT signals, and yet the efficacy
of the Ad Choice program remains questionable.
Consumer concerns over online tracking persist and continue to
grow. A study published by the prominent industry analyst group Ovum,
found that 68 percent of the Internet users across 11 countries would
select Do Not Track if easily available to them. The group also found
that only 14 percent of respondents believe Internet companies are
honest about their use of consumers' personal data.\4\ Similarly,
research at UC Berkeley's Center for Law and Technology found that over
60 percent of users want DNT to prevent the collection of information
about their online activities.\5\
---------------------------------------------------------------------------
\4\ Ovum predicts turbulence for the Internet economy, as more than
two-thirds of consumers say `no' to Internet tracking, February 6,
2013; http://ovum.com/press_releases/ovum-predicts-turbulence-for-the-
internet-economy-as-more-than-two-thirds-of-consumers-say-no-to-
internet-tracking/
\5\ Privacy and Modern Advertising: Most U.S. Internet Users Want
``Do Not Track'' to Stop Collection of Data About their Online
Activities, Chris Jay Hoofnagle, Jennifer Urban and Su Li, Oct. 8,
2012; http://www.law.berkeley.edu/privacysurvey.htm
---------------------------------------------------------------------------
Our own data continues to show strong user support for and steady
adoption of DNT. We see this in actual adoption and consumer sentiment.
DNT adoption in the U.S. Firefox user base is approximately 17 percent.
Globally, the average is 11 percent. Statewide Firefox DNT adoption
rates are outlined in the table below.\6\
---------------------------------------------------------------------------
\6\ Anyone with a website and access to a web server can start
counting how many users are sending DNT:1, which is how the signal is
expressed via HTTP requests.
---------------------------------------------------------------------------
Table: User Adoption Averages in the U.S. for Do Not Track in Firefox
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: Mozilla, April 2013
Consumer concerns over online tracking and privacy are real.
Surveys of our user base consistently show concern about online
privacy. Only 13 percent of respondents believe their privacy is being
respected online. More importantly, over 60 percent of those polled
want DNT to cover both collection and use by companies online in either
a first- or third-party context. At the same time, the prevalence of
non-transparent online tracking continues to grow year over year. A
recent Evidon study showed a 53 percent increase in trackers from the
prior year.\7\ Even more alarming, only 45 percent of the tracking tags
identified by Evidon were placed there by the publisher of the site.
---------------------------------------------------------------------------
\7\ Evidon, a firm that administers the ad industries' Ad Choices
program for more than $2 billion of display media and e-commerce
transactions annually, measured sites across the Internet and found 987
web-tracking tags from ad servers, analytics companies, audience-
segmenting firms, social networks and sharing tools, which represented
a 53 percent increase from the 645 unique trackers found in previous
studies.
---------------------------------------------------------------------------
The efficacy of the Digital Advertising Alliance (DAA) Ad Choices
program, which is still only in beta after several years of
development, remains low. Many stakeholders view this as an indicator
of the inadequacy of the industry-led, self-regulatory program. Last
year, according to one study, the number of users who viewed the icon
was low: 0.0035 percent of users clicked, and only 1 in 20 of those
actually opted out.\8\ Last month, the industry reported that more than
a trillion ads per month include the Ad Choices icon--a blue triangular
icon that when clicked, takes consumers to a page where they can learn
about the ad, and opt out of receiving it. Only five million users have
accessed the choice tool, and 1 million of those have opted out of all
interest-based advertising.\9\ The claims that this low opt-out rate
prove that consumers are ``OK'' with the tracking and collection
practices associated with cookies clearly do not square with the
overwhelming research that consistently finds that the majority of
consumers are concerned with being tracked across the Web. They also do
not square with the 11 percent of Firefox users who have turned on Do
Not Track.\10\
---------------------------------------------------------------------------
\8\ Leon, P. et al., What Do Online Behavioral Advertising
Disclosures Communicate to Users? April 13, 2012; http://
www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12008.pdf
\9\ ``Opinion: Harnessing the power of digital advertising,'' Lou
Mastria, Politco, March 10, 2013; http://www.politico.com/story/2013/
03/harnessing-the-power-of-digital-advertising-88668.html
#ixzz2QrUsIE1S
\10\ A common practice would be to gather user data to test the
impact of the program. The results of A/B testing and user group
studies on the Ad Choices user experience may be helpful to this
Committee as it seeks to understand the effectiveness of the current
self-regulatory effort.
---------------------------------------------------------------------------
Currently, DNT signals are largely ignored by ad networks. We
estimate that approximately 45 million Firefox users send more than 135
million DNT signals everyday--more than four trillion every month--that
mostly go unanswered. As discussed at the last DNT hearing, Microsoft
adopted DNT and made it a default setting in their latest versions of
Internet Explorer (IE). The position from the ad industry's trade
groups, paraphrasing of course, is that their members can ignore DNT
signals sent by users of IE.\11\ This was followed by a similar
statement by Yahoo! that it intended to disregard DNT signals coming
from IE users.\12\ The rationale: DNT signals from IE do not represent
a real user choice because it is on by default. So, in the interim,
both Firefox users sending DNT signals every day and those IE users for
whom the DNT signal represents their real choice are ignored. It does
not have to be this way. The industry could incrementally respond in
parallel while the standard is being finalized, and could always prompt
an IE user to confirm his/her choice.
---------------------------------------------------------------------------
\11\ DAA Statement on DNT Browser Settings, October 09, 2012;
http://www.businesswire.com/news/home/20121009005980/en/DAA-Statement-
DNT-Browser-Settings
\12\ In Support of a Personalized User Experience, October 26,
2012; http://www.ypolicy
blog.com/policyblog/2012/10/26/dnt/
---------------------------------------------------------------------------
What to Expect from a Standards Process
Over the past year, we have been troubled by a trend to
characterize the ongoing standardization work on DNT by the W3C as a
part of industry self-regulation. First, the W3C is neither the
industry, nor the proper vehicle on its own to establish a self-
regulatory program. It is a technical standards group. The W3C's
Tracking Protection Working Group \13\ is not an extension of the DAA's
Ad Choices program. The W3C is a body that codifies technical standards
for issues that are either well understood and agreed upon in advance,
or problematic for a set of stakeholders who are motivated to find a
common solution. The W3C, or any technical standards group for that
matter, is not intended to develop mechanisms that replace regulation
and enforcement. Most standards groups are intended to be voluntary
with a focus on improving issues like interoperability, efficiency,
performance and transparency. This drives competition toward quality of
implementation (efficiency/performance) and away from fragmentation.
---------------------------------------------------------------------------
\13\ See http://www.w3.org/2011/tracking-protection/
---------------------------------------------------------------------------
The group is currently in the drafting stage which is now co-
chaired by Professor Peter Swire who testified at last year's DNT
hearing. This will be followed by a period of testing at Internet
scale. In fact, our discussions with members of the group reveal that
we may be very close to signing off on the Tracking Preference
Expression specification, which covers the client-server architecture
for DNT.\14\ Stakeholders that are standing by, waiting for the W3C to
``complete'' its work are misguided. Technical standards are adopted
only after drafting, testing, refining and finalizing. But nothing
prohibits de facto adoption during this process. Thus, arguments that
shift blame exclusively to the W3C are dubious. At the same time,
regulatory groups in the U.S. and abroad should not hold back
enforcement of its local laws in deference to the work happening within
the W3C.
---------------------------------------------------------------------------
\14\ See http://www.w3.org/2011/tracking-protection/drafts/
tracking-dnt.html
---------------------------------------------------------------------------
Ultimately, the question here is not about the standards process,
but about responding to the tens of millions of consumers every day who
are sending a DNT signal expressing a concern about their privacy and
online tracking. There are many examples of how other markets react to
guidance from their consumers. For example, car owners expressed
preferences about the need for better gas mileage from their cars. They
might not have immediately perceived that this could have an impact on
the oil industry, influenced manufacturing, or that the solution was
electric or hybrid cars, but the market did not ignore the signals.
Rather, the market provided basic education and responded to the
demand. Here, in the DNT context users are saying, ``do not track me.''
They may not know exactly what it means in every detail or nuance, but
they understand enough without the extensive explanation called for by
some.
The DNT standard does not have to be final at the W3C before
implementation begins. We would like to see more of the industry move
forward and begin implementing DNT now. This is how Web standards are
established--they must be iterative and user/developer-tested. It is
how HTML5 was developed--some set of players adopt an approach that
looks promising, they work out the kinks through use, and over time
codify it. This practice is borne from the experience that if you wait
to work out the perfect specification, you'll never get anything done.
We are encouraged by some publishers, advertisers and other
companies in the ecosystem who have put DNT into effect for their
businesses. We applaud leading companies like Twitter, the Associated
Press and Jumptap who have voluntarily implemented DNT and are trying
to respond to the expression of user intent--all without waiting for a
W3C pronouncement.\15\ We are also aware of many more companies across
the advertising and publishing industries quietly supporting users who
have enabled DNT, including DAA member companies. Apparently, it takes
neither a law nor a finalized W3C specification to do the right thing.
---------------------------------------------------------------------------
\15\ See http://www.donottrack.us/implementations
---------------------------------------------------------------------------
What is at stake is not money, but trust. To date the debate has
focused on the threat to those revenue models that are based on
tracking. But, the loss of user trust is far more dangerous than
potential lost revenues. Trust is the true currency that needs to be
protected.
The lack of trust stems from users not understanding the value
proposition of online tracking. Former IAB Chair, Jim Spanfeller,
recently wrote in an op-ed, ``[B]y doing unto others what we want done
to us, we will enter into a more trusted ecosystem. Business,
information exchange, spontaneous discovery and overall satisfaction
will thrive in ways that have become increasingly difficult due to
black hat activities perpetrated partly in the name of advertising
efficiencies.'' \16\ This trust gives rise to increased participation
and will foster new jobs. Similarly, Pam Horan, the Online Publishers
Association's President, wrote in an op-ed, ``Ultimately this is about
fostering a healthy environment where consumers feel safe online. It is
hard to dispute that without this baseline acknowledgement of
consumers' expectations, our entire ecosystem will be compromised.''
\17\
---------------------------------------------------------------------------
\16\ ``Firefox Cookie-Block Is The First Step Toward A Better
Tomorrow,'' Jim Spanfeller, AdExchanger, March 18, 2013; http://
www.adexchanger.com/the-sell-sider/firefox-cookie-block-is-the-first-
step-toward-a-better-tomorrow/
\17\ ``Relax, Mozilla's Move Will Not Break the Ad-Supported
Internet,'' Pam Horan, Ad Age, April 02, 2013; http://adage.com/
article/guest-columnists/mozilla-move-break-ad-supported-internet/
240663/
---------------------------------------------------------------------------
This is where industry can really make a difference. If users do
not understand what happens to their data, how it is used, or the
trade-offs, they will inevitably seek more protective blocking options.
Conversely, we may see the adoption of more invasive and even less
transparent tracking methods. The impact is that efforts to protect the
status quo further erode people's trust in the ecosystem, thereby
compromising future expansion of commerce and innovative growth of this
ecosystem. Personalized content is good, however, the collective
challenge we face is how to deliver that content transparently.
The future of a viable, innovative Web that continues to contribute
jobs and drive social, educational and economic activity depends on
consumer trust. To develop this trust, transparency, choice and control
are essential. Real transparency of business and data sharing practices
combined with meaningful user choice will engender the confidence users
expect. With this as a baseline, I suspect survey results would be
dramatically different and users may very well even opt-in to forms of
tracking and data collection they understand and find valuable.
We saw a similar reaction in the early years of online commerce.
People were afraid to use credit cards on the Internet until encryption
was readily used and then users began to trust the practices that
supported online electronic purchases. We believe it is in the
industry's own best interest to aggressively seek long-term, privacy-
preserving and economically sound approaches to behavioral targeting
and personalization that foster trust and greater participation and
sharing of data. As the OPA's Pam Horan observed, ``Although change can
be hard for any industry, it can also be a catalyst for better content
services and privacy protections in the Internet ecosystem . . .'' \18\
---------------------------------------------------------------------------
\18\ Ibid.
---------------------------------------------------------------------------
We want to help the advertising and publishing industries create a
paradigm of trust that both respects users and supports commerce. We
recognize that the current opt-out system is in many ways a significant
achievement--it is no small task to achieve comprehensive industry
behavioral change. We also recognize that legislating technology is
challenging and risky--but we can articulate clear values. Given the
low participation rates of the current voluntary opt-out system, the
increasing concern of consumers, and the increasing volume of DNT
signals that remain unanswered from users across the United States, it
is clear that more is required--including continued congressional
oversight. As we and industry thought leaders have observed, there is a
better way to gain the user's trust--through choice, control and
transparency, and meaningful engagement with the user on the benefits
and trade-offs of the current tracking practices.
Thank you, again, Senator Rockefeller, Ranking Member Thune, and
members of the Committee for the opportunity to join you today.
The Chairman. Thank you, Mr. Anderson, very much.
And now Mr. Mastria?
STATEMENT OF LUIGI MASTRIA, CIPP, CISSP, MANAGING DIRECTOR,
DIGITAL ADVERTISING ALLIANCE
Mr. Mastria. Chairman Rockefeller, Ranking Member Thune,
and members of the Committee, thank you for the opportunity to
testify today.
My name is Lou Mastria, and I am the Managing Director of
the Digital Advertising Alliance.
The DAA is a nonprofit organization led by the leading
advertising and marketing trade associations, representing more
than 5,000 U.S. corporations. The DAA administers a
comprehensive program of industry self-regulation for online
data collection that provides enhanced consumer transparency
and choice.
The DAA's Choice program also appropriately preserves
consumers' strong preference for free, ad-supported content
powered by relevant advertising, an approach that has helped
sustain the astonishing growth and ever-expanding variety of
Internet services and content. The DAA is the only program in
the marketplace today that successfully provides an end-to-end
system for controlling Web viewing data collected across
unrelated sites.
This system is backed by strong and credible enforcement by
the Council of Better Business Bureau and the DMA. The DAA
provides enhanced transparency via the ubiquitous triangular
blue icon from which consumers can access the DAA's universal,
easy-to-use choice mechanism.
Since the program's launch, more than 23 million consumers
have visited the DAA portal and education sites to learn about
their choices. More than 8 million have visited the DAA opt-out
tool, and nearly 2 million have taken action to exercise their
choice.
I would like to emphasize five attributes of the DAA
program that are frequently misrepresented by our critics.
First, from its launch, the DAA has offered a simple, easy-to-
use, one-button choice mechanism that works regardless of the
type of browser used.
Second, the DAA principles apply to the collection of all
Web viewing data across unrelated sites, not just data
collected for advertising purposes.
Third, the DAA offers users persistent choice, that is to
say choice that exists even after deletion of cookies.
Fourth, the DAA principles restrict both the collection and
the use of data.
Fifth, the DAA's enforcement applies to all marketplace
participants, regardless of whether they have enrolled in the
DAA program.
At a highly publicized White House event last year
announcing President Obama's framework for privacy, the then
chairman of the Federal Trade Commission and the Secretary of
Commerce, along with White House officials, publicly praised
and endorsed the DAA's initiative. In fact, a senior White
House official stated that the DAA is ``an example of the value
of industry leadership as a critical part of privacy protection
going forward.''
At this event, the DAA announced an agreement to honor the
DAA principles through a browser signal when a consumer both
receives meaningful information about the effect of that choice
and affirmatively makes that choice themselves. Unfortunately,
the DAA agreement at the White House was short-circuited, due
to contrary approaches taken by both Microsoft and Mozilla.
Microsoft subsequently released its new version of IE 10
with what is ``Do-Not-Track'' turned on by default. This is in
direct conflict with the agreement they helped develop at the
White House.
In February this year, Mozilla announced that it will block
third-party cookies. These actions do not advance consumer
choice, and they will have a significant adverse effect on
users' Internet experience.
Cookies set by third parties play a vital role in the
Internet ecosystem by facilitating consumer access to content
and services. Blocking of third-party cookies would simply
disrupt consumer's online experience on the websites they use
by reducing content personalization and the relevancy of ads
that they receive.
This change would harm all Internet content services that
use third-party technologies to understand and protect their
audiences. In particular, it would disproportionately harm the
numerous small publishers that are completely reliant on these
technologies to operate and monetize their sites, thereby
thwarting new job creation and chilling innovation.
For more than 4 years, the DAA has been responsive to the
concerns of consumer advocates, regulators, and legislators.
The DAA's initial advertising principles met the FTC's call for
enhanced transparency. The DAA's multisite data principles
again met the call of regulators and consumer advocates to
extend choice to all Web viewing data.
At the White House, again DAA, responding to regulators,
agreed to honor its principles through a browser setting that
would complement DAA's existing choice mechanism. And soon the
DAA will announce detailed guidance that provides transparency
and control for the mobile Web applications and marketplace.
To be clear, the DAA is the solution provider here, not the
problem. We are the only entity that actually delivered choice
for consumers.
Today, the DAA calls on all stakeholders, including the
FTC, the W3C, Microsoft, and Mozilla, to honor the terms of the
White House announcement and remove impediments that are
preventing implementation of browser-driven choice for
consumers.
Thank you.
[The prepared statement of Mr. Mastria follows:]
Prepared Statement of Luigi Mastria, CIPP, CISSP, Managing Director,
Digital Advertising Alliance
Chairman Rockefeller, Ranking Member Thune, and Members of the
Committee, good afternoon and thank you for the opportunity to speak at
this important hearing.
My name is Lou Mastria. I am Managing Director of the Digital
Advertising Alliance (``DAA'') and I am pleased to report to the
Committee on the substantial progress of our Self-Regulatory Program.
The DAA is a non-profit organization led by the leading advertising
and marketing trade associations including the Association of National
Advertisers (``ANA''), the American Association of Advertising Agencies
(``4As''), the Direct Marketing Association (``DMA''), the Interactive
Advertising Bureau (``IAB''), the American Advertising Federation
(``AAF''), and the Network Advertising Initiative (``NAI'') in
consultation with the Council of Better Business Bureaus (``CBBB'').
These organizations came together in 2008 to start developing the Self-
Regulatory Principles for Online Behavioral Advertising, which were
extended in 2011, beyond advertising, to cover the collection and use
of Multi-Site Data across non-Affiliate sites over time. The DAA was
formed to administer and promote these responsible comprehensive Self-
Regulatory Principles for online data collection and use.
In response to the Chairman's request for a status update on steps
industry stakeholders have taken to fulfill their commitment to honor
Do-Not-Track requests from consumers.\1\ Since the fall of 2010, the
DAA and its participants have been providing uniform choice to
consumers. The DAA Program provides consumers with a one-button choice
mechanism to stop the collection and use of web viewing data. This
choice mechanism, which is consistent with the recommendations of the
Federal Trade Commission (``FTC'') is being implemented: (1) to
universally apply to all parties that collect web viewing data across
nonaffiliated sites over time; (2) to be easy to find, understand, and
use; (3) to make consumers' choices persistent; (4) to be effective and
enforceable; and (5) to apply beyond simply opting out of receiving
interest-based tailored ads.\2\ Furthermore, our program and choice
tools share and meet the goals of the Chairman's legislation--providing
individuals with a simple and easy means to indicate their preference
about the collection of such online viewing data. Unfortunately, some
browser manufacturers have frustrated the DAA desire to extend the DAA
program and tools to a browser setting. Nonetheless, the DAA and its
participants today provide meaningful and effective consumer choice
tools to consumers that with the click of one button provides consumers
with the exact choice that a browser setting could provide. The DAA is
the only system that provides an end to end system that captures all
data viewing behavior, provides enhanced transparency in the form of an
icon, and strong and credible enforcement to ensure compliance. The DAA
stands committed to work with the Committee, these browsers and all
organizations that are willing to join our efforts to provide
meaningful choice while continuing to provide consumers with the
Internet offerings that they cherish.
---------------------------------------------------------------------------
\1\ Hearing Notice: A Status Update on the Development of Voluntary
Do-Not-Track Standards, available at http://www.commerce.senate.gov/
public/index.cfm?p=Hearings&ContentRecord_
id=1cf8fb1a-fb0b-4bf1-958b-1ea3c443a73c.
\2\ ``FTC Report: Protecting Consumer Privacy in a, Era of Rapid
Change--Recommendations for Businesses and Policymakers'', at 53
available at http://www.ftc.gov/os/2012/03/120326
privacyreport.pdf.
---------------------------------------------------------------------------
My testimony today will describe the commitment made by the DAA to
extend its effective choice mechanisms to include browser-based
signals, the threat to the Internet ecosystem posed by the actions of
two browser manufacturers, and how the online advertising industry
continues to successfully work to give consumers transparency and easy,
uniform, and effective tools to control online data collection.
Companies recognize that consumers have different preferences about
online advertising and data collection and want to continue to build
consumer trust in the online experience by ensuring that consumers have
meaningful choices about how data is collected and used
The DAA appreciates the Committee's interest in exploring how
consumer privacy concerns should co-exist with consumers' desire for
innovative products and services. Industry self-regulation coupled with
consumer education effectively achieves this outcome. The DAA standards
empower consumers to make choices about online data collection and use.
Self-regulation is the appropriate approach because it is flexible and
can adapt to rapid changes in technology and consumer expectations,
whereas legislation and government regulation, particularly in such a
rapidly-developing area, can stifle innovation, reduce competition, and
add unnecessary costs.\3\ The business community has a strong incentive
to ensure broad, industry wide compliance with its self-regulatory
principles and achieves this goal through the accountability that is
built into our Self-Regulatory Program.
---------------------------------------------------------------------------
\3\ See: http://cetucker.scripts.mit.edu/docs/law_summary_2011.pdf.
In a congressional hearing on ``Internet Privacy: The Impact and Burden
of EU Regulation,'' Professor Catherine Tucker of the MIT Sloan School
of Management testified about the effect on advertising performance of
the European Union's e-Privacy Directive, which limits the ability of
companies to collect and use behavioral data to deliver relevant
advertising. Professor Tucker's research study found that the e-Privacy
Directive was associated with a 65 percent drop in advertising
performance, measured as the percent of people expressing interest in
purchasing an advertised product. The study also found that the adverse
effect of such regulation was greatest for websites with content that
did not relate obviously to any commercial product, such as general
news websites. Professor Tucker cautions: ``on the basis of this
evidence, it is reasonable to say that privacy regulation could have
sizable effects for the advertising-supported internet.'' Professor
Tucker advises that ``policymaking in the area of privacy regulation
needs to be careful and fulfill the twin aims of protecting consumer
privacy and ensuring that the advertising-supported Internet continues
to thrive.''
---------------------------------------------------------------------------
I. DAA's Commitment to Honor Browser-Based Opt-Out Mechanisms
For more than two years, the DAA has been offering an effective,
one-button choice mechanism that empowers consumers to stop the
collection of web viewing data for by third parties participating in
the program. On February 23, 2012, at a White House event announcing
President Obama's framework for privacy in the 21st Century, the
Chairman of the Federal Trade Commission, the Secretary of Commerce,
and White House officials publicly praised and endorsed the DAA's
cross-industry initiative. In the words of one White House official,
the DAA is ``an example of the value of industry leadership as a
critical part of privacy protection going forward.'' \4\ At this event,
the DAA committed to developing a process to honor browser settings
while providing consumers with the ability to make choices about the
collection and use of web browsing data.
---------------------------------------------------------------------------
\4\ Speech by Danny Weitzner, We Can't Wait: Obama Administration
Calls for A Consumer Privacy Bill of Rights for the Digital Age
(February 23, 2012), available at http://www.white
house.gov/blog/2012/02/23/we-can-t-wait-obama-administration-calls-
consumer-privacy-bill-rig
hts-digital-age (last visited March 16, 2012).
---------------------------------------------------------------------------
A. DAA Commitment to Honor a Users' Choices Through Browser-Based Tools
At the February 2012 White House event, the DAA committed to
recognize browser-based header signals as a means of exercising the
choices provided under the Self-Regulatory Principles. Specifically, at
the event, the DAA read the following commitment reached with the DOC,
FTC, and White House:
The DAA standard and corresponding enforcement of the standard
will be applied where a consumer:
(1) has been provided language that describes to consumers the
effect of exercising such choice including that some data
may still be collected and
(2) has affirmatively chosen to exercise a uniform choice with
the browser based tool.
The DAA standard will not apply in instances where (1) and (2)
do not occur or where any entity or software or technology
provider other than the user exercises such a choice.\5\
---------------------------------------------------------------------------
\5\ DAA Position on Browser Based Choice Mechanism, available at
https://www.about
ads.info/resource/download/DAA_Commitment.pdf.
This framework is tied to an industry-consensus standard known as
the Self-Regulatory Principles for Multi-Site Data that govern the
collection and all uses of web viewing, including interest-based
advertising.\6\ The framework also recognizes that consumers should be
educated as to the effect of their choice, in particular they should be
aware that if they exercise their choice: (1) they will still receive
advertising but that ads may not be relevant to their interest; (2)
consistent with the Self-Regulatory Principles, web viewing data may
still be collected for narrow purposes including operational and system
management purposes, fraud prevention and security, content delivery,
market research, and product development; and (3) that data is vital to
workings of the Internet ecosystem, and limiting collection can result
in a reduced online experience.
---------------------------------------------------------------------------
\6\ DAA Self-Regulatory Principles for Multi-Site Data (November
2011), available at http://www.aboutads.info/resource/download/Multi-
Site-Data-Principles.pdf.
---------------------------------------------------------------------------
The DAA committed to this standard because it provides consumer
transparency, control, and education concerning the scope and effect of
their choice while ensuring that a broad range of companies can
continue to deliver products and services today and to innovate for
tomorrow's marketplace.
B. Browsers' Subsequent Actions
Following the February 2012 White House event, the DAA set out to
work toward implementing browser-based choice by the end of last year.
The DAA efforts were short-circuited due to decisions by Microsoft and
Mozilla. In particular, contrary to the agreement at the White House
which Mozilla and Microsoft supported, they unilaterally chose to
implement browser-based header signals, that they call ``do not track''
signals, in a way inconsistent with the DAA commitment announced with
the FTC, Department of Commerce, and White House.
Microsoft released its new version of Internet Explorer 10
(``IE10'') with a ``do not track'' tool turned ``on'' as a default
setting in direct conflict with the commitment they supported at the
White House that a user--and not the browser manufacturer--choose to
exercise the choice mechanism in the browser setting. Machine-driven
signals with the default on set by Microsoft do not represent user
choice. The existing Microsoft system further compounds this problem by
making it difficult in its settings for consumers to change the
mandated default ``on'' setting. The DAA believes that a choice that
prohibits data collection and use should not be made for the consumer
by a browser or any other party. Allowing browser manufacturers to
determine these choices for users limits the information and experience
received by consumers, and consumers' ability to enjoy the ad supported
Internet provided by DAA participants and hundreds of thousands of
other websites that consumers value. Most importantly, honoring the
approach that Microsoft has elected to put in its browser was not part
of the public commitment at the White House.
Mozilla has implemented what it refers to as a ``do not track''
tool in the current Firefox release also without following the White
House agreement, for example by not describing for consumer the impact
of their choice and creating inaccurate consumer expectations.
Mozilla's interface permits users to check a box to ``Tell websites I
do not want to be tracked.'' Nothing more is provided to users; for
example, consumers are not told that, by exercising such choice some
data may still be collected. This implementation conflicts with the
workable standard developed through industry consensus in 2012 and does
not provide consumers with clear information about the effect of their
choices.
The process for implementing the DAA's commitment has been further
delayed by the Worldwide Web Consortium (``W3C''), a technical
standard-setting organization for web technologies, and its failure to
reach any consensus after nearly two years of dialogue. Because the W3C
is ill-equipped to address such public policy matters, its involvement
has further complicated and protracted efforts to reach consensus on a
standard and implementation for choice offered in the browser settings.
This process is still ongoing and the DAA continues to participate in
this forum.
C. DAA Offers a Universal Choice Mechanism
These browser implementations conflict with the DAA commitment, and
are inconsistent with Chairman Rockefeller's ``Do Not Track Online
Act'' (S. 418). The Chairman's bill calls for a standard by which ``an
individual can simply and easily indicate whether the individual
prefers to have personal information collected.'' \7\ This bill
identifies the type of data subject to the tool and the effect of
choice. The above-described browser implementations contain no standard
for the types of data subject to the choice mechanism or the effect of
exercising a choice. Without a standard governing when a browser-header
signal is activated and what it means, a website or other entity
receiving this signal will not know how to implement it. As a result,
the signal could be ignored or, worse, treated differently by different
signal recipients resulting in the consumer receiving no effect from
the choice or receiving uneven results. This could cause confusion for
consumers instead of comfort and security.
---------------------------------------------------------------------------
\7\ S. 418, ``Do Not Track Online Act, 113th Congress.
---------------------------------------------------------------------------
In contrast, we believe that the DAA's current implementation is
consistent with the Chairman's bill and the recommendations set forth
by the FTC. The DAA Principles, our Self-Regulatory Program, and our
consumer choice tool enforced by credible accountability programs are
the only mechanisms in the marketplace today that provide consumers
with clear transparency, choice, and understanding about how their data
will and will not be used. Through more than 1 trillion ad impressions
served each month with the DAA's Advertising Option Icon (``DAA
Icon''), consumers can access the DAA's universal, easy-to-use choice
mechanism via www.about
ads.info/choices and www.youradchoices.com/control.aspx. This choice
tool provides consumers with a single button to exercise choice against
participating companies, either as a group or individually. When a
consumer exercises choice--whether against all participants or a few--
the affected participants stop collecting and using web viewing data
from the user's browser for interest-based advertising. Since the
program's launch in 2010, more than 23.5 million consumers have visited
the DAA sites to learn about their advertising data choices, and, last
year alone, more than a million consumers have taken action via DAA to
exercise their choice about how advertisers will use their data.
II. Mozilla's Technology Blocking Tool Could Harm Consumers and the
Internet
In an act that is sure to further undercut consumer choice
committed to at the White House and that will break critical Internet
functionality, in February 2013, Mozilla announced that it will block
cookies set by third parties in the upcoming release of its Firefox
browser. Mozilla's decision to block technologies by certain types of
companies will have a significant adverse impact on the Internet by
reducing competition and diminishing the consumer's online experience.
A. Third Party Cookies are Vital to the Internet Ecosystem
Today's Internet is built around the technology of ``cookies''.
Cookies are small text files that websites use to store information in
order to make it easier for users to utilize and access web pages
efficiently. For example, a website might use cookies to keep track of
items a user has placed in a virtual ``shopping cart.'' This well-
established and very transparent technology enables the delivery of
rich content, products, relevant advertising, and security and fraud
prevention services. Recently, Mozilla has decided to selectively deny
access to this technology, in effect picking winners and losers in the
Internet ecosystem. The Internet, however, does not discriminate
against technology based on its source. Affiliated companies operating
differently branded domains could find their cookies blocked as third
parties across these different domains. This blocking approach would
also hurt a company's measures to provide security measures. Companies
often implement security measures through third party domains or even
their own differently branded domains. Mozilla would thwart these
security efforts by preventing companies from setting cookies for
security purposes in these multiple domains. This change harms not only
third parties, but all companies that rely on integrated services,
particularly the large number of small publishers that rely on service
providers to operate and monetize their sites.
The Internet is a complex ecosystem comprised of a diverse set of
actors including web publishers, content providers, ad networks,
analytics firms, security and fraud prevention providers, exchanges,
advertisers, plugin providers, and many other actors. These entities
work seamlessly together to provide content and services to the benefit
of consumers. Cookies set by third parties play a vital role in this
ecosystem by facilitating consumer demand for content and services.
Cookies are also vital to interest-based advertising (``IBA''). IBA
provides consumers with a more relevant online experience by providing
information about products and services that more likely relevant to
their. Blocking third-party cookies will prevent third parties from
fulfilling these roles, in turn disrupting consumer services, lessening
online relevancy and security, and destroying many Internet business
models.
B. Blocking Third Party Cookies Will Restrict Consumers' Access to
Content and Services
Today, hundreds of thousands of publishers deliver mainstream and
niche content for free or at low cost. Web publishers rely on third
parties to help select, provide, and display relevant content to
visitors to their publisher sites. On any given website, content such
as news feeds, weather tools, social plugins, or emergency response and
safety information (e.g., Amber alerts) are often provided by a third
party integrated into the publisher's site for a seamless appearance
and experience for the user. Third parties also enhance content
quality, providing information relevant to the browser user's
interests, and securing the user's safety when browsing or shopping on
a site. All of these essential services are typically delivered through
cookie technology. Mozilla's denial of the use of cookies would prevent
third parties from providing these services resulting in blocked access
to content, and a slower, less optimized, and less safe consumer
experience online. In order to receive the Internet that works
effectively and gives consumers the services they are used to
receiving, it will be time for consumers to change their browser.
Mozilla's cookie-blocking approach will lead U.S. consumers down a
path where a few large companies can control the amount and diversity
of content made available online. Not that long ago, television was
comprised of three networks that selected and delivered all programing
to consumers. Through advances in technology and infrastructure,
consumers may now access a rich diversity of television content. The
Internet delivers an even more stunning array of content because of the
low barriers to entry. Consumers value these choices, and should not
have their online experience be forced back into a 1970s television
construct where a few control the content that consumers can access. In
short, Mozilla's actions could significantly hurt the Internet,
consumer experience and choice to have robust content offerings.
C. Blocking Cookies Disadvantages Small Businesses
Advertising fuels the Internet economic engine. The support
provided by online advertising is substantial and growing despite the
difficult economic times we are facing. The online advertising industry
is a beacon for innovation and job creation. In 2012, Internet
advertising revenues reached a new high of $36.6 billion, an impressive
15 percent higher than 2011's full-year number.\8\ Because of this
advertising support, small and medium-size publishers can provide
consumers with access to a wealth of online resources at low or no
cost. Revenue from online advertising facilitates e-commerce and
subsidizes the cost of content and services that consumers value, such
as online newspapers, weather, Do-It-Yourself websites, blogs, social
networking sites, mobile applications, e-mail, and phone services.
According to a recent poll by Zogby Analytics, 92 percent of Americans
think free content like news, weather and blogs is important to the
overall value of the Internet.\9\
---------------------------------------------------------------------------
\8\ Interactive Advertising Bureau Press Release, ``Internet Ad
Revenues Again Hit Record-Breaking Double-Digit Annual Growth, Reaching
Nearly $37 Billion, a 15 percent Increase Over 2011's Landmark
Numbers'' (April 16, 2013) (reporting results of PricewaterhouseCoopers
study).
\9\ Interactive Survey of U.S. Adults commissioned by the DAA
(April 2013), available at http://www.aboutads.info/resource/image/
Poll/Zogby_DAA_Poll.pdf.
---------------------------------------------------------------------------
This model delights consumers and creates jobs across America,
fostering a competitive marketplace that drives down prices for
consumers and costs for businesses. The Internet is a tremendous engine
of economic growth. It has become the focus and a symbol of the United
States' famed innovation, ingenuity, inventiveness, and entrepreneurial
spirit, as well as the venture funding that flows from these enormously
productive and positive efforts. A 2009 study found that more than
three million Americans in every U.S. state are employed due to the
advertising-supported Internet, contributing an estimated $300 billion,
or approximately 2 percent, to our country's GDP.\10\ There is
employment generated by this Internet activity in every single
congressional district in every state across the United States.\11\
---------------------------------------------------------------------------
\10\ Hamilton Consultants, Inc. with Professors John Deighton and
John Quelch, Economic Value of the Advertising-Supported Internet
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
\11\ Id. at 53.
---------------------------------------------------------------------------
Recently, more than 700 small publishers signed an open letter to
Mozilla requesting that it reconsider its decision to block third-party
cookies.\12\ These small publishers rely on third party cookies for
content delivery as well as the delivery of advertising that subsidizes
their provision of online services, products, and content through their
websites. Small-business website publishers that cannot afford to
employ advertising personnel to sell their advertising space, and may
not even be on the radar of large brand-name advertising campaigns, can
increase their revenue by featuring advertising that is more relevant
to their users. This is commonly done through third-party platforms,
often offered on a self-serve basis, that allow publishers to add
advertising to their sites efficiently and easily. In turn,
advertising-supported resources help other small businesses to grow.
Small businesses can use free or low-cost online tools, such as travel
booking, long-distance calling, and networking services, to help them
run their companies.
---------------------------------------------------------------------------
\12\ Open Letter to Mozilla, available at http://www.iab.net/
mozilla_petition/.
---------------------------------------------------------------------------
III. DAA Approach Is Successful
The DAA is a broad-based self-regulatory program established by the
leading advertising and marketing industry associations. The program is
led by the 4As, AAF, ANA, DMA, IAB, and the NAI. The DAA program unites
these major trade associations representing thousands of online
companies across the full spectrum of advertising services (including
web publishers, advertisers, third-party ad networks, and exchanges).
The DAA program is based on seven core Self-Regulatory Principles:
education, transparency, consumer control, data security, controls with
respect to material changes to policies and practices, heightened
safeguards for sensitive data, and accountability. The DAA offers
several interrelated mechanisms to deliver consumers enhanced
transparency and a ubiquitous and easy-to-use choice mechanism as
described below.
A. Consumer Disclosure through the Advertising Option Icon
The DAA program has developed a universal icon to give consumers
transparency and control for interest-based ads. The icon provides
consumers with notice that information about their online interests is
being gathered to customize the web ads they see. Clicking the icon
also allows consumers to choose whether to continue to allow this type
of advertising.
The icon is served over one trillion times each month on or next to
Internet display ads on websites covered by the program. The DAA
reached this milestone within a short 18 months from program launch.
This achievement represents an unprecedented level of industry
cooperation and adoption.
B. Consumer Control
At the www.aboutads.info website and accessible from the companion
www.your
adchoices.com website, the DAA program makes available a choice
mechanism that unites the opt-out mechanisms provided by more than 114
different third-party advertisers participating in the program. We
estimate that the DAA program coverage is approaching 100 percent
participation of the interest based ads being delivered. The choice
mechanism offers consumers a ``one-click'' option to request opt outs
from all participants or allows a user to make choices about specific
companies. Consumers are directed to aboutads.info not only from icon-
based disclosures on or around ads, but from other forms of website
disclosure. The site also contains other educational and informational
materials about the DAA program and its participants. Since program
launch, there have been more than 16 million page views of our choice
portal. More than a year ago, the DAA also introduced a suite of
browser plug-ins to help ensure the persistency of these choices.
In 2012, more than 5.2 million unique users accessed the resources
provided at www.aboutads.info. Of those visitors, nearly one million
unique users have exercised choice using the integrated opt out
mechanism provided at that site; nearly two million unique visitors
have opted out since the program launch. Many users visit the website,
learn about their choices, and ultimately choose not to opt out. We
believe that this shows that once consumers understand how online
advertising works, many prefer to receive relevant ads over irrelevant
ads. Research supports this proposition. A recent poll of U.S.
consumers shows that 68 percent of Americans prefer to get at least
some Internet ads directed at their interests with 40 percent of
Americans prefer to get all their ads directed to their interests.\13\
---------------------------------------------------------------------------
\13\ Interactive Survey of U.S. Adults commissioned by the DAA
(April 2013), available at http://www.aboutads.info/DAA-Zogby-Poll.
---------------------------------------------------------------------------
C. Consumer Education
The DAA is deeply committed to consumer education. In 2012, the DAA
launched a dedicated educational site at www.YourAdChoices.com. The
site provides easy-to-understand messaging and informative videos
explaining the choices available to consumers, the meaning of the
Advertising Option icon, and the benefits they derive from online
advertising.
In 2012, companies participating in the DAA program voluntarily
donated more than four billion impressions to support an educational
campaign for www.Your
AdChoices.com. Since the campaign launch in late January 2012, more
than 13.5 million unique users have visited the site, an average of
about one million visitors each month. This site also provides access
to the DAA's user choice mechanism. The combination of the educational
campaign and the ubiquitous availability of the Advertising Option Icon
have significantly increased consumer usage of the DAA program tools.
Indeed, the 5.2 million unique visitors to www.aboutads.info in 2012
are more than three times the 2011 figure.
D. Commitment to Accountability
For the past 40 years, the advertising industry has distinguished
itself through its self-regulatory systems for independent oversight of
compliance and public reporting of enforcement actions. In keeping with
this tradition, a key feature of the DAA Self-Regulatory Program is
accountability. All of DAA's Self-Regulatory Principles are backed by
the robust enforcement programs administered by the Council of Better
Business Bureaus (``CBBB'') under the policy guidance of the
Advertising Self-Regulatory Council (ASRC), and by the DMA under its
Guidelines for Ethical Business Practice. In addition to the oversight
provided by the CBBB and DMA compliance programs, the NAI also has a
strong compliance program. The NAI compliance program includes pre-
certification reviews, ongoing technical monitoring of member
companies' opt-out scripts, annual compliance reviews, mechanisms for
accepting and investigating complaints alleging non-compliance, and
annual reporting. The NAI's compliance program, like the CBBB and DMA
programs, helps members to comply with their self-regulatory
obligations, and to hold them accountable.\14\
---------------------------------------------------------------------------
\14\ NAI 2012 Compliance Report, available at http://
www.networkadvertising.org/2012_
NAI_Compliance_Report.pdf.
---------------------------------------------------------------------------
The CBBB Accountability Program builds on the successful track
records of the other ASRC programs: the National Advertising Division,
operating since 1971; the Children's Advertising Review Unit, operating
since 1974; and the Electronic Retailing Self-Regulation Program,
operating since 2004. These programs feature independent monitoring,
public reporting of decisions and referral to government agencies,
often to the Federal Trade Commission, of any uncorrected non-
compliance. They have extremely high voluntary compliance rates. In
fact, over 90 percent of companies voluntarily adopt the
recommendations of these programs. Those companies that fail to comply
or refuse to participate in the self-regulatory enforcement process are
referred publicly to the appropriate government agency for further
review.
The CBBB administers its Interest-Based Advertising Accountability
Program under the ASRC self-regulatory policy guidance and procedures.
Because of the highly complex, technical and interdependent nature of
interest-based advertising, the Accountability Program receives a
weekly privacy dashboard report based on independent data about more
than 250 companies' compliance with various requirements of the
Principles. The Accountability Program's technical staff analyzes these
data and independently performs further research to determine whether
there may be a violation of the Principles warranting formal inquiry.
Like other ASRC programs administered by the CBBB, the CBBB
Accountability Program also finds potential cases through its own staff
monitoring and investigation, by analysis of consumer complaints and
reviews of news stories and technical reports from academics and
advocacy groups. Where there is a potential compliance issue, the CBBB
initiates formal inquiries and works to ensure the company understands
the Principles and voluntarily implements the requirements of the
Principles. At the end of the process, the CBBB Accountability Program
issues a public decision, which details the nature of the inquiry, the
Accountability Program's conclusions, any recommendations for
correction, and includes a statement from the company in question
regarding its implementation of the recommendations. A press release is
also issued.
The CBBB's Accountability Program has brought 19 cases since
November 2011, and has a 100 percent track record of voluntary industry
compliance with its recommendations. The CBBB Accountability Program
has focused its inquiries on the key concepts of transparency and
choice under the DAA's Self-Regulatory Principles. In its initial round
of cases, the Accountability Program investigated whether companies
were correctly and reliably providing consumers with an effective
choice mechanism. Cases involved defective links to opt-out mechanisms
and opt outs that failed to meet the OBA Principles' five-year minimum
opt-out period.
The CBBB Accountability Program's recent decisions provided
companies with guidance on a range of important compliance issues
involving the DAA's Transparency and Consumer Control Principles. For
example, in a case in which a newly-established company was unaware of
the Principles and therefore out of compliance, the CBBB Accountability
Program made clear that the Principles cover the entire advertising
ecosystem and that all companies are expected to comply with these
requirements. In other cases, the Accountability Program has
demonstrated the flexibility of self-regulation by applying the
Principles to diverse technologies and to evolving business models.
The DMA's enforcement program likewise builds on a long history of
proactive and robust self-regulatory oversight. The DMA's longstanding
Guidelines for Ethical Business Practice (``Guidelines'') set out
comprehensive standards for marketing practices, which all DMA members
must follow as a condition of membership. The DAA Self-Regulatory
Principles are incorporated into these Guidelines.
The DMA's Committee on Ethical Business Practice examines practices
that may violate DMA Guidelines. To date, the DMA Guidelines have been
applied to hundreds of marketing cases on a variety of issues such as
deception, unfair business practices, personal information protection,
and online behavioral advertising. In order to educate marketing
professionals on acceptable marketing practices, a case report is
regularly issued which summarizes questioned direct marketing
promotions and how cases were administered. The report also is used to
educate regulators and others interested in consumer protection issues
about DMA Guidelines and how they are implemented.
The Committee on Ethical Business Practice works with both member
and non-member companies to gain voluntary cooperation in adhering to
the guidelines and to increase good business practices for direct
marketers. The DMA Corporate Responsibility team and Ethics Committee
receive matters for review in a number of ways: from consumers, member
companies, non-members, or, sometimes, consumer protection agencies.
Complaints are reviewed against the Guidelines and Committee members
determine how to proceed. If a potential violation is found to exist,
the company will be contacted and advised on how it can come into full
compliance.
Most companies work with the Committees to cease or change the
questioned practice. However, if a member company does not cooperate
and the Committee believes there are ongoing guidelines violations, the
Committee can recommend that action be taken by the Board of Directors
and can make case results public. Board action could include censure,
suspension or expulsion from membership, and the Board may also make
its actions public. If a non-member or a member company does not
cooperate and the Committees believe violations of law may also have
occurred, the case is referred to Federal and/or state law enforcement
authorities for their review.
The CBBB and DMA programs demonstrate the success of self-
regulation and its many benefits, including the ability for the
regulatory apparatus to evolve to meet new challenges. Importantly,
accountability under the Principles applies to all members of the
advertising ecosystem, not merely ``members'' of the various
organizations.
E. Application of Self-Regulatory Principles to Data Collected on
Mobile Devices
Industry self-regulation is especially appropriate for the
technology sector because it is nimble. The DAA Self-Regulatory Program
is adapting over time and we expect this evolution to continue with
changes in the marketplace driven by technological advancements and
evolving consumer preferences. Currently, the DAA is finalizing new
implementation guidance responding to the fact that companies operate
across a variety of channels including mobile. The guidance will
explain how the Self-Regulatory Principles apply to certain data
practices that may occur on mobile or other devices.
Stakeholders representing all major elements of the mobile
ecosystem participated in the development of this guidance. The
guidance will clarify that the previously-issued Self-Regulatory
Principles apply to the mobile web environment. In addition, the
guidance will explain how the Transparency and Consumer Control
Principles apply to ``Cross-App'' data--data collected from a device
across non-affiliated applications over time. The DAA will build on the
success of its existing web-based uniform choice mechanism by working
with DAA stakeholders to develop and implement, or otherwise specify, a
companion choice mechanism for Cross-App Data. This new tool will offer
consumers an unprecedented level of control over third-party data
collection across applications on a device.
The guidance will also ensure Transparency and Consumer Control for
both Precise Location Data and Personal Directory Data, the term
encompassing calendar, address book, phone and text logs, or photo and
video data created by a consumer that is stored on or accessed through
a device. Any entity engaged in the collection and use of Cross-App
Data, Precise Location Data, or Personal Directory Data will be subject
to the DAA accountability mechanisms. As discussed above, these robust
accountability mechanisms can, and do, review an entity's practices
regardless of whether that company has announced its adherence to the
DAA Self-Regulatory Principles.
F. Benefits of Industry Self-Regulation
The DAA's commitment to self-regulation has put us at the forefront
of new consumer protection initiatives. The DAA believes that self-
regulation is the appropriate approach for addressing the interplay of
online privacy and responsible data collection and use practices. We
appreciate the positive recognition of the White House and the Federal
Trade Commission for our efforts. Our approach has been successful in
addressing consumer concerns while ensuring that the U.S. Internet
economy remains vibrant. Self-regulation provides industry with a
nimble way of responding to new challenges presented by the evolving
Internet ecosystem. For our information-driven economy to thrive and
continue as an engine of job creation, self-regulation led by industry
codes of conduct is the ideal way to balance privacy and innovation.
The DAA is also a global leader in self-regulation. The DAA Program has
been implemented in close to 30 countries including throughout Europe
soon to be launched elsewhere. The success means a standard consumer
experience and universal standards for business operating around the
world.
We believe that our commitment to and success in advancing industry
self-regulation obviates the need for new legislation. We remain
concerned that laws and regulations are inflexible and can quickly
become outdated in the face of extraordinarily rapidly-evolving
technologies. When this occurs, legislation thwarts innovation and
hinders economic growth and can impede a competitive marketplace that
offers a full range of choice to consumers. We believe, however, as we
have noted that our DAA program furthers the goals of the legislation
introduced by Chairman Rockefeller, while allowing for the more rapid
and flexible response to marketplace developments that are so pronounce
in the Internet and new media environment.
The DAA has championed a balanced approach to consumer control that
both accommodates consumers' privacy expectations and supports the
ability of companies to deliver services and continue innovating. This
balance is essential to allow consumers to continue to receive and
enjoy the diverse range of websites and services subsidized by relevant
advertising.
Industry has invested tens of millions of dollars to develop the
DAA program, which is one of the most successful and fastest-developing
consumer choice systems in the world.
The Chairman. Thank you.
And now Mr. Justin Brookman, Project on Consumer Privacy.
STATEMENT OF JUSTIN BROOKMAN, DIRECTOR, CONSUMER PRIVACY,
CENTER FOR DEMOCRACY & TECHNOLOGY
Mr. Brookman. Chairman Rockefeller, Ranking Member Thune,
members of the Committee, thank you very much for the
opportunity to testify here today.
I am Director of Consumer Privacy at the Center for
Democracy and Technology. I am also an editor and a member of
the W3C's working group working on Do-Not-Track.
And this issue of behavioral advertising obviously is one
that we have wrestled with for over 15 years now. And Chairman,
I share your frustration that it is one we haven't gotten
right.
Today, people still don't understand----
The Chairman. Sir, can you bend that down just--there you
go.
Mr. Brookman. I can. Does that help?
All right. People don't understand they are being monitored
online, and users feel less in control and more tracked than
ever. I think people understand the tradeoff that they can view
free content online in exchange for seeing ads. What I think
they don't get and often would not accept is that they are
getting content in exchange for the surveillance of their
reading and browsing habits.
So for a number of years, some privacy advocates argue that
we should have opt-in consent, opt-in consent for these
companies we have no relationship with monitoring our
activities to build up profiles to service ads. And in
response, industry said, no, opt-out is good enough.
And over time, at least here in the U.S., industry won that
fight. Calls for opt-in permission went unheeded, and legal
challenges failed.
But if you are going to have a system based on opt-out
rights, you need a global opt-out so users can opt out all at
once, telling all parties on a site, ``Hey, leave me alone.
Don't track me.'' Users cannot reasonably be expected to track
down every single company that is monitoring them and tell them
to stop individually.
And industry in principle agrees with this, so, as Mr.
Mastria described, the DAA has for a couple of years now
offered a site you can go to, to opt out of behavioral
advertising for member companies. Unfortunately, the system
suffers from a number of fundamental flaws.
One, it is not universal. The choice only applies to DAA
member companies. Companies that don't pay DAA for membership
are not included and receive no indication that an individual
user doesn't want to be tracked.
It is almost always based on cookies. So when you opt out,
DAA member companies put tracking cookies in your device. If
that gets deleted, your opt-outs go away, and companies don't
know that you don't want to be tracked.
And the program does not meaningfully address collection
and retention. Opting out turns off behavioral advertising, but
member companies can still monitor you and collect data about
you for research or product improvement purposes with no data
retention limits.
At the same time, behavioral tracking has expanded
dramatically in the last couple of years. So sites that used to
place one or two cookies on your device are now dropping
hundreds from dozens from different companies.
A recently released study from Evidon shows the number of
tracking companies and websites have gone up 53 percent in the
last year alone. This led one longtime industry insider to
conclude in an op-ed titled ``Suicide by Cookies'' self-
regulation hadn't worked the way we promised Washington it
would.
And so, it was before this committee 3 years ago that then-
Chairman Leibowitz said that users need a reliable, easy to
find, persistent global opt-out like Do-Not-Track. And to their
credit, the browsers reacted pretty quickly. So, today, all
major browsers can easily send Do-Not-Track signals. However,
the advertising industry has been less willing to adapt.
Finally, as you mentioned, Chairman Rockefeller, in
February 2012, four and a half years after advocates first
called for Do-Not-Track and a year and a half after Chairman
Leibowitz called for it here, the DAA said it would ``begin
work'' on letting users use browser settings to express choice.
And at that time, they said, ``The DAA expects that such
functionality will be implemented within 9 months.''
Now it is 14 months later, and only a handful of DAA
companies are responding to DAA headers at all. Efforts to come
up with consensus meaning of Do-Not-Track in the World Wide Web
Consortium have ground to a standstill, and for over a year
now, the group has seen no movement on the key issues, such as
whether cookies can be set when Do-Not-Track is turned on,
whether companies can track for market research when Do-Not-
Track is turned on, whether and how companies need to de-
identify data they get, whether ad networks can reject DNT
settings from browsers that turn on Do-Not-Track by default.
And data retention. I mean, if, at the end of the day, ad
companies can still log and retain individual-level data for
years and years and Do-Not-Track was turned on, what privacy
have we really achieved?
But we are not even to that point yet. Mozilla has been
sending out these signals for over 2 years now for users who go
out of their way to turn on Do-Not-Track, and a few companies,
like Yahoo! and BlueTie, treat it as an opt-out. But most just
ignore it.
Google Chrome has a Do-Not-Track setting that meets every
possible test DAA could want. It is not on by default. There is
explanatory text. There is a link for more information. You
can't just do it with one click, and companies are ignoring
those, too.
I am personally still hopeful that a compromise can be
worked out after all this time because if the industry, the
advertising industry won't agree to a meaningful standard, the
browsers have shown they are going to fight back. So Mozilla
has moved to disable cookies, at least in the short term, so
that the browsers understand unfettered data collection and
retention isn't necessary for the Net to work.
After all, Apple's Safari browser has blocked cookies for
years and is far more restrictive than a negotiated DNT setting
would be, and the Web works just fine on Apple devices. So much
of the privacy debate in this country is focused on just this
one narrow issue, and for years and years, we haven't had
resolution.
Ultimately, we really need to fundamentally rework our
privacy framework in America. Citizens deserve basic privacy
rights over all commercial collection of data, and they need
due process of law before Government access. Only then will
consumers in this country have confidence their privacy is
being protected.
Thank you very much for the opportunity to testify, and I
look forward to responding to the Senators' questions.
[The prepared statement of Mr. Brookman follows:]
Prepared Statement of Justin Brookman, Director, Consumer Privacy,
Center for Democracy & Technology
On behalf of the Center for Democracy & Technology (CDT), I thank
you for the opportunity to testify today. We applaud the leadership the
Chairman has demonstrated in examining the challenges in developing a
consensus Do Not Track standard and appreciate the opportunity to
address the continued insufficiency of self-regulatory consumer privacy
protections.
CDT is a non-profit, public interest organization dedicated to
preserving and promoting openness, innovation, and freedom on the
decentralized Internet. I currently serve as the Director of CDT's
Consumer Privacy Project. I am also an active participant in the
Worldwide Web Consortium's Tracking Protection Working Group, where I
serve as editor of the ``Tracking Compliance and Scope''
specification--the document that purports to define what Do Not Track
should mean.
My testimony today will briefly describe the history of online
behavioral advertising and the genesis of the Do Not Track initiative.
I will then describe the current state of the World Wide Web
Consortium's efforts to create Do Not Track standards and the
challenges going forward to implement Do Not Track tools successfully.
I will conclude with my thoughts on the future of Do Not Track. and why
I believe that this protracted struggle demonstrates the need for the
fundamental reform of our Nation's privacy protection framework for
commercial and government collection and use of personal information.
The Rise of Behavioral Advertising
Online behavioral advertising has been a concern for regulators and
privacy advocates for over fifteen years now. Behavioral advertising,
or more specifically cross-site behavioral advertising, was originally
made possible because of two core capabilities afforded by web
browsers: cookies and referer headers. Cookies are small bits of code
that the operator of a website can store locally on a user's computer--
among other things, they can be used as unique IDs so that a website
can recognize a particular user (or device) when the user returns to a
particular website. Originally conceived as a means for first-party
services to keep remember a user over time, soon advertising networks--
the companies that websites often use to generate ads for them--began
to place unique cookies' on web users' browsers as well. Because web
browsers typically identify the referring site when it passes along a
web request (the ``referer header''), advertising networks were
informed of the precise webpage they served a user a particular
advertisement. Combining cookies and referer headers together,
advertising networks were able to generate detailed logs of the various
websites they encountered a particular user.
Eventually, these companies began analyzing this web history to
help inform decisions about which ads to show particular users. When an
advertiser has a presence on many sites a user may visit, it is able to
develop a trail of past web surfing behavior consisting of a list of
many individual actions a user has taken online. These trails are very
unique in the sense that no two people do exactly the same things
online, so advertisers are able to leverage this very rich, unique view
of each user to make split-second decisions about what ads to show them
that they will have the highest likelihood of noticing and interacting
with. In a nutshell, that's what behavioral advertising is--utilizing
information about previous sites visited by a particular user to
influence decisions about what ads to show in the future.
As the behavioral advertising industry took off, many privacy
advocates complained that users did not understand that their cross-
site behavior was being tracked by companies they had never heard of,
and urged that users should have to affirmatively consent to the
tracking of their web surfing habits. In 2000, a class action suit was
filed against DoubleClick, a leading behavioral advertising company,
arguing that the company's tracking users without consent across
websites violated the Electronic Communications Privacy Act and the
Computer Fraud and Abuse Act. At the same time, the Federal Trade
Commission investigated DoubleClick's behavioral advertising practices,
and the allegations that DoubleClick intended to attach real names to
behavioral profiles. Eventually, the DoubleClick lawsuit was
dismissed,\1\ and the FTC discontinued its investigation of the
company, declining to allege that the company's tracking of users
without explicit consent violated existing law.\2\
---------------------------------------------------------------------------
\1\ In re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497
(S.D.N.Y. 2001).
\2\ Letter from the Federal Trade Commission to Christine Varney,
January 22, 2001, Re: DoubleClick, Inc., http://www.ftc.gov/os/
closings/staff/doubleclick.pdf.
---------------------------------------------------------------------------
However, while advocates' call for opt-in consent for behavioral
tracking went unheeded, industry has always acknowledged that users
should at least have the right to opt out of behavioral advertising.\3\
Moreover, for years, there has been general recognition that there must
to be a global way to opt out of all behavioral tracking at once--users
cannot reasonably be expected to locate all potential tracking
companies and one-by-one opt out of their tracking. Thus, already
today, the Digital Advertising Alliance (DAA)--the umbrella self-
regulatory group consisting of the Interactive Advertising Bureau,
Network Advertising Initiative, Better Business Bureau and others--
maintains a site through which users can globally opt out of behavioral
advertising by its member companies.\4\
---------------------------------------------------------------------------
\3\ FTC Staff Report, Public Workshop on Consumer Privacy on the
Global Information Infrastructure, December 1996, http://www.ftc.gov/
reports/privacy/Privacy1.shtm, at II.C.2 (Consumer Choice).
\4\ Digital Advertising Alliance, http://www.aboutads.info/
choices/.
---------------------------------------------------------------------------
Unfortunately, there are several limitations to industry's current
opt-out structure:
It only applies to advertisers that are members of the DAA;
companies that don't sign up and pay for membership are not
included, and receive no indication that a user does not want
to be tracked.
The opt-out is almost always cookie-based. If a user deletes
her cookies--or if they are routinely deleted by her anti-virus
software, as is often the case--the opt-out disappears, and
companies subsequently have no way of knowing that the user
does not want to be tracked.
The opt-out only prevents users from seeing targeted ads,
which are based on information gathered from tracking. However,
it does not prevent tracking itself. While the DAA's Multi-Site
Principles in principle agree with the notion of collection
limitation, in practice, the code's bases for collection are
extremely broad, and any justification to understand ``consumer
preferences and behaviors [or] research about consumers,
products, or services'' could justify individualized data
collection despite the user's opting out.\5\
---------------------------------------------------------------------------
\5\ Digital Advertising Alliance, Self-Regulatory Principles for
Multi-Site Data, http://www
.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
The interface through which users are presented their
choices around tracking and opting out both through the
AdChoices icon and on the DAA website are confusing.\6\
---------------------------------------------------------------------------
\6\ A. M. McDonald and Lorrie Faith Cranor, Social Science Research
Network, ``Beliefs and behaviors: Internet users' understanding of
behavioral advertising,'' October 2010, http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=1989092; Pedro G. Leon et al.,Carnegie Mellon
University CyLab, ``Why Johnny can't opt out: A usability evaluation of
tools to limit online behavioral advertising,'' October 2011, http://
www.cylab.cmu.edu/research/techreports/2011/tr
_cylab11017.html.
Coupled with the limitations of the industry's opt-out approach,
industry self-regulation has failed to grapple with the dramatic
expansion of the scope of tracking online. Websites that used to embed
one or two tracking cookies now embed dozens. A Wall Street Journal
report found that the top 50 websites placed over 3,000 tracking files
on a test computer; IAC Interactive's Dictionary.com alone placed 223
tracking files from a variety of third-party companies.\7\ In the past
year alone, the number of web tracking tags on websites has gone up 53
percent, nearly half of which were embedded not by the first-party
publisher, but by ad networks embedding their own tags to transmit data
to still other companies.\8\ Moreover, tracking that used to be
pseudonymous (profiles tied to a device, but not a name) are
increasingly linked or easily linkable to real world identities.\9\
Last December, for example, the Wall Street Journal reported on a
company named Dataium that tracked users by e-mail address, and sent
descriptions of online surfing to offline companies with which users
had shared that same e-mail address.\10\ Industry trade associations
have failed to adapt to address new business models predicated on
expanded and more personal tracking. As one long-time industry player
summarized recently: ``Self-regulation hasn't worked the way we
promised Washington it would.'' \11\
---------------------------------------------------------------------------
\7\ Julia Angwin, ``The Web's New Gold Mine: Your Secrets,'' The
Wall Street Journal, July 30, 2010, http://online.wsj.com/article/
SB10001424052748703940904575395073512989404.html.
\8\ George Simpson, ``Suicide by Cookies,'' MediaPost, February 22,
2013, http://www
.mediapost.com/publications/article/194073/suicide-by-
cookies.html#axzz2REncGaSy.
\9\ Justin Brookman, CDT blog, ``Why Facebook Apps Story is Problem
for Entire Web,'' October 19, 2010, https://www.cdt.org/blogs/justin-
brookman/why-facebook-apps-story-problem-entire-web.
\10\ Jennifer Valentino-Devries and Jeremy Singer-Vine, ``They Know
What You're Shopping For,'' Wall Street Journal, December 7, 2012,
http://online.wsj.com/article/SB10001424
127887324784404578143144132736214.html.
\11\ George Simpson, ``Suicide by Cookies,'' MediaPost, February
22, 2013, http://www
.mediapost.com/publications/article/194073/suicide-by-
cookies.html#axzz2REncGaSy.
---------------------------------------------------------------------------
The Call for Do Not Track
Given the longstanding inadequacy of industry self-regulatory
control options, in October 2007, CDT and other consumer advocacy
organizations called on the Federal Trade Commission to create a Do Not
Track list, similar to the successful ``Do Not Call'' list that allows
users to opt out of telemarketing. Under the original formulation for
Do Not Track, online advertisers would have to self-identify to the
FTC, which would then compile a list of their domains that track
consumers. Browsers that supported Do Not Track would then block any
third-party communications to domains on the FTC's block list.\12\ Only
ad networks that did not use unique identifiers to track users around
the web would be able to serve advertisements. As a result, users who
turned on Do Not Track would simply see ads that were not specialized
for them, since advertisers would not have access to the consumers'
recent history on the Web to surmise their interests.\13\
---------------------------------------------------------------------------
\12\ Tech Law Journal, ``CDT Proposes That FTC Create a Do Not
Track List for Consumer Internet Use,'' October 31, 2007, http://
www.techlawjournal.com/topstories/2007/20071031
.asp.
\13\ Louise Story, The New York Times, ``Consumer Advocates Seek a
`Do-Not-Track' List,'' October 31, 2007, http://www.nytimes.com/2007/
10/31/technology/31cnd-privacy.html?_r=0.
---------------------------------------------------------------------------
Initially, advocates' call for Do Not Track functionality went
nowhere. In July of 2009, researcher Christopher Soghoian and Mozilla
privacy engineer Sid Stamm created a prototype add-on for Firefox,
which reformulated Do Not Track as a persistent HTTP header appended to
all web requests. This would give consumers the option of sending out a
digital signal each time the user visits a website, asking companies to
stop tracking them from site to site. The Do Not Track header was in
many ways an improvement over the original concept, as it did not rely
on tracker self-identification, and did not require a centrally-hosted
list of tracking domains. However, this approach was offered initially
as a proof-of-concept, and was not implemented into the Mozilla Firefox
browser.\14\
---------------------------------------------------------------------------
\14\ Emil Protalinski, The Next Web, ``Everything you need to know
about Do Not Track: Mozilla vs Google & Microsoft,'' November 25, 2012,
http://thenextweb.com/apps/2012/11/25/everything-you-need-to-know-
about-do-not-track-currently-featuring-microsoft-vs-google-and-
mozilla/.
---------------------------------------------------------------------------
In July 2010, then-FTC Chairman Jon Leibowitz testifying before
this Committee effectively resurrected the idea of Do Not Track, and
called upon browser makers and ad networks to work together to
implement this technology.\15\ The FTC formally recommended the
development of Do Not Track in its 2010 draft privacy report,
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed
Framework for Businesses and Policymakers.\16\
---------------------------------------------------------------------------
\15\ Jeffrey S. Edelstein and Linda A. Goldstein, Lexology,
``Privacy Update: Senate bill and FTC ``Do-Not-Track list?'' August 12,
2010, http://www.lexology.com/library/detail.aspx?g=5cf00693-fda7-4d91-
a1b1-61a70f795565.
\16\ Federal Trade Commission Report: Protecting Consumer Privacy
in an Era of Rapid Change: A Proposed Framework For Businesses and
Policymakers, December 2010, http://www.ftc.gov/os/2010/12/
101201privacyreport.pdf. This call was repeated in the final version of
the report issued 16 months later. Federal Trade Commission Report:
Protecting Consumer Privacy in an Era of Rapid Change: Recommendations
For Businesses and Policymakers, March 2012, http://www.ftc.gov/opa/
2012/03/privacyframework.shtm.
---------------------------------------------------------------------------
In response to Chairman Leibowitz's call, browser makers moved
surprisingly quickly to offer Do Not Track features. One week after the
draft report was released, Microsoft announced that Internet Explorer 9
would include Tracking Protection Lists, which give consumers the
option to block communications to all third-party domains listed on a
specific blacklist.\17\ This approach mirrored the advocates' original
2007 conception of Do Not Track, which was predicated on blocking
tracking domains. However, rather than rely on a centralized list of
trackers, Microsoft encouraged others to create and publish their own
list of trackers for users to download.
---------------------------------------------------------------------------
\17\ Josh Lowensohn, CNET, ``Internet Explorer 9 to get tracking
protection,'' December 7, 2010, http://news.cnet.com/8301-10805_3-
20024864-75.html.
---------------------------------------------------------------------------
The next month, Mozilla announced it would implement the header
approach to Do Not Track in its Firefox web browser, allowing users to
send out a persistent header to all websites indicated a preference not
to be tracked. Quickly, popular support within the privacy community
coalesced around the notion that the header approach was the most
viable way to implement Do Not Track, and within several months, all
the major browsers offered users a means to append Do Not Track headers
to all web requests.\18\
---------------------------------------------------------------------------
\18\ Crowd Science, ``A Brief History of Do Not Track (DNT),''
August 2012, http://www
.crowdscience.com/2012/08/a-brief-history-of-do-not-track-dnt/
#!prettyPhoto.
---------------------------------------------------------------------------
Perhaps most significantly, in February of 2012, at a White House
event to announce President Obama's proposed comprehensive privacy
protection framework, the DAA announced that it would begin work to
allow users to opt out of behavioral advertising using browser based
headers. At the time, the DAA stated that it would enforce its self-
regulatory choice principles when a user had been provided information
about ``the effect of exercising such a choice,'' and when the user had
affirmatively chosen to exercise her choice using the browser based
header.\19\ The DAA stated in February of 2012, ``The DAA is committed
to making such choices work for all consumers. . . . The DAA expects
that such functionality will be implemented within nine months.'' \20\
---------------------------------------------------------------------------
\19\ Digital Advertising Alliance, DAA Position on Browser Based
Choice Mechanism, http://www.aboutads.info/resource/download/
DAA_Commitment.pdf.
\20\ Id.
---------------------------------------------------------------------------
Status of Do Not Track Today
However, despite industry's commitment from 14 months ago, today,
only a handful of third-party companies acknowledge and respond to Do
Not Track headers in any way.\21\
---------------------------------------------------------------------------
\21\ Do Not Track, http://donottrack.us/implementations; Yahoo!
Policy Blog, Shane Wiley, Yahoo! Launches Global Support for Do Not
Track, March 29, 2012, http://www.ypolicyblog.com
/policyblog/2012/03/29/yahoo-launches-global-support-for-do-not-track/.
However, the ways in which these companies honor Do Not Track is not
standardized and varies considerably. Moreover, not all Do Not Track
headers are acknowledged: industry trade associations have excused
members from adhering to Do Not Track instructions from Microsoft
Internet Explorer 10 due to disagreement over whether those
implementations reflect user choice. Katy Bachman, ``Take That,
Microsoft: Digital Ad Community's Final Word on Default Do Not Track,''
Ad Week, October 9, 2012, http://www.adweek.com/news/technology/take-
microsoft-digital-ad-communitys-fin
al-word-default-do-not-track-144322.
---------------------------------------------------------------------------
For some time, the delay in implementation was perhaps justified by
a lack of agreement on what exactly the Do Not Track signal should
mean. Much of this debate has taken place within the Tracking
Protection Working Group of the World Wide Web Consortium (W3C). W3C is
a voluntary web standards setting body made up of industry members,
privacy advocates, and academic experts; historically they have
promulgated standards for the Web on a wide range of matters, such as
Web Design and Applications, Web Architecture, and the Semantic
Web.\22\ The Tracking Protection Working Group was established
originally in response to Microsoft's request to standardize Tracking
Protection Lists, but was subsequently chartered to form a standard for
a universal Do Not Track request tool.\23\
---------------------------------------------------------------------------
\22\ W3C, Standards, http://www.w3.org/standards.
\23\ W3C, Tracking Protection Working Group, http://www.w3.org/
2011/tracking-protection/.
---------------------------------------------------------------------------
However, this delay has become less defensible over time as the
Tracking Protection Working Group has failed to come to consensus on a
number of key issues. For well over a year now, the group has
effectively stalled on how to address:
Cookies: Privacy advocates have argued that parties honoring
Do Not Track should be prohibited from using cookies or other
unique identifiers, which would allow those companies to more
easily recognize users across websites. In response, industry
has argued that cookies should be available for limited
purposes (such as fraud prevention or ad frequency capping).
This has been a point of contention within the group from the
beginning, and indeed back to the original call for Do Not
Track in 2007.\24\
---------------------------------------------------------------------------
\24\ W3C Tracking Protection Working Group, Tracking Compliance and
Scope, No Persistent Identifers, http://www.w3.org/2011/tracking-
protection/drafts/tracking-compliance.html#no-persistent-identifiers;
CDT, ``Consumer Rights and Protections in the Behavioral Advertising
Sector,'' October 31, 2007, https://www.cdt.org/privacy/
20071031consumerprotectionsbehavioral
.pdf.
Market research and product improvement: Apart from the
question of what data can be collected despite a Do Not Track
signals is the question of why data may be collected and
retained despite a Do Not Track signal. All parties within the
working group are generally in agreement that some data may be
collected for basic operational purposes, such as ad delivery,
security, frequency capping, and accounting. However, some
working group participants have sought to allow the collection
and use of data for broader purposes such as market research
and product improvement. These purposes are certainly
legitimate and societally worthwhile, but not necessarily
essential to any particular website's functioning, and purposes
for which a Do Not Track user might not necessarily expect her
browsing history to be monitored and retained by third parties
with which she has no relationship. Though the working group is
agreed that research data could not be used to alter any
individual's experience and will ultimately be used in the
aggregate, it would be collected and retained on an
individualized basis for a potentially extensive period of time
(up to 53 weeks per one recent proposal, and longer in others).
At one point, the working group had decided to exclude these
purposes as a permitted use under the standard, but the idea
has recently been reintroduced.\25\
---------------------------------------------------------------------------
\25\ W3C, Tracking Protection Working Group, Tracking Compliance
and Scope, Audience Measurement, http://www.w3.org/2011/tracking-
protection/drafts/tracking-compliance.html#audien
ce-measurement.
Deidentification: All parties are in agreement that if data
has been ``deidentified,'' then it falls outside the scope of
Do Not Track. That is, if a set of data has been stripped of
identifiers and cannot be attributed to a person or device, Do
Not Track should not apply to the data, and the company may use
it as it pleases. However, there is debate over how robust
deidentification must be. Advocates have argued for a test that
largely mirrors the FTC's own test for deidentification: (1)
you must have a reasonable belief that data could not be tied
back to an individual or device, (2) you must promise not to
try to reidentify the data, and (3) anyone you transfer the
data to must also promise not to reidentify it. Some working
group members have pushed back against this model, arguing that
companies should be allowed to retain the technical ability to
reidentify data so long as there are institutional controls in
place to prevent reidentification. Under that approach,
companies could continue to collect behavioral data for
research and modeling purposes so long as the company had
procedures in place to prohibit anyone within the company from
singling out a particular user or device.\26\
---------------------------------------------------------------------------
\26\ W3C, Tracking Protection Working Group, Tracking Compliance
and Scope, Unlinkability, http://www.w3.org/2011/tracking-protection/
drafts/tracking-compliance.html#def-unlinkable.
Browser presentation of Do Not Track options and
consequences for non-compliant browsers: The working group is
generally agreed that a Do Not Track signal should represent
the will of the user--browsers shouldn't send a Do Not Track
signal without the user's understanding and consent. However,
there is an open question over who should be able to evaluate
the validity of a browser's presentation of Do Not Track
choices to users. Some working group participants have argued
that third parties should be able to reject Do Not Track
signals from browsers that they believe do not adequately
obtain consent to turn on Do Not Track from users. Other
working group members have argued that third parties claiming
compliance with Do Not Track should be required to honor
syntactically correct signals and not second-guess a user's
state of mind.\27\
---------------------------------------------------------------------------
\27\ W3C, Tracking Protection Working Group, Tracking Compliance
and Scope, User Agent Compliance, http://www.w3.org/2011/tracking-
protection/drafts/tracking-compliance.html#us
er-agent-compliance; W3C, Tracking Compliance Working Group, Tracking
Compliance and Scope, Noncompliant User Agents, http://www.w3.org/2011/
tracking-protection/drafts/tracking-compliance.html#noncompliant-UA.
Data retention: While all parties recognize the need for
some level of data collection and retention by third parties
when Do Not Track is turned on, there is disagreement on how
long companies should be permitted to retain such data. Some
working group members have argued that financial and auditing
requirements dictate that data should (or must) be retained in
individualized form for up to seven years. Other working group
members have stated that such extensive retention is neither
legally or logistically necessary, and that prolonged and
individualized retention of cross-site data would run counter
to a user's reasonable expectations in turning on Do Not
Track.\28\
---------------------------------------------------------------------------
\28\ W3C, Tracking Protection Working Group, Tracking Compliance
and Scope, Financial Logging and Auditing, http://www.w3.org/2011/
tracking-protection/drafts/tracking-compliance
.html#financial-logging.
Obviously, many of these issues are inter-dependent. Data retention
matters more if companies can use unique cookies to log cross-site
behavior. Companies may be more willing to adopt a robust
deidentification standard if they are allowed to collect and retain
data for market research and product improvement. For a bargain to be
struck, these issues will all likely need to decided as part of a
comprehensive package.
However, to date, most industry working group participants have not
been publicly willing to agree to move much beyond the current DAA
principles for users who opt out of behavioral advertising, which
regulators and advocates have criticized as insufficiently robust.\29\
In some ways, industry proposals are even weaker than the rules
currently in effect. For example, the DAA code arguably has a stronger
definition of deidentification than has been proposed as an alternative
within the Tracking Protection Working Group. Indeed, the DAA recently
appears to have backtracked on the very notion that Do Not Track should
even turn off behavioral advertising--the very purpose for which Do Not
Track was originally proposed.\30\
---------------------------------------------------------------------------
\29\ Federal Trade Commission Report: Protecting Consumer Privacy
in an Era of Rapid Change: Recommendations For Businesses and
Policymakers, March 2012, http://www.ftc.gov/opa/2012/03/
privacyframework.shtm.
\30\ E-mail from Rachel Thomas to Tracking Protection Working,
October 4, 2012, http://lists.w3.org/Archives/Public/public-tracking/
2012Oct/0115.html.
---------------------------------------------------------------------------
The Future of Do Not Track and Behavioral Advertising
Industry's failure to honor Do Not Track signals more than two
years after they were first incorporated within Mozilla's Firefox
browser is frustrating and perplexing. Despite disagreements over the
precise contours of Do Not Track, self-regulatory groups could at least
require members to treat Do Not Track as an opt-out under the DAA code,
as Yahoo! and some other companies do today.\31\ Nor has there been any
particular urgency within W3C (or elsewhere) to define a different
standard for the treatment of Do Not Track users. Although trade
association representatives have increasingly made chicken-little
pronouncements on the effect that Do Not Track will have for the
web,\32\ it is important to remember that they have long supported
industry-wide opt-out rights for consumers online. Do Not Track is
merely an improvement on industry opt-outs that have not proven
sufficiently robust to address user concerns.
---------------------------------------------------------------------------
\31\ Note however that Yahoo! does not honor Do Not Track requests
from Internet Explorer 10, as the company alleges that the user flow
for turning on Do Not Track does not sufficiently ensure that the
signal represents a user's informed choice. Yahoo! Policy Blog, Shane
Wiley, ``In Support of a Personalized Experience,'' October 22, 2012,
http://www.ypolicyblog.com/policyblog/2012/10/26/dnt/.
\32\ Leslie Harris, ``The Bizarre, Belated Assault on Do Not
Track,'' Huffington Post, October 4, 2012, http://
www.huffingtonpost.com/leslie-harris/the-bizarre-belated-
assau_b_1935668.html.
---------------------------------------------------------------------------
Moreover, it is important to note that Safari users have
effectively had Do Not Track turned on by default for several years,
ever since Apple made the decision to prevent third parties from
setting cookies. Apple users can readily attest that apocalyptic
predictions over the effects of Do Not Track have not come true for
them, and that they enjoy the same wide variety of free Web content as
users of other browsers, supported by (non-behaviorally targeted)
advertisements.
Despite the lack of progress, CDT remains hopeful that ultimately
the working group can agree on a strong Do Not Track standard that
allows for some basic operational collection and retention of user data
but limits behavioral retention and use to whatever is strictly
necessary for the web to function. CDT originally proposed such a
compromise approach in January 2011 just after the FTC formally called
for the adoption of Do Not Track.\33\ In April of 2012, we presented a
similar compromise suggestion to the Tracking Protection Working Group
at a face-to-face meeting in Washington, DC. Under our proposal, third
parties would be allowed to use unique identifiers for narrow
operational purposes, but not secondary purposes such as market
research. We support the robust deidentification standard as
articulated by the FTC, but could be willing to allow third parties to
reject certain Do Not Track signals--so long as the rejection is
immediately signaled to the browser. However, to date, these proposals
and other efforts to break the logjam have not gained significant
traction.
---------------------------------------------------------------------------
\33\ CDT, ``CDT Releases Draft Definition of `Do Not Track,' ''
January 31, 2011, https://www.cdt.org/blogs/erica-newland/cdt-releases-
draft-definition-``do-not-track''. CDT subsequently released a slightly
revised version of this definition in April 2012, CDT, ``What Does `Do
Not Track' Mean? A Scoping Proposal from the Center for Democracy &
Technology, April 27, 2011 https://www.cdt.org/files/pdfs/
20110447_DNT_v2.pdf.
---------------------------------------------------------------------------
One important development since Chairman Leibowitz called for Do
Not Track in 2010 has been a stronger commitment to user privacy on the
part of the browser makers. For years, browser vendors seemed more
intent of preserving the business models of behavioral advertising than
in satisfying the demands of their users. However, with increased focus
on privacy issues by the press and by regulators, browser makers have
listened to the demands of their clients--that is, their users--and
have increasingly taken steps to protect users' privacy. As noted
previously, all the major browser makers have implemented means for
users to turn on Do Not Track and send Do Not Track headers to all
websites. In June of last year, Microsoft announced that it would
include Do Not Track options during the install flow for Windows 8 and
Internet Explorer 10--with the recommended setting set to Do Not Track
being on.\34\ In February, Mozilla announced that it would join Apple
in preventing third parties from setting cookies in its browser.\35\
---------------------------------------------------------------------------
\34\ Ed Bott, ``Microsoft sticks to default Do Not Track settings
in IE 10,'' ZDNet, August 7, 2012, http://www.zdnet.com/microsoft-
sticks-to-default-do-not-track-settings-in-ie-10-700000228
9/.
\35\ Justin Brookman, CDT blog, ``Mozilla Says Enough is Enough,''
February 26, 2013, https://www.cdt.org/blogs/justin-brookman/
2602mozilla-says-enough-enough.
---------------------------------------------------------------------------
That browser makers are increasingly competing on privacy and
responding to user's sentiments on behavioral advertising \36\ is a
welcome and important development. For years, privacy advocates have
worried that in an arms race between users and ad networks, users, who
by and large lack the sophistication and technical skills of the ad
networks, were destined to lose. However, with the browsers
increasingly acting in accordance with the desires of their user base,
that result is no longer a foregone conclusion. Do Not Track was
originally offered as a reasonable middle ground to avert an arms
race--where ad networks could collect basic operational information and
still serve (non-targeted) advertisements.\37\ If trade associations
continue to stick their heads in the sand and ignore consumer sentiment
about their practices (instead of establishing a value proposition to
users about behavioral advertising's benefits), moves like Mozilla's
and Apple's to frustrate cross-site tracking will become the norm, and
an inability to set cookies may be the least of their concerns.
---------------------------------------------------------------------------
\36\ Joseph Turow et al., ``Americans Reject Tailored Advertising
and Three Activities that Enable It,'' September 29, 2009, http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1478214; Wendy Davis,
``Zogby Poll: Web Users Troubled by Behavioral Advertising,''
MediaPost, June 8, 2010, http://www.mediapost.com/publications/article/
129753/#axzz2REncGaSy.
\37\ Leslie Harris, ``The Bizarre, Belated Assault on Do Not
Track,'' Huffington Post, October 4, 2012, http://
www.huffingtonpost.com/leslie-harris/the-bizarre-belated-
assau_b_1935668.html.
---------------------------------------------------------------------------
Ultimately, the tortured Do Not Track saga is a stark demonstration
of why consumers fundamentally need comprehensive privacy law. Unlike
many areas of privacy, behavioral advertising has been under
considerable regulatory and press scrutiny for over fifteen years (and
intense scrutiny for at least the last five), and still despite all
that effort and attention, practices have not meaningfully corrected
and aligned with consumer expectations. In order to ensure that
adequate consumer protections are in place for behavioral advertising--
as well as considerably less examined industries with as least as
extensive privacy implications--consumers deserve a strong but flexible
horizontal privacy law governing all collection, use, and retention of
personal information based on the Fair Information Practice Principles.
Finally, the ever-increasing stores of commercial databases of
personal information about each and every one of us provides a
compelling reason to revisit law enforcement privacy rules as well. For
this reason, CDT has convened the Digital Due Process coalition to
advocate for the reform of the Electronic Communications Privacy Act,
to ensure that these databases are only accessed by the government
under the due process of law.\38\ Absent meaningful protections on
potential government abuse, consumers have all the more reason to
distrust commercial data collection and retention practices.
---------------------------------------------------------------------------
\38\ Digital Due Process, http://digitaldueprocess.org/
index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163.
---------------------------------------------------------------------------
Conclusion
CDT would like to thank Senator Rockefeller and the Committee again
for holding this important hearing on an issue that Americans are
increasingly concerned about. We believe that Congress has a critical
role to play in ensuring the privacy of consumers, through rigorous
oversight of industry practices, and through the long overdue enactment
of reasonable privacy legislation. CDT looks forward to working with
the Members of the Committee as they pursue this and other privacy
issues further.
The Chairman. Thank you, sir.
And then, finally, Mr. Adam Thierer, who is Senior Research
Fellow at George Mason University.
STATEMENT OF ADAM THIERER, SENIOR RESEARCH FELLOW, MERCATUS
CENTER, GEORGE MASON UNIVERSITY
Mr. Thierer. Thank you, Mr. Chairman and members of the
Committee, for inviting me here today to comment on the
important issues of online privacy policy and data collection.
My name is Adam Thierer, and I am a Senior Research Fellow
at the Mercatus Center at George Mason University, where I
study Internet policy issues in the Mercatus Center's
Technology Policy Program.
My message here today, which is condensed from two recent
Law Review articles on these issues, boils down to three key
points. First, no matter how well intentioned, restrictions on
data collection could negatively impact the competitiveness of
America's digital economy, as well as consumer choice.
Second, it is unwise to place too much faith in any one
single silver bullet solution to online privacy, including Do-
Not-Track, because such schemes are often easily evaded or
defeated or fail to live up to their billing.
Finally, with those two points in mind, we should look to
alternative and had less costly approaches to protecting
privacy that rely on education, empowerment, and targeted
enforcement of existing laws. Serious and lasting long-term
privacy protection requires a layered, multifaceted approach
incorporating many solutions.
Let us begin by being more specific about those costs
associated with restrictions on data collection because they
are important. Online advertising and data collection are the
fuel that powers our information economy. Privacy-related
mandates that curtail the use of data to better target adds or
services could have several deleterious effects.
First, data restrictions could raise direct cost to
consumers if walled gardens and pay walls are erected in
response. As Senator Heller has already pointed out, something
has to pay for all the wonderful free sites and services we
enjoy today, and that is advertising and data.
Second, data restrictions could indirectly cost consumers
by diminishing the abundance of content and culture now
supported by data collection and advertising. In other words,
even if prices and pay walls don't go up, overall quality or
quantity could suffer if data collection is restricted.
Third, as Senator McCaskill and Senator Thune have already
pointed out, data restrictions could hurt the competitiveness
of domestic markets. While regulation raises the cost of doing
business for all players in our economy, those costs will
ultimately fall hardest on the small competitors or new start-
ups.
For example, today's app economy has given countless small
innovators a chance to compete on even footing with the biggest
players. Burdensome data collection restrictions could short-
circuit the engine that drives that sort of entrepreneurial
innovation among mom-and-pop companies.
Fourth, data restrictions could undermine America's global
competitive advantage in this space. We should ask ourselves
how it is that America's Internet sector came to be the envy of
the world and why it is so hard to name any major Internet
company from Europe. Our more flexible, light-touch regulatory
regime leaves more breathing room for competition and
innovation compared to Europe's top-down approach.
Generally speaking, when it comes to privacy protection,
therefore, we should avoid placing excessive faith in schemes
like Do-Not-Track because they ultimately could fail, just as
previous techno fixes failed to keep pace with fast-moving
developments in this space.
Even if Do-Not-Track takes root and some consumers do turn
it on, many will be incentivized by ad networks and publishers
to opt right back out into tracking to retain access to the
sites and services they desire. In doing so, they may actually
end up sharing even more information than they do today.
Moreover, that may drive still greater consolidation since
larger players will be in a position to grant Internet-wide
permissions or exceptions while smaller providers cannot.
In light of these trade-offs, we should subject new data
restrictions to strict benefit/cost analysis to ensure we are
not imposing unnecessary burdens on our data-driven economy. We
should simultaneously consider how we might better spend our
time and resources developing a richer mosaic of privacy-
enhancing tools and educational strategies.
Luckily, an extensive array of tools and strategies exist
today to help privacy, and that is made clear by an article
that appeared just this morning on Lifehacker.com entitled,
``The Best Browser Extensions That Protect Your Privacy,''
which ended with the following line. ``You have some solid
options. The tools are at your fingertips. It has never been
easier to take the reins for yourself and make the Web an opt-
in experience instead of an opt-out one.''
Meanwhile, Web browsers continue to provide--or experiment
with different privacy defaults, and while the W3C continues to
pursue a single Do-Not-Track standard, innovators in the
marketplace have already made private Do-Not-Track tools a
reality. It is worth noting that almost all of these tools are
available free of charge to consumers. So no barrier to
widespread adoption exists.
As is the case with online safety concerns, citizens have
access to many tools and methods to let them protect their
privacy as they see fit, and evidence suggests they are already
doing so.
Finally, where serious harms are documented, the FTC
already possesses broad enforcement authority to police unfair
and deceptive practices and has recently been using it more
aggressively. Moreover, State law and class action lawsuits
exist as a backstop and are often used aggressively following
data breaches or privacy violations.
In closing, if we want America's digital economy to remain
open, innovative, and vibrantly competitive, then this sort of
flexible bottom-up approach to privacy protection is the
constructive path forward.
If our fear is that consumers lack enough information to
make informed choices about their privacy, then let us work
harder to educate them while pushing for greater transparency
about online data collection practices.
Finally, we should remember that not everyone shares the
same privacy sensitivities and that citizens also care about
other values, such as cost, convenience, and choice. Moreover,
we must take into account the very strong likelihood that
citizens will adjust their privacy expectations in response to
ongoing technological developments, just as they have many
times before.
I thank the Committee for inviting me here today, and I
would be happy to take questions.
[The prepared statement of Mr. Thierer follows:]
Prepared Statement of Adam D. Thierer, Senior Research Fellow,
Mercatus Center, George Mason University
Mr. Chairman and members of the Committee, thank you for inviting
me here today to comment on the important issues of online privacy
policy and commercial data collection. My name is Adam Thierer and I am
a senior research fellow at the Mercatus Center at George Mason
University, where I study Internet policy issues in the Mercatus
Center's Technology Policy Program.
My message here today, condensed from two recent law review
articles,\1\ boils down to three points:
---------------------------------------------------------------------------
\1\ Adam Thierer, The Pursuit of Privacy in a World Where
Information Control Is Failing, 36 Harv. J. L. & Pub. Pol. 409 (2013),
papers.ssrn.com/sol3/papers.cfm?abstract_id=2234680; Adam Thierer, A
Framework for Benefit-Cost Analysis in Digital Privacy Debates, 20 Geo.
Mason Univ. L. Rev., (forthcoming, Summer 2013).
1. First, no matter how well-intentioned, restrictions on data
collection could negatively impact the competitiveness of
---------------------------------------------------------------------------
America's digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single,
silver-bullet solution to privacy, including ``Do Not Track,''
because such schemes are easily evaded or defeated and often
fail to live up to their billing.
3. Finally, with those two points in mind, we should look to
alternative and less costly approaches to protecting privacy
that rely on education, empowerment, and targeted enforcement
of existing laws. Serious and lasting long-term privacy
protection requires a layered, multifaceted approach
incorporating many solutions.
Trade-offs Associated with Restrictions on Data Collection
Let's be more specific about the potential costs of restrictions on
data collection. Online advertising and data collection are the fuel
that powers our information economy. Privacy-related mandates that
curtail the use of data to better target ads or services could have
several deleterious effects.\2\
---------------------------------------------------------------------------
\2\ See generally Adam Thierer & Berin Szoka, The Hidden
Benefactor: How Advertising Informs, Educates & Benefits Consumers,
Progress & Freedom Foundation, Progress Snapshot, Feb. 2010; Berin
Szoka & Adam Thierer, Online Advertising & User Privacy: Principles to
Guide the Debate, Progress & Freedom Foundation, Progress Snapshot,
Sept. 2008.
---------------------------------------------------------------------------
First, data restrictions could raise direct costs for consumers if
walled gardens and paywalls are erected in response. Something has to
pay for all the wonderful free sites and services we enjoy today.
Second, data restrictions could indirectly cost consumers by
diminishing the abundance of content and culture now supported by data
collection and advertising. In other words, even if prices and paywalls
don't go up, overall quantity or quality could suffer if data
collection is restricted.\3\
---------------------------------------------------------------------------
\3\ A 2010 study by Howard Beales, the former Director of the
Bureau of Consumer Protection at the FTC, found that ``the price of
behaviorally targeted advertising in 2009 was 2.68 times the price of
run of network advertising.'' That increased return on investment is
important, Beales notes, because it creates ``greater utility for
consumers from more relevant advertisements and clear appeal for
advertisers from increased ad conversion.'' Beales also noted that, ``a
majority of network advertising revenue is spent acquiring inventory
from publishers, making behavioral targeting an important source of
revenue for online content and services providers as well as third
party ad networks.'' Howard Beales, Network Advertising Initiative, The
Value of Behavioral Targeting, at 1 (March 2010),
www.networkadvertising.org/pdfs/Beales_NAI
_Study.pdf.
---------------------------------------------------------------------------
Third, data restrictions could hurt the competitiveness of domestic
markets. While regulation raises the costs of doing business for all
online operators, those costs will fall hardest on smaller operators
and new start-ups.\4\ For example, today's ``app economy'' has given
countless small innovators a chance to compete on even footing with the
biggest players.\5\ Burdensome data collection restrictions could
short-circuit the engine that drives entrepreneurial innovation among
mom-and-pop companies if ad dollars get consolidated in the hands of
only the larger companies that can afford to comply with new rules.\6\
---------------------------------------------------------------------------
\4\ ``In a setting where first-party advertising is allowable but
third-party marketing is not, substantial advantages may be created for
large incumbent firms,'' argue Professors Avi Goldfarb and Catherine
Tucker. ``For example, if a large website or online service were able
to use its data to market and target advertising, it will be able to
continue to improve and hone its advertising, while new entrants will
find it difficult to challenge the incumbent's predominance by
compiling other data or collecting their own data.'' Avi Goldfarb &
Catherine Tucker, Comments on `Information Privacy and Innovation in
the Internet Economy,' Comments to the U.S. Department of Commerce,
Jan. 24, 2011, at 4, http://www.ntia.doc.gov/comments/101214614-0614-
01/attachments/NTIA_comments_2011_01_24.pdf.
\5\ ``The App Economy now is responsible for roughly 466,000 jobs
in the United States, up from zero in 2007 when the iPhone was
introduced.'' Michael Mandel, Where the Jobs Are: The App Economy,
(TechNet, Feb. 7, 2012) http://www.technet.org/wp-content/uploads/2012/
02/TechNet-App-Economy-Jobs-Study.pdf.
\6\ Apple's Safari browser already blocks third-party cookies and
now Mozilla's Firefox browser will as well. This has led to concerns
about how market structure and competition will be impacted. See: Tim
Peterson, The Demise of Third-Party Cookies Could Help Premium
Publishers, AdWeek, Apr. 15, 2013, http://www.adweek.com/news/
technology/demise-third-party-cookies-could-help-premium-publishers-
148573: ``First Safari and now Firefox are blocking third-party
companies from dropping cookies on publishers' sites to protect users'
privacy. Those moves hurt revenues of the smaller publishers that
depend on third parties to sell ads. But, paradoxically, the winners
could be premium publishers and large media companies, especially
Facebook and Google, who will be able to prop up their proprietary
audience data as the ideal alternative. Big traditional publishers
whose ad revenue has shrunk as readers and advertisers shift online
could recoup their losses by parlaying their first-party audience data
into even higher ad rates''; Adam Lehman, Don't Fear the Cookie
Backlash, Digiday, Apr. 17, 2013, http://www.digi
day.com/platforms/dont-fear-the-cookie-backlash: ``Several people have
already pointed out that the Mozilla [third-party cookie restriction]
change will create even greater advantages for the largest players in
digital media.''
---------------------------------------------------------------------------
Fourth, data restrictions could undermine America's global
competitive advantage in this space. We should ask ourselves how it is
that America's Internet sector came to be the envy of the world and why
it is so hard to name any major Internet company from Europe.\7\ Our
more flexible, light-touch regulatory regime leaves more room for
competition and innovation compared to Europe's top-down regime.\8\
---------------------------------------------------------------------------
\7\ Goldfarb and Tucker have also found that ``after the [European
Union's] Privacy Directive was passed [in 2002], advertising
effectiveness decreased on average by around 65 percent in Europe
relative to the rest of the world.'' They argue that because regulation
decreases ad effectiveness, ``this may change the number and types of
businesses sustained by the advertising-supporting Internet.'' The
European Union's experience makes it clear that regulation of online
advertising and data collection can affect market structure,
competitive rivalry, and the global competitiveness of online firms.
This could also have antitrust implications that the FTC or other
agencies would need to take into account when considering new privacy
rules. Goldfarb & Tucker, Comments on `Information Privacy,' 4.
\8\ Adam Thierer, A Better, Simpler Narrative for U.S. Privacy
Policy, Technology Liberation Front, Mar. 19, 2013, http://
techliberation.com/2013/03/19/a-better-simpler-narrative-for-u-s-
privacy-policy.
---------------------------------------------------------------------------
Unintended Consequences of Do Not Track
Generally speaking, when it comes to privacy protection, we should
avoid placing excessive faith in schemes like Do Not Track because they
could fail, just as previous techno-fixes failed to keep pace with
fast-moving developments in this space.
[See Appendix I: ``Techno-`Silver-Bullet' Solutions Don't Work--
Some Case Studies.'']
Even if Do Not Track takes root and some consumers turn it on, many
will be incentivized by ad networks or publishers to opt right back in
to ``tracking'' to retain access to sites and services they desire.\9\
In doing so, they may end up sharing even more information than they do
today.\10\ Moreover, this may drive still greater consolidation since
larger players will be in a position to grant Internet-wide opt-in
exceptions, while smaller providers cannot.\11\
---------------------------------------------------------------------------
\9\ Berin Szoka, The Paradox of Privacy Empowerment: The Unintended
Consequences of ``Do Not Track,'' Position paper for W3C Workshop: Do
Not Track and Beyond Berkeley, California, (Nov. 26-27, 2012), http://
www.w3.org/2012/dnt-ws/position-papers/5.pdf.
\10\ See Nicklas Lundblad & Betsy Masiello, Opt-in Dystopias, 7:1
SCRIPTed 155, (2010), http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/
lundblad.asp, noting that as a result of a push for stronger-opt-in
regimes, ``service providers may attempt to maximise data collection in
every instance that they are forced to use an opt-in framework; once a
user consents to data collection, why not collect as much as possible?
And the increased transaction costs associated with opt-in will lead
service providers to minimise the number of times they request opt-in
consent. In combination these two behaviours are likely to lead to an
excessive scope for opt-in agreements. In turn, users will face more
complex decisions as they decide whether or not to participate.''
\11\ Szoka, The Paradox of Privacy Empowerment, 3.
---------------------------------------------------------------------------
Constructive Alternatives to Regulation
In light of these trade-offs, we should subject new data
restrictions to strict benefit-cost analysis to ensure that we are not
imposing unnecessary burdens on our data-driven economy.\12\
---------------------------------------------------------------------------
\12\ I have explained how to conduct such an analysis in my
forthcoming article, Adam Thierer, A Framework for Benefit-Cost
Analysis in Digital Privacy Debates, 20 Geo. Mason Univ. L. Rev.,
(forthcoming, Summer 2013).
---------------------------------------------------------------------------
We should simultaneously consider how we might better spend our
time and resources developing a richer mosaic of privacy-enhancing
tools and educational strategies. Luckily, an extensive array of such
tools and strategies already exists.\13\
---------------------------------------------------------------------------
\13\ They include: ad preference managers, ``private browsing''
tools, ad-blocking technologies, cookie-blockers, web script blockers,
encryption and web proxy tools, and reputation protection services.
---------------------------------------------------------------------------
[See Appendix II: ``Digital Self-Help Tools.'']
Web browser providers continue to experiment with different privacy
defaults,\14\ and while the World Wide Web Consortium (W3C) continues
to pursue a single Do Not Track standard, innovators in the marketplace
have already made private Do Not Track tools a reality.\15\
---------------------------------------------------------------------------
\14\ Megan Geuss, Firefox 22 Will Block Third-Party Cookies, Ars
Technica, Feb. 23, 2013, http://arstechnica.com/business/2013/02/
firefox-22-will-block-third-party-cookies; Alexis Santos, Microsoft
Sets `Do Not Track' as Default on IE10, Ruffles Feathers, Engadget,
June 1, 2012, http://www.engadget.com/2012/06/01/do-not-track-is-
default-on-ie10.
\15\ Online privacy company Abine offers a ``Do Not Track Plus,''
which it claims blocks more than 600 trackers. See http://
www.abine.com/dntdetail.php.
---------------------------------------------------------------------------
It is worth noting that almost all of these tools are available
free of charge, and no barrier to widespread adoption exists.\16\ As is
the case with online safety concerns,\17\ citizens have access to many
tools and methods that let them protect their privacy as they see fit,
and evidence suggests they already actively do so.\18\
---------------------------------------------------------------------------
\16\ The only serious objection to this bottom-up, user
empowerment-based approach is that it could inconvenience users by
making it more difficult to use some sites or slow down their browsing
experience in some fashion. But it is no more an inconvenience than it
is to use parental control tools so that your kids won't see or
download objectionable content.
\17\ Adam Thierer, Progress & Freedom Foundation, Parental Controls
& Online Child Protection: A Survey of Tools, Version 4.0, Summer 2009,
http://www.pff.org/parentalcontrols.
\18\ The Pew Research Center's Internet & American Life Project has
note that 88 percent of U.S. adults now own cell phones, and 43 percent
say they download cell phone applications or ``apps'' to their phones.
When surveyed, 54 percent of those app users said they had decided to
not install a cell phone app when they discovered how much personal
information they would need to share in order to use it and 30 percent
of them had uninstalled an app that was already on their cell phone
because they learned it was collecting personal information that they
didn't wish to share. ``Taken together,'' Pew notes, ``57 percent of
all app users have either uninstalled an app over concerns about having
to share their personal information, or declined to install an app in
the first place for similar reasons.'' Jan Lauren Boyles, Aaron Smith,
and Mary Madden, Privacy and Data Management on Mobile Devices, (Pew
Research Center's Internet & American Life Project, Sept. 5, 2012),
http://pewinternet.org/Reports/2012/Mobile-Privacy
.aspx.
---------------------------------------------------------------------------
Alternative Enforcement Approaches
Finally, where serious privacy harms are documented, the Federal
Trade Commission already possesses broad enforcement authority to
police unfair and deceptive practices and has recently been using it
more aggressively.\19\ Targeted Federal statutes already exist to
address sensitive issues related to health,\20\ financial,\21\ and
children's privacy.\22\ Enforcement alternatives are also available
through state courts, including torts,\23\ contract law,\24\ and state
statutes.\25\ Class action lawsuit activity is also remarkably intense
following any major privacy violation or data breach.\26\
---------------------------------------------------------------------------
\19\ In its March 2012 Protecting Consumer Privacy in an Era of
Rapid Change report, the FTC noted that, using its Section 5 authority
and other powers, the agency has carried out many privacy and data
security-related actions just since December 2010. See Fed. Trade
Comm'n , Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers (2012) at ii, http://
ftc.gov/os/2012/03/120326privacyreport.pdf. The FTC brought several
other privacy and data security-related cases using its Section 5
powers after the 2012 report was released. See: FTC Finalizes Privacy
Settlement with Myspace, Fed. Trade Comm'n, (Sept. 11, 2012), http://
www.ftc.gov/opa/2012/09/myspace.shtm; FTC Halts Computer Spying, Fed.
Trade Comm'n, (Sept. 25, 2012), http://www.ftc.gov/opa/2012/09/
designware.shtm; Tracking Software Company Settles FTC Charges That it
Deceived Consumers and Failed to Safeguard Sensitive Data it Collected,
Fed. Trade Comm'n, (Oct. 22, 2012), http://www.ftc.gov/opa/2012/10/
compete.shtm.
\20\ See Health Breach Notification Rule (2009), 16 C.F.R.
Sec. 318.1 (2012).
\21\ See Truth in Lending Act, 15 U.S.C. Sec. Sec. 1601-1667(f)
(2006); Fair Credit Billing Act, 15 U.S.C. Sec. Sec. 1666-1666(j)
(2006); Fair Credit Reporting Act of 1970, 15 U.S.C. Sec. Sec. 1681-
1681(u) (2006).
\22\ See Children's Online Privacy Protection Act (COPPA) of 1998,
15 U.S.C. Sec. 6501 (2006).
\23\ See Jim Harper, The Privacy Torts: How U.S. State Law Quietly
Leads the Way in Privacy Protection (2002), http://www.privacilla.org/
releases/Torts_Report.html.
\24\ See Jim Harper, Understanding Privacy--and the Real Threats to
It, Cato Policy Analysis, Aug. 4 2004, at 3, www.cato.org/
pub_display.php?pub_id=1652: ``Contract law, for example, allows
consumers to enter into enforceable agreements that restrict the
sharing of information involved in or derived from transactions. Thanks
to contract, one person may buy foot powder from another and elicit as
part of the deal an enforceable promise never to tell another soul
about the purchase.''
\25\ State governments and state attorneys general also continue to
advance their own privacy policies, and those enforcement efforts are
often more stringent than Federal law. Christopher Wolf, Targeted
Enforcement and Shared Lawmaking Authority as Catalysts for Data
Protection, at 3 (2010), http://www.justice.gov.il/NR/rdonlyres/
8D438C53-82C8-4F25-99F8-E3039D40E4E
4/26451/Consumer_WOLFDataProtectionandPrivacyCommissioners.pdf: ``At
the state level, legislatures have become the proving grounds for new
statutory approaches to privacy regulation. Some of these developments
include the enactment of data security breach notification laws . . .
as well as highly detailed data security laws, enacted largely in
response to data breaches. This partnership has resulted in a set of
robust standards for the protection of personal data.''
\26\ Peter Fleischer, Privacy-litigation: get ready for an
avalanche in Europe, Peter Fleischer: Privacy? (Oct. 26, 2012), http://
peterfleischer.blogspot.com/2012/10/privacy-litigation-get-ready
-for.html?m=1: ``Within hours of any newspaper headline (accurate or
not) alleging any sort of privacy mistake, a race begins among privacy
class action lawyers to find a plaintiff and file a class action. Most
of these class actions are soon dismissed, or settled as nuisance
suits, because most of them fail to be able to demonstrate any `harm'
from the alleged privacy breach. But a small percentage of privacy
class actions do result in large transfers of money, first and foremost
to the class action lawyers themselves, which is enough to keep the
wheels of the litigation-machine turning.''
---------------------------------------------------------------------------
Conclusion
In closing, if we want America's digital economy to remain open,
innovative, and vibrantly competitive, then this flexible, bottom-up
approach to privacy protection is the constructive path forward.
If our fear is that consumers lack enough information to make smart
privacy choices, then let's work harder to educate them while pushing
for greater transparency about online data collection practices.
Finally, we should remember that not everyone shares the same
privacy sensitivities and that citizens also care about other values,
such as cost, convenience, and choice.
Moreover, we must also take into account the strong likelihood that
citizens will adjust their privacy expectations in response to ongoing
technological change, just as they have many times before.\27\
---------------------------------------------------------------------------
\27\ See Adam Thierer, Technopanics, Threat Inflation, and the
Danger of an Information Technology Precautionary Principle, 14 Minn.
J. L. Sci. & Tech. 309, 364-73, (2013).
---------------------------------------------------------------------------
[See Appendix III: ``Societal Adaptation, Evolving Cultural Norms &
Privacy.'']
I thank you again for inviting me here today and I would be happy
to take any questions.
Appendix I: Techno-``Silver-Bullet'' Solutions Don't Work--Some Case
Studies
Seeking a simple solution to a complex problem such as online
privacy protection is quixotic. In this sense, the Do Not Track falls
into a long line of proposed silver-bullet or ``universal'' solutions
to complicated technological problems. When it comes to such
information control efforts, there are not many good examples of simple
fixes or silver-bullet solutions that have been effective, at least not
for very long.
Online Pornography: Consider the elusive search for a
universal solution to controlling access to online pornography.
The experience of the W3C's Platform for Internet Content
Selection (PICS) \28\ and the Internet Content Rating
Association (ICRA) \29\ is instructive in this regard. Around
the turn of the century, there was hope that voluntary metadata
tagging and content labeling could be used to screen
objectionable content on the Internet,\30\ but the sheer volume
of material to be dealt with made that task almost
impossible.\31\ The effort was eventually abandoned.\32\ Of
course, the effort did not have a government mandate behind it
to encourage more widespread adoption, but even if it had, it
is hard to believe that all pornography or other objectionable
content would have properly been labeled and screened.
---------------------------------------------------------------------------
\28\ PICS Frequently Asked Questions (FAQ), World Wide Web
Consortium, http://www
.w3.org/2000/03/PICS-FAQ, (last visited Jan. 30, 2013).
\29\ About ICRA, Family online Safety Inst., http://www.fosi.org/
icra, (last visited Jan. 30, 2013).
\30\ See, e.g., Joris Evers, Net labels mean choice, not
censorship, PC Advisor, Oct. 23, 2001, http://www.pcadvisor.co.uk/news/
desktop-pc/1646/net-labels-mean-choice-not-censorship/.
\31\ See Phil Archer, ICRAfail: A Lesson for the Future 9 (2009),
philarcher.org/icra/ICRAfail.pdf: ``The problem with a safety system
that has a label at one end and a filter at the other is that
unlabelled sites can only be treated as a single group, i.e., you
either block them all or allow them all. Since the number of labelled
sites was very small, blocking all unlabelled sites would effectively
shut off most of the Web.''
\32\ Family online Safety Inst., http://www.icra.org, (last visited
Nov. 30, 2012).
Spam: In a similar way, the CAN-SPAM Act \33\ aimed to
curtail the flow of unsolicited e-mail across digital systems,
yet failed to do so. Private filtering efforts have helped stem
the flow to some extent, but have not eliminated the problem
altogether. Royal Pingdom estimates that in 2010, 89.1 percent
of all e-mails were spam.\34\ ``Spam pages'' are also a growing
concern.\35\ In January 2011, Blekko, a new search engine
provider, created a ``Spam Clock'' to track new spam pages and
found one million new spam pages were being created every
hour.\36\
---------------------------------------------------------------------------
\33\ Controlling the Assault of Non-Solicited Pornography and
Marketing (CAN-SPAM) Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699
(codified at various sections of 15 and 18 U.S.C.).
\34\ Internet 2010 in Numbers, Royal Pingdom, Jan. 12, 2011, http:/
/royal.pingdom.com/2011/01/12/internet-2010-in-numbers.
\35\ Spam pages are ``useless pages that contain only a nugget of
relevancy to your query and are slathered in ads.'' Caleb Johnson, Spam
Clock Claims 1 Million Spam Pages are Created Every Hour, Jan. 10,
2011, Switched.com, http://switched.com/2011/01/10/blekko-spam-clock-1-
million-pages-an-hour.
\36\ SpamClock, http://www.spamclock.com, (last visited Jan. 30,
2013); see also Danny Sullivan, Blekko Launches Spam Clock To Keep
Pressure On Google, Search Engine Land.com, Jan. 7, 2011, http://
searchengineland.com/blekko-launches-spam-clock-to-keep-pressure-on-goo
gle-60634.
Privacy: Technical silver-bullet solutions have also been
tried on the privacy front before Do Not Track. The Platform
for Privacy Preferences (P3P) is an earlier W3C project that
began in the 1990s and attempted to make the use of privacy
policies easier for consumers to understand. It sought to do so
by encoding those privacy policies in a standard machine-
readable format. The hope was that this would allow sites ``to
express their privacy practices in a standard format that can
be retrieved automatically and interpreted easily'' by users
and then allow users ``to automate decision-making based on
these practices when appropriate. Thus users need not read the
privacy policies at every site they visit.'' \37\ In theory,
``such a privacy disclosure format could also allow the FTC to
automate enforcement of its existing authority to punish unfair
or deceptive trade practices.'' \38\ Unfortunately, the P3P
project has not been successful. Even though the process got
underway in the mid-1990s and the W3C had a formal process in
place to guide its development by 1997, the project was
suspended in 2007.\39\ A 2009 survey of privacy technologies by
analysts at the UC Berkeley School of Information found that
``to date, the adoption rate of P3P has been fairly low. Our
analysis of the top 100 websites for this project revealed that
only 27 of them provided a P3P policy, and only a subset of
those were valid according to the P3P standard.'' \40\
---------------------------------------------------------------------------
\37\ W3C, Platform for Privacy Preferences (P3P) Project, http://
www.w3.org/P3P (last accessed Apr. 21, 2013).
\38\ Adam Thierer & Berin Szoka, The Progress & Freedom Foundation,
Chairman Leibowitz's Disconnect on Privacy Regulation & the Future of
News at 7, (Jan. 2013), http://papers
.ssrn.com/sol3/papers.cfm?abstract_id=1619470.
\39\ Lorrie Faith Cranor, Necessary But Not Sufficient:
Standardized Mechanisms for Privacy Notice and Choice, 10 J. on
Telecomm. & High Tech. L. 273, 279-82 (2012).
\40\ Joshua Gomez, Travis Pinnick & Ashkan Soltani, UC Berkeley,
School of Information, Know Privacy, at 12 (June 1, 2009).
Similar problems likely await the Do Not Track mechanism.\41\ Also,
Do Not Track ``does not address mobile or app data, nor any data
created outside a traditional web browser,'' notes Michael Fertik, CEO
of Reputation.com.\42\ ``At the same time, the growth in technology and
understanding can render current solutions inadequate. A privacy rule
to limit behavioral advertising today might not work in the future when
more data is available and there are more powerful algorithms to
process it,'' he says.\43\ ``There is no reliable way of ensuring this
technology is being used,'' adds Sidney Hill of Tech News World. \44\
``Ensuring compliance with antitracking rules will become even more
difficult as more users turn to mobile devices as their primary means
of connecting to the Web.'' \45\
---------------------------------------------------------------------------
\41\ Steve DelBianco & Braden Cox, NetChoice Reply Comments on
Department of Commerce Green Paper (Jan. 28, 2011), available at http:/
/www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9, (``It's a single response to an overly-
simplified set of choices we encounter on the web.'').
\42\ Michael Fertik, Comments of Reputation.com, Inc. to the U.S.
Department of Commerce (Jan. 28, 2011), available at http://
www.reputation.com/blog/2011/01/31/reputation-com-comments-commerce-
department-privacy-green-paper.
\43\ Id.
\44\ Sidney Hill, Internet Tracking May Not Be Worth the Headaches,
Tech News World, Dec. 29, 2010, http://www.technewsworld.com/story/
Internet-Tracking-May-Not-Be-Worth-the-Headaches-71543.html.
\45\ Id.
---------------------------------------------------------------------------
Importantly, Do Not Track would not slow the ``arms race'' in this
arena as some have suggested.\46\ If anything, a Do Not Track mandate
will speed up that arms race and have many other unintended
consequences.\47\ Complex definitional questions also remain
unanswered, such as how to define and then limit ``tracking'' in
various contexts.\48\
---------------------------------------------------------------------------
\46\ See Rainey Reitman, Mozilla Leads the Way on Do Not Track,
Elec. Frontier Fund, Jan. 24, 2011, https://www.eff.org/deeplinks/2011/
01/mozilla-leads-the-way-on-do-not-track: ``the header-based Do Not
Track system appeals because it calls for an armistice in the arms race
of online tracking''; Christopher Soghoian, What the U.S. government
can do to encourage Do Not Track, Slight Paranoia, Jan. 27, 2011,
http://paranoia.dubfire.net/2011/01/what-us-government-can-do-to-
encourage.html: ``opt out mechanisms . . . [could] finally free us from
this cycle of arms races, in which advertising networks innovate around
the latest browser privacy control.''
\47\ ``Too often, well-intentioned efforts to regulate technology
are far worse than the imagined evils they were intended to prevent.''
Hal Abelson et al., Blown to Bits: Your Life, Liberty, and Happiness
After the Digital Explosion 159 (2008).
\48\ Lauren Weinstein, Risks in Mozilla's Proposed Firefox ``Do Not
Track'' Header Thingy, Lauren Weinstein's Blog (Jan. 24, 2010, 12:09
AM), http://lauren.vortex.com/archive/000803.html.
---------------------------------------------------------------------------
In sum, in light of the global, borderless nature of online rapid
data flows, the Do Not Track scheme likely will not be effective.\49\
The regulatory experience with spam, objectionable content, and
copyrighted content suggests serious challenges lie ahead for top-down
regulatory efforts.
---------------------------------------------------------------------------
\49\ ``Many behavioral targeting companies are based outside the
U.S.--making legislation ineffective,'' says Doug Wolfgram, CEO of
IntelliProtect, an online privacy management company. Tony Bradley, Why
Browser `Do Not Track' Features Will Not Work, Computerworld, Feb. 10,
2011, http://news.idg.no/cw/art.cfm?id=ACE91A0E-1A64-6A71-
CE2572C981C0204A; Daniel Castro, Policymakers Should Opt Out of ``Do
Not Track'' 1, 3 (2010), www.itif.org/files/2010-do-not-track.pdf:
``Another problem with Do Not Track is that it does not scale well on
the global Internet. . . . To be effective, the proposal would require
a Federal mandate calling for substantive modifications to networking
protocols, web browsers, software applications and other Internet
devices. Besides raising costs for consumers, it is unclear how
effective such a mandate would be outside of the U.S. borders or how
well the proposal would be received by international standard bodies.''
---------------------------------------------------------------------------
Appendix II: Digital Self-Help Tools/Privacy-Enhancing Technologies
The market for digital ``self-help'' tools and privacy enhancing
technologies (PET) continues to expand rapidly to meet new challenges.
These tools can help users block or limit various types of advertising
and data collection and also ensure a more anonymous browsing
experience. What follows is a brief inventory of the PETs and consumer
information already available on the market today:
The major online search and advertising providers offer ``ad
preference managers'' to help users manage their advertising
preferences. Google,\50\ Microsoft,\51\ and Yahoo! \52\ all
offer easy-to-use opt-out tools and educational webpages that
clearly explain to consumers how digital advertising works.\53\
Meanwhile, a relatively new search engine, DuckDuckGo, offers
an alternative search experience that blocks data collection
altogether.\54\
---------------------------------------------------------------------------
\50\ Ads Preferences, Google, http://www.google.com/ads/preferences
(last visited Jan. 30, 2013).
\51\ Ad Choices, Microsoft, http://choice.live.com/Default.aspx and
(last visited Jan. 30, 2013); Personalized Advertising, Microsoft,
https://choice.live.com/AdvertisementChoice/Default
.aspx. (last visited Jan. 30, 2013).
\52\ Ad Interest Manager, Yahoo!, http://info.yahoo.com/privacy/us/
yahoo/opt_out/targeting/details.html. (last visited Jan. 30, 2013).
\53\ Privacy, Microsoft, http://www.microsoft.com/privacy/
default.aspx; (last visited Jan. 30, 2013); Yahoo! Privacy Center,
Yahoo!, http://info.yahoo.com/privacy/us/yahoo; (last visited Jan. 30,
2013); Privacy Policy, Google, http://www.google.com/privacy/ads. (last
visited Jan. 30, 2013).
\54\ Privacy, DuckDuckGo, http://duckduckgo.com/privacy.html. (last
visited Jan. 30, 2013); see also, Jennifer Valentino-DeVries, Can
Search Engines Compete on Privacy?, Wall St. J. Digits Blog (Jan. 25,
2011, 4:02 PM), http://blogs.wsj.com/digits/2011/01/25/can-search-
engines-compete-on-privacy.
Major browser providers also offer variations of a ``private
browsing'' mode, which allows users to turn on a stealth
browsing mode to avoid data collection and other forms of
tracking. This functionality is available as a menu option in
Microsoft's Internet Explorer (``InPrivate Browsing''),\55\
Google's Chrome (``Incognito'') \56\ and Mozilla's Firefox
(``Private Browsing'').\57\ Firefox also has many add-ons
available that provide additional privacy-enhancing
functionality.\58\ ``With just a little effort,'' notes Dennis
O'Reilly of CNET News.com, ``you can set Mozilla Firefox,
Microsoft Internet Explorer, and Google Chrome to clear out and
block the cookies most online ad networks and other Web
trackers rely on to build their valuable user profiles.'' \59\
---------------------------------------------------------------------------
\55\ InPrivate Browsing, Microsoft, http://windows.microsoft.com/
en-US/internet-explorer/products/ie-9/features/in-private (last visited
Jan. 30, 2013).
\56\ Incognito mode (browse in private), Google, http://
www.google.com/support/chrome/bin/answer.py?hl=en&answer=95464 (last
visited Jan. 30, 2013).
\57\ Private Browsing--Browse the web without saving information
about the sites you visit, Mozilla, http://support.mozilla.com/en-US/
kb/Private%20Browsing (last visited Jan. 30, 2013).
\58\ Add-Ons, Mozilla, https://addons.mozilla.org/en-US/firefox/
tag/incognito (last visited Jan. 30, 2013).
\59\ Dennis O'Reilly, Add `do not track' to Firefox, IE, Google
Chrome, CNetNews.com, Dec. 7, 2010, http://news.cnet.com/8301-13880_3-
20024815-68.html.
There are also many supplemental tools and add-ons that
users can take advantage of to better protect their privacy
online by managing cookies, blocking web scripts, and so on.
Like the marketplace for parental control technologies, a
remarkable amount of innovation continues in the market for
privacy empowerment tools, so much so that it is impossible to
document all of them here. However, some of the more notable
privacy-enhancing tools and services include: Ghostery,\60\
NoScript,\61\ Cookie Monster,\62\ Better Privacy,\63\ Track Me
Not,\64\ Collusion,\65\ and the Targeted Advertising Cookie
Opt-Out or ``TACO'' \66\ (all for Firefox); No More Cookies
\67\ (for Internet Explorer); Disconnect (for Chrome);\68\
AdSweep (for Chrome and Opera);\69\ CCleaner \70\ (for PCs);
and Flush \71\ (for Mac). New empowerment solutions are
constantly turning up.\72\ Many of these tools build around the
Do Not Track notion and functionality that the FTC has been
encouraging. For example, Reputation.com's new ``MyPrivacy''
service lets users remove their information from various sites
and helps them create the equivalent of a Do Not Track list for
over 100 online networks.\73\ New tools from Priveazy \74\ and
Privacyfix \75\ offer similar functionality and allow users to
adjust privacy settings for several sites and services at once.
Finally, online privacy company Abine offers a ``Do Not Track
Plus,'' which it claims blocks more than 600 trackers.\76\
Abine also sells a ``PrivacyWatch'' service, which alerts
Facebook users to privacy policy changes on the site,\77\ as
well as a ``DeleteMe'' service that helps users erase personal
information from various other online sites and services.\78\
---------------------------------------------------------------------------
\60\ Ghostery Add-On, Mozilla, https://addons.mozilla.org/en-US/
firefox/addon/ghostery (last visited Jan. 30, 2013).
\61\ No Script Add-On, Mozilla, https://addons.mozilla.org/en-US/
firefox/addon/noscript (last visited Jan. 30, 2013).
\62\ Cookie Monster Add-On, Mozilla, https://addons.mozilla.org/en-
US/firefox/addon/cookie-monster (last visited Jan. 30, 2013).
\63\ BetterPrivacy Add-On, Mozilla, https://addons.mozilla.org/en-
US/firefox/addon/better
privacy (last visited Jan. 30, 2013).
\64\ TrackMeNot Add-On, Mozilla, https://addons.mozilla.org/en-US/
firefox/addon/trackme
not (last visited Jan. 30, 2013).
\65\ Collusion Add-On, Mozilla, http://www.mozilla.org/en-US/
collusion (last visited Jan. 30, 2013).
\66\ Targeted Advertising Cookie Opt-Out (TACO) Add-On, Mozilla,
https://addons
.mozilla.org/en-US/firefox/addon/targeted-advertising-cookie-op/ (last
visited Jan. 30, 2013).
\67\ No More Cookies, CNet.com, http://download.cnet.com/No-More-
Cookies/3000-2144_4-10449885.html (last visited Jan. 30, 2013).
\68\ Disconnect, https://disconnect.me (last visited Jan. 30,
2013).
\69\ AdSweep Add-On, Opera, https://addons.opera.com/addons/
extensions/details/adsweep/2.0.3-3/?display=en (last visited Jan. 30,
2013).
\70\ CCleaner, Piriform, http://www.piriform.com/ccleaner (last
visited Jan. 30, 2013).
\71\ Flush, MacUpdate, http://www.macupdate.com/app/mac/32994/flush
(last visited Jan. 30, 2013).
\72\ David Gorodyansky, Web Privacy: Consumers Have More Control
Than They Think, Huffington Post, Dec. 30, 2010, http://
www.huffingtonpost.com/david-gorodyansky/web-privacy-consumers-
hav_b_799881.html.
\73\ My Privacy, Reputation.com, http://www.reputation.com/
myprivacy (last visited Jan. 30, 2013).
\74\ Priveazy, https://www.priveazy.com (last visited Jan. 30,
2013).
\75\ Privacyfix, https://privacyfix.com (last visited Jan. 30,
2013).
\76\ Do Not Track Plus, Abine, http://www.abine.com/dntdetail.php
(last visited Jan. 30, 2013).
\77\ PrivacyWatch, Abine, http://www.abine.com/
privacywatchdetail.php (last visited Jan. 30, 2013).
\78\ DeleteMe, Abine, http://www.abine.com/marketing/landing/
index.php (last visited Jan. 30, 2013).
The success of one particular tool, AdBlockPlus, deserves
special mention. AdBlockPlus, which lets users blocks
advertising on most websites, is the most-downloaded add-on for
both the Firefox and Chrome web browsers.\79\ As of October
2012, roughly 175 million people had downloaded the Adblock
Plus add-on for the Firefox web browser.\80\ Incidentally, both
Adblock Plus and NoScript, another of the most popular privacy-
enhancing downloads for Firefox, support the Do Not Track
protocol.\81\
---------------------------------------------------------------------------
\79\ AdBlockPlus, https://adblockplus.org/en (last visited Jan. 30,
2013).
\80\ Statistics for Adblock Plus Add-On, Mozilla, https://
addons.mozilla.org/en-US/firefox/addon/adblock-plus./statistics/
?last=30 (last visited Jan. 30, 2013).
\81\ X-Do-Not-Track support in NoScript, Hackademix, http://
hackademix.net/2010/12/28/x-do-not-track-support-in-noscript (Dec. 28,
2010, 5:31 PM).
Finally, pressured by policymakers and privacy advocates,
all three of those browser makers (Microsoft,\82\ Google,\83\
and Mozilla \84\) have now agreed to include some variant of a
Do Not Track mechanism or an opt-out registry in their browsers
to complement the cookie controls they had already offered.
Microsoft has even decided to turn on Do Not Track by default,
although it has been a controversial move.\85\ These
developments build on industry-wide efforts by the Network
Advertising Initiative and the ``Self-Regulatory Program for
Online Behavioral Advertising'' \86\ to make opting out of
targeted advertising simpler. The resulting Digital Advertising
Alliance is a collaboration among the leading trade
associations in the field, including: American Association of
Advertising Agencies, American Advertising Federation,
Association of National Advertisers, Better Business Bureau,
Digital Marketing Association, Interactive Advertising Bureau,
and Network Advertising Initiative.\87\ Their program uses an
``Advertising Option Icon'' to highlight a company's use of
targeted advertising and gives consumers an easy-to-use opt-out
option.\88\ It was accompanied by an educational initiative,
www.AboutAds.info, which offers consumers information about
online advertising.\89\ The independent Council of Better
Business Bureaus will enforce compliance with the system.\90\
Self-regulatory efforts such as these have the added advantage
of being more flexible than government regulation, which tends
to lock in sub-optimal policies and stifle ongoing innovation.
---------------------------------------------------------------------------
\82\ Dean Hachamovitch, IE9 and Privacy: Introducing Tracking
Protection, Microsoft IE Blog (Dec. 7, 2010, 1:10 PM), http://
blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-
tracking-protection-v8.aspx; Dean Hachamovitch, Update: Effectively
Protecting Consumers from Online Tracking, Microsoft IE Blog (Jan. 25,
2011, 2:43 PM), http://blogs.msdn.com/b/ie/archive/2011/01/25/update-
effectively-protecting-consumers-from-online-tracking.aspx.
\83\ Peter Bright, Do Not Track support added to Chrome, arriving
by the end of the year, Ars Technica, Sept. 14, 2012, http://
arstechnica.com/information-technology/2012/09/do-not-track-support-
added-to-chrome-arriving-by-the-end-of-the-year; Sean Harvey & Rajas
Moonka, Keeping your opt-outs, Google Pub. Pol'y Blog (Jan. 24, 2010,
12:00 PM), http://googlepublicpolicy.blogspot.com/2011/01/keep-your-
opt-outs.html.
\84\ See Julia Angwin, Web Tool On Firefox To Deter Tracking, Wall
St. J., Jan. 24, 2011, http://online.wsj.com/article/
SB10001424052748704213404576100441609997236.html; Stephen Shankland,
Mozilla offers do-not-track tool to thwart ads, CNet News Deep Tech,
Jan. 24, 2011, http://news.cnet.com/8301-30685_3-20029284-264.html.
\85\ Natasha Singer, Do Not Track? Advertisers Say `Don't Tread on
Us', N.Y. Times, Oct. 13, 2012, http://www.nytimes.com/2012/10/14/
technology/do-not-track-movement-is-drawing-ad
vertisers-fire.html?_r=1&.
\86\ Self-Regulatory Program for Online Behavioral Advertising,
Digital Advertising Alliance, http://www.aboutads.info (last visited
Jan. 30, 2013).
\87\ Press Release, Network Advertising Initiative, Major
Marketing/Media Trade Groups Launch Program to Give Consumers Enhanced
Control over Collection and Use of Web Viewing Data For Online
Behavioral Advertising (Oct. 4, 2010) [hereinafter Major Marketing],
www.networkadvertising.org/pdfs/Associations104release.pdf.
\88\ Id.
\89\ Self-Regulatory Principles, Digital Advertising Alliance,
http://www.aboutads.info/principles (last visited Jan. 30, 2013).
\90\ Major Marketing, supra note 180, at 2.
Again, this survey only scratches the surface of what is available
to privacy-sensitive web surfers today.\91\ Importantly, this inventory
does not include the many different types of digital security tools
that exist today.\92\
---------------------------------------------------------------------------
\91\ There are many other mundane steps that users can take to
protect their privacy. See, e.g., Kashmir Hill, 10 Incredibly Simple
Things You Should Be Doing To Protect Your Privacy, Forbes, Aug. 23,
2012, http://www.forbes.com/sites/kashmirhill/2012/08/23/10-incredibly-
simple-things-you-should-be-doing-to-protect-your-privacy.
\92\ Online security and digital privacy are related, but are also
distinct in some ways. For example, technically speaking, anti-virus
and other anti-malware technologies are considered security tools, but
they can also help protect a user's privacy by guarding information she
wishes to keep private.
---------------------------------------------------------------------------
What these tools and efforts illustrate is a well-functioning
marketplace that is constantly evolving to offer consumers greater
control over their privacy without upending online markets through
onerous top-down regulatory schemes. Policymakers would be hard-pressed
to claim any sort of ``market failure'' exists when such a robust
marketplace of empowerment tools exists to serve the needs of privacy-
sensitive web surfers.
Importantly, it is vital to realize that most consumers will never
take advantage of these empowerment tools, just as the vast majority of
parental control technologies go untapped by most families.\93\ This is
due to a number of factors, most notably that not every individual or
household will have the same needs and values as they pertain to either
online safety and digital privacy.
---------------------------------------------------------------------------
\93\ Adam Thierer, Who Needs Parental Controls? Assessing the
Relevant Market for Parental Control Technologies, Progress on Point,
Feb. 2009, at 4-6, http://www.pff.org/issuespubs/pops/2009/
pop16.5parentalcontrolsmarket.pdf.
---------------------------------------------------------------------------
Therefore, the fact that not every individual or household uses
empowerment tools should not be used as determination of ``market
failure'' or the need for government regulation. Nor should the effort
or inconvenience associated with using such tools be viewed as a market
failure.\94\ What matters is that these tools exist for those who wish
to use them, not the actual uptake or usage of those tools or the
inconvenience they might pose to daily online activities.
---------------------------------------------------------------------------
\94\ The Supreme Court has held as much in the context of child
safety. See United States v. Playboy Entm't Grp., 529 U.S. 803, 824
(2000): ``It is no response that voluntary blocking requires a consumer
to take action, or may be inconvenient, or may not go perfectly every
time. A court should not assume a plausible, less restrictive
alternative would be ineffective; and a court should not presume
parents, given full information, will fail to act.''
---------------------------------------------------------------------------
Government officials can take steps to encourage the use of PETs,
but it is even more essential that they do not block or discourage
their use.\95\ For example, limitations on encryption technologies or
mandates requiring that web surfers use online age verification or
identify authentication technologies would undermine user efforts to
shield their privacy.\96\
---------------------------------------------------------------------------
\95\ A. Michael Froomkin, The Death of Privacy, Stan. L. Rev. 1461,
1506, 1529 (2000): ``Sometimes overlooked, however, are the ways in
which existing law can impose obstacles to PETs. Laws and regulations
designed to discourage the spread of cryptography are only the most
obvious examples of impediments to privacy-enhancing technology.''
\96\ Adam Thierer, Social Networking and Age Verification: Many
Hard Questions; No Easy Solutions, Progress on Point, Mar. 2007, at 3,
http://papers.ssrn.com/sol3/papers.cfm?
abstract_id=976936.
---------------------------------------------------------------------------
Appendix III: Societal Adaptation, Evolving Cultural Norms & Privacy
Many technologies or types of media that are originally viewed as
culturally offensive or privacy-invasive very quickly come to be
assimilated into our lives, despite initial resistance.\97\ A cycle of
initial resistance, gradual adaptation, and then eventual assimilation
is well-established in the context of popular entertainment.\98\ For
example, the emergence of dime novels, comic books, movies, rock-and-
roll music, video games, and social networking services all lead to
``moral panics'' \99\ or ``technopanics.'' \100\ Over time, however,
society generally came to accept and then even embrace these new forms
of media or communications technologies.\101\
---------------------------------------------------------------------------
\97\ Doug Aamoth, A Bunch of Tech Things People Have Threatened to
Quit Recently, TimeTech, Dec. 18, 2012, http://techland.time.com/2012/
12/18/a-bunch-of-tech-things-people-have-threatened-to-quit-recently.
\98\ Adam Thierer, Why Do We Always Sell the Next Generation
Short?, Forbes, Jan. 8, 2012, http://www.forbes.com/sites/adamthierer/
2012/01/08/why-do-we-always-sell-the-next-generation-short. (``many
historians, psychologists, sociologists, and other scholars have
documented this seemingly never-ending cycle of generational
clashes.'')
\99\ Robert Corn-Revere, Moral Panics, the First Amendment, and the
Limits of Social Science, 28 Communications Lawyer (2011).
\100\ Adam Thierer, Technopanics, Threat Inflation, and the Danger
of an Information Technology Precautionary Principle, 14 Minn. J. L.
Sci. & Tech. 309, 364-73, (2013).
\101\ Id. at 364-8.
---------------------------------------------------------------------------
The same cycle of resistance, adaptation, and assimilation has
played out countless times on the privacy front as well and ``after the
initial panic, we almost always embrace the service that once violated
our visceral sense of privacy.'' \102\ The introduction and evolution
of photography provides a good example of just how rapidly privacy
norms adjust. The emergence of the camera as a socially disruptive
force was central to the most important essay ever written on privacy
law, Samuel D. Warren and Louis D. Brandeis's famous 1890 Harvard Law
Review essay on ``The Right to Privacy.'' \103\ Brandeis and Warren
claimed ``modern enterprise and invention have, through invasions upon
his privacy, subjected [man] to mental pain and distress, far greater
than could be inflicted by mere bodily injury.'' \104\ In particular,
``instantaneous photographs and newspaper enterprise have invaded the
sacred precincts of private and domestic life,'' they claimed, ``and
numerous mechanical devices threaten to make good the prediction that
`what is whispered in the closet shall be proclaimed from the house-
tops.' '' \105\
---------------------------------------------------------------------------
\102\ Larry Downes, Cato Institute, A Rational Response to the
Privacy ``Crisis,'' Policy Analysis, 10, Jan. 7, 2013, http://
www.cato.org/publications/policy-analysis/rational-response-privacy-
crisis.
\103\ Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4
Harv. L. Rev. 193 (1890).
\104\ Id. at 196.
\105\ Id. at 195.
---------------------------------------------------------------------------
The initial revulsion that many citizens felt toward this new
technology was a logical reaction to the way it disrupted well-
established social norms.\106\ But personal norms and cultural
attitudes toward cameras and public photography evolved quite rapidly.
Eventually, cameras became a widely embraced part of the human
experience and social norms evolved to both accommodate their place in
society but also scold those who would use them in inappropriate,
privacy-invasive ways.
---------------------------------------------------------------------------
\106\ Neil M. Richards, The Puzzle of Brandeis, Privacy, and
Speech, 63 Vand. L. Rev. 1295 (2010): ``the rapid adoption of the
portable camera had begun to make people uneasy about its ability to
record daily life away from the seclusion of the photo studio. Old
norms of deference and respect seemed under assault, and there was
great anxiety among elites keen on protecting their status, authority,
and privacy.''
---------------------------------------------------------------------------
That same sort of societal adaptation was on display more recently
following the introduction of Google's ``Gmail'' e-mail service in
2004. Gmail was greeted initially with hostility by many privacy
advocates and some policymakers, some of whom wanted the service
prohibited or tightly regulated.\107\ A bill was floated in California
that would have banned the service.\108\ Some privacy advocates worried
that Google's contextually targeted advertisements, which were based on
keywords that appeared in their e-mail messages, were tantamount to
reading users' e-mail and constituted a massive privacy violation.\109\
Users quickly adapted their privacy expectations to accommodate this
new service, however, and the service grew rapidly.\110\ By the summer
of 2012, Google announced that 425 million people were actively using
Gmail.\111\
---------------------------------------------------------------------------
\107\ Adam Thierer, Lessons from the Gmail Privacy Scare of 2004,
Tech. Liberation Front, Mar. 25, 2011, http://techliberation.com/2011/
03/25/lessons-from-the-gmail-privacy-scare-of-2004.
\108\ See Eric Goldman, A Coasean Analysis of Marketing, Wisc. L.
Rev 1151, 1212 (2006) (``California's reaction to Gmail provides a
textbook example of regulator antitechnology opportunism.'')
\109\ See Chris Jay Hoofnagle et al., Letter to California Attorney
General Lockyer, Electronic Privacy Information Center, May 3, 2004,
http://epic.org/privacy/gmail/agltr5.3.04.html.
\110\ Paul Ohm, Branding Privacy, 97 Minn. L. Rev. 907, 984-5
(2013), (noting that the Gmail case study, ``serves as a reminder of
the limits of privacy law, because sometimes the consuming public,
faced with truthful full disclosure about a service's privacy choices,
will nevertheless choose the bad option for privacy, at which point
there is often little left for privacy advocates and regulators to
do.'')
\111\ Dante D'Orazio, Gmail Now Has 425 Million Total Users, The
Verge, June 28, 2012, http://www.theverge.com/2012/6/28/3123643/gmail-
425-million-total-users.
---------------------------------------------------------------------------
Sometimes companies push too aggressively against established
privacy norms, however, and users push back. This was true for
Instagram in late 2012. On December 17, 2012, the popular online photo
sharing service, which is owned by Facebook, announced changes to its
terms of service and privacy policy that would have allowed it to more
easily share user information and even their photographs with Facebook
and advertisers.\112\ Within hours of announcing the changes, Instagram
found itself embroiled in a consumer and media firestorm.\113\ The
uproar also ``helped a number of [competing] photo-sharing applications
garner unprecedented amounts of traffic and new users.'' \114\ One
rival called EyeEm reported that daily sign-ups had increased a
thousand percent by the morning after the Instagram announcement.\115\
According to some estimates, Instagram ``may have shed nearly a quarter
of its daily active users in the wake of the debacle.'' \116\
---------------------------------------------------------------------------
\112\ Jenna Wortham & Nick Bilton, What Instagram's New Terms of
Service Mean for You, N.Y. Times Bits, Dec. 17, 2012, http://
bits.blogs.nytimes.com/2012/12/17/what-instagrams-new-terms-of-service-
mean-for-you.
\113\ Joshua Brustein, Anger at Changes on Instagram, N.Y. Times
Bits, Dec. 17, 2012, http://bits.blogs.nytimes.com/2012/12/18/anger-at-
changes-on-instagram.
\114\ Nicole Perlroth & Jenna Wortham, Instagram's Loss Is a Gain
for Its Rivals, N.Y. Times Bits, Dec. 20, 2012, http://
bits.blogs.nytimes.com/2012/12/20/instagrams-loss-is-other-apps-gain/
?smid=tw-nytimesbits&seid=auto.
\115\ Id.
\116\ Garett Sloane, Rage Against Rules, N.Y. Post, Dec. 27, 2012,
http://www.nypost.com/p/news/business/
rage_against_Dh05rPifiXBIJRE1rCOyML.
---------------------------------------------------------------------------
Instagram's experience serves as an example of how consumers often
``vote with their feet'' and respond to privacy violations by moving to
other services, or at least threatening to do so unless changes are
made by the offending company.\117\ Just three days after announcing
those changes, Instagram relented and revised its privacy policy.\118\
In an apology posted on its corporate blog, Instagram co-founder Kevin
Systrom noted that ``we respect that your photos are your photos.
Period.'' \119\ Despite the rapid reversal, a class action lawsuit was
filed less than a week later.\120\ Although experts agreed the lawsuit
was unlikely to succeed, such legal threats can have a profound impact
on current and future corporate behavior.\121\
---------------------------------------------------------------------------
\117\ Downes, A Rational Response, 11: ``Often the more efficient
solution is for consumers to vote with their feet, or these days with
their Twitter protests. As social networking technology is coopted for
use in such campaigns, consumers have proven increasingly able to
leverage and enforce their preferences.''
\118\ Declan McCullagh & Donna Tam, Instagram Apologizes to Users:
We Won't Sell Your Photos, CNet News, Dec. 18, 2012, http://
news.cnet.com/8301-1023_3-57559890-93/instagram
-apologizes-to-users-we-wont-sell-your-photos.
\119\ Instagram, Thank You, and We're Listening, Instagram Blog,
Dec. 18, 2012, http://blog.instagram.com/post/38252135408/thank-you-
and-were-listening.
\120\ Zach Epstein, Instagram Slapped with Class Action Lawsuit
over Terms of Service Fiasco, BGR.com, Dec. 25, 2012, http://bgr.com/
2012/12/25/instagram-slapped-with-class-action-lawsuit-over-terms-of-
service-fiasco-267480/?utm_source=dlvr.it&utm_medium=twitter.
\121\ Jeff John Roberts, Instagram Privacy Lawsuit is Nonsense Say
Experts, GigaOm, Dec. 26, 2012, http://gigaom.com/2012/12/26/instagram-
privacy-lawsuit-is-nonsense-say-experts.
---------------------------------------------------------------------------
These episodes show how, time and time again, humans have proven to
be resilient in the face of rapid technological change by using a
variety of adaptation and coping mechanisms to gradually assimilate new
technologies and business practices into their lives.\122\ Other times
they push back against firms that disrupt establish privacy norms and
encourage companies to take a more gradual approach to technological
change.
---------------------------------------------------------------------------
\122\ Adam Thierer, Technopanics, Threat Inflation, and the Danger
of an Information Technology Precautionary Principle, 14 Minn. J. L.
Sci. & Tech. 309, 364-73, (2013).
---------------------------------------------------------------------------
Appendix IV: Why America's Privacy Regime is Worth Defending:
A Better, Simpler Narrative for U.S. Privacy Policy
by Adam Thierer [originally published on the Technology Liberation
Front blog, March 19, 2013]
Last week on his personal blog, Peter Fleischer, Global Privacy
Counsel for Google, posted an interesting essay titled, ``We Need a
Better, Simpler Narrative of U.S. Privacy Laws.'' \123\ Fleischer says
that Europe has done a better job marketing its privacy regime to the
world than the United States and argues that ``the U.S. has to figure
out how to explain its privacy laws on the global stage'' since
``Europe is convincing many countries around the world to implement
privacy laws that follow the European model.'' He notes that ``in the
last year alone, a dozen countries in Latin America and Asia have
adopted euro-style privacy laws [while] not a single country, anywhere,
has followed the U.S. model.'' Fleischer argues that this has
ramifications for long-term trade policy and global Internet regulation
more generally.
---------------------------------------------------------------------------
\123\ Peter Fleischer, We Need a Better, Simpler Narrative of U.S.
Privacy Laws, Mar. 12, 2013, http://peterfleischer.blogspot.com/2013/
03/we-need-better-simpler-narrative-of-us.html.
---------------------------------------------------------------------------
I found this essay very interesting because I deal with some of
these issues in my latest law review article, ``The Pursuit of Privacy
in a World Where Information Control is Failing.'' \124\ In the
article, I suggest that the United States does have a unique privacy
regime and it is one that is very similar in character to the regime
that governs online child safety issues. Whether we are talking about
online safety or digital privacy, the defining characteristics of the
U.S. regime are that it is bottom-up, evolutionary, education-based,
empowerment-focused, and resiliency-centered. It focuses on responding
to safety and privacy harms after exhausting other alternatives,
including market responses and the evolution of societal norms.
---------------------------------------------------------------------------
\124\ Adam Thierer, The Pursuit of Privacy in a World Where
Information Control Is Failing, 36 Harv. J. L. & Pub. Pol. 409 (2013),
papers.ssrn.com/sol3/papers.cfm?abstract_id=2234680.
---------------------------------------------------------------------------
The EU regime, by contrast, is more top-down in character and takes
a more static, inflexible view of privacy rights. It tries to impose a
one-size-fits-all model on a diverse citizenry and it attempts to do so
through heavy-handed data directives and ongoing ``agency threats.'' It
is a regime that makes more sweeping pronouncements about rights and
harms and generally recommends a ``precautionary principle'' \125\
approach to technological change in which digital innovation is more
``permissioned.'' \126\
---------------------------------------------------------------------------
\125\ Adam Thierer, Technopanics, Threat Inflation, and the Danger
of an Information Technology Precautionary Principle, 14 Minn. J. L.
Sci. & Tech. 309 (2013).
\126\ Adam Thierer, Who Really Believes in ``Permissionless
Innovation''? Technology Liberation Front, Mar. 4, 2013, http://
techliberation.com/2013/03/04/who-really-believes-in-permissionless-
innovation.
---------------------------------------------------------------------------
Put simply, the U.S. regime is reactive in character while the EU
regime is more preemptive. The U.S. system focuses on responding to
safety and privacy problems using a more diverse toolbox of solutions,
some of which are governmental in character while others are based on
evolving social and market norms and responses. To be clear, law does
enter the picture here in the United States, but it does so in a very
different way than it does in the European Union. Fleischer actually
explains that point quite nicely in his essay:
What is the U.S. model? People in the privacy profession know
that the U.S. has a dense ``patchwork'' model of privacy laws:
every individual U.S. State has numerous privacy laws, the
Federal government has numerous sectoral laws, and numerous
other ``non-privacy'' laws, like consumer protection laws, are
regularly invoked in privacy matters. Regulators in many
corners of government, ranging from State attorneys general, to
the Federal Trade Commission, and armies of class action
lawyers inspect every privacy issue for possible actions.\127\
---------------------------------------------------------------------------
\127\ Fleischer.
Indeed, in my new law review article, I summarize the litany of
cases the FTC has brought recently on the data security and privacy
front using its authority under Section 5 of the Federal Trade
Commission Act to police ``unfair and deceptive'' practices. State AGs
are active on this front as well, and there is plenty of class action
activity every time there's a privacy or data security screw-up.
Meanwhile, public officials continue to work collaboratively with
privacy advocates, corporations, and educators to develop better
education and awareness-building efforts, including ``best practices''
on safety, security, and privacy issues.
For more details on this U.S. model, please consult pages 436-454
of my article, in which I provide a comprehensive overview of what I
refer to as America's ``3-E Approach'' to dealing with online safety
and digital privacy concerns. The ``3-Es'' refer to education,
empowerment, and targeted enforcement of existing legal standards. As I
note in the article:
[America's ``3-E Approach''] does not imagine it is possible to
craft a single, universal solution to online safety or privacy
concerns. It aims instead to create a flexible framework that
can help individuals cope with a world of rapidly evolving
technological change and constantly shifting social and market
norms as they pertain to information sharing.\128\
---------------------------------------------------------------------------
\128\ Thierer, The Pursuit of Privacy, at 437.
But what frustrates Fleischer is that the U.S model still doesn't
---------------------------------------------------------------------------
translate into a simple narrative for international audiences:
How on earth do you explain U.S. privacy laws to an
international audience? How do you explain the role of class
action litigation to people in countries where it doesn't even
exist? The U.S. privacy law narrative is convoluted. That's a
pity, since almost all of the global privacy professionals with
whom I've discussed this issue agree with me that the sum of
all the individual parts of U.S. privacy laws amounts to a
robust legal framework to protect privacy. (I didn't say
``perfect'', since laws never are, and I'm not grading them
either.) By contrast, Europe's privacy narrative is simple and
appealing. Its laws are very general, aspirational, horizontal
and concise. Critics could say they're also inevitably vague,
as any high-level law would have to be. But, like the U.S. Bill
of Rights, they have a sort of simple and profound universality
that has inspired people around the world. And they are
enforced (at least, on paper) by a single, identifiable,
specialist regulator.\129\
---------------------------------------------------------------------------
\129\ Fleischer.
I understand the frustration Fleischer is expressing here regarding
how to frame the U.S. model for broader audiences. But the crucial
point here is that, as he correctly notes, ``the sum of all the
individual parts of U.S. privacy laws amounts to a robust legal
framework to protect privacy,'' even if it is the case that we will
never achieve anything near perfection when it comes to online privacy
(or online safety for that matter). But it is unfortunate that
Fleischer ignores the many other moving pieces at work here that are
important to the U.S. system, especially the diverse array of
educational and awareness-building efforts, as well as the astonishing
array of empowerment tools that currently exist to help user protect
their privacy to the degree they desire.
Of course, it should also be obvious that the U.S. regime is never
going to appeal to a global audience as much as Europe's privacy regime
for the same reason that many other U.S. policy regimes don't appeal to
certain countries or their leaders: our systems aren't regulatory
enough in character for them! But while those top-down, centralized,
preemptive regulatory regimes will almost always be more
``aspirational, horizontal and concise''--and, therefore, have greater
appeal to activist-minded lawmakers and regulators--that also means
those regimes will likely leave less breathing room for social
evolution (i.e., evolving norms about safety and privacy) and economic
innovation (new digital goods and services that potentially disrupt
those regulatory expectations). That has real consequences for long-
term growth and overall consumer welfare.
Regardless, to the extent we need ``a better, simpler narrative for
U.S. privacy policy'' as Fleischer suggests, I believe we can boil it
down to a few words: bottom-up, evolutionary, flexible, and reactive.
What this means for public policy is clear: We need diverse tools and
solutions for a diverse citizenry, while leaving plenty of breathing
room for ongoing innovation and the evolution of social norms and
market responses. Whether it's online safety or digital privacy, public
policy should take into account the extraordinary diversity of citizen
needs and tastes and leave the ultimate decision about acceptable
online content and interactions to them. We should look to educate and
empower citizens so that they can make decisions about their online
safety and privacy for themselves so that policymakers are not
constantly trying to make decisions on their behalf.
This is a model worth defending, even if it is sometimes hard to
delineate its contours. Please read my Harvard Journal of Law & Public
Policy article for a fuller exploration of that model and a defense of
it.
The Chairman. And I will have one in just a moment.
This is to each witness to answer briefly. The online
advertising industry, as has been pointed out, stood at the
White House last February and made a promise to honor Do-Not-
Track requests from consumers by the end of the year. And yet,
as I sit here today, these promises have been broken.
Do-Not-Track is still just an idea, not a reality, and I
have heard a lot of finger pointing in the press. So my
question is, but now I have you all here, and I would like each
of you to tell me what exactly is the hold-up. Can you come to
the table at the W3C and make good on your word to implement
Do-Not-Track?
Starting with you, Mr. Anderson.
Mr. Anderson. Thank you, Chairman.
Yes, we will come to the table and make good on our
commitment to honor Do-Not-Track. We have.
The DAA said some things just now that I think are actually
specious. The notion that they can't implement Do-Not-Track
because Firefox announced that it was going to explore, test
third-party cookie blocking is--is just--it is offensive,
actually.
The DAA already was not responding to Do-Not-Track. When IE
announced that they were going to turn Do-Not-Track on by
default, they told their members don't respond to it. We are
not doing Do-Not-Track. That was last year. Last year.
This just happened. The third-party cookie thing was in
February. And no, we didn't say--it hasn't happened. We said we
were going to test it. I have spent days meeting with members,
DAA members, members of the ad ecosystem to understand how
third-party cookie blocking would affect them.
By the way, what they have told us is some say, depending
on where they are in the industry, they will have different
answers. Most have said they think the impact would be
negligible. Some, who rely on it purely like the retargeting
folks--retargeting, which is different than BT, behavior
targeting--are extremely concerned.
There is also the sentiment, at least among publishers and
many of the ad ecosystem people, that behavioral targeting, the
effectiveness itself is questionable. This is not to say that
they don't get more money for it, but whether it is actually
effective, it is unclear. At least from that sector, that is
what they have told us.
So you could speak directly when I am done. So, anyway,
that is the answer to my question--to your question.
The Chairman. Very good. Please.
Mr. Mastria. Senator Rockefeller, thank you.
We stand--we sit here today ready to sit and work through
the agreement that we made with the White House. So we
encourage--as we did in our testimony, we encourage Microsoft,
Mozilla, FTC, all the other parties, to sit with us and work
through that for a standard that would meet those conditions.
But let me go back to something you mentioned at your
opening, if I might?
The Chairman. Could you go back to answering my question?
Mr. Mastria. I thought that was your question, Senator.
The Chairman. Why isn't it working?
Mr. Mastria. That, in fact, we stand ready today to work
toward the implementation of the White House agreement for Do-
Not-Track.
The Chairman. Go ahead.
Mr. Mastria. I would like to go back to a point that you
raised, which was that consumers should make that choice. We
agree. We wholeheartedly agree.
What is happening with Mozilla and with Microsoft is that
the browsers are making that choice, not the consumer. And that
is a completely different dynamic.
Perhaps there are competitive reasons. Perhaps there are
other reasons. We don't know. But we know for sure one thing,
that user choice is not being satisfied, and that is something
that we--we deliver on, we promised to deliver on, and we do
on--on a routine basis every single day.
And so, the other point that Mr. Anderson raised that
interest-based advertising is somehow some sort of fringe or
immaterial thing, I would submit that 2X publishers are willing
to pay twice as much for interest-based advertising, and
consumers click through those ads twice as often, which means
that they find it twice as convenient, twice as relevant,
speaks volume for how innovative the product is.
The fact is that there may be other reasons why companies
choose to invest in different parts of privacy, but that is not
what is going on here. We are the ones who are delivering
consumer choice day in and day out. What is being delivered by
the browsers right now is not consumer choice. In fact, it is
browser choice.
The Chairman. Mr. Brookman?
Mr. Brookman. I think it is a good question. I can't answer
why they haven't turned it on or responded to it.
As I mentioned during my testimony, Google Chrome's Do-Not-
Track implementation meets every test they could possibly want.
Those signals are going out from users who go out of their way
to find that setting and turn it on. Industry is not
responding.
Apple Safari, you have to go out of your way to turn it on.
Industry is not responding. There is nothing in the White House
agreement about cookies. Apple hasn't allowed cookies for 10
years. So I am not entirely sure how that is relevant.
CDT has proposed a reasonable middle ground going forward.
Back in January 2011, we have consistently tried to bring both
sides to the table to agree. I think it is in industry's
interest to agree because if they keep taking a hard line in
the sand, it won't be cookies being blocked. It is going to be
ads being blocked, and that is the kind of tools Adam was
talking about.
Those aren't Do-Not-Track tools. They are ad-blocking
tools, which I think are a bad way to go for everybody.
Mr. Thierer. So, Senator, to answer your question, I think
there are many reasons why this process has slowed down, but I
think one of them is a simple truism that setting technical
standards is really hard. And what W3C is doing here is trying
to negotiate something for a very complex and fast-evolving
ecosystem.
I should point out as well, as I pointed out in an appendix
to my testimony, we have sort of been here before with the W3C.
W3C has instituted the Platform for Internet Content Selection,
or PICS, for online objectionable content. It also tried on
privacy--a Platform for Privacy Preferences, or P3P.
These are both good faith efforts to deal with serious
issues of online child safety content, privacy issues.
Ultimately, they did not work so well. And this is what leads
to my skepticism about trying to use these sort of technical
silver bullet schemes, as I call them, to solve these complex
problems, as opposed to a multilayered approach to get at the
issue.
The Chairman. Senator Thune?
Senator Thune. Thank you, Mr. Chairman.
I would direct this to all the witnesses and just ask a
general question, and that is do you believe that a multi-
stakeholder process, whether it is the ongoing W3C effort,
which has been discussed at some length, or a future effort, is
a better way to reach an enduring and broad solution than a
regulatory approach that would be--come down mandated from the
Government?
Mr. Anderson. Go ahead, Justin.
Mr. Brookman. So we have heard a lot about this. I mean, it
is like the approach that we like is a basic comprehensive
privacy law that allows for safe harbor programs like a self-
regulatory model like DAA, like a multi-stakeholder approach
that gets together and comes up with a code and says, hey, for
our industry, if we do this negotiated code, does that mean we
are in compliance with existing law?
I think that is the model that we have advocated. We have
seen it proposed in President Obama's consumer privacy bill of
rights. We have seen it in other legislation. I think that is a
good way to get people into the room to agree to reasonable
standards.
Without a baseline of saying you have to respect users'
privacy, there is not enough incentive, I think, for any
individual company to take the right steps in a lot of cases.
Mr. Mastria. So I would submit that we run a self-
regulatory program. Our program provides meaningful consumer
choice every single day. Consumers do take advantage of it. It
is in prime real estate. We made sure of that.
And so, I think that our program is far superior, much more
nimble than any regulatory mandate. Even today, as we speak, we
are getting ready to launch what would be the guiding
principles for data collection inside the mobile and
applications environment. That is a huge leap forward.
And that is on top of already producing two codes of
conduct and multiple technologies to help consumers manage
their online privacy. We think that we are more nimble, but we
don't take a stance on regulation or legislation.
Senator Thune. There is another question. This, again, can
be open and whoever would care to answer this.
But are there specific and identifiable harms being
witnessed in the marketplace today because of behavioral and
interest-based advertising?
Mr. Thierer. Privacy is an highly subjective condition,
Senator, and obviously, people have different feelings about
it, the same way they do about what is optimal safety or
security. So it is tricky.
But to the extent that there are actual harms that can be
identified, we have many remedies that exist, as I noted in my
testimony, whether they be FTC remedies, unfair and deceptive
practices, targeted laws dealing with very sensitive privacy
issues, such as health, financial, or children issues. And then
we also have State laws as a backdrop, along with class action
activity.
Where there are harms, they are pursued. The FTC has been
incredibly aggressive in recent years and has addressed these
things with consent decrees with some of the biggest players in
the online economy, which sends a pretty powerful message to
other players, I believe.
But for the most part when people talk about these harms,
they usually say things like online advertising or targeted
advertising is ``creepy.'' But it is hard for me to find a real
harm with creepiness. I think a lot of my neighbors are creepy,
but I don't think they are harmful.
So I would say that we need to identify more concrete harm
than creepiness. And we also need to acknowledge the benefits
on the other side of that equation.
Mr. Mastria. I would submit--oh, was that just----
Senator Thune. No, go ahead. So, hopefully, his neighbors
aren't watching this.
[Laughter.]
Mr. Mastria. Senators, I have been at FTC hearings and
workshops where this very issue was addressed, and I have heard
staff ask many times, ``Where is the harm?'' And there hasn't
been any that has been demonstrated.
As Adam suggested, there have been issues of creepiness.
And to be sure, that there are folks who would like to have
control over their privacy experience online, and that is what
we built our tools for, and that is what we see. We see the
same kind of response to those tools that we--that the industry
has seen in preference management tools for a decade.
A lot of consumers come to the tool. Just knowing that the
tool is available oftentimes makes the consumer feel
comfortable. But if there is a consumer who feels that much
more dedicated to exercising a choice, the tool is there, and 2
million folks, nearly 2 million folks with us have, in fact,
exercised that choice.
So I think that that is really the answer to the question.
I think from our perspective, as we talk to consumers, when we
asked them about what is top of mind in terms of privacy for
them, what we hear is viruses, malware, identity theft.
Interest-based advertising is not the top of that list.
Mr. Anderson. Senator Thune, if I could just--I think you
are asking the right question about the harm. It is tough
because the harm in this case potentially is if you undermine
confidence in the ecosystem, then people don't engage and
participate.
And we saw that with online commerce initially. Remember,
people were afraid to put their credit cards on the Web, and
that really held back commerce at first until people started to
rely on the notion of encryption. Whether they knew what it
meant or not exactly or how it worked, they gained more trust.
And now we see a booming online commerce, actual transactions
online.
But there is something else here that we have talked about
choice. It really helps people. The 45 million people on
Firefox that I talked about that have turned on Do-Not-Track,
we didn't set that. The users went into the preference and set
turn Do-Not-Track on themselves.
So that is 45 million people pored through the menus to
turn that on at 17 percent rate of our user base in the U.S.
Mr. Brookman. I think this is really more about consumer
choice and consumer preferences rather than harm. I mean, if a
couple walks into a restaurant and says, ``Hey, can I have a
private booth?'' The maitre d' doesn't turn around and shout,
``What is the harm?'' They try to accommodate them. They try to
them out. They say, ``Yes, OK, you are my customer. I want to
help you out.''
That is what I think the browsers are doing here. They have
heard over and over and over from consumers again that they
don't like this. You can judge them for not thinking through
the harm very well, but they have made a statement, and they
want privacy protection in browsers.
And so, we are seeing the browsers respond to that either
by turning off cookies. Some of them offering ad block add-ons.
Or what we are trying to do is have a middle ground approach of
Do-Not-Track, which is a signal to the company saying, ``Hey,
you can still get some information about me, but don't retain
it, don't build a profile about me.''
And that way, I get the advertising, but I don't get you
knowing a whole lot about me. That is what we are trying to
achieve here. And I think that is what Do-Not-Track is supposed
to do.
Mr. Mastria. If I may answer one question on the point that
Mr. Anderson raised regarding track----
The Chairman. I am sorry. Your time is up. The Senator's
time is up.
You have talked a good deal. The Senator's time is up. I
want to go on to Senator Heller.
Senator Heller. Senator McCaskill?
The Chairman. She looks nervous.
Senator McCaskill. I don't know what to say.
The Chairman. Senator McCaskill?
Senator McCaskill. You may go first.
Senator Heller. It is fine. It is fine.
Senator McCaskill. We are going to get along very well on
our subcommittee, Mr. Chairman.
The Chairman. This is according to who got here first.
Senator McCaskill. Oh, OK. Well, go ahead. I am staying
so----
Senator Heller. I am happy to move forward. Thank you, Mr.
Chairman. Thanks for giving me a couple minutes.
And I want to thank again for those who are testifying, for
being here today and taking time out of a busy schedule.
Mr. Brookman, I have some specific questions. Some of the
things I understand, if I go online and I purchase an item, I
know I am going to be tracked. I know that.
After today's vote, I guess, on the Senate floor, I am also
going to be taxed. But that is a different discussion for
another time.
I also know that third-party advertising companies puts
cookies on my computer. I know that. Let me ask you, do you
believe that the general public understands this?
Mr. Brookman. I don't. I think the ad industry has done a
noble job in trying to move forward with the icon project to
put some notice on all the ads that you can click through and
get information.
Unfortunately, as I have gone around and talked at events
where people come and want to hear about privacy, very, very,
very few understand what that is or have interacted with it or
know what is going on. Talking with people outside of my
industry when I describe what online behavioral advertising is,
they say, ``What?''
I think as targeting is getting better, I think people are
starting to see very targeted ads. So they are seeing more and
more retargeting. So when my wife looks for shoes online, as I
am surfing later, those shoes follow me around the Internet.
I went to the Venetian site once, and the Venetian followed
me around for 6 months. And so, I think people are starting to
become aware something is happening, but I don't think they
understand how it works.
And you see polls after poll after poll is when it is
described to them, a lot of them don't like it. I just want to
give them some choice around it.
Senator Heller. Yes, if you have follow-up?
Mr. Mastria. Yes, specific to the polls. So we asked
consumers not in any inflammatory terms, we asked them simply
what is your preferred online experience? How do you like
getting free content? What do you like about advertising?
And you know what we heard back? What we heard back is that
the preferred online experience is free content with relevant
advertising. Consumers acknowledge that they are going to get
advertising. It might as well be for something that they are
interested in.
I don't like to golf particularly, but I do like to bike
ride. Why not, it would make a lot more sense for me to get
that bicycling ad.
I want to make one last point about the point that Mr.
Anderson raised. The Do-Not-Track that is being set inside the
Mozilla browser does not mean anything. Consumers are being
told Do-Not-Track. Does that mean zero data collection? As you
acknowledged, Chairman, the reality is that there has to be
some data collection for the Internet to work properly.
In the case of Mozilla, in fact, we know 60 percent of
folks would like to have no tracking even on first-party sites.
So does that mean that no first party, if you are looking at
somebody's site, that they cannot collect data on you? What
does it mean?
And I think that that is really one of the challenges here
is that there is no standard definition for what that means,
and therefore, answering that signal, as it has been so simply
put, has been something of a challenge. And so, what we are
looking for is to sit down, go through the White House
commitment that we all agreed to, and map that out, understand
what it means. We have a definition. We have a standard, and we
would be willing to abide by it.
Senator Heller. Let me go back to you, Mr. Brookman--and
thank you for your comments.
There are some that believe that first-party tracking
online tracking is better than third-party tracking, obviously
because of the online introduction. Is that an accurate
assumption?
Mr. Brookman. I think it is more intuitive, right? I mean,
if I go to Amazon.com, I buy a bunch of stuff. Later on, Amazon
says here are the power drills. You asked for that last time. I
kind of get I have a relationship with Amazon. They are showing
me things that I liked before.
Later on, if I read stories about the New York Giants on
Newyorktimes.com, and some company I don't know reads that and
gathers it, and then later, I am at Foxnews.com, and I start
getting Giants ads, I am like, ``Who knows this? Who is this?''
I mean, does Fox News know this? Does some company I never
heard of know this?
So I think that relationship and that contextual
intuitiveness does make first-party tracking a little more
understandable for most users.
Senator Heller. Very good. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator.
Senator McCaskill?
Senator McCaskill. So this is really hard because we have
browsers versus advertisers. We have first party versus third
party. We have big versus little. And the browsers are all
pretty big.
I mean, I know my friend from Mozilla, and I visited there,
and I have a lot of respect for what they are doing. And I get
what Microsoft has done. But a lot of this is about competing
with Google. And Google hasn't been talked about a whole lot
today, and obviously, they are the huge, giant thing in the
room because they are first party, and they have a lot.
So my first question is how did we get to the point that
W3C is deciding all this stuff? I mean, it seems weird to me.
I mean, I am running around here, and we have so many
people worried about the sovereignty of our country and who is
deciding our economic future, and we have all this stuff. I
mean, we have got people in the Senate that actually believe
the United Nations is something that we can't be a party to
anymore, that they are threatening us.
And now the biggest part of our economic growth in this
country, that sector of our economy, we are all saying we are
going to turn it over to W3C. And they have done technical
before, but I don't recall them making huge policy decisions
like this.
And I will be honest with you, I know we are bad at this.
You know, trying to get this done and reconciling browsers
versus advertisers, first party versus third party and big
versus little. But I am a little uncomfortable that all of us
seem to have agreed in the room that we are ceding the
authority to set this policy to some organization I am not even
sure who is in charge of this organization.
Who do they answer to? Who are they, and how did we get to
this point?
Mr. Mastria. Senator, I can tell you based on where the DAA
has been, and I mentioned earlier in my testimony the White
House agreement, which we still hold, the browsers brought W3C
into this.
We sit at the table. We are parties to the negotiation. We
try to be constructive when we can, even to the point of trying
to be educational on things like businesses need to have their
customer data bases. There is no way around that. Right? We had
to make that point.
But browsers brought them in. Again, we are willing to sit
down to make the White House agreement a reality.
Senator McCaskill. OK. Your turn, Mr. Anderson.
Mr. Anderson. Thank you, Senator. That is a good question.
So, as you recall, when DNT was initially launched, the
reason why people couldn't respond to it was because trade
said, well, we don't know what it means. So we said how about a
multi-stakeholder process? Let us use the W3C. They are a
standards body. They are used to doing it and defining it. So
we all agreed let us go there and define it.
Senator McCaskill. But had they done policy before, or had
they just done tech?
Mr. Anderson. No, no. Yes, policy--and I would agree with
you. They don't do policy. They do technical standards.
Senator McCaskill. But isn't this policy?
Mr. Anderson. That is what I have said here, that they had
should be focused on the technical side, but not the self-
regulatory part. The W3C is not a self-regulatory body. At best
it will do is codify an agreement of people that want to create
a common agreement.
Senator McCaskill. So what you are basically saying is this
is just a place to go to try to see if all of you guys can
agree? Couldn't we just set a room somewhere and all of you get
there and try to decide and see if you all agree?
Mr. Anderson. Yes. Well, that is how HTML 5 was set up. So
W3C didn't work for HTML 5. The browser makers got together and
informally created the standard, and once it was sufficiently
understood, you know, 70, 80 percent done, it sort of got
turned over to W3C.
Senator McCaskill. Are we setting the precedent if this
comes from W3C? Are they going to be the policymaking body for
the Internet sector for time immemorial?
Mr. Mastria. I think this is going down----
Senator McCaskill. Let me hear from down here.
Mr. Thierer. I just want to say one brief thing in defense
of the W3C here because I have been critical of some of the
things they have done, including in this process. But no matter
what one thinks of the W3C or this process, I think most people
in the Internet community would agree that it is better
positioned to deal with technical standard-setting processes
than the FTC or other regulatory agencies if for no other
reason that it is a more evolutionary body. It can go with the
flow. It can change.
We might not even have cookies in 5 to 10 years. It might
be something totally different. The W3C process could maybe
evolve to deal with that problem.
So I think it is wrong--it is not a shadowy group that we
need to worry about. They actually do some really good work.
Senator McCaskill. Can you say that about the U.N.? Can we
not worry about the U.N. anymore?
Mr. Thierer. If it was dealing with the Internet, I might
be a little bit concerned. I don't know. But in this process, I
don't think we need to worry too much about this. But I think,
again, it is better that we evolve it through that process than
through a top-down process.
Senator McCaskill. Than through Government?
Mr. Thierer. Than through an FTC process.
Mr. Brookman. Just one thing to point out, the W3C is a
voluntary coalition of--mostly it is a bunch of companies,
right? And the people in the room are Google and Yahoo! and
Microsoft and Adobe and AT&T. I mean, CDT is a member. EFF is a
member. Stanford is a member. But other than that, it is mostly
just large companies trying to get together to talk through
decisions about how the Internet actually functionally works.
Senator McCaskill. OK. Well, I just want to make sure--and
I have had this discussion with several of the folks that have
been mentioned today. I want to make sure that we are not
shutting down something after the big guys have all gotten the
cows out of the barn, and they have got this, and now it is
going to get shut down so all the little ones that can grow and
become the big ones of tomorrow have less of an opportunity to
access the richness that is online commerce. And that is a
concern.
And I know that all of you share it, and we have got to
keep working at this because this is harder than it looks.
Senator Thune. Mr. Chairman, I would say that on behalf of
a number of colleagues on my side that we would be really
worried if W3C is run by the U.N.
[Laughter.]
Senator McCaskill. I gathered that. We will probably have a
vote tomorrow. And next we will say that they are sending out
drones.
[Laughter.]
The Chairman. I think the point here is that W3C, or
whatever it is, it doesn't really make any difference. It has
no authority whatsoever, absolutely none whatsoever. And I
think that some of you have used it as a takeoff place to talk
about it rather than about the questions that we are really
here to solve, and that is how do you protect the vast number
of people who use the Internet and who use through the browsers
of the Web, and they have no idea what is going on?
I will give you an example. This morning, I was with
somebody. We were talking about this. And he said that is
funny. Just last night, I was trying to--I wanted to find out
about something, and I went on. And I began to get an answer,
but then it referred me to the down below part. And the down
below part was all this tiny print, which we on the Commerce
Committee are so familiar with through health insurance
companies and the cruise lines.
I don't want to compare you to the cruise lines. You really
don't want me to compare you to the cruise lines, I promise.
Because what they do, for example, is if you buy a ticket, you
have to buy the ticket. They have a distinguished record, as
you know. And then after you have bought the ticket, you sort
of peel down the part of the ticket, and you discover that you
just ceded all your rights to bring any class action suits
against the cruise line, this kind of stuff.
There is a similarity in the ignorance of a lot of
consumers, not because they are dumb, but just because they
don't have the time to do all of this. And I think probably a
tremendous percentage of those who go onto the Internet with
the idea of buying or whatever, it is situational. I want to
read about France, and so then they start getting ads about the
cheapest flights to France. That is fine.
Others are behavioral. That gets a little bit more serious
because that covers a much broader area of activity, and what
people write on blogs and all kinds of things. And people
really do get to know you very, very well.
But they don't know, the great majority of the people who
use the Internet, which is just so young--Al Gore did such a
good job--and such a good job that today it is the number one
national security threat to the United States of America
through cybersecurity. And we are all trying to figure out in
20 years, how does something like this happen, or 25 years,
whatever it is.
But the point is they don't know. That is the harm that you
are talking about. You are not talking about harm or creepiness
or your neighbors, whatever. The harm is that people don't know
what they are getting into. They don't know whether or not
because they can't find it. It is in small print.
I think it is all of this is rather easy, Senator
McCaskill, not very hard. I just think it is a question of do
people want to say, as a matter of general principle, that
minus the cybersecurity and fraud and stuff that we have built
in to make sure that there is that there, that they want to be
left alone.
They want to do--they want to transact their business. They
don't want to be followed around. They don't want to be
followed up on, and they have no way of doing that. Plus, no
matter what kind of WC3, or whatever it is, W3C--is that it?
Senator McCaskill. It is W3C.
The Chairman. I don't really care. But no matter what, it
is not enforceable, and you can't enforce it. And you don't
enforce it. So you can talk about ``our Do-Not-Track policy.''
You don't have one that you can enforce. Correct? Correct?
Mr. Mastria. Senator, if I might----
The Chairman. No, I am just asking, am I correct?
Mr. Mastria. No, you are not, Senator.
The Chairman. OK. Well, then you tell me all about that.
Mr. Mastria. Yes, absolutely. Our self-regulatory program
actually tracks very closely to the principles that you lay out
in your own bill, number one. Number two, in terms of
compliance, the counsel of Better Business Bureau has brought
19--to date, 19 compliance cases against both members of DAA
and nonmembers, covering the entire marketplace of
participants.
We think that we do offer a single one-button choice to
consumers who choose not to receive relevant advertising and
have their data either collected or used. That is what the DAA
does.
In terms of making it available and education, we are
completely with you, Senator. And in fact, we are so much with
you that we place our icon--we have removed this piece outside
of the traditional privacy policy, and we put it in prime real
estate on top of every ad creative, a trillion times a month.
And this isn't on small ads and little ads that are buried.
This is at the top of many----
The Chairman. The symbol is.
Mr. Mastria. That is right, the symbol is. And if you click
on the symbol, you get a choice to opt out. It is as simple as
that.
I think we have delivered what basically in principle you
have laid out in your bill. We are certainly open to making
modifications where necessary. I know Justin is working on one
with us right now in terms of narrowing the research
description, and we are happy to continue down that path.
But the reality is that we made an agreement last year at
the White House to include browser-based choices as complements
to our system. We still stand by that deal. We still stand by
that agreement. We ask that everybody else who was in that room
also stand by that deal. We think that is fair.
The Chairman. I see it differently, and my time is running
out. I see that the reason that you don't like Mozilla and
Microsoft, et cetera, is that they have gone--they have made it
even easier for the consumer.
We are about consumers here. We are not about how much
money you make. We are into how much money you make, provided
it doesn't harm consumers or take advantage of consumers or
overload them with stuff they don't want.
It is the right of an American to not want to have--you
know, I buy DVDs because I like DVDs, OK? And so, I expect to
get, about a week after I have gotten a slug of DVDs, a
magazine about more DVDs, and I welcome that. Otherwise, I just
don't get much reaction from it. I like that.
I don't want to be tracked. I don't want to be tracked
contextually. I don't want to be tracked behaviorally. And you
do both. And you make--that is the way you have to make your
money. But how do you make your money? You make your money by
selling ads.
What are we talking about here? We are talking about making
it more difficult for you to sell your ads because consumers
would be able to say, ``I don't want this. I want this turned
off. I just simply don't want it. I don't want to be
philosophical about it. I don't want to get in the details of
it. I just don't want it. I want privacy.''
That is a pretty basic American instinct.
Senator Thune?
Senator Thune. Mr. Chairman, if I might, and I would like
to direct this to Mr. Brookman. You mentioned in your prepared
testimony that you believe these ongoing negotiations on Do-
Not-Track technical standards demonstrate, and I quote, ``a
need for fundamental reform of our Nation's privacy protection
framework.''
However, the approach we are currently discussing, both in
the W3C process and in the Chairman's legislation, contemplates
reforms that focus squarely on the activities of third parties.
Do you think that approach that favors the ability of first
parties to collect consumer data raises additional competition
concerns in the marketplace?
Mr. Brookman. I am not a competition lawyer. I do think
comprehensive law should address first-party data collection.
I think the framework we have seen in some of the bills
that have been introduced are that for first-party data
collection, which is more intuitive, I understand I have a
relationship with Amazon. They collect some stuff about me. I
may be able to opt out from that marketing, but not on a global
basis. I can do it on a one-by-one basis.
Whereas for third parties who I don't have a relationship
with, I think the relationship is different. I think the rules
have to be a little bit more stringent for third parties.
I think from an average consumer's experience, they get
Amazon. They don't get a company like the Rubicon Project
because they just don't know who they are. They are not a bad
company. It is just they don't have a relationship with them.
It is harder for them to track them down and say, ``Sorry,
leave me alone.''
Mr. Mastria. Just, Senator, if I may? So Justin earlier
mentioned that only the folks inside the DAA program would be
affected by the one-button opt-out. Let me just clarify that a
little bit.
The folks inside the DAA program are 90 to 97 percent of
the entire Internet ecosystem. We encompass almost the entire
digital advertising ecosystem. And so, a one-stop button for
that is, in fact, what we provide, and we think that we have
developed a system that both provides the preferred user
experience while giving consumers privacy choices they can act
on.
Earlier today, I had soup at lunch. It was Virginia--West
Virginian ramp soup. I had never heard of it. I immediately
searched for it online. Will I get some advertising related to
West Virginia? I probably will.
If it is more to my liking, perhaps it involves biking, I
might take an action on it twice as much as if I didn't get it.
So that is the color that I want to add to Justin's remarks.
Senator Thune. This one will be for Mr. Thierer. It appears
that privacy and consumer tools are increasingly being used as
competitive differentiators in the online market to earn new
users. It also appears, however, that certain tools described
as consumer empowering can also be used to more firmly
establish market power.
Can you speak to the notion of online privacy being used to
both enhance and even perhaps diminish competition?
Mr. Thierer. Well, on the enhancing competition point, it
was just last night I saw the first Microsoft ad that mentioned
Do-Not-Track by name. And Microsoft has been running a series
of ads, basically trying to counter Google in many ways and
differentiate it from Google based on privacy and security.
That is a healthy form of competition in the marketplace that
we are seeing.
Likewise, Mozilla, what they have been doing is doing the
same thing. You may have heard of a very small start-up search
engine called ``DuckDuckGo'' that competes on privacy and has
been putting up billboards in Silicon Valley about how they
don't collect any information when you search on their site.
I am not sure what their business model is. We will see.
But good luck to them. That is great that we have that sort of
competition. The more of that, the better.
In terms of how it could adversely affect the marketplace,
I am not too worried so as long as the marketplace continues to
evolve dynamically and freely and that we are not locking in
any one standard that others may choose.
If it is the case that what Mozilla has chosen to do with
third-party cookies or Microsoft has chosen to do with setting
the default for Do-Not-Track to on, if consumers flock to it,
so be it. They still have other options, and that is good. If
they don't like it, it could end up that that tips the balance
in favor of Google and Chrome because people just don't want to
be bothered with interstitial pop-ups that basically say you
have got to allow us to track you. You have got to allow us to
set a cookie, whatever else, and they just say, ``Forget this,
I am going somewhere else.''
Mr. Mastria. If I may? We have a letter here from 700 small
publishers that have written to Google--written to Mozilla,
apologies, who basically said that the third-party blocking--
which I am hopeful is, in fact, just a test and not a real
thing--would, in fact, impact their business and their ability
to grow.
Senator Thune. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Thune.
Would Mountain View, California, like to respond to that?
Mr. Anderson. Yes, thank you.
Relative to the third-party cookie blocking proposal, you
know, there is--they sought to create a petition, and you have
700 people sign up that is right on your homepage. There you
go--700, 500, a couple hundred people.
The former Chairman of IAB, we asked him what he thought
about this, and the Online Publishers Association, we asked
them what they thought about the third-party cookie blocking.
And both organizations, they thought that there is a real
problem here, fundamentally, and that is one way to address it.
They didn't have the same concerns. They didn't feel that it
was as disastrous as it has been portended here.
But I think even the discussion of the third-party cookie
piece conflates Do-Not-Track. So it is almost as if we were
saying if there was no proposal for third-party cookie
blocking, just take it off the table because we are just
evaluating it, why aren't we responding to Do-Not-Track now
from the Firefox users who opt in today? Why doesn't that
happen?
Mr. Mastria. If I may? I already answered that. The word
``track'' means nothing inside the Mozilla browser. That is
just the way it is.
And as far as the former chairman of the IAB and the OPA, I
would point out this. That the IAB today does not support the
Mozilla standard and, in fact, the former chairman does not
speak for the IAB. The IAB is the leading trade association for
online publishers. It is a founding member of the DAA.
As far as the OPA goes, we have had a conversation with
their chief executive, and she assures us that, in fact, there
is a problem with the third-party blocking prospect that
Mozilla is talking about.
Senator Heller. Is it my turn?
The Chairman. Yes, I just apologize.
Senator Heller. Thank you, Mr. Chairman. I know this
issue----
The Chairman. You have got a great sense of humor. You know
that? I love that Las Vegas line.
Senator Heller. Do you?
The Chairman. Yes, you were on a roll there.
Senator Heller. Yes, I will keep it going if you want me
to.
The Chairman. No, actually----
[Laughter.]
Senator Heller. Thank you, Mr. Chairman.
I know this issue is important to you, and obviously, it is
important to all of us up here as we are asking these
questions. And clearly, those that are listening to the
testimony are as interested.
And I think you are right. I think you are right. People
don't know. People just don't know. And I think if they knew,
they might care. But we don't know because they don't know.
Mr. Thierer, you talked about some of the members of the
industry advertising, getting billboards out. In fact I noticed
on a Lakers game, I think it was Microsoft came out and said we
are concerned about your privacy, during an NBA playoff game.
So, clearly, industry is understanding, boy, it is time to get
this information out there because more people are becoming
concerned, and I think they have a right to be concerned about
the amount of information that is being collected.
So I think I would like to ask about what information is
collected today and by whom. And to Mr. Mastria, I would like
to direct some of my questions toward you.
Is it a correct statement that third-party advertising
companies who are regulated by Network Advertising Initiative
do not intentionally collect information used or intended to be
used to identify a particular individual, including name,
address, telephone number, e-mail address, financial account,
or Government-issued identifiers?
Mr. Mastria. So the NAI is a founding member of the DAA. I
can't speak for them directly, but it is my understanding that
is correct.
Senator Heller. Are there online advertising companies that
do collect and use such information about their users?
Mr. Mastria. Not that I am aware of for behavioral
advertising or interest-based advertising.
Senator Heller. OK. Mr. Brookman?
Mr. Brookman. May I just interrupt? First of all, I think
the NAI code does not actually prevent the use of PII in that
way. It allows for--it requires opt-in consent for a
retrospective pending PII, but it allow, I think, for using PII
and in collecting behavioral data going forward.
The Wall Street Journal reported end of last year about a
company called Dataium that would track you by e-mail address.
And then I can't remember exactly how it went, but if you were
online looking at cars, they could e-mail back to the car
dealerships you had previously gone to and said, ``Hey, Justin
is in the market for that BMW again. Do you want to give him a
call?''
So, I mean, there has been reporting. And I believe the
code allows for tracking by real name online.
Senator Heller. Let me follow up.
Mr. Mastria. Senator, if I may?
Senator Heller. Go ahead.
Mr. Mastria. Just to clarify, so you asked about the NAI,
but the DAA code actually does prohibit what you described.
Senator Heller. Just to follow up, would you agree that my
name, what I bought, my address, and other very identifiable
pieces of information are collected elsewhere on the Internet,
mostly by first-party and not by most third-party advertising
companies?
Mr. Mastria. Typically, yes.
Senator Heller. Mr. Brookman?
Mr. Brookman. Yes, absolutely. They are the ones who have a
relationship, and they are the ones that you tell. So, yes.
Senator Heller. Any other comments?
[No response.]
Senator Heller. Mr. Chairman, thank you.
The Chairman. Thank you, Senator Heller.
Mr. Anderson, Mozilla did announce that the newest version
of your popular Web browser Firefox would automatically block
most third-party cookies. The move was hailed by many as a
necessary step to protect consumer privacy, particularly in
light of the continued stalemate at W3C.
Will you just tell us why you decided to provide Firefox
users with this protection?
Mr. Anderson. Thank you for the question.
First, the current third-party cookie proposal is under
evaluation. The behavior that would block third-party cookies
when a user goes to a site, unless they interact with them, and
which also grandfathers in existing cookies, which means we are
using that as a proxy for a prior relationship, is under
evaluation right now.
It is in what is called an Aurora build. So about 200,000
users have it, and so we are testing it to see if it works and
at what it breaks. The next step is that it would move into
what is called a Beta build. So there will be several million
users that we would test it on to see if it--how it responds.
But the genesis came from a contributor. So Mozilla is an
open source project. Contributors propose patches and changes
to the Firefox behavior. So this came from a contributor, a
volunteer, earlier this year.
From a technical perspective, it seemed to make sense. It
had a--it was a promising idea. And the goal, as I understand
and as I think about it, is that it creates a Web that reflects
a user's expectations.
Users don't expect that when they go to a site hundreds of
cookies are placed on them. They just don't expect that. We may
find that it is the right way to go. We may find that it is not
the right way to go. I am not sure yet.
And so, we are still gathering information. That is why we
have been spending a bunch of time talking to folks in the ad
and publishing business to understand how it will actually
affect them.
The Chairman. Mr. Mastria, the industry that you represent
was obviously not happy about that development. One
representative called it a ``nuclear first strike.'' I have
heard rumblings that this is the beginning of--this is the
phrase that you all use--technological war between your member
companies and browser developers like Mozilla.
Will your companies thwart Mozilla's privacy initiative by
using other more invasive technologies to collect information
on consumers? Second, if companies like Mozilla respond and
develop other privacy tools--this is sort of like cyber war--
will your companies attempt to get around these tools?
In other words, will your member companies do everything
they can at all costs to subvert default privacy protections on
Web browsers?
Mr. Mastria. Senator, so our members provide transparency
and choice as a way to create trust for interest-based
advertising. That is what we do. Interest-based advertising is
one of the uses that emanates from the use of third-party
cookies. There are hundreds of other uses.
There are third-party cookies on and third-party
technologies on----
The Chairman. Are you going to answer my question?
Mr. Mastria. Yes. No, our commitment is to provide
transparency and choice to consumers, regardless of technology,
whether it is cookie based or any other technology that might
come along. It is technology neutral.
The Chairman. So let me ask again. You will--you will----
Mr. Mastria. We will continue to provide transparency and
choice----
The Chairman.--to rise above whatever technology he may
bring at you. And if he goes up, then you will go up, too.
Mr. Mastria. I don't know what he is bringing. He is saying
that----
The Chairman. Neither does he.
Mr. Mastria. Yes. So, I mean, you are asking me to
speculate. The reality is----
The Chairman. You are going to win this, right?
Mr. Mastria. I am sorry. What?
The Chairman. You are going to win this. You are going to
prevail.
Mr. Mastria. We think that transparency and choice, as has
been discussed here, is, in fact, the appropriate solution to
educate consumers about what is going on online with data. The
reality is that third-party cookies are used, as I said, for a
whole host of reasons--data protection, security, shopping
carts, widgets, et cetera, et cetera. I can go down the line.
The fact that there are many, few, is no indication of
anything other than a Website using multiple--multiple third-
party services to deliver its content. There are no necessarily
nefarious purposes assigned to the cookies simply because they
are there. And that is an unfortunate----
The Chairman. Thank you.
I want to ask Mr. Brookman a question. My time is about to
run out.
One of the things that really disturbs me in privacy, or
the lack of it, is the way that data brokers can go in and buy
all your health records, your financial records--they can get
it one way or another--academic record. I mean, all kinds of
things, what is of you they can have. And then from that,
they--other people make a lot of money out of trying to send
them stuff.
Why is it that I find that--and I know lots of people can
do that. But we are talking about a very, very large industry
here which can decide to do that and which is doing that. Why
is that so repulsive to me?
Mr. Brookman. I will speculate----
[Laughter.]
Mr. Brookman.--that it is deemed on sensitive personal
information by companies with which you have never heard of and
have no relationship and no idea and no control over. Because
if you wanted to right now go find out which data brokers are
selling data about you, you could assign five interns for it,
and you won't be able to do it.
One thing the FTC has actually done--has planned to do, and
I think it is a really good idea, is that they are going to try
to host a potential repository. So any data broker entity would
have to register on the FTC site, and then you can go through
and find out what companies are selling about you.
Again, it is going to be voluntary because we don't have
privacy law in this country. The rest of the free world has
privacy law. The United States and Turkey do not.
I think there should be obligations for companies to tell
you what they have about you. And if it is wrong and it can be
used for important purposes, I think you should have a right to
access and correct it.
The Chairman. So legislation--I keep getting these little
notes. They are not helping me as much as the writers of the
notes are. So that is what legislation would do?
Mr. Brookman. Yes. That is one piece of what legislation
would do, which is why we spent so much time focusing on
behavioral advertising. I mean, there are worse things out
there, and it does fly under the radar.
I mean, data brokers have been around for----
The Chairman. That is the magic, isn't it? Nobody knows it
is out there.
Mr. Brookman. Yes. Yes, there is just no way to find out.
The Chairman. Senator Richard Blumenthal is a distinguished
new member of our committee and was, for 28 years, attorney
general in Connecticut and has a knack of getting to the point.
Senator Blumenthal?
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. I am a member of this committee. Thank
you, Mr. Chairman.
I don't know about distinguished, but I am a member of this
committee who has proudly co-sponsored the bill that you have
introduced to establish standards for implementation of the Do-
Not-Track mechanism, very simply a mechanism that consumers can
trust. And I am disappointed that the self-regulatory
agreements that were committed to be done 5 months ago are
overdue, and I would like to ask Mr. Mastria how long Congress
should wait before moving on this legislation?
We have waited for voluntary agreements. How much longer
should we wait?
Mr. Mastria. Senator, we are willing to move today. In
fact, we are still engaged in the W3C process to move forward.
There have been some actions of two browser companies in
particular, which have frustrated those efforts, but we
continue to abide by the White House agreement that we made in
February 2012.
I would also want to go back and touch on the point that
the chairman made when he asked about will the advertising
industry win? Senator, really, the consumers will win, I think,
at the end of the day, because we would give them their
preferred user experience--free, ad-supported content with
relevant advertising.
And I would submit that they would win partly because the
program that we have in place matches very closely to the
program that you and Senator Blumenthal are co-sponsoring.
Senator Blumenthal. Let me bring you back to my question,
if I may, Mr. Mastria?
Mr. Mastria. Sure.
Senator Blumenthal. And I realize that in good faith, maybe
you can't answer it. But I am asking you, whatever the reason
why the commitment hasn't been met, really can we wait much
longer? Isn't it appropriate for Congress to act now, given
that, again, for whatever reason the voluntary agreements don't
seem to be forthcoming?
Mr. Mastria. I think that--I think that we are hopeful that
an agreement can be reached.
Senator Blumenthal. How soon?
Mr. Mastria. I don't think that I could tell you.
Senator Blumenthal. You don't know.
Mr. Mastria. I don't know an exact time.
Senator Blumenthal. That is a fair answer. That is a fair
answer.
Mr. Mastria. But I would also say, I would color that
answer with this does take a little bit of time, and the
reality is that we are working at it and that legislative or
technological fiats are not necessarily what the Internet
needs. It is still growing. It is still evolving.
And we think that a nimble self-regulatory approach, much
like ours, which is about to provide guidance in mobile and the
app environment, is exactly the kind of thing that helps foster
consumer trust while protecting privacy.
Senator Blumenthal. And I would find that answer
satisfactory. And I am not challenging the good faith in
providing that answer, except we are living in a revolutionary
world. We are in the midst of a revolution.
We are debating right now on the floor of the United States
Senate the Marketplace Fairness Act, which takes as a given
that we have $150 billion in Internet sales, a number that
would have been unimaginable maybe just a year ago. And we all
have friends. Some have more friends than others. Many of our
friends don't know as much about us as the people who do
business on the Internet, about our tastes in music or design
or fashion or whatever.
And so, I think consumers have a right to ask whether we
can trust the commitments, the commitment that was made months
ago as part of the President's program, of whether we can trust
that commitment when no one seems to know when the voluntary
standards will be completed.
Mr. Mastria. We can commit to you that we are continuing to
work on it. To put a specific date on it would not be fair. But
I can commit to you that we are working on it.
Senator Blumenthal. Is there something that either Congress
or the FTC can provide to you that would make those voluntary
standards or agreements easier to reach?
Mr. Mastria. Yes, well, as I said in my testimony and I
think I repeated a number of times, the reality is that there
are two browsers that are contravening that agreement right
now. So as soon as we can get some agreement around that, then
we can move forward much more quickly. But the reality is that
we are at the table and willing to move forward.
Senator Blumenthal. And really the only thing that can
force compliance is a law, at the end of the day. Isn't that
what you are telling this committee?
Mr. Mastria. No.
Senator Blumenthal. Well, if those browsers are refusing to
abide by voluntary standards or refusing to be part of an
agreement, isn't a law necessary? Isn't that sort of the
classic----
Mr. Mastria. No, we have an agreement, Senator. I mean, we
just want them to live up to it. That is it. It is as simple as
that.
Senator Blumenthal. Well, when voluntary agreements fail to
provide for compliance, it seems to me that is the classic
instance, assuming that the public interest is involved, where
a law is appropriate.
Mr. Mastria. I would submit, Senator, our program today
delivers the very mechanisms that you and Chairman Rockefeller
have proposed in your bill.
Senator Blumenthal. OK.
The Chairman. Senator Blumenthal, I would just interrupt to
say that what he is talking about, his standards are totally
unenforceable, and he knows it.
Senator Blumenthal. Thank you.
Well, Chairman Rockefeller, I think, has made the point
more succinctly and clearly than I could. But I think that,
unfortunately, is the thrust of what I am hearing at this
committee hearing.
Thank you very much, Mr. Chairman.
The Chairman. You just arrived recently. Do you want to ask
another question?
Senator Blumenthal. I am done. Thank you.
The Chairman. You are done.
Senator Blumenthal. Yes.
The Chairman. Just done. OK. I am going to close this by
going back to what I think, Mr. Anderson, you started with. And
that is that in the long run, most things that work in America
of a commercial nature or which intersect with people's lives
in a personal way--both personal and commercial, therefore--are
where things are trusted.
And that the future of the Internet and its various
transactions, as it weaves in and out of what it gets to know
behaviorally or conceptually about individuals and then uses
that so people can go make money off of it, that the American
people are smart, and the statistics of the number of people
who use the Internet are staggering. The 12 to 17 group is the
highest percentage of users, but it is all staggering. It is
all 85, 90 percent stuff.
So that all those people who are not aware of the practices
of some because it is under the radar are gradually going to
become aware that this is a process. The Internet is very new.
As I said before, I am stunned by the fact that, you know, this
basically--the Internet went usable generally, what, in the mid
1990s, about then? And since then it has done nothing but grow
exponentially.
Then you get Facebook, which actually is interesting
because Facebook is all closed off. Nobody can penetrate them.
It is rather good, I think. You come up with some ideas.
Microsoft comes up with some ideas, actually different from my
bill. I am just thinking maybe they are better than my bill.
Because I think that--well, I don't commit myself to
anything on that, but it seems to me the more we do to make the
consumer's life easier, his right to privacy or her right to
privacy easier, whether you opt out, opt in, whether you do it
by default, which is what you do, which sort of makes them,
allows them to come back and say, ``No, no, I want to be able
to do this.'' But it protects them from the beginning.
And as they want not to be protected, they can make those
adjustments. That ultimately is the kind of thing which builds
the trust, or things of that nature within some radius of what
you are talking about are what ultimately build the trust in
this country toward the Internet that it is going to need.
Popular as it might be, it is stunning how much harm in
real terms through blogging, through bullying, through stuff
that leads to suicides and all that. It is commonly talked
about now. It was not even a subject, obviously, 10 years ago
when I went around West Virginia. It is commonly talked about.
I have lots of roundtable and town meetings on that.
So the American people are smart. They are going to figure
this out. And as they figure it out, they better like what they
see if the Internet wants to prosper.
And with that, the hearing is adjourned.
[Whereupon, at 4:19 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Harvey Anderson
Question 1. Do you believe that the DAA's self-regulatory program
and choice mechanism, in their current form, are sufficient for
consumers? Why or why not?
Answer. No, we do not believe the DAA's program in its current form
is sufficient for consumers. As we outlined in our written testimony,
the efficacy of the Digital Advertising Alliance (DAA) Ad Choices
program remains an open question. Last year, according to one study,
the number of users who viewed the icon was low: 0.0035 percent of
users clicked on the icon, and only 1 in 20 of those actually opted
out. The DAA itself reported that more than a trillion ads per month
include the Ad Choices icon--a blue triangular icon that when clicked,
takes consumers to a page where they can learn about the ad, and opt
out of receiving it. Only five million users have accessed the choice
tool, and reportedly a total of two million of those have opted out of
all interest-based advertising since the program began. Over a three-
month period this equates to an effective rate less than .0000006
percent.
This low opt-out rate seems inconsistent with the 11 percent of
Firefox users who have turned on Do Not Track without prompting or any
conspicuous visual clues in the Firefox user interface (see https://
dnt-dashboard.mozilla.org/). The argument that the current low
participation rate means that consumers are ``OK'' with the current
tracking and collection practices is contradicted by the ample survey
research indicating otherwise.
The user experience for the opt-out and the user education could be
substantially improved. The icon could be more visible, contain less
text, and require fewer clicks--it could be more user-friendly. Still,
even though we believe improvement is warranted, we recognize that the
DAA scheme represents significant effort, coordination, and investment
that overtime can improve through iteration and feedback.
Question 2. Can the DAA's existing self-regulatory scheme be
narrowed or changed in some way as to place reasonable, meaningful
limits on the collection of consumer's information? How?
Answer. Mozilla only has access to the information that is publicly
available concerning the DAA's program and, beyond our comments above,
we do not have sufficient information to provide a detailed response to
this question.
______
Response to Written Questions Submitted by Hon. Barbara Boxer to
Harvey Anderson
Question 1. How do Firefox users find out about the Do Not Track
feature?
Answer. Currently, we believe most Firefox users find out about the
Do Not Track feature by exploring the Firefox preferences. Users may
also learn about the feature through popular media, which has widely
covered development of the feature, and from consumer advocacy groups.
We have also provided users with some information about Do Not Track
through our own blogs, marketing materials and support pages.
To enable Do Not Track in Firefox, a user must first select
``Preferences'' in the menu options, and then select the ``Privacy''
menu shown below to enable Do Not Track.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
We do not promote the feature in the product or provide the user
with visual prompts in the main user interface. This is primarily
because Do Not Track is still under development and we need widespread
industry adoption of the system and the signals for it to provide
meaningful choice and control to users.
Question 2. To what do you attribute the growth in the number of
Firefox users who have turned enabled Do Not Track?
Answer. We attribute the growth in the number of Firefox users who
have enabled Do Not Track to a broad user sentiment that they want more
control in their digital transactions. There are very few easy options
available, and users perceive they are tracked across their web
browsing activities and don't understand how/whether they receive
benefits or direct value from this tracking. Those users who don't want
this to occur or don't understand what's happening with their data set
their browsers to tell sites ``not to track'' them. We expect that
adoption will stabilize over time and we don't necessarily believe the
growth rates will organically continue if adoption remains consistent
with historical patterns. We also believe that the adoption rate may be
affected by how well industry recipients respect Do Not Track signals.
Question 3. Why did Mozilla make the decision to block third-party
cookies by default?
Answer. We continue to evaluate the ``third party cookie patch''
that is currently available in the Aurora build (a special testing
build used by a small number of users) for Firefox. This patch would
create a default setting that blocks third party cookies. Our primary
motivation for considering the patch is to make enhancements to cookie
policies that will help to create the Web experience users expect. The
current feature set matches Apple Safari's third party cookie policy.
We are still gathering feedback on the current proposal and iterating
on other ideas and potential modifications. The new default cookie
policy will remain in our test builds of Firefox until evaluation and
development is complete.
Question 4. How do the expectations of Firefox users differ with
respect to first-party and third-party cookies?
Answer. We believe that Firefox users are more likely to expect
tracking and collection from parties with whom they have intentionally
engaged. This is because users have a better understanding of the value
proposition and the benefits to them. This is often called a first-
party. For example, when you log into Amazon, users expect the service
to remember your name, past history, and to offer experiences based on
information they have collected about you through your interactions
with the service. Conversely, users don't generally expect that parties
with whom they do not have a relationship to collect or track
information about them. The converse is also not necessarily true, all
first parties are not necessarily ``good'' and all third parties are
not necessarily ``bad'' or surprising to users. For example, some
websites engage third parties by contract restricting their collection
and tracking practices, others use third parties for analytics in ways
that would be perfectly acceptable to users, and even other third
parties operate and comply with the laws of the relevant jurisdictions
with strict regulatory prohibitions on profiling without user consent.
Question 5. How does blocking third-party cookies change a user's
browsing experience?
Answer. Through our testing we continue to learn more about what
happens when third party cookies are blocked, but we our review process
is still ongoing. For the most part, blocking third party cookies will
have little overall impact to a user's browsing experience. Users will
still be able to consume content from those websites that have enabled
third party cookies even though those cookies cannot be read--ads will
continue to be displayed, but the user may not be shown targeted ads
based on cookie data. It's also possible that a site may prevent a user
from accessing some content or services without enabling the use of
third party cookies for that site. It is worth pointing out that in
mobile web browsing, fewer sites and apps rely on third party cookies,
so disabling third party cookies by a mobile OS provider has even less
impact on a user's browsing experience.
Question 6. How have users, advertisers, and other stakeholders
responded to Mozilla's announcement regarding its new third-party
cookie policy?
Answer. The response to the proposal has differed widely depending
on the respondent's role in the digital ecosystem. Users have largely
been silent (maybe because the change and impact is not well understood
outside of the ecosystem), yet comments posted to various social sites
and media outlets demonstrate strong support coming from some segments
of our user base. Publishers have expressed concerns about frequency
capping and conversion management, functionality offered by cookies. Ad
tech entities that don't have a direct relationship with the user or
who provide re-targeting services have articulated concern that this
may directly impact their current businesses. Some stakeholders in the
ad tech industry have expressed concern that the proposed change gives
first parties an unfair advantage that may make their inventory more
valuable over time. The brands have not articulated specific concerns,
but generally tell us they don't want to be associated with non-
transparent practices and are concerned about the extent to which third
parties are tracking users outside their stated privacy policies.
Consumer groups have been very supportive of the proposed change
because it increases transparency and user control, reduces emergence
of data inequalities, and the sale of secondary purposes outside of the
user's control and benefit.
There also seems to be a general sentiment among stakeholders that
the current practices of using cookies for collection and tracking are
not long lived and new technological approaches are on the horizon.
Thus, while stakeholders we've met with know change is inevitable with
regard to cookies, there is inherent resistance until a better
alternative is available.
Question 7. Do you anticipate other browser companies following
suit in blocking third-party cookies by default?
Answer. Apple's Safari browser already has implemented a third
party cookie policy that blocks most third party cookies by default,
including on its iOS platform devices like iPhones and iPads. We are
unable to predict what Google and Microsoft will do relative to third
party cookies.
Question 8. How prevalent is the use of digital fingerprinting and
other non-cookie tracking among websites encountered by Firefox users?
Answer. We know various forms of digital fingerprinting are in
practice today, however, we do not have sufficient information to
quantify the extent of the current practices.
Question 9. What does Mozilla do to address the use of these
alternative tracking methods?
Answer. Our primary proposal to address all forms of tracking has
been our work on Do Not Track. We still believe a simple, user-enabled
Do Not Track signal is the best method for providing users and sites a
simple, persistent, automated and effective signal to opt-out of
tracking regardless of whether a site or app is using cookies, unique
IDs, fingerprinting or other tracking methods. We also are continuing
to work to minimize the Firefox user agent string fingerprint where
possible.
Question 10. What role do alternative tracking methods play in the
ongoing World Wide Web Consortium discussions regarding a Do Not Track
standard?
Answer. To date, the scope of the W3C discussions have been focused
on a Do Not Track signal that would be technology-agnostic on the form
of tracking method being deployed by a third party. Barring some change
in the coming weeks, the W3C specification would apply to any type of
third party tracking.
______
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to
Harvey Anderson
Question 1. A 2010 Wall Street Journal series on online privacy
illustrated the extent to which individuals are being tracked and how
the invasive practice can cause real harm. A recent high-school
graduate, who had been identified by advertisers as concerned about her
weight, told the paper she sees weight-loss ads every time she goes on
the Internet. She said, ``I'm self-conscious about my weight. I try not
to think about it . . . then [the ads] make me start thinking about
it.'' Do you believe this qualifies as a real harm?
Answer. We cannot judge how the ad placements may have impacted the
individual interviewed in the WSJ series. Traditionally, legal harm
that results in remedies and legislative action requires a cognizable
and quantifiable loss or injury. The WSJ series demonstrates the real
need for education, transparency and greater trust in advertising data
practices.
Question 2. Many believe the lack of transparency--particularly
with regard to 3rd party cookies--and an individual's inability to know
what personal information is actually being collected can cause real
harm because consumers don't have the ability to understand how to
protect themselves from invasive tracking. Do you agree that this is a
harm?
Answer. Harms in this case are difficult to quantify in a
traditional sense because the real harm is a lost opportunity to
accelerate commerce and more meaningful digital transactions. As stated
in our written testimony before this Committee, we believe that more
education, greater transparency and direct control around these
advertising practices creates trust and demonstrates value to the user
which would ultimately create a better, stronger ecosystem:
``If users do not understand what happens to their data, how it
is used, or the trade-offs, they will inevitably seek more
protective blocking options. Conversely, we may see the
adoption of more invasive and even less transparent tracking
methods. The impact is that efforts to protect the status quo
further erode people's trust in the ecosystem, thereby
compromising future expansion of commerce and innovative growth
of this ecosystem. Personalized content is good, however, the
collective challenge we face is how to deliver that content
transparently.
The future of a viable, innovative Web that continues to
contribute jobs and drive social, educational and economic
activity depends on consumer trust. To develop this trust,
transparency, choice and control are essential. Real
transparency of business and data sharing practices combined
with meaningful user choice will engender the confidence users
expect.''
Question 3. Do you believe that consumers have a basic right to
privacy online?
Answer. Certainly some states like California, and many countries
around the world, have provided constitutional protections for privacy.
To the extent these rights extend to digital environments, we act
consistently with the applicable law. We also believe users have a
right to make choices--that don't punish them--about their information,
habits, relationships, interests, activities, and preferences. This
value is reflected in our product design in ways that users efficiently
and easily navigate the web.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Harvey Anderson
Question. It now appears that Mozilla, Apple, and Microsoft are
competing on consumer privacy. Both the FTC and White House reports on
privacy released last year mention the possibility of privacy
practices, including online tracking options, becoming a consideration
for consumers deciding between devices and services. Have you seen data
suggesting consumers already chose services, particularly online, based
on privacy practices? Is this impacting the competition between
browsers and services?
Answer. Privacy practices by the major browser providers are
emerging as a major factor but do not appear to be the driving factor
in product selection. In most markets, privacy is important as a
feature area for browsers, but our research indicates that it still
ranks behind other factors like performance, stability and security.
Part of the challenge for browsers is that privacy is not a mature
area of feature development. Most of the privacy tools and settings
available in browsers are still in early phases of development and
generally are not used by the mainstream user. If more browser
technology existed that was privacy forward, intuitive, and added value
to a user's online experience, more users would seek it out and avail
themselves of it.
______
Response to Written Question Submitted by Hon. Brian Schatz to
Harvey Anderson
Question. I agree with the point that you made in your testimony
that it is important to protect the trust of consumers. I am concerned
that, right now, consumers lack even the most basic tools to
understand, let alone trust, the information collecting activities of
advertisers on the websites they visit. When a consumer is browsing on
the internet, is there any way for that consumer to know on any given
website (1) who is collecting information about that person, (2) for
what purpose that data is being used, and (3) who else might have
access to that data?
Answer. For over a decade, the primary basis for consumers to learn
about any given site's data handling practices has been its posted
privacy policy. Numerous studies have been done over the years showing
that the vast majority of top commercial websites have privacy policies
(see TRUSTe Privacy Index 2011; http://
tctechcrunch2011.files.wordpress.com/2011/11/truste-privacy-index-2011-
websites
.pdf). Some state governments, such as California, have legislated that
websites are required to post a policy that covers the three points you
outlined in your question. The Federal Trade Commission has also
brought a number of deceptive/unfair practice actions against sites
that have wavered from stated data practices.
While there is research showing that consumers don't regularly read
or make sense of these policies, privacy policies are noteworthy sign
posts used to provide information about sites' data practices (see
``The Cost of Reading Privacy Policies,'' A. McDonald & L. Faith
Cranor, I/S: A Journal Of Law And Policy For The Information Society,
2012; http://moritzlaw.osu.edu/students/groups/is/files/2012/02/
Cranor_Formatted_Final.pdf).
As it relates to third party tracking, the current paradigm of
relying on posted privacy policies creates challenges as it becomes
more difficult to describe in detail within these policies how consumer
websites employ third party services, widgets and advertising.
Moreover, because of the need for more transparency about the current
practices in the digital ad tech sector, consumer expectations of what
is occurring on these websites are not being matched.
One of our stated objectives in developing a Do Not Track
specification is to help evolve the notice and choice model to one
where a user states his/her preference and the website is able to
communicate back its relevant tracking practices all without the
consumer needing to read the privacy policy.
______
Response to Written Question Submitted by Hon. Ron Johnson to
Harvey Anderson
Question. What are the harms that are actually occurring to
consumers through anonymous cookie-based ``tracking?'' As indicated in
Mr. Mastria's testimony, the primary privacy concerns for most
consumers online have to do with identity theft, viruses and malware,
and government surveillance. So, what harms are occurring that the FTC
doesn't currently already have the authority to address?
Answer. The question of harms associated with online tracking is a
complicated one to answer, as we stated above in our responses to
Senator Lautenberg. We need to look beyond legal distinctions or
classes of harms to look at the erosion of trust in the ecosystem
resulting from non-transparent tracking of consumers online. Mr.
Mastria's testimony points to some of the privacy concerns of consumers
today. However, we know consumers care about intrusions into their
private lives, not just from hackers or governmental entities, but also
from commercial entities.
To consumers, many types of personal information can be important
to them, including elements that are uniquely identifiable or not,
including de-identified data, that might be characterized as
``anonymous'' meaning not including a person's name or SSN, for
example.
Meaningful distinctions between personally identifiable information
(PII) and non-PII are breaking down.
To a certain extent, much of the data collected from or about a
consumer online could be reasonably considered ``personal'' by that
person. In the context of cookies, calling data associated with a
cookie ``anonymous'' because it doesn't include a person's name, home
address or other PII doesn't mean that there aren't privacy
considerations. Whether data is uniquely identifiable or becomes
subsequently identifiable in combination with other data, or whether
future, novel uses of that data create new contexts with privacy
properties, people can have legitimate interests in wanting to
understand and have a say in a company's data handling practices. For
example, a database generated by a third party company in the ad
ecosystem that is able to associate a consumer's online browsing
history down to a specific product, interest or purchasing intent and
then for that data to cross multiple companies' systems to use that
data across the web to personalize display ads, content or
recommendations can feel personal to that user despite not including
any PII.
On a technical level, there are many, real world examples of so-
called anonymous data being later re-identified. In 2006, AOL released
a large data set for research purposes of 650,000 users' search queries
that it anonymized before posting online. Using a phone book listing,
The New York Times was able to identify individuals from the data.
Since then, a number of researchers have demonstrated that by combining
datasets from public sources with anonymized datasets, it is possible
to re-identify actual individuals sometimes to dramatic effect in some
cases where the once-anonymized dataset includes financial or health
related data.
We shouldn't accept comments made by those trying to minimize
concerns associated with anonymized datasets about users' online
activities, purchases, communications and relationships because the
business interest is only to personalize a display advertisement today.
We have to think more broadly about the future of this data once its
collected, whether it might be compromised by a hacker, resold to other
businesses whose practices may not always be in the consumer's interest
(e.g., employment decisions) or swept up in a government subpoena. We
believe all players in the industry need to recognize the long-term
ramifications and implications of any data being collected online and
establish best practices and technical measures to provide users
greater transparency, choice and control.
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Luigi Mastria
Question 1. Much of the hearing focused on the DAA's promises at
the February 2012 White House event to honor Do-Not-Track browser-based
header signals. In your testimony, you stated that the DAA committed to
honor a Do-Not-Track header ``where a consumer (1) has been provided
language that describes to consumers the effect of exercising such
choice including that some data may still be collected and (2) has
affirmatively chosen to exercise a uniform choice with the browser
based tool. The DAA standard will not apply in instances where (1) and
(2) do not occur or where any entity or software or technology provider
other than the user exercises such a choice.'' Some browsers, such as
Google's Chrome, appear to currently meet these requirements, yet few
DAA members honor such Do-Not-Track signals. Why do your members not
currently honor Do-Not-Track header signals that meet the very
standards you outlined in your testimony?
Answer. The DAA administers a comprehensive program of industry
self-regulation for the collection and use of web viewing data that
provides enhanced consumer transparency and control. The DAA's
Principles call on companies to provide consumers with choice with
respect to the collection and use of web viewing data. To help
companies implement the Principle of Consumer Control, the DAA
developed, implemented, and maintains a consumer choice page through
which consumers can set their preferences. Since the program's launch,
eight million users visited this choice page with more than two million
exercising their choice. This tool provides meaningful and effective
choice in the marketplace.
The DAA seeks to develop universal standards that deliver a
consistent user experience. For instance, DAA developed principles for
transparency that enumerates the elements of notice and the means by
which such notice is provided. Specifically, DAA calls on companies to
provide transparency outside the privacy policy via the DAA Icon. With
each icon served--at a rate of more than one trillion ad impressions
per month across the Internet--consumers can link to notice concerning
a company's data practices and access a choice mechanism. This approach
provides a consistent user experience for consumers; i.e., when a
consumer clicks on the Icon, the consumer can expect a certain result-
notice of data practices and access to a choice tool.
The DAA seeks similar consistency for consumers with respect to
browser-based choice mechanisms.
In February 2012, the DAA announced an agreement to honor the DAA
Principles through a browser signal when consumers both (1) receive
meaningful information about the effect of that choice, and (2)
affirmatively makes that choice themselves. The DAA standard will not
apply in instances where (1) and (2) do not occur or where any entity
or software or technology provider other than the user exercises such a
choice.
Unfortunately, this agreement has been short-circuited due to
contrary approaches taken by Microsoft and Mozilla. Microsoft
subsequently released its new version of IE 10 with ``do not track''
turned ``on'' as a default setting, in direct conflict with the
agreement they helped develop with the White House.
Mozilla has implemented what it refers to as a ``do not track''
tool in the current Firefox release also without following the White
House agreement, for example by not describing for consumer the impact
of their choice and creating inaccurate consumer expectations.
Mozilla's interface permits users to check a box to ``Tell websites I
do not want to be tracked.'' Nothing more is provided to users; for
example, consumers are not told that, by exercising such choice some
data may still be collected. This implementation conflicts with the
workable standard developed through industry consensus in 2012 and does
not provide consumers with clear information about the effect of their
choices.
Until there is a universal meaning and implementation consistent
with the Agreement at the White House across all browsers, DAA will
continue to call for companies to provide choice via DAA's effective
choice tools and not require companies to adhere to tools that promote
confusion for consumers and do not meet the DAA's consensus standard
for consumer control.
Question 2. I am very concerned that in the absence of a
comprehensive Do-Not-Track agreement, your member companies will
respond to default consumer privacy measures recently considered by
Mozilla, the nonprofit organization behind the popular Web browser
Firefox, and other browser developers. I worry that such a game of one-
upmanship could have a detrimental impact on how consumers experience
the Internet. Will your members thwart default settings that block
third-party cookies by using other, more invasive technologies--such as
browser fingerprinting--to collect information from consumers?
Answer. The DAA's Principles and Program are technology neutral.
The DAA's Principles consist of seven principles: education,
transparency, consumer control, data security, controls with respect to
material changes to policies and practices, heightened safeguards for
sensitive data, and accountability. The principles set standards
designed to provide a consistent user experience. The DAA does not
mandate the use of specific technologies by companies in satisfying
these Principles or in delivering their services, but instead calls for
companies to provide transparency and control with respect to their
practices.
Question 3. If browser companies like Mozilla respond and develop
other privacy tools for consumers that actively prevent the collection
of information, will your members attempt to get around those tools and
subvert default privacy protections on Web browsers?
Answer. It is my understanding that Mozilla has chosen to delay its
plans to block third-party cookies to reassess the impact blacking
would have on the Internet ecosystem. Cookie blocking does not advance
consumer choice and would have a significant adverse effect on users'
Internet experience.
Cookies set by third parties play a vital role in the Internet
ecosystem by facilitating consumer access to content and services.
Blocking of third-party cookies would disrupt consumers' online
experience on the websites they use by reducing content personalization
and the relevancy of advertising they receive--and these moves could
even impact shopping cart and other similar third-party operational
functionality. This change would harm all Internet content and services
that use third party technologies to understand and protect their
audiences. In particular, it would disproportionately harm the numerous
small publishers that are often completely reliant on these
technologies to operate and monetize their sites, thereby thwarting new
job creation and chilling innovation.
The DAA will monitor changes in the marketplace and evaluate the
impact of this type of unilateral decision on the Internet and
advertising ecosystem. The online advertising industry is a beacon for
innovation and job creation. In 2012, Internet advertising revenues
reached a new high of $36.6 billion, an impressive 15 percent higher
than 2011's full-year number.\1\ Because of this advertising support,
small and medium-size publishers can provide consumers with access to a
wealth of online resources at low or no cost. This model delights
consumers and creates jobs across America, fostering a competitive
marketplace that drives down prices for consumers and costs for
businesses. A 2009 study found that more than three million Americans
in every U.S. state are employed due to the advertising-supported
Internet, contributing an estimated $300 billion, or approximately 2
percent, to our country's GDP.\2\ There is employment generated by this
Internet activity in every single congressional district in every state
across the United States.\3\
---------------------------------------------------------------------------
\1\ Interactive Advertising Bureau Press Release, ``Internet Ad
Revenues Again Hit Record-Breaking Double-Digit Annual Growth, Reaching
Nearly $37 Billion, a 15 percent Increase Over 2011's Landmark
Numbers'' (April 16, 2013) (reporting results of PricewaterhouseCoopers
study).
\2\ Hamilton Consultants, Inc. with Professors John Deighton and
John Quelch, Economic Value of the Advertising-Supported Internet
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
\3\ Id. at 53.
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Barbara Boxer to
Luigi Mastri
Question 1. The Digital Advertising Alliance (DAA) created the
AdChoices icon to provide users notice and an opportunity to opt out of
behavioral advertisements. In his written testimony, Mr. Anderson cited
a study from Carnegie Mellon University that found that 0.0035 percent
of users clicked on the AdChoices icon when presented with it and only
1 in 20 of these users proceeded to opt out. Would you say that the
implementation of the AdChoices icon has been successful?
Answer. Yes. The DAA program developed a universal icon to give
consumers transparency and control for interest-based ads. The icon
provides consumers with notice that information about their online
interests is being gathered to customize the web ads they see. Clicking
the icon also allows consumers to choose whether to continue to allow
this type of advertising.
The icon is served more than one trillion times each month on or
next to Internet display ads on websites. The DAA reached this
milestone within a short 18 months from program launch. This
achievement represents an unprecedented level of industry cooperation
and adoption.
The icon serves as the main gateway to the DAA's choice page. With
the rise in the number of icons displayed, visitors to the DAA choice
page have also increased. In 2012, more than 5.2 million unique users
accessed the resources provided at www.aboutads.info, which is more
than three times the 2011 figure. Overall, since program launch, more
than 8 million visitors have accessed the DAA program opt-out tool, and
more than 2 million unique users have exercised choice.
Question 2. How does the DAA measure the effectiveness of the
AdChoices icon as a public education and user empowerment tool?
Answer. The DAA is deeply committed to consumer education. In 2012,
the DAA launched a dedicated educational site at www.YourAdChoices.com.
The site provides easy-to-understand messaging and informative videos
explaining the choices available to consumers, the meaning of the DAA
Icon, and the benefits they derive from online advertising.
In 2012, companies participating in the DAA program voluntarily
donated more than four billion impressions to support an educational
campaign for www.Your
AdChoices.com.
Since the campaign launched in late January 2012, more than 13.5
million unique users have visited this educational site. This site also
provides access to the DAA's user choice mechanism. The combination of
the educational campaign and the ubiquitous availability of the DAA
Icon have significantly increased consumer usage of the DAA program
tools.
In 2012, more than 5.2 million unique users accessed the resources
provided at www.aboutads.info. Of those visitors, nearly one million
unique users exercised choice using the integrated opt out mechanism
provided at that site; moreover, a total of two million unique visitors
have now exercised opt out choices since the program launch. Many users
visit the website, learn about their choices, and ultimately choose not
to opt out. We believe that this shows that once consumers understand
how online advertising works, many prefer to receive relevant ads over
irrelevant ads. Research supports this proposition. A recent poll of
U.S. consumers shows that 68 percent of Americans prefer to get at
least some Internet ads directed at their interests and included in
this total are 40 percent of Americans who prefer to get all their ads
directed to their interests.\4\
---------------------------------------------------------------------------
\4\ Interactive Survey of U.S. Adults commissioned by the DAA
(April 2013), available at http://www.aboutads.info/DAA-Zogby-Poll.
Question 3. Mr. Brookman writes in his testimony that the DAA
AdChoices program is almost entirely cookie-based. In other words, when
a user deletes her cookies, she likely also deactivates her preference
to opt out of tracking by DAA members. Is it true that a user's
preference not to be tracked disappears when she deletes her cookies?
Answer. No. More than a year ago, the DAA developed, at great
expense, a suite of browser plug-ins to make consumer choices
persistent. Through these ``hardened'' opt-outs, a consumer's
preferences will remain active even if she deletes her cookies.
Question 4. Is the DAA taking steps to create a more persistent
opt-out mechanism?
Answer. The DAA currently provides consumers with persistent opt-
out mechanisms.
Question 5. Mr. Brookman also claims in his testimony that opting
out through the AdChoices program prevents only the display of targeted
advertising to a user and not the tracking itself. Are DAA members
permitted to track users who have opted out through the AdChoices
mechanism as long as they do not display targeted advertisements to
those users?
Answer. The DAA's Principles cover both the collection and use of
web viewing data for purposes including, but not limited to, interest-
based advertising. Where a consumer has exercised choice under the DAA
Program, companies should stop the collection and use of data from the
computer or device for any purpose except collection and use for narrow
purposes specified in our Principles and described in our next
response.
Question 6. If so, how may DAA members use the tracking data they
collect from users who have expressed a preference to opt out from
behavioral advertising, and how are these data used in practice?
Answer. In November 2011, the DAA extended its Principles beyond
advertising to cover the collection and use of all Multi-Site Data
except collection for narrow purposes including operational and system
management purposes, fraud prevention and security, content delivery,
market research, and product development, and data that has been de-
identified. Some collection of data is vital to workings of the
Internet ecosystem, and limiting collection of this data would result
in a reduced online experience for consumers.
Significantly, the DAA Multi-Site Data Principles prohibit the use
of Web viewing data for employment eligibility, credit eligibility,
healthcare treatment eligibility, and insurance eligibility and
underwriting and pricing.
Question 7. In February 2012, the DAA announced plans to implement,
within nine months, policy changes that would respect users' tracking
preferences as expressed through browser header signals. Why has the
DAA not implemented these policy changes?
Answer. For more than two years, the DAA has been offering an
effective, one-button choice mechanism that empowers consumers to stop
the collection of web viewing data by third parties. At a highly-
publicized White House event last year, the DAA announced an agreement
to honor the DAA Principles through a browser signal when consumers
both (1) receive meaningful information about the effect of that
choice, and (2) affirmatively makes that choice themselves. It was
agreed that the DAA standard would not apply in instances where (1) and
(2) do not occur or where any entity or software or technology provider
other than the user exercises such a choice.\5\
---------------------------------------------------------------------------
\5\ DAA Position on Browser Based Choice Mechanism, available at
https://www.aboutads
.info/resource/download/DAA_Commitment.pdf.
---------------------------------------------------------------------------
Unfortunately, the White House agreement was short-circuited due to
contrary approaches taken by Microsoft and Mozilla.
Microsoft subsequently released its new version of IE 10 with ``do
not track'' turned ``on'' as a default setting, in direct conflict with
the agreement they helped develop with the White House.
Mozilla has implemented what it refers to as a ``do not track''
tool in the current Firefox release also without following the White
House agreement, for example by not describing for consumer the impact
of their choice and creating inaccurate consumer expectations.
Mozilla's interface permits users to check a box to ``Tell websites I
do not want to be tracked.'' Nothing more is provided to users; for
example, consumers are not told that, by exercising such choice some
data may still be collected. This implementation conflicts with the
workable standard developed through industry consensus in 2012 and does
not provide consumers with clear information about the effect of their
choices.
Question 8. Are DAA members currently acknowledging browser-based
signals from users?
Answer. The DAA's Principles call on companies to provide consumer
with choice with respect to the collection and use of web viewing data.
To help companies implement the Principle of Control, the DAA
developed, implemented, and maintains a consumer choice page through
which consumers can set their preferences.
Until there is a universal meaning and implementation consistent
with the Agreement at the White House across all browsers, DAA will
continue to call for companies to provide choice via DAA's effective
choice tools and not require companies to adhere to tools that that
promote confusion for consumers and do not meet the DAA's consensus
standard for consumer control.
Question 9. If not, what prevents them from doing so?
Answer. The DAA seeks to develop universal standards that deliver a
consistent user experience. Unfortunately, Microsoft and Mozilla
implemented browser based choice mechanisms in ways that are
inconsistent with the consensus achieved with the White House, Federal
Trade Commission, the Department of Commerce, and the browser
community.
Until there is a universal meaning and implementation consistent
with the Agreement at the White House, DAA will continue promote its
current, effective choice tools and not require companies to adhere to
tools that do not meet the DAA's consensus standard for consumer
control.
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Luigi Mastria
Question 1. What are the harms that are actually occurring to
consumers through anonymous cookie-based ``tracking?'' As indicated in
Mr. Mastria's testimony, the primary privacy concerns for most
consumers online have to do with identity theft, viruses and malware,
and government surveillance. So, what harms are occurring that the FTC
doesn't currently already have the authority to address?
Answer. I am unaware of any consumer harm caused by the use of
cookies to associate online data across sites and over time or any
empirical evidence to support the idea that consumers are harmed from
the collection and disclosure of this anonymized, aggregate data.
Despite this lack of evidence of concrete harms, DAA-participating
companies recognize that consumers have different preferences about
online advertising and data collection. To continue to build consumer
trust in the online experience, the DAA has developed principles that
help ensure consumers have meaningful choices about how data is
collected and used. For those consumers that do not want information
collected via cookies, they may elect to opt out via a simple, easy-to-
use choice mechanism available at www.aboutads.info/choices.
Cookies are a well-established and very transparent technology that
benefits consumers in many ways, such as by facilitating the delivery
of rich content, products, relevant content and advertising, and
security and fraud prevention services.
Cookies are also used to enable online advertising, which fuels the
Internet economic engine. The online advertising industry is a beacon
for innovation and job creation. In 2012, Internet advertising revenues
reached a new high of $36.6 billion, an impressive 15 percent higher
than 2011's full-year number.\1\ Because of this advertising support,
small and medium-size publishers can provide consumers with access to a
wealth of online resources at low or no cost. Revenue from online
advertising facilitates e-commerce and subsidizes the cost of content
and services that consumers value, such as online newspapers, weather,
Do-It-Yourself websites, blogs, social networking sites, mobile
applications, e-mail, and phone services. According to a recent poll by
Zogby Analytics, 92 percent of Americans think free content like news,
weather and blogs is important to the overall value of the Internet.\2\
---------------------------------------------------------------------------
\1\ Interactive Advertising Bureau Press Release, ``Internet Ad
Revenues Again Hit Record-Breaking Double-Digit Annual Growth, Reaching
Nearly $37 Billion, a 15 percent Increase Over 2011's Landmark
Numbers'' (April 16, 2013) (reporting results of PricewaterhouseCoopers
study).
\2\ Interactive Survey of U.S. Adults commissioned by the DAA
(April 2013), available at http://www.aboutads.info/resource/image/
Poll/Zogby_DAA_Poll.pdf.
---------------------------------------------------------------------------
This cookie-based model delights consumers and creates jobs across
America, fostering a competitive marketplace that drives down prices
for consumers and costs for businesses. The Internet has become the
focus and a symbol of the United States' famed innovation, ingenuity,
inventiveness, and entrepreneurial spirit, as well as the venture
funding that flows from these enormously productive and positive
efforts. A 2009 study found that more than three million Americans are
employed due to the advertising-supported Internet, contributing an
estimated $300 billion, or approximately 2 percent, to our country's
GDP.\3\ There is employment generated by this Internet activity in
every single congressional district across the United States.\4\
---------------------------------------------------------------------------
\3\ Hamilton Consultants, Inc. with Professors John Deighton and
John Quelch, Economic Value of the Advertising-Supported Internet
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
\4\ Id. at 53.
---------------------------------------------------------------------------
To help preserve this vibrant ecosystem, the DAA developed the
Multi-Site Data Principles (``MSD Principles'') to provide consumers
with control with respect to their Web viewing data used for
advertising and non-advertising purposes while preserving commonly-
recognized uses of data, including for operational purposes such as
fraud prevention, intellectual property protection, compliance with
law, authentication and verification purposes, billing, and product or
service fulfillment. The MSD Principles also permit the use of data
that has gone or will within a reasonable period of time from
collection go through a de-identification process, or that is used for
market research or product development. This approach helps ensure the
continued flow of data that is vital to the workings of the Internet,
to the consumer online experience, and for building tomorrow's
Internet.
I have included a recent Zogby poll, which illustrates concrete
concerns among consumers. Specifically, Americans' privacy concerns are
focused on real threats like identity theft, virus, malware, and cyber-
bullying (see attached survey results). These harms are not caused by
anonymous, cookie-based data collection.
Question 2. Response to Written Questions Submitted by Hon. to Mr.
Anderson points out in his testimony that the digital advertising
business has grown, reaching a record breaking $36.6 billion in 2012.
As he puts it, ``there is real money at stake.'' Can you comment on the
impact that government mandates, such as those proposed in several
privacy bills, may have on your industry and the jobs that digital
advertising supports?
Answer. Government mandates and regulation, particularly in such a
rapidly-developing area as the digital space, can stifle innovation,
reduce competition, slow job growth, and add unnecessary costs. In a
congressional hearing on ``Internet Privacy: The Impact and Burden of
EU Regulation,'' Professor Catherine Tucker of the MIT Sloan School of
Management testified about the effect on advertising performance of the
European Union's e-Privacy Directive, which limits the ability of
companies to collect and use behavioral data to deliver relevant
advertising.\5\
---------------------------------------------------------------------------
\5\ Empirical Research on the Economic Effects of Privacy
Regulation, Catherine Tucker (November 8, 2011), available at http://
cetucker.scripts.mit.edu/docs/law_summary_2011.pdf.
---------------------------------------------------------------------------
Professor Tucker's research study found that the e-Privacy
Directive--government mandates impacting the digital advertising
ecosystem--was associated with a 65 percent drop in advertising
performance, measured as the percent of people expressing interest in
purchasing an advertised product.\6\ The study also found that the
adverse effect of such regulation was greatest for websites with
content that did not relate obviously to any commercial product, such
as general news websites. Professor Tucker cautions: ``on the basis of
this evidence, it is reasonable to say that privacy regulation could
have sizable effects for the advertising-supported internet.'' \7\
Professor Tucker advises that ``policymaking in the area of privacy
regulation needs to be careful and fulfill the twin aims of protecting
consumer privacy and ensuring that the advertising-supported Internet
continues to thrive.'' \8\
---------------------------------------------------------------------------
\6\ Id. at 5.
\7\ Id. at 2.
\8\ Id. at 3.
---------------------------------------------------------------------------
As noted above, in 2012, Internet advertising revenues reached a
new high of $36.6 billion, an impressive 15 percent higher than 2011's
full-year number.\9\ In addition, a 2009 study found that more than
three million Americans across the United States are employed due to
the advertising-supported Internet, contributing an estimated $300
billion, or approximately 2 percent, to our country's GDP.\10\ We
remain concerned that laws and regulations are inflexible and can
quickly become outdated in the face of extraordinarily rapidly-evolving
technologies. When this occurs, legislation thwarts innovation and
hinders economic growth and can impede a competitive marketplace that
offers a full range of choice to consumers. We believe that our
commitment to and success in advancing industry self-regulation is the
most efficient and effective way to balance consumers' interests in
privacy and innovation.
---------------------------------------------------------------------------
\9\ Interactive Advertising Bureau Press Release, ``Internet Ad
Revenues Again Hit Record-Breaking Double-Digit Annual Growth, Reaching
Nearly $37 Billion, a 15 percent Increase Over 2011's Landmark
Numbers'' (April 16, 2013) (reporting results of PricewaterhouseCoopers
study).
\10\ Hamilton Consultants, Inc. with Professors John Deighton and
John Quelch, Economic Value of the Advertising-Supported Internet
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
---------------------------------------------------------------------------
Attachment
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Justin Brookman
Question 1. The DAA's testimony focused largely on its own self-
regulatory program, the basis of which can be found in its Self-
Regulatory Principles for Multi-Site Data. Mr. Mastria says that the
DAA's choice mechanism is consistent with the recommendations of the
Federal Trade Commission, and that its program and choice tools ``share
and meet the goals'' of my Do-Not-Track legislation. Do you believe
that the DAA's self-regulatory program and choice mechanism, in their
current form, are sufficient for consumers? Why or why not?
Answer. CDT believes that the DAA's self-regulatory program has
made some improvements in recent years in response to concerns voiced
by consumers, regulators, and members of Congress. However, the current
DAA opt-out structure still suffers from a number of fundamental flaws:
It only applies to advertisers that are members of the DAA;
companies that don't sign up and pay for membership are not
included, and receive no indication that indication that a user
does not want to be tracked. Although Mr. Mastria repeatedly
described the DAA program as ``universal'' both in his written
and oral testimony,\1\ at one point he admitted that the
program only covers ``90 to 97 percent'' of the advertising
ecosystem.\2\ Mr. Mastria did not reveal the methodology behind
these numbers.
---------------------------------------------------------------------------
\1\ Testimony of Luigi Mastria before the Senate Committee on
Commerce, Science & Transportation, Hearing on A Status Update on the
Development of Voluntary Do-Not-Track Standards, April 24, 2013, http:/
/www.commerce.senate.gov/public/?a=Files.Serve&File_id=cd2e39e0-6825
-4b8c-9789-40d26a72d457; Draft Transcript, Senate Committee on
Commerce, Science & Transportation, Hearing on A Status Update on the
Development of Voluntary Do-Not-Track Standards, April 24, 2013, at 25-
2.
\2\ Draft Transcript, Senate Committee on Commerce, Science &
Transportation, Hearing on A Status Update on the Development of
Voluntary Do-Not-Track Standards, April 24, 2013, at 70-17.
The DAA opt-out is almost always cookie-based. If a user
deletes her cookies--or if they are routinely deleted by her
anti-virus software, as is often the case--the opt-out
disappears, and even DAA companies subsequently have no way of
knowing that the user does not want to be tracked. Users do
have the opportunity to download and install browser add-ons to
preserve opt-outs on the DAA site, but only if a user clicks on
a vague link entitled ``Protect My Choices'' in the corner of
the page.\3\ The link is offered without any explanation or
context about what ``Protect My Choices'' means. Somewhat
confusingly, the opt-out page later implies that the only
effective approach to protecting one's choices is to
periodically visit the DAA page:
---------------------------------------------------------------------------
\3\ Digital Advertising Alliance, Opt Out from Behavioral
Advertising (Beta), http://www
.aboutads.info/choices/.
The opt out choices you select are stored in opt out
cookies only in this browser, so you should separately
set your preferences for other browsers or computers
you may use. Deleting browser cookies can remove your
opt out preferences, so you should visit this page
periodically to review your preferences, or update to
---------------------------------------------------------------------------
include new participating companies.
The opt-out only prevents users from seeing targeted ads,
which are based on information gathered from tracking. However,
it does not prevent tracking itself. While the DAA's Multi-Site
Principles in principle agree with the notion of collection
limitation, in practice, the code's bases for collection are
extremely broad, and any justification to understand ``consumer
preferences and behaviors [or] research about consumers,
products, or services'' could justify individualized data
collection despite the user's opting out.\4\
---------------------------------------------------------------------------
\4\ Digital Advertising Alliance, Self-Regulatory Principles for
Multi-Site Data, http://www
.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
It is not clear how many consumers have noticed the ad icon
or understand that it is intended to signal that behavioral
data collection is occurring. Moreover, the interface through
which users are presented their choices around tracking and
opting out both through the AdChoices icon and on the DAA
website are confusing.\5\ For example, the TrustE interface
lists a handful of tracking companies, but not all for which a
user could opt out. Even then, TrustE's interface does not
allow a user to opt out of all of even this handful--instead a
user is instructed to go to the third-party service to opt out
individually. You can only opt out of all DAA members if you
click through to an undefined link reading ``Industry
Resources'' in the corner of the page:
---------------------------------------------------------------------------
\5\ A. M. McDonald and Lorrie Faith Cranor, Social Science Research
Network, ``Beliefs and behaviors: Internet users' understanding of
behavioral advertising,'' October 2010, http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=1989092; Pedro G. Leon et al., Carnegie Mellon
University CyLab, ``Why Johnny can't opt out: A usability evaluation of
tools to limit online behavioral advertising,'' October 2011, http://
www.cylab.cmu.edu/research/techreports/2011/tr_cylab11017.html.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Question 2. Can the DAA's existing self-regulatory scheme be
narrowed or changed in some way as to place reasonable, meaningful
limits on the collection of consumer's information? How?
Answer. As we have previously advocated,\6\ any global opt out
regime must more meaningfully address data collection and retention
than the current DAA principles do. We believe that product improvement
and market research should not be permitted exceptions that trump a
user's opt out instruction. Furthermore, we believe that DAA should
require companies to state their data retention periods for legitimate
permitted exceptions such as security and fraud prevention.
---------------------------------------------------------------------------
\6\ Center for Democracy & Technology, What Does Do Not Track
Mean?, April 27, 2011, https://www.cdt.org/files/pdfs/
20110447_DNT_v2.pdf; Erica Newland, CDT compromise proposal to the W3C
Washington Face to Face meeting, April 7, 2012, http://lists.w3.org/
Archives/Public/public-tracking/2012Apr/0078.html.
---------------------------------------------------------------------------
However, improvements to the DAA still will not achieve
universality of protection. As I noted at the hearing in response to a
question from Senator Heller, there are ad networks like Dataium that
operate outside of the DAA that use personally identifiable information
to track users' web surfing habits.\7\ Moreover, companies like
Facebook and Twitter--who have more third-party tracking elements on
websites than any ad network--are not DAA members and are not bound by
their principles.\8\
---------------------------------------------------------------------------
\7\ Jennifer Valentino-Devries and Jeremy Singer-Vine, ``They Know
What You're Shopping For,'' Wall Street Journal, December 7, 2012,
http://online.wsj.com/article/SB1000142412788
7324784404578143144132736214.html.
\8\ Digital Advertising Alliance, Participating Companies, http://
www.aboutads.info/participating.
---------------------------------------------------------------------------
Ultimately, we believe that comprehensive data protection law is
needed to ensure that all companies honor user control mechanisms
online and offline. Self-regulatory codes of conduct such as the DAA
principles and Do Not Track could qualify for safe harbor status under
the privacy protection frameworks proposed by President Obama in his
Consumer Privacy Bill of Rights, if the Federal Trade Commission deems
them sufficient to fully protect user privacy. Unfortunately, the
current DAA code, despite significant improvement in recent years,
would be unlikely to merit such a finding today.
______
Response to Written Questions Submitted by Hon. Barbara Boxer to
Justin Brookman
Question 1. In your written testimony, you recommend that third-
party companies be permitted to collect and use unique identifiers from
users for operational purposes but not for secondary purposes. How do
you distinguish operational purposes from secondary purposes?
Answer. We believe that data collection that is reasonably
necessary for the delivery of non-targeted advertising qualifies as a
purpose for which a company may collect data despite a Do Not Track
signal from the user. For example, a third-party ad network needs to
collect a user's IP address as well as information about the user's
device and browser just to be able to render an advertisement. We
believe that cookies may in some cases be reasonably necessary to
meaningfully prevent click-fraud and for accounting and attribution
purposes. However, if those same necessary purposes could be reasonably
accomplished without using cookies, companies should be prevented from
using cookies for those purposes when Do Not Track is enabled.
We believe that purposes such as targeted advertising, market
research, and product improvement are secondary uses that are not
necessary for the mere delivery of advertisements, and should be
prevented when Do Not Track is enabled. While we certainly agree that
there can be societal value from these activities, we believe that a
user's decision to disable cross-site tracking should be honored in
these cases, and all others where the collection and retention of user
data is not actually required for third-party (non-behavioral)
advertising to function.
Question 2. How do consumers' expectations differ with respect to
first-party and third-party tracking?
Answer. First-party tracking is considerably more intuitive than
tracking by third parties. It is not particularly surprising to a user
when Amazon suggests products based on items previously purchased from
the service, when The New York Times recommends stories based on what
you've read on their site, or when Weather.com remembers the locations
for which you've requested weather forecasts. In each of these cases,
the user has made the decision to utilize a service and to
affirmatively provide information to the service, either actively (by
purchasing products or filling out web forms) or at least passively (in
the case of The New York Times above, by clicking on articles).
On the other hand, users often have no relationship whatsoever with
most third-party tracking elements on websites. They have not made the
decision to interact with those services, and have not intended to
provide them with information. Moreover, third-party tracking services
have the capacity to track users over multiple websites, so they have
the ability to glean much more information about a user over a variety
of disparate services, with little to no indication to the user that
the tracking is occurring other than potentially targeted
advertisements. For these reasons, we believe that third-party tracking
is of more privacy concern than first-party tracking, though we believe
that users should have control over first-party tracking as well.
However, Do Not Track was originally formulated as a means to address
just the more vexing third-party tracking issue.\9\
---------------------------------------------------------------------------
\9\ Center for Democracy & Technology, Submission In advance of the
FTC Town Hall, ``Ehavioral Advertising: Tracking, Targeting, and
Technology,'' to be held November 1-2, 2007 in Washington, D.C.,
October 31, 2007, https://www.cdt.org/privacy/20071031consumer
protectionsbehavioral.pdf.
Question 3. Do you support Mozilla's and Apple's decisions to block
---------------------------------------------------------------------------
third-party cookies by default?
Question 4. What steps can be taken to address non-cookie tracking
such as digital fingerprinting?
Answer. Given the proliferation of tracking in recent years \10\
and the lack of reliable control over third-party data collection,\11\
we believe that Mozilla's and Apple's decisions to disable third-party
cookies are justified. Both companies can legitimately claim that the
majority of users do not like behavioral advertising, as Microsoft did
in explaining why it pushes users to turn on Do Not Track during the
installation of Internet Explorer 10.\12\ On the other hand, Google's
decision to enable third-party cookie setting is defensible as well, so
long as there are reliable controls through which users can disable
such cookies. Fortunately, there appears to be sufficient competition
among browsers at the moment to give users a range of options in
balancing privacy and usability.
---------------------------------------------------------------------------
\10\ Julia Angwin, ``The Web's New Gold Mine: Your Secrets,'' The
Wall Street Journal, July 30, 2010, http://online.wsj.com/article/
SB10001424052748703940904575395073512989404.html; George Simpson,
``Suicide by Cookies,'' MediaPost, February 22, 2013, http://www.media
post.com/publications/article/194073/suicide-by-
cookies.html#axzz2REncGaSy.
\11\ See supra pp 1-2.
\12\ Brad Smith, Privacy and Technology in Balance?, Microsoft on
the Issues, October 26, 2012, http://blogs.technet.com/b/
microsoft_on_the_issues/archive/2012/10/26/privacy-and-techno
logy-in-balance.aspx.
---------------------------------------------------------------------------
While we are supportive of Apple's and Mozilla's decision to block
third-party cookie setting by default, that is a short-term solution.
Both browsers still make available other information to ad networks,
including IP address and information about the configuration of the
user's browser, through which companies can identify users across
services with some reliability using digital fingerprinting techniques.
Currently, the only way to reliably prevent fingerprinting is through
preventing third-party connections from websites. Unfortunately, this
results in ad and widget blocking, which prevents publishers from
serving even privacy-protective advertising (non-behavioral ads with
limited data retention). We are hopeful that browsers will ultimately
be able to obscure individual browsers enough--or otherwise limit
information about browsers that can be called by third parties--that
digital fingerprinting will no longer be a reliable tracking technique.
However, until that occurs, users (or software acting on behalf of
users) can justifiably block third parties that do not publicly commit
to honor user requests to stop cross-site tracking.
______
Response to Written Question Submitted by Hon. Frank R. Lautenberg to
Justin Brookman
Question. A 2010 Wall Street Journal series on online privacy
illustrated the extent to which individuals are being tracked and how
the invasive practice can cause real harm. A recent high-school
graduate, who had been identified by advertisers as concerned about her
weight, told the paper she sees weight-loss ads every time she goes on
the Internet. She said, ``I'm self-conscious about my weight. I try not
to think about it . . . then [the ads] make me start thinking about
it.'' Do you believe this qualifies as a real harm?
Many believe the lack of transparency--particularly with regard to
3rd party cookies--and an individual's inability to know what personal
information is actually being collected can cause real harm because
consumers don't have the ability to understand how to protect
themselves from invasive tracking. Do you agree that this is a harm?
Do you believe that consumers have a basic right to privacy online?
Answer. First of all, we do not believe that harm is the
appropriate threshold to meet for when private companies should decide
to comply with user preferences. ``Do Not Track'' is largely intended
to mirror the opt-out regime that the advertising industry already
supports, but with some improvements to durability and scope.
Previously, neither browsers nor advertising companies argued that
users should have to demonstrate harm in order to opt out of behavioral
advertising, or to block or delete third-party tracking elements such
as cookies.
We agree that users can experience some degree of harm through
being reminded that some unknown third parties possess sensitive and
potentially embarrassing information about the user, as in the weight
loss example you suggest. However, more fundamentally, we believe that
a user has a fundamental interest in protecting all their personal
information from being exposed to unwanted parties--including an
interest in shielding information about their web surfing from
advertising companies. Users have a right to read online content
anonymously that stems from a natural desire to preserve a personal
space where our activities and motivations are not recorded, evaluated,
and preserved. Unfortunately, online tracking today is hardly
anonymous. In some cases, behavioral profiles are tied explicitly to
personally identifying information.\13\ In other cases, because those
profiles are persistently linked to individual devices, they
necessarily could be tied to personally identifying information in the
future (either by obtaining identifying information such as a name or
e-mail address from a website that has possesses that information, or
through a subpoena to an Internet service provider for identifying
information associated with an Internet protocol (IP) address.
---------------------------------------------------------------------------
\13\ Jennifer Valentino-Devries and Jeremy Singer-Vine, They Know
What You're Shopping For, Wall Street Journal, December 7, 2012, http:/
/online.wsj.com/article/SB1000142412788
7324784404578143144132736214.html; Jonathan Mayer, Tracking the
Trackers: Where Everybody Knows Your Username, Center for Internet and
Society Blog, October 11, 2011, http://cyberlaw.stanford.edu/blog/2011/
10/tracking-trackers-where-everybody-knows-your-username.
---------------------------------------------------------------------------
We do not believe, however, that this right--or privacy rights in
general--are absolute. Many times they intersect with others' free
expression rights, such as the right of the press to report truthful
factual information about individuals. Other times, we believe that
information about individuals may justifiably be collected on an opt-
out, instead of opt-in basis, based on the sensitivity of the
information at stake. Many categories of behavioral data collection
might fall into rights that are reasonably enforceable only on an opt-
out basis. However, that opt-out right must be robust and scalable, so
that users can stop (or at least meaningfully limit) data collection by
third parties with which a user has no relationship.
______
Response to Written Questions Submitted by Hon. Amy Klobuchar to
Justin Brooman
Question 1. Most consumers would like to believe that their
information is private, secure, and accurate. However, with rapidly
changing technologies and platforms consumers are no longer sure. Can
you discuss how you feel consumers are reacting to the host of privacy
options that are out there and share your views on if they are more or
less trusting when it comes to online information?
Answer. There is ample evidence that users are increasingly
skeptical of online tracking behaviors, and that they reject the basic
behavioral advertising model as illegitimate.\14\ Users are also
starting to take advantage of tools to fight back against the
monitoring of their online activities. A large percentage of users have
installed anti-spyware/anti-virus software that deletes third-party
tracking cookies on a regular basis. The most popular web extension on
the Internet is Ad Block Plus, which prevents third parties from doing
any tracking of users (but also prevents privacy-protective advertising
as well).\15\ And over 17 percent of users have turned on ``Do Not
Track'' in the Firefox web browser--despite the fact that it is not yet
being honored by the majority of third-party trackers--with the
percentage of Firefox mobile users likely to be significantly
higher.\16\
---------------------------------------------------------------------------
\14\ See e.g., Scott Cleland, Americans Want Online Privacy--Per
New Zogby Poll, PUBLIUS' FORUM, June 9, 2010, http://
www.publiusforum.com/2010/06/19/americans-want-online-privacy-per-new-
zogby-poll; Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy
Bleakley & Michael Hennessey, Contrary to What Marketers Say, Americans
Reject Tailored Advertising and Three Activities that Enable It (Sept.
2009), http://graphics8.nytimes.com/packages/pdf/business/20090929-
Tailored_Advertising.pdf. See also Alan F. Westin, Majority
Uncomfortable with Websites Customizing Content Based Visitors Personal
Profiles: Level of Comfort Increases when Privacy Safeguards
Introduced, HARRISINTERACTIVE, April 10, 2008, http://www
.harrisinteractive.com/vault/Harris-Interactive-Poll-Research-Majority-
Uncomfortable-withWeb
sites-Customizing-C-2008-04.pdf (in which majority of respondents said
they were not comfortable with online companies using their browsing
behavior to tailor ads and content to their interests even when they
were told that such advertising supports free services); John B.
Horrigan, Use of Cloud Computing Services, PEW INTERNET & AMERICAN LIFE
PROJECT, September 2, 2008, http://www.pewinternet.org/�/media//Files/
Reports/2008/PIP_Cloud
.Memo.pdf.pdf (showing that 68 percent of users of cloud computing
services say they would be very concerned if companies that provided
these services analyzed their information and then displayed ads to
them based on their actions).
\15\ Firefox Add-ons, Mozilla.org, https://addons.mozilla.org/en-
us/firefox/extensions/?sort=
users.
\16\ Alex Fowler, Mozilla's new Do Not Track dashboard: Firefox
users continue to seek out and enable DNT, May 3, 2013, http://
blog.mozilla.org/privacy/2013/05/03/mozillas-new-do-not-track-
dashboard-firefox-users-continue-to-seek-out-and-enable-dnt/; Alex
Fowler, Do Not Track Adoption in Firefox Mobile is 3x Higher Than in
Desktop, Mozilla Privacy Blog, November 2, 2011, http://
blog.mozilla.org/privacy/2011/11/02/do-not-track-adoption-in-firefox-
mobile-is-3x-higher-than-desktop/.
---------------------------------------------------------------------------
Unfortunately, each of these approaches is imperfect. ``Do Not
Track'' was conceived as a middle-ground solution that allows for the
serving of third-party content while significantly limiting the amount
of information that third parties can collect about users. If industry
cannot agree to honor users' Do Not Track signals, then browsers are
likely to take more drastic actions to protect their user base. For
years, privacy advocates have worried that in an arms race between
users and ad networks, users, who by and large lack the sophistication
and technical skills of the ad networks, were destined to lose.
However, with the browsers increasingly acting in accordance with the
desires of their user base, that result is no longer a foregone
conclusion. If trade associations continue to stick their heads in the
sand and ignore consumer sentiment about their practices (instead of
establishing a value proposition to users about behavioral
advertising's benefits), moves like Mozilla's and Apple's to frustrate
cross-site tracking will become the norm, and an inability to set
cookies may be the least of their concerns.
Question 2. What role should the Federal Trade Commission or the
Department of Commerce have regarding Do-Not-Track?
Answer. We believe that the FTC and Department of Commerce have
been right to use the bully pulpit to call for the enactment of a
voluntary Do Not Track standard, but they are otherwise limited in what
they can enforce. CDT has previously argued that the Federal Trade
Commission could interpret its Section 5 authority more aggressively to
implement the full range of Fair Information Practice Principles--to
require transparency, data minimization, and a right to opt out of
certain uses, including behavioral advertising.\17\ However, Section 5
is a vaguely worded statute, and it is not clear that the courts would
agree with such an interpretation: indeed, Wyndham Hotels is certainly
challenging in Federal court the FTC's argument that Section 5 requires
companies to implement reasonable security practices to safeguard
consumer data.\18\
---------------------------------------------------------------------------
\17\ Center for Democracy & Technology, The Role of Privacy by
Design in Protecting User Privacy: Comments of the Center for Democracy
& Technology in regards to the FTC Consumer Privacy Roundtable,
December 21, 2009, http://www.ftc.gov/os/comments/privacyroundtable/
544506-00067.pdf.
\18\ Danielle Walker, Wyndham Hotels challenges FTC security suit
over breaches, SC Magazine, September 11, 2012, http://
www.scmagazine.com/wyndham-hotels-challenges-ftc-security-suit-over-
breaches/article/258559/.
---------------------------------------------------------------------------
We think it would be better for consumers and businesses to have
more certainty about the scope of personal privacy protections, which
is why we have long advocated for the enactment of reasonable, flexible
comprehensive privacy legislation based on the Fair Information
Practice Principles.\19\ We continue to believe that carefully crafted
legislation is the best approach to encouraging legitimate innovation
while preserving user's ability to exercise control over their personal
information. We do see a role for self-regulatory codes of conduct such
as Do Not Track as a potential safe harbor under an omnibus privacy
law, provided that the Federal Trade Commission deems them sufficient
to fully protect user privacy. We are gratified that both the FTC and
the White House have now called for the enactment of such comprehensive
privacy legislation. It is now up to Congress to enact these privacy
protections into law.
---------------------------------------------------------------------------
\19\ Center for Democracy & Technology, Testimony of Leslie Harris
before the House Energy & Commerce Committee, Subcommittee on Commerce,
Trade, and Consumer Protection on The BEST PRACTICES Act of 2010 and
Other Federal Privacy Legislation, July 22, 2010, https://www.cdt.org/
files/pdfs/CDT_privacy_bill_testimony.pdf.
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Brian Schatz to
Justin Brookman
Question 1. One of the rallying cries of the online advertising
industry against do-not-track defaults and additional regulation of
online data collection is that, if you prevent online advertisers from
collecting information about consumers online, you will jeopardize the
availability of free content on the internet. Do you think that there
is necessarily a trade-off between a universally recognized do-not-
track system or standard and the availability of free content on the
Internet?
Answer. Behavioral advertising certainly provides some marginal
value to the advertising ecosystem, though it has not been demonstrated
how significant this increase is. It is also not evident how much of
the extra value provided by behavioral advertising is absorbed by the
increased intermediaries in the digital advertising and data broker
infrastructure, and how much trickles down to the first-party
publishers. Given the limited bargaining power of smaller, long-tail
websites, it is not evident that they see much benefit from
advertisements that are personalized based on web tracking.
Moreover, it is important to note that the considerable majority of
web advertising is not behavioral. Stanford research Jonathan Mayer
estimated that behavioral advertising constituted 4 percent of web
advertising in 2009, though that number is likely rising as companies
find more sophisticated and reliable methods to track users.\20\
---------------------------------------------------------------------------
\20\ Jonathan Mayer, Do Not Track Is No Threat To Ad-Supported
Businesses, Center for Internet and Society Blog, January 20, 2011,
http://cyberlaw.stanford.edu/blog/2011/01/do-not-track-no-threat-ad-
supported-businesses.
---------------------------------------------------------------------------
Regardless of the extent of the trade-off, we believe that
consumers should be the ones assessing the relative benefits, not
industry or government. If a user turns on Do Not Track, and sites
start to limit the content they make available to that user, she should
make the decision about whether to continue to block tracking, or to
allow tracking just on this site, or to face the consequences of her
decision and accept less content--or to pay another price. However, we
reject the paternalistic assertions that users should be deprived of
control of their personal information because of a judgment that it is
in their best interests to have their browsing habits invisibly tracked
online--despite significant evidence that consumers broadly reject such
practices.\21\
---------------------------------------------------------------------------
\21\ See supra note 14.
Question 2. In 2009, the FTC called on the online advertising
industry to provide consumers with transparency, notice, and personal
control to control behavioral advertising--in the ensuing three years,
do you think that online advertisers have succeeded in providing that
to consumers?
Answer. The Digital Advertising Alliance has made improvements in
recent years, most notably by enacting the Self-Regulatory Principles
for Multi-Site Data in 2011. The most significant improvement was
around the limitation of purposes for which behavioral data may be
used, including a prohibition on the usage of behavioral data for
employment, credit, health care treatment, and insurance
eligibility.\22\
---------------------------------------------------------------------------
\22\ Self-Regulatory Principles for Multi-Site Data, Digital
Advertising Alliance, November 2011, http://www.aboutads.info/resource/
download/Multi-Site-Data-Principles.pdf.
---------------------------------------------------------------------------
However, those improvements are somewhat separate from
transparency, notice and control. The DAA has embarked on a program to
place an icon in all targeted advertisements as a method to provide
notice to users. However, we are not convinced that this program has
been successful in educating average users about behavioral
advertising. Anecdotally, when asking friends and acquaintances outside
of privacy circles whether they have noticed the icon, the answer has
been universally ``no.'' Moreover, the interface that a user encounters
after clicking on the icon is often confusing and unintuitive.\23\
---------------------------------------------------------------------------
\23\ See supra p 3.
---------------------------------------------------------------------------
The controls over behavioral data collection remain flawed: First,
the opt-out only prevents users from seeing targeted ads, which are
based on information gathered from tracking. However, it does not
prevent tracking itself. While the DAA's Multi-Site Principles in
principle agree with the notion of collection limitation, in practice,
the code's bases for collection are extremely broad, and any
justification to understand ``consumer preferences and behaviors [or]
research about consumers, products, or services'' could justify
individualized data collection despite the user's opting out.\24\
---------------------------------------------------------------------------
\24\ Digital Advertising Alliance, Self-Regulatory Principles for
Multi-Site Data, http://www
.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
---------------------------------------------------------------------------
Second, the DAA opt-out is almost always cookie-based. If a user
deletes her cookies--or if they are routinely deleted by her anti-virus
software, as is often the case--the opt-out disappears, and even DAA
companies subsequently have no way of knowing that the user does not
want to be tracked. Users do have the opportunity to download and
install browser add-ons to preserve opt-outs on the DAA site, but only
if a user clicks on a vague link entitled ``Protect My Choices.'' \25\
The link is offered without any explanation or context about what
``Protect My Choices'' means. Somewhat confusingly, the opt-out page
later implies that the only effective approach to protecting one's
choices is to periodically visit the DAA page:
---------------------------------------------------------------------------
\25\ Digital Advertising Alliance, Opt Out from Behavioral
Advertising (Beta), http://www
.aboutads.info/choices/.
The opt out choices you select are stored in opt out cookies
only in this browser, so you should separately set your
preferences for other browsers or computers you may use.
Deleting browser cookies can remove your opt out preferences,
so you should visit this page periodically to review your
---------------------------------------------------------------------------
preferences, or update to include new participating companies.
Question 3. Even if do-not-track is an available option for
consumers, it does not seem to be an effective tool for protecting
consumer's privacy. First, online advertisers largely ignore do-not-
track headers. Second, the lack of consensus on what do-not-track
means, in terms of what data is still collected and for what purpose,
renders do-not-track meaningless.
Is it true that, currently, when a user thinks he or she has opted
out of tracking--whether it is through an opt-out cookie or using a do-
not-track heading on a browser--online advertisers are still collecting
information about that user for advertising purposes?
Answer. Today, when a user turns on Do Not Track or opts out
through the DAA process, behavioral data collection and retention is
unaltered in most cases (some companies, such as Google, use non-unique
opt-out cookies when a user opts out, making it more difficult to
correlate third-party users over time). We remain hopeful that a
meaningful Do Not Track standard can be negotiated that will be adopted
and enforced by major trade associations such as the DAA. However, even
then, participation will be strictly voluntary, and tracking companies
such as Dataium can simply choose not to pay to join a trade
association and could continue to track users both online and off.\26\
Ultimately, we believe that baseline privacy legislation should be
enacted that encourages adoption of codes of conduct such as Do Not
Track by providing safe harbor status and deemed compliance for
programs certified by the Federal Trade Commission.\27\ Only then will
companies be sufficiently incentivized to provide sufficiently robust
privacy protections for users.
---------------------------------------------------------------------------
\26\ Jennifer Valentino-Devries and Jeremy Singer-Vine, ``They Know
What You're Shopping For,'' Wall Street Journal, December 7, 2012,
http://online.wsj.com/article/SB10001424127887
324784404578143144132736214.html.
\27\ See supra, p 4.
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Justin Brookman
Question 1. What are the harms that are actually occurring to
consumers through anonymous cookie-based ``tracking?'' As indicated in
Mr. Mastria's testimony, the primary privacy concerns for most
consumers online have to do with identity theft, viruses and malware,
and government surveillance. So, what harms are occurring that the FTC
doesn't currently already have the authority to address?
Answer. The Center for Democracy & Technology is willing to concede
that identity theft and malware may be of greater concern to the
average user than online Internet tracking. However, that does not
logically mean that consumers are not concerned about behavioral
tracking as well; merely because one problem is considered of more
significance than another does not mean we should ignore the lesser
problem. It would not be a valid argument, for example, to argue that
Congress should ignore allegations that the Internal Revenue Service
signaled out tea party groups \1\ because a poll showed that Americans
were relatively more concerned about the economy and job growth. And,
it should be noted, identity theft and malware are currently illegal.
The FTC and private citizens have legal tools to seek redress from bad
actors who engage in those sorts of behaviors.
---------------------------------------------------------------------------
\1\ See Mark Stanley, IRS Targeting of Tea Party Groups Shows Need
for ECPA Reform; CDT Blog, May 10, 2013, https://www.cdt.org/blogs/
mark-stanley/1005irs-targeting-conservative-groups-illustrates-need-
ecpa-reform.
---------------------------------------------------------------------------
On the other hand, users do not have robust tools to address online
behavioral data collection, and a vast majority of Americans still
consider that to be a problem.\2\ Increasingly, we live in a world
where everything we do is observable. Pervasive closed-circuit
television and drone surveillance, and the emergence of facial
recognition, may soon allow companies to persistently track users
across space and over time by their individual identities.\3\ Indeed,
even the privacy that we expect inside our house is threatened by
technological developments. Researchers at the University of Washington
have uncovered ways to determine what television shows are being
watched inside a home by measuring the electromagnetic radiation
emitted from the power lines publicly observable outside your house.\4\
---------------------------------------------------------------------------
\2\ See e.g., Scott Cleland, Americans Want Online Privacy--Per New
Zogby Poll, PUBLIUS' FORUM, June 9, 2010, http://www.publiusforum.com/
2010/06/19/americans-want-online-privacy-per-new-zogby-poll; Joseph
Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley & Michael
Hennessey, Contrary to What Marketers Say, Americans Reject Tailored
Advertising and Three Activities that Enable It (Sept. 2009), http://
graphics8.nytimes.com/packages/pdf/business/20090929-
Tailored_Advertising.pdf. See also Alan F. Westin, Majority
Uncomfortable with Websites Customizing Content Based Visitors Personal
Profiles: Level of Comfort Increases when Privacy Safeguards
Introduced, HARRISINTERACTIVE, April 10, 2008, http://
www.harrisinteractive.com/vault/Harris-Interactive-Poll-Research-
Majority-Uncomfortable-with
Websites-Customizing-C-2008-04.pdf (in which majority of respondents
said they were not comfortable with online companies using their
browsing behavior to tailor ads and content to their interests even
when they were told that such advertising supports free services); John
B. Horrigan, Use of Cloud Computing Services, PEW INTERNET & AMERICAN
LIFE PROJECT, September 2, 2008, http://www.pewinternet.org/�/media//
Files/Reports/2008/PIP_Cloud
.Memo.pdf.pdf (showing that 68 percent of users of cloud computing
services say they would be very concerned if companies that provided
these services analyzed their information and then displayed ads to
them based on their actions).
\3\ See Harley Geiger, The Drones are Coming, CDT Blog, December
21, 2011, https://www.cdt.org/blogs/harley-geiger/2112drones-are-
coming; Harley Geiger, Facial Recognition and Privacy, CDT Blog,
December 6, 2011, https://www.cdt.org/blogs/harley-geiger/612facial-
recognition-and-privacy/.
\4\ Miro Enev, et al, Televisions, Video Privacy, and Powerline
Electromagnetic Interference, Working Paper, http://
abstract.cs.washington.edu/�miro/docs/ccs2011.pdf.
---------------------------------------------------------------------------
There is an incredible amount that we as a society have to gain
from innovative new technologies, but there is also an incredible
amount that we have to lose. Without a framework in place to assure
everyday consumers of the ability to limit the collection and retention
of the minutiae of their lives by unknown third parties, any sense of a
realm of personal privacy may completely evaporate. In short, we may
lose:
Our right to read newspapers unnoticed: to throw a quarter
into the vending box and grab a copy, to privately choose which
articles we read and which we don't, gradually slips away each
time a local paper shutters its presses or halts print
distribution.
Our right not just go for a drive unnoticed, but to talk to
friends unnoticed, to write letters unnoticed,\5\ to read books
unnoticed, to watch a TV show unnoticed, to buy a gift
unnoticed--all of these rights are eroding as these activities
move into the networked world and surveillance technologies
become more sophisticated.
---------------------------------------------------------------------------
\5\ USPS mail currently receives more privacy protections than does
electronic mail. See, Federal Statutes and Regulations Relation to the
Privacy and Security of Mail, http://about.usps.com/who-we-are/privacy-
policy/intelligent-mail-privacy.htm#H7.
Our right to walk down the street unnoticed, whether en
route to a political rally or to a doctor's office, is eroding
as facial recognition technology advances and becomes more
widely deployed.\6\
---------------------------------------------------------------------------
\6\ See Harley Geiger, Facial Recognition and Privacy, CDT Blog,
December 6, 2011, https://www.cdt.org/blogs/harley-geiger/612facial-
recognition-and-privacy/.
The right to read online content anonymously stems from a natural
desire to preserve a personal space where our activities and
motivations are not recorded, evaluated, and preserved. Unfortunately,
online tracking today is hardly anonymous. In some cases, behavioral
profiles are tied explicitly to personally identifying information.\7\
In other cases, because those profiles are persistently linked to
individual devices, they necessarily could be tied to personally
identifying information in the future (either by obtaining identifying
information such as a name or e-mail address from a website that has
possesses that information, or through a subpoena to an Internet
service provider for identifying information associated with an
Internet protocol (IP) address).
---------------------------------------------------------------------------
\7\ Jennifer Valentino-Devries and Jeremy Singer-Vine, They Know
What You're Shopping For, Wall Street Journal, December 7, 2012, http:/
/online.wsj.com/article/SB1000142412788732
4784404578143144132736214.html; Jonathan Mayer, Tracking the Trackers:
Where Everybody Knows Your Username, Center for Internet and Society
Blog, October 11, 2011, http://cyberlaw.stanford.edu/blog/2011/10/
tracking-trackers-where-everybody-knows-your-username.
---------------------------------------------------------------------------
People are understandably concerned with the creation of these
stores of very personal information about what they do online, as the
information could subsequently be exposed through a data breach,
obtained by law enforcement without due process of law (and for
potentially illegitimate and ideologically discriminatory purposes),
viewed internally by employees within the company, or used to offer
differential prices and user experience without transparency. More
fundamentally, many people merely want to have some control over the
sharing of their reading habits--to be able to access the web without
having dozens of companies storing and evaluating what they do online.
Do Not Track is intended an opt-out for those people--a way for
consumers to tell companies that they don't want them looking over
their shoulder. As I noted during my testimony, the advertising
industry has already conceded the need to address such user objections
by offering its own opt-out program; Do Not Track simply offers a more
persistent and scalable solution.
CDT has previously argued that the Federal Trade Commission could
interpret its Section 5 authority more aggressively to implement the
full range of Fair Information Practice Principles--to require
transparency, data minimization, and a right to opt out of certain
uses, including behavioral advertising.\8\ However, Section 5 is a
vaguely worded statute, and it is not clear that the courts would agree
with such an interpretation: indeed, Wyndham Hotels is certainly
challenging in Federal court the FTC's argument that Section 5 requires
companies to implementreasonable security practices to safeguard
consumer data.\9\ We think it would be better for consumers and
businesses to have more certainty about the scope of personal privacy
protections, which is why we have long advocated for the enactment of
reasonable, flexible comprehensive privacy legislation based on the
Fair Information Practice Principles.\10\ We continue to believe that
carefully crafted legislation is the best approach to encouraging
legitimate innovation while preserving user's ability to exercise
control over their personal information.
---------------------------------------------------------------------------
\9\ Danielle Walker, Wyndham Hotels challenges FTC security suit
over breaches, SC Magazine, September 11, 2012, http://
www.scmagazine.com/wyndham-hotels-challenges-ftc-security-suit-over-
breaches/article/258559/.
\10\ Center for Democracy & Technology, Testimony of Leslie Harris
before the House Energy & Commerce Committee, Subcommittee on Commerce,
Trade, and Consumer Protection on The BEST PRACTICES Act of 2010 and
Other Federal Privacy Legislation, July 22, 2010, https://www.cdt.org/
files/pdfs/CDT_privacy_bill_testimony.pdf.
\8\ Center for Democracy & Technology, The Role of Privacy by
Design in Protecting User Privacy: Comments of the Center for Democracy
& Technology in regards to the FTC Consumer Privacy Roundtable,
December 21, 2009, http://www.ftc.gov/os/comments/privacyroundtable/
544506-00067.pdf.
Question 2. You state on the one hand that browsers are
increasingly competing on privacy but on the other hand that we need a
comprehensive privacy law. That doesn't add up to me. If industry is
evolving its self-regulatory approach and browsers like our witness
Mozilla is adopting its own standards, isn't the marketplace working
today? Wouldn't new regulations thwart these important actions industry
is undertaking today?
Answer. We are hopeful that the market will be able to deliver a
comprehensive solution to online behavioral tracking, which is why we
have spent two years within the World Wide Web Consortium trying to
negotiate a reasonable consensus standard for Do Not Track. However, it
is important to place this effort in historical context. We have been
advocating for privacy protections over online behavioral profiles for
over fifteen years now.\11\ Numerous previous efforts to address the
issue have failed.\12\ At the same time, other industries have sprung
up--such as mobile computing--that expose considerably more personal
information than mere behavioral data, with often less control over
that information.\13\ Personal privacy should not be a constant game of
catch-up: trying to append after-the-fact privacy protections to
existing business models after press attention draws scrutiny to
unwanted (and previously unknown) practices.
---------------------------------------------------------------------------
\11\ FTC Staff Report, Public Workshop on Consumer Privacy on the
Global Information Infrastructure, December 1996, http://www.ftc.gov/
reports/privacy/Privacy1.shtm, at II.C.2 (Consumer Choice).
\12\ Pam Dixon, The Network Advertising Initiative: Failing at
Consumer Protection and at Self-Regulation, World Privacy Forum, Fall
2007, http://www.worldprivacyforum.org/pdf/
WPF_NAI_report_Nov2_2007fs.pdf.
\13\ Center for Democracy & Technology, Testimony of Justin
Brookman before the Senate Judiciary Committee, Subcommittee on
Privacy, Technology, and the Law on Protecting Mobile Privacy: Your
Smartphones, Tablets, Cell Phones, and Your Privacy,'' May 10, 2011,
http://www.judiciary.senate.gov/pdf/11-5-10%20Brookman%20Testimony.pdf.
---------------------------------------------------------------------------
A properly crafted privacy law would incentivize companies to build
privacy into products from the beginning. If the United States had a
comprehensive privacy statute such as we have previously supported,\14\
I do not believe this hearing would have been necessary, as companies
would have a legal requirement to recognize a user's opt out request.
That is not to say that a company would necessarily have to abide by
that request. If a company were to insist on third party behavioral
data collection as a condition of providing service to a consumer,
privacy law should not interfere with such a business model in a robust
marketplace. However, a privacy law could require that that business
model be meaningfully messaged to a user--especially in response to an
opt-out request--whereas today, much data collection and usage in not
at all transparent to the average consumer. To the contrary, because
the primary privacy law in this country today is Section 5 of the FTC
Act's prohibition on deceptive practices, companies are meaningfully
deincentivized from making privacy disclosures to consumers, because of
the potential of exposing themselves to liability if they do not live
up to those statements (even inadvertently).\15\
---------------------------------------------------------------------------
\14\ Center for Democracy & Technology, supra note 10.
\15\ Federal Trade Commission, Complaint for Civil Penalties and
Other Relief, United States v. Google, CV 12-04177, August 8, 2012,
http://www.ftc.gov/os/caselist/c4336/120809
googlecmptexhibits.pdf.
---------------------------------------------------------------------------
Privacy law should not try to make choices for users, but should
empower them to make their own decisions about data. Unfortunately,
many voices in the privacy debate insist on making paternalistic
decisions on behalf of users--either prescribing broad swaths of data
collection and usage because consumers do not like the practice, or in
justifying all hidden data collection and usage without user
transparency or choice because it supports content that users might not
want to pay for. We instead prefer a solution where consumers can make
informed decisions about their data, and to which companies in the
marketplace can respond with a range of options. Unfortunately,
consumers today trying to evaluate and choose among the data practices
of various online and offline companies cannot get the information they
desire. A privacy law would, inter alia require usable transparency,
allowing the market to innovate in response to more meaningful signals
about privacy practices and user intent.
______
Response to Written Questions Submitted by Hon. Barbara Boxer to
Adam Thierer
Question 1. In your written testimony, you express support for
alternatives to Do Not Track such as the use of advertisers' ad
preference managers and ``private browsing'' browser settings. Are
these alternative approaches as persistent as a Do Not Track signal?
Answer. First, it is unclear at this stage exactly how persistent
the Do Not Track signal would be because (a) the technical standard has
not been finalized, and (b) it is unclear how many operators
(advertisers, publishers, browser companies, etc) would honor the DNT
request. Moreover, as I noted in my written testimony, even if Do Not
Track takes root and some consumers turn it on, many will be
incentivized by ad networks or publishers to opt right back in to
``tracking'' to retain access to sites and services they desire. In
doing so, they may end up sharing even more information than they do
today.
Regardless, to answer your original question, yes, some of these
alternative approaches are persistent, especially tools like cookie-
blockers and ``private browsing'' browser settings. And, when used in
combination, these tools can provide extremely effective privacy
protection. Of course, it is also true that with each additional layer
of privacy protection a user adds, the browsing experience may grow
more cumbersome.
Question 2. Do consumers understand the extent to which their
activities are tracked online?
Answer. Evidence suggests that many consumers aren't aware of how
online advertising and marketing work. It is also true that most
consumers don't read site privacy policies. However, as I noted in a
recent law review article,\1\ it is also true that most consumers don't
read or fully understand every proviso contained in the stacks of paper
placed in front of them when they sign a home mortgage. The same is
true for life insurance policies, which are full of incomprehensible
provisions and stipulations, even though regulations govern those
policies as well. It is also unlikely that consumers read and
understand every provision of their car loan or warranty. The same is
also true of mandatory Food and Drug Administration disclosures on
pharmaceuticals. In each of these cases, far more is at stake for
consumers than whatever ``risk'' they face by not fully comprehending
online privacy policies. Accordingly, a certain amount of ``rational
ignorance'' about privacy policies should be expected. Consumers will
never be perfectly informed and it remains unclear exactly how much
information they need for online markets to work effectively.
---------------------------------------------------------------------------
\1\ Adam Thierer, The Pursuit of Privacy in a World Where
Information Control Is Failing, 36 Harvard Journal of Law & Public
Policy 409, 446-449 (2013).
Question 3. Do consumers expect to be tracked by third-party
companies with which they have never interacted?
Answer. Probably not, but it is unclear what harm comes from it.
Meanwhile, enormous benefits accrue to those consumers from such
``tracking.'' Specifically, it helps keep the price of online sites and
service low or at zero. Moreover, it allows new products and services
to be targeted to the public. Nonetheless, more could be done to
educate the public about data collection and online ``tracking.''
Question 4. How would you recommend educating consumers about the
alternative privacy-enhancing tools available to them?
Answer. A multi-layered strategy is needed to better educate
consumers and encourage ``digital citizenship.'' For youth, privacy
education begins at home with parental guidance and mentoring about
sensible online practices and behavior. Schools also have an essential
role in mentoring youth about media literacy and acceptable online
practices. Companies and trade associations also have a role here in
that they should be doing more to inform users about what their data is
being used for and how it benefits them. They should also better
explain how to easily opt-out of data collection practices or, more
simply, offer them simple tips for enhancing their online privacy. Many
companies and trade associations already do this and much more.
Finally, government also has an important role in this educational
process. In its most recent Strategic Plan, the Federal Trade
Commission noted that, ``Consumer and business education serves as the
first line of defense against fraud, deception, and unfair practices.''
\2\ The FTC already partners with several other Federal agencies to
offer OnGuardOnline, a site that offers wide-ranging security, safety,
and privacy tips for consumers and businesses. As part of that effort,
the FTC produces dozens of informational videos that are also available
on dedicated YouTube page.\3\ Similarly, the FCC offers smartphone
security advice on its website.\4\ State and local officials can also
take steps to integrate privacy and security lessons and messaging into
school curricula or other public awareness-building programs.
---------------------------------------------------------------------------
\2\ Federal Trade Commission, Federal Trade Commission Strategic
Plan for Fiscal Years 2009 to 2014, 4, http://www.ftc.gov/opp/gpra/
spfy09fy14.pdf.
\3\ http://www.youtube.com/user/FTCvideos.
\4\ http://www.fcc.gov/smartphone-security.
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to
Adam Thierer
Question 1. A 2010 Wall Street Journal series on online privacy
illustrated the extent to which individuals are being tracked and how
the invasive practice can cause real harm. A recent high-school
graduate, who had been identified by advertisers as concerned about her
weight, told the paper she sees weight-loss ads every time she goes on
the Internet. She said, ``I'm self-conscious about my weight. I try not
to think about it . . . then [the ads] make me start thinking about
it.'' Do you believe this qualifies as a real harm?
Answer. While the individual may take great offense at such
messages, it would be hard to classify them as ``harmful,'' at least in
a legally actionable sense. More importantly, such commercial messages
are protected by the First Amendment since they convey useful
information.
Question 2. Many believe the lack of transparency--particularly
with regard to 3rd party cookies--and an individual's inability to know
what personal information is actually being collected can cause real
harm because consumers don't have the ability to understand how to
protect themselves from invasive tracking. Do you agree that this is a
harm?
Answer. Consumers have the ability to protect themselves from all
forms of online ``tracking,'' even if they do not understand how those
things work in practice. The privacy tools already on the market
today--which are widely available and either free of charge or very
inexpensive--can be extremely effective in terms of protecting user
privacy.
Question 3. Do you believe that consumers have a basic right to
privacy online?
Answer. Citizens have a right to be free of actual harms to
themselves or their property, but privacy has always been a highly
subjective philosophical concept. It is also a constantly morphing
notion that evolves as societal attitudes adjust to new cultural and
technological realities. For these reasons, America may never be able
to achieve a coherent fixed definition of the term or determine when it
constitutes a formal right outside of some narrow contexts.\5\ For
example, some specific uses of highly sensitive personal information
may create harms, but laws already exist to deal with such concerns as
they relate to health and financial privacy, among others.
---------------------------------------------------------------------------
\5\ Adam Thierer, The Pursuit of Privacy in a World Where
Information Control Is Failing, 36 Harvard Journal of Law & Public
Policy 409, 414-417 (2013).
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Adam Thierer
Question 1. What are the harms that are actually occurring to
consumers through anonymous cookie-based ``tracking?'' As indicated in
Mr. Mastria's testimony, the primary privacy concerns for most
consumers online have to do with identity theft, viruses and malware,
and government surveillance. So, what harms are occurring that the FTC
doesn't currently already have the authority to address?
Answer. As recent privacy-related enforcement actions against both
Google \1\ and Facebook \2\ illustrate, the FTC already has broad
discretion and plenary authority under Section 5 of the FTC Act to hold
companies to the promises they make to their users as it pertains to
information collection and data security.\3\ In consent decrees with
both those companies, the FTC extracted a wide variety of changes to
their privacy and data collection practices while also demanding that
they undergo privacy audits for the next 20 years.\4\
---------------------------------------------------------------------------
\1\ Alex Howard, Google Reaches Agreement with FTC on Buzz Privacy
Concerns, Gov20.Govfresh, March 30, 2011, http://gov20.govfresh.com/
google-reaches-agreement-with-ftc-on-buzz-privacy-concerns.
\2\ Brent Kendall, Facebook Reaches Settlement with FTC on Privacy
Issues, Wall St. J., Nov. 29, 2011, http://online.wsj.com/article/BT-
CO-20111129-710865.html.
\3\ Berin Szoka, FTC Enforcement of Corporate Promises & the Path
of Privacy Law, Tech. Liberation Front, July 13, 2010, http://
techliberation.com/2010/07/13/ftc-enforcement-of-corporate-promises-
the-path-of-privacy-law.
\4\ Kashmir Hill, So, What Are These Privacy Audits That Google And
Facebook Have To Do For The Next 20 Years? Forbes, November 30, 2011,
http://www.forbes.com/sites/kashmirhill/2011/11/30/so-what-are-these-
privacy-audits-that-google-and-facebook-have-to-do-for-the-next-20
-years; Matthew Sundquist, Online Privacy Protection: Protecting
Privacy, the Social Contract, and the Rule of Law in the Virtual World,
25 Regent U. L. Rev. 153, 173-175 (2012).
---------------------------------------------------------------------------
Thus, the FTC certainly is not lacking the authority to address
these issues. Professors Kenneth A. Bamberger and Deirdre K. Mulligan
note that, ``since 1996 the Federal Trade Commission has actively used
its broad authority under Section 5 . . . to take an active role in the
governance of privacy protection, ranging from issuing guidance
regarding appropriate practices for protecting personal consumer
information, to bringing enforcement actions challenging information
practices alleged to cause consumer injury.\5\
---------------------------------------------------------------------------
\5\ Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the
Books and on the Ground, 63 Stan. L. Rev. 247, 273 (2011).
Question 2. It has been estimated that American websites would lose
$33 billion over five years if Congress mandates EU-style opt-in
consent for interest-based advertising. You stated in your testimony
that restrictions on data collection could undermine America's global
competitive advantage in this space. Is this what you had in mind?
Answer. Yes, that is exactly the sort of danger I was referring to
in my testimony. If the American privacy regime was adjusted to look
more like the one found in the European Union, which is far more
regulatory in character, it is likely that compliance costs would
increase for many online operators. ``If applied to American companies,
these European laws would restrict the breakneck innovation of the
commercial web,'' argues the NetChoice Coalition, which represents a
variety of online vendors.\6\ Thus, privacy regulation could affect the
global competitiveness of U.S. firms and diminish their competitive
advantage in the global digital arena.
---------------------------------------------------------------------------
\6\ Steve DelBianco & Braden Cox, NetChoice Reply Comments on
Department of Commerce Green Paper 7, (Jan. 28, 2011), http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9.
---------------------------------------------------------------------------
Economists have verified this. ``In a setting where first-party
advertising is allowable but third-party marketing is not, substantial
advantages may be created for large incumbent firms,'' argue Professors
Avi Goldfarb and Catherine Tucker.\7\ ``For example, if a large website
or online service were able to use its data to market and target
advertising, it will be able to continue to improve and hone its
advertising, while new entrants will find it difficult to challenge the
incumbent's predominance by compiling other data or collecting their
own data.'' \8\
---------------------------------------------------------------------------
\7\ Avi Goldfarb & Catherine Tucker, Comments on `Information
Privacy and Innovation in the Internet Economy,' Comments to the U.S.
Department of Commerce, Jan. 24, 2011, at 4, http://www.ntia.doc.gov/
comments/101214614-0614-01/attachments/NTIA_comments_2011_01_
24.pdf.
\8\ Id.
---------------------------------------------------------------------------
Goldfarb and Tucker found that ``after the [European Union's]
Privacy Directive was passed [in 2002], advertising effectiveness
decreased on average by around 65 percent in Europe relative to the
rest of the world.'' \9\ They argue that because regulation decreases
ad effectiveness, ``this may change the number and types of businesses
sustained by the advertising-supporting Internet.'' \10\ The European
Union's experience makes it clear that regulation of online advertising
and data collection can affect market structure, competitive rivalry,
and the global competitiveness of online firms.\11\
---------------------------------------------------------------------------
\9\ Avi Goldfarb & Catherine Tucker, Privacy Regulation and Online
Advertising, 57 Management Science 57 (Jan. 2011), http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1600259. Also see,
Catherine Tucker, Empirical Research on the Economic Effects of Privacy
Regulation, J. on Telecomm. & High Tech. L. 265 (2012)
\10\ Id.
\11\ Quentin Fottrell, Will Privacy Protections Ruin the Internet?
MarketWatch, Feb. 3, 2012, http://www.marketwatch.com/story/will-
privacy-protections-ruin-the-internet-2013-02-05?mod=
wsj_share_tweet.
---------------------------------------------------------------------------
[all]