Copyright 2000 Federal News Service, Inc.
Federal News Service
October 11, 2000, Wednesday
SECTION: CAPITOL HILL HEARING
LENGTH: 36190 words
HEADLINE: HEARING OF THE TELECOMMUNICATIONS, TRADE, AND CONSUMER PROTECTION SUBCOMMITTEE OF THE HOUSE COMMERCE COMMITTEE
SUBJECT: PRIVACY PROTECTIONS FOR CONSUMERS
CHAIRED BY: REPRESENTATIVE W. J. TAUZIN (R-LA)
LOCATION: 2123 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.
WITNESSES:
REPRESENTATIVE E. CLAY SHAW, JR. (R-FL);
REPRESENTATIVE BOB GOODLATTE (R-VA);
LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE;
SALLY KATZEN, DEPUTY DIRECTOR FOR MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET;
ROGER BAKER, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF COMMERCE;
ROBERT PITOFSKY, CHAIRMAN, FEDERAL TRADE COMMISSION;
JODIE BERNSTEIN, BUREAU DIRECTOR, FEDERAL TRADE COMMISSION;
LARRY CHIANG, CHIEF EXECUTIVE OFFICER, MONEYFORMAIL.COM;
GLEE HARRAH CADY, VICE PRESIDENT FOR GLOBAL PUBLIC POLICY, PRIVADA;
PARRY AFTAB, SPECIAL COUNSEL, DARBY AND DARBY, P.C.;
MIKE GRIFFITHS, CHIEF TECHNOLOGY OFFICER;
ANDREW SHEN, POLICY ANALYST, ELECTRONIC PRIVACY INFORMATION CENTER;
BODY:
REP. W.J. TAUZIN (R-LA): The subcommittee
will please come to order. Today this subcommittee will hold a hearing on the
important developments in the efforts to protect the privacy of American
consumers.
Few issues in this industry generate such strong emotions as
how to deal with the enormous amounts of personal information that are
collected, distributed, stored every day by the Internet. This morning, later,
we will hear from two of our colleagues -- Representative Clay Shaw and
Representative Bob Goodlatte. Representative Shaw will explain to this
subcommittee his legislation, H.R. 4857, the Privacy and Identity Protection Act
of 2000, which has been reported out of the Ways and Means Subcommittee on
Social Security and is currently awaiting action in the subcommittee.
In
addition, the subcommittee will hear from Representative Goodlatte about the
Lansdowne Privacy Summit, which the National Chamber Foundation hosted for House
Republicans in May of this year, and what has come from that. I understand the
foundation also scheduled a similar session with the House Democrats, which
unfortunately got cancelled, I believe. Representative Goodlatte co-hosted,
along with my colleagues Chairman Bliley, Representative Ehrlich and myself,
this privacy summit and I personally want to thank him for his efforts in this
endeavor. I also want to thank both of our colleagues for coming this morning
and for sharing their views with us. This subcommittee has been a keen observer,
for many years, of this debate -- holding hearings on this issue both in 1998,
1999 and, again, in 2000. Over the last year we have seen consumer concerns over
privacy heightened and, as a result, specific federal responses. Congress has
adopted two federal laws to deal with specific areas of concern -- the Gramm-
Leach-Bliley law, in which financial privacy laws are written, and the
Children's Online Privacy Protection Act.
In addition, Americans have
witnessed the development of a new private sector technology -- in fact, many
technologies -- to help consumers as well as voluntary standards by industry to
self-police and educate consumers. In certain areas the federal government and
commercial entities have come together to achieve cooperative standards to
govern their online conduct. Privacy was not created with the advent of the
Internet. In fact, we have been passing privacy laws, I believe, for the past 30
years. But the Internet adds a level of dissemination beyond what Americans had
ever thought possible and in many circumstances beyond which they feel
comfortable.
While the Internet is still relatively new the issue of
privacy, of course, is not. Prior to the adoption of the GLB and the COPPA laws,
Congress had enacted privacy protections in a dozen other circumstances, indeed,
over that past 30 years, with the Fair Credit Reporting Act in 1970 starting
that process. The sharing of personal information did not begin when the
Internet was established but many people remember party-line telephones and can
recall door-to-door salesmen plying their wares using neighborhood directories.
Businesses for decades have bought and sold their business assets including
their valuable information databases about their customers. There's nothing new
in that.
As I've said many times before, personal information has value
to both consumers and to an information economy. We live in an Internet
information age and obviously information is the lifeblood of that system. A
consumer's purchasing patterns, online behavior, is indeed valuable information
to marketers. But at the same time I believe that consumers should have the
ability to control that information or at least to be potentially compensated
for giving away personal information if it indeed is a valuable asset. One of
our witnesses, who will testify later this morning, has a business model that
operates on consumers being compensated for sharing their personal information.
The issues as we move forward in this debate in coming years are these:
has industry done enough to protect consumer privacy or should government step
in to establish minimum standards to protect against the bad player? And if
there are standards that work for private industry should they also be applied
to government's collection of personal information? After all, I can choose
whether to give information to a private company but in many government agencies
I don't have a choice. I'm obliged to provide them with personal information.
Does the government have a higher standard in play here to protect the privacy
of my information?
Well, hopefully this morning we'll shed some light on
these matters. While a tremendous amount of attention over the past year has
been paid to the privacy of consumers in dealing with private industry, very
little has been paid to the federal government's collection of personal
information. The last time I checked very few consumers, indeed, were providing
information to the IRS strictly voluntarily. Consumers, indeed, can vote with
their feet in the private sector and go to another business if they don't want
to share private information with them. But can you refuse to do business with
the IRS or the EPA or the Medicare program, for that matter? And if you do can
you refuse to provide them with information they require of you in order to do
business with them?
Earlier this year, Representative Dick Armey and I
asked the GAO to conduct a survey of the privacy policies of federal websites
and then compare it to the fair information practices recommended by the FTC for
commercial websites.
In short, we wanted to see if federal websites
would fare any better than the commercial websites if they were held to the
exact same standards that the FTC has held the commercial websites in their
reviews. Was the federal government ready to practice what it has preached?
Well, from the results of the survey -- which we will discuss today --
it appears that the federal government does not practice what it preaches. Our
report is not the only GAO report that has produced failing grades for
government websites and databases. The Horn report on database security and the
Lieberman report on OMB privacy requirements have also both shown that the
government is not doing an adequate job of protecting America's personal
information.
On just two issues in recent weeks the government has
flunked. On the placement of cookies on government websites, the results are
troubling. Despite OMB memoranda in 1999, in June of 2000, prohibiting the
placement of cookies on federal websites, the practice continues today at the
IRS and possibly at other government websites. In fact, we learned in the GAO
report, I think, that 14 percent of the websites surveyed potentially permit
cookies on their federal websites.
And just last Friday the AP reported
that the White House website itself violates COPPA by collecting personal
information from children. While government websites can hide behind different
standards, in these two instances they certainly do not live up to the spirit of
the laws that apply in the commercial world. Chairman Pitofsky of the Federal
Trade Commission has graciously agreed to testify today about the many FTC
reports and activities in the past year dealing with privacy.
We'll also
hear from private sector witnesses who will discuss online profiling and
Children's Online Privacy Protection Act and the use of technology in protecting
privacy. And we will hear from one entrepreneur with an interesting take on
privacy. In short, we'll be looking at both the government sector and the
private sector today and we will examine just how well we stack up. In short,
while there's no obvious time this year for this committee to engage probably in
legislation, the remaining days of this session, this hearing will be
preparatory to activities next year in which we will continue our efforts to
guarantee that both the federal government and the private sector respect the
privacy of American citizens.
I want to close by inviting you -- I
understand the website is down this morning but -- to visit the EPA website. Our
staff visited the EPA website, I believe, yesterday and discovered that there is
on the EPA website a section called "explorers' club" which invites children to
give information about themselves to the EPA. Nowhere on this website is there a
disclosure that children should first get the permission of their parents before
sharing their private information with a government agency. There's something
wrong when federal agencies can't obey the law that we impose on private
citizens.
The chair yields back his time and the chair recognizes the
gentleman from Virginia, Mr. Boucher, for an opening statement.
REP. RICK BOUCHER (D-VA): Thank you very much, Mr. Chairman. I want to begin by
complimenting you on your handling of the delicate and complex matter of
establishing a federal privacy policy respecting the practices of websites that
collect information from the Internet-using public. The chairman has properly
taken a cautious and deliberative approach toward the development of legislation
in this sensitive area.
In my view, the time for legislation has now
arrived. With the hearing today, I urge the subcommittee to begin the process of
developing a federally-assured baseline set of guarantees for personal
privacy with respect to the information collected by
websites through the use of cookies placed on the hard drives of website
visitors. The requirements which Congress should enact are straightforward and
would be in the nature of minimum guarantees that would be applicable to all
websites.
I suggest that our legislation contain the following five
elements. First, each website should provide a clear notice of what information
is collected from the Internet-using public and how that information is used. If
the information is used internally within the website, that fact should be
stated. If there are circumstances under which the information is transferred to
third parties, that fact should also be stated and those circumstances listed.
Secondly, after reviewing the policy, the website visitor should be able
to limit the information about him which is collected and, in practical terms,
that may mean that he would depart the website with no information being
collected -- a practice that we commonly would refer to as an opt-out.
Third, the Federal Trade Commission should be directed by statute to
create a mechanism to assure compliance with these basic privacy guarantees.
Fourth, the legislation should declare that the policy is the national policy
and preempt any state requirements that are more onerous or inconsistent or in
conflict with the national guarantees as assured in the statute. And, fifth, the
Federal Trade Commission should be instructed to review website practices on an
ongoing basis and recommend any additional legislative steps that may be
appropriate.
I would suggest that a number of benefits would flow from
the passage of this set of minimum statutory guarantees. First, it would assure
that all websites -- whether privately operated or operated by a government
agency -- respect privacy. The larger commercial sites are presently members of
self-regulatory organizations and generally respect the privacy policies
announced by the SROs. Smaller websites in large numbers do not belong to SROs
and government agencies have observed privacy policies in a truly voluntary way
which has been somewhat inconsistent, as the chairman has suggested. In our
view, all sites should be covered by a minimum federal guarantee.
Secondly, the legislation would establish only a minimum set of
guarantees and websites could then offer higher levels of privacy protection and
market that enhanced privacy as a competitive difference. And, so, offering
greater levels of privacy would then become a competitive asset in the
marketplace.
Third, this basic privacy guarantee would encourage the
growth and development of the Internet by creating the confidence in Internet
users that their privacy is being protected. And, fourth, we can assure that the
law is efficient and workable by preventing a patchwork of inconsistent or
conflicting state requirements from arising.
The Federal Trade
Commission has called on the Congress to act and it's time for the Congress to
accept that invitation. And I believe that we can do so with a large consensus
of support from the private sector. Over the course of the last several months I
have watched that consensus grow and it is in support of the kinds of steps that
I'm recommending that we take this morning.
I want to welcome to the
subcommittee today my friend, and Virginia colleague, Bob Goodlatte, with whom I
have the privilege of co-chairing the House Internet Caucus. Eighteen months
ago, Mr. Goodlatte and I put forward legislation which closely resembles the
recommendations that I have made this morning. Our Internet Caucus has also been
active over the course of the last year. We have conducted a technology
demonstration to demonstrate various technical means of protecting personal
privacy for Internet users.
We've also conducted two widely attended
workshops on the question of protecting Internet user privacy. And now we are
planning to take our activities to the next level. During the coming days we
intend to establish a working group of interested members of the House and
Senate, primarily composed, I suppose, of members of the Internet Caucus but
anyone is certainly welcome to participate. And our goal in establishing this
working group will be to help in developing a broad consensus in support of the
elements that should comprise our privacy legislation during the course of the
next Congress.
It's our hope that the consensus building process will
include consultation with the industry and with the Federal Trade Commission,
and we hope to achieve the consensus that we're seeking within a matter of just
several months. So that by January recommendations can be in hand that enjoy the
support of a broad consensus within the stakeholder community and among members
of Congress. I look forward to working with the interested members of this
subcommittee and with my friend, Mr. Goodlatte, and the members of the Internet
Caucus, as we consider the best means of enhancing privacy protections for the
Internet-using public.
Mr. Chairman, I want to commend you for this
timely hearing. I frankly wish it was a little bit better attended because it
truly is an important subject.
And I want to commend you also for the
careful and thoughtful way in which you have addressed it and I look forward to
working with you as we seek to assure that the Internet-using public truly has
its privacy protected. Thank you.
REP. TAUZIN: I thank the gentleman
and, believe me, I feel very similar about the gentleman's involvement. I pledge
to him that -- as I have privately -- we're going to work very closely over the
next several months in preparing for some very serious work on this issue next
session. I thank the gentleman.
The chair recognizes the gentleman from
Illinois, Mr. Shimkus.
REP. JOHN SHIMKUS (R-IL): Thank you, Mr.
Chairman, and I'll be brief. I do believe, as many of us do, that the big issue
of the new millennium will be privacy. It's a great issue because it really
brings the political spectrum of the far left and the far right together as
teammates really trying to address the concerns of the good government types
that want to create new efficiencies for government to provide services with the
possibility of accepting and storing personal data.
So, this is a great
time to have this hearing. I'm concerned over the policies and statements that
we enact at the federal level but I'm more concerned that we follow those
policies and statements which, it seems -- those of us who are not technology
experts, you know, unfortunately, we're a very trustful nation. We trust
everybody and so if an agency says this information is not going to be used, and
they ask for information, well, we think, oh, good for them. But the information
is still being gathered and stored.
I hope that this debate stirs up the
whole issue that I think our founding fathers would be very, very proud of --
the debate of personal privacy -- actually, privacy rights which would be
similar to property rights in that there are some -- they're part of the fabric
of our national culture, that I think (have been ?) lost through a technology
age and an information age, that we need to get back to some privacy rights
issues. Again, I think the founding fathers would be pleased about this debate
and we have a lot of work to do.
I appreciate this hearing and I look
forward to being engaged with my friends from Virginia and members of this
committee as we move forward in the next Congress. I yield back my time.
REP. TAUZIN: I thank my friend. The chair recognizes the gentleman from
Ohio, Mr. Sawyer.
REP. THOMAS C. SAWYER (D-OH): Thank you very much, Mr.
Chairman. I can't help but think our founding fathers would not only be proud
but would be flabbergasted by this debate.
I want to join with my
colleagues in thanking the chairman for this hearing today. As he suggested,
many businesses have -- and many other kinds of entities have long collected
information about Americans for a variety of purposes but today the use of
individual reference services and (lock-up?) services operate computerized
databases on personalized information that have expanded the concept beyond what
most Americans have ever really seriously thought about. But they will be
thinking about them a great deal more in the future.
Most of us are
familiar with the story that Thomas Friedman (sp) likes to tell, the New York
Times columnist who checked into a hotel with his wife and children and as
children are wont, they wanted to go to the hotel pool right away. So they
jumped into their swimsuits, went downstairs and got into the pool. And when it
came time to get out of the pool and go back to their rooms they discovered that
he had left the hotel key in the room. So, dripping wet, with little more than a
bathing suit and a towel, he went up to the front desk and asked the manager if he
could get his -- I guess he asked the check-in clerk if he could get an extra
room key. And the clerk said, I'm sorry, if you don't have any identification
with you we can't do that, I'll call my manager.
The manager came out
and he said, Mr. Friedman, I really could not in good conscience -- and you
wouldn't want me to give your key to someone who simply came up in a bathing
suit and said that he was you. And, in the meantime, he's standing there, he's
working with the computer. He said, but I can tell you what room I'm in. He
said, you could have done that in any number of ways but let me ask you this,
you say your kids are with you, what are their names? He told them. What are
their birth dates? He told them. He said, here's your key. He said, why did you
do that? He said because you stayed here nine months ago and we have all of this
information and a whole lot more about you. And he said, thank you very much. He
was gratified but he was dumbfounded by the level of information and the depth
of knowledge they had about him as a product of simply having checked into the
hotel on a previous occasion.
That is chilling information and it is a
remarkable example of why the hearing that we're having today is important. I
appreciate the comments about the relationship between information gathered by
federal agencies and those gathered by businesses. Over the course of the last
couple of days, Mr. Chairman, I've rejoined a discussion that I've been involved
in for the last dozen years. And that is, efforts over the last 210 years to
gain access to private individual information gathered as a product of the
census. It has never been violated in the 210-year history of this nation.
If we're looking for (principle/ principal?) examples of the fundamental
ideas behind which we might seek to guard information, we could do no better
than to turn to the kind of repeated efforts that have been made to penetrate
the census and the efforts that the census has made to guard against that. Not
only other agencies but even, as we learned last spring, in times of war when
efforts were made to individually identify Japanese-Americans living in the
United States, United States citizens. That effort was directly resisted as a
product of the work of the census.
Personal information is our single
most valued possession and the work that we're doing here today could not be
more important. I thank you for that and yield back the balance of my time.
REP. TAUZIN: I thank my friend. By the way, that hotel now has new
personal data on Mr. Friedman, the fact that he loses his hotel key is I'm sure
included now. The gentleman from Maryland, Mr. Ehrlich.
REP. ROBERT L. EHRLICH, Jr. (R-MD): Real briefly, Mr. Chairman, real brief. Everyone said
really what I can say, this is a timely issue, it's an emerging issue. It's
always been a second tier issue, now rapidly becoming a first tier issue in
American politics. If there's any doubt for anybody in this room that this issue
is very important to the chairman, let me assure you there should be no doubts
because the chairman and I regularly have conversations about this. We've
already had one conference to be followed by many more conferences and hearings
and hopefully good pieces of legislation. I yield back.
REP. TAUZIN: I
thank my friend, also, and thank him for co-hosting the conference with
Chairman Bliley and Mr. Goodlatte and me. And, as you know, we'll hear about that
conference a little later but I again want to thank the gentleman for his
personal involvement because it's going to take a lot of members' involvement
for us to unravel all these issues by next year.
The chair welcomes and
recognizes Mr. Luther for an opening statement.
REP. BILL LUTHER (D-MN):
Thank you, Mr. Chairman, and thank you for holding this important final
subcommittee hearing. I want to thank you and Mr. Markey and Mr. Boucher for
your leadership on this subcommittee and on this issue. I'm pleased to hear you
say that this hearing will only be the beginning on this issue and that
hopefully in the next Congress we can deal very substantively with this
particular issue for the benefit of America's consumers.
Last November,
I was pleased to join Representative Markey in introducing HR 3321, the
Electronic Privacy Bill of Rights, which would require website operators to
comply with the so-called fair information practice principles. I would also be
remiss if I didn't mention this morning the great work of my colleague and
friend, Congressman Bruce Vento of Minnesota, who passed away yesterday morning.
Bruce introduced two online privacy bills and I want to recognize him for his
hard work on behalf of the American consumer on this issue and on so many other
issues through his lifetime.
REP. TAUZIN: Would the gentleman yield. I
want to -- Mr. Luther, we might ask all our friends for a moment of silence in
memory of Mr. Vento. He was indeed a dear friend of many of us and his passing
is very hard on many of us. I ask you all to join us now in a moment of silence.
Thank you. Mr. Luther.
REP. LUTHER: Thank you, Mr. Chairman. In light of
both the FTC and GAO studies that report that an unacceptably low percentage of
websites comply with the fair information practices, I look forward to hearing
our panelists' opinions. Hopefully their testimony will provide insight as to
what we, as a committee and as a Congress, can do to protect the American
consumer from this wholesale collection and distribution of personal
information. Thank you, Mr. Chairman, and I yield back.
REP. TAUZIN:
Thank you, Mr. Luther. The chair is now pleased to welcome our first witness,
indeed, our good friend from the Judiciary Committee who, I think, spends more
time here than he does with his own committee, the honorable gentleman from
Virginia, Mr. Bob Goodlatte. Bob, I also wanted -- I spoke last night, at
midnight, with your chairman, Mr. Hyde, and he was kind enough to get on the
phone with his staff last night and work out the final details of the Firestone
recall bill that we passed last night, the Tread Act. And I again wanted to
thank all of you members of the Judiciary Committee for the excellent
cooperation your committee provided our committee in resolving the technical
areas of common concern in the bill, and for waiving referral to the Judiciary
Committee. Again, if you'll extend my thanks on behalf of the Commerce Committee
to other members of the Judiciary Committee I would deeply appreciate it.
As you know, the bill passed last night and is now on its way to the
Senate and so we're, again, very grateful for the work of our good friend, Mr.
Goodlatte, on the Judiciary Committee. Mr. Goodlatte, you're recognized, sir.
REP. BOB GOODLATTE (R-VA): Well, thank you, Mr. Chairman. I want to
thank you and other members of the Commerce Committee for similar cooperation
and coordination of legislation that these committees share on many occasions.
You've been very helpful to us so we very much appreciate that and I will extend
your remarks to Chairman Hyde.
I also want to thank you for allowing me
to testify today. I do want to know how many appearances are required before I
can get a guest host status (laughs) but I do very much appreciate the
opportunity to testify on this very important issue. I must also thank you for
your leadership on this. You were very instrumental in organizing the retreat,
which you have referenced, which Congressman Ehrlich and Congressman Bliley and
myself were privileged to co-host with you. I felt that was a very, very
productive retreat for Republican members. And, while this is bipartisan in
nature and we intend to work with our Democratic friends on this as well, that
retreat -- which heard from experts in industry, academia and various think
tanks on this increasingly important issue -- yielded, I think, some very
substantive results. I can say with confidence that it was a great success and I
think members learned a great deal about the issue.
We discussed what
the main privacy concerns of our constituents are -- including unsolicited
direct mail marketing, the collection of personal information on the Internet,
the disclosure of personal financial information by financial institutions, and
identity theft and other criminal uses of personal information for fraudulent
purposes. We also learned about the complexities of how information is used by
commercial entities and that any privacy legislation needs to permit the
beneficial uses of the information as well as address consumer concerns.
And, finally, we learned that we need to use a combination of tools to
address privacy -- targeted legislation that specifically identifies the harm
we're trying to regulate, education to ensure consumers know that their rights
are -- what their rights are and how to exercise those rights, technological
tools on the Internet to allow consumers to control their information better,
and policies that encourage and reward businesses for self-regulation and
protecting consumer privacy at the same time that they extend enormous new
benefits to consumers by making valuable information available to them. We also
have to be careful not to increase identity theft and fraud by making
information unavailable to businesses and law enforcement to detect and stop
crime.
I also want to recognize and thank my colleague from Virginia,
Congressman Boucher, for his dedicated hard work on this issue. We are, as you
well know, the co-chairs of the congressional Internet Caucus. And with the hard
work of Congressman Boucher the caucus has sponsored a number of privacy-related
activities and events in recent years, including several public policy forums, a
technology demonstration of the latest privacy technologies, and a briefing book
for members that outlines various positions on the issue of online privacy. As my
colleague mentioned, the caucus will continue to be active on this issue after
we adjourn this year.
Earlier this year, I had the opportunity to lead a
congressional delegation, along with Congressman Boucher, that was attended by
several members of the Commerce Committee -- including Congressman Gordon,
Congressman Stearns and Congressman Pickering -- in which we had the opportunity
to testify before the European Parliament on the issue of privacy as it relates
to electronic commerce. As a part of that testimony we promoted the efforts to
coordinate privacy policy with the European Union. Something that, as you know,
is vitally important. And something that hasn't been mentioned thus far today
but is also important, looking toward our states as well. We have a great
concern that if we have 50 different state privacy policies enacted by our state
legislatures -- many of which are very active on this issue today -- as well as
differing privacy policies around the world, we'll have an unworkable situation
on the Internet. And, so, the effort to promote the safe harbor that allows U.S.
companies to do business in Europe by meeting certain standards while not
requiring the United States to pass legislation that may be contrary to our
interest and the intent of the majority of the members of Congress is vitally
important.
It's also important to recognize the contribution that
industry has made because substantial progress has been made in the area of
self-regulation. At this time the vast majority of Internet sites of major
businesses have good solid privacy policies that are enforced by those
companies. And that progress which would indicate that -- for example, of the
top 100 websites in the country, they have improved from 71 percent having a
good privacy policy to now better than 95 percent, is progress. But obviously
more work needs to be done in this area.
Mr. Chairman, you've noted the
substantial progress we have already made in a number of targeted areas dealing
with children's privacy, financial privacy, medical privacy. And I think that's
the type of approach that we should continue to pursue, not a shotgun approach
but rather a targeted approach to where the problems exist. We believe that
through private initiative and this targeted federal action we have been making
and will continue to make substantial progress toward achieving a balance
between ensuring adequate consumer protection and encouraging the development of
electronic commerce.
As we look ahead, obviously bipartisan support is
vital and I'm pleased to hear so many members on each side of the aisle commit
to that because that is exactly what is called for. There have been several
legislative proposals introduced and considered in the Congress this year and
it's unlikely that we'll see any of them enacted into a general online privacy
law this year. That's a good thing; that's not a bad thing. And I know there
have been those who have been pushing for us to take action before we adjourn
this year but, quite frankly, the Congress must approach the issue of
comprehensive online privacy legislation in a careful and deliberative manner.
And that is exactly what we are doing with your leadership here today.
Lastly, I want to say a little bit more about what Congressman Boucher
mentioned and that is the desire of the Internet Caucus to work with you and
other members of the Congress as we brainstorm, if you will, for ideas on how to
work in this direction. I do think Congressman Boucher has outlined the shape of
a very good potential piece of legislation very similar to what came out of the
privacy retreat which we hosted. And we are moving toward that kind of consensus
but during the time between now and when the Congress reconvenes in January
there is much work to be done. And the Internet Caucus intends to be a part of
that by coordinating a working group of caucus members and others to develop a
statement of principles on Internet privacy.
This working group will
consist of any member of the caucus or others who are interested in the issue of
online privacy. We'll work informally from now until the new Congress convenes
in January to outline those areas the caucus deems important to address in any
legislative initiative. And members who have been leaders on privacy issues from
both sides of the aisle and both sides of the Hill -- from Congressman Asa
Hutchinson to Senator Ron Wyden -- we hope will be actively involved in the
working group.
And we're also hopeful that by working in a bipartisan
manner we can contribute to the process which will begin in your committee and
to ensure that all members of the House -- including new members who are still
looking for information -- are prepared to act on any legislation that is
considered in the early part of this year.
I thank you again for the
opportunity to testify today and look forward to continuing to work with you.
REP. TAUZIN: Thank you again, Mr. Goodlatte. Let me -- first of all, you
mentioned Asa Hutchinson. I want to state publicly that our concern about Asa's
bill to create a commission -- which many of the members of this committee voted
against -- was not, of course, that we don't need an awful lot of work done on
this issue. And, as you pointed out, perhaps even some legislation next year.
But it was our concern that this work ought to be done by members of Congress
rather than some commission. And Asa and I had had many discussions about that.
It was not a -- our opposition was simply that it was a job we had to do and we
needed to get about doing it.
Secondly, I think you will recommend to
our good friends on this side of the aisle the experience of the Lansdowne
conference. I know that the Chamber Foundation has offered to conduct a similar
retreat for members of the Democratic conference or caucus and I would hope that
you'd take advantage of it, frankly. Let's talk about the Lansdowne conference
quickly, Bob.
First of all, it rained all weekend so everybody had to
listen to each other which was pretty good. And after all the meetings, after
all the panels, which included -- as you pointed out -- members of industry,
members of academia, think tanks, consumer representatives -- after everybody
had a chance to listen to one another, wasn't there a major shift in the
conference opinion by the time we left -- the early morning sessions on the
first day until the last session? And didn't that shift represent a sort of
major redefining of our mission here in privacy?
REP. GOODLATTE: Well, I
think that there was definitely a coming together of ideas. And one of the --
speaking about Asa again -- one of the reasons why I also did not vote for his
legislation was in addition to the fact that Congress needs to address this, I
think that the speed with which we need to address it is upon us. And,
therefore, some might take the establishment of a commission that would last for
some lengthy period of time as a putting off of addressing this and I don't
think we can do that. And I think that's one of the things that came out of that
conference, was that we need to act in a comprehensive manner and we need to do
it in such a way that sets a minimum baseline. That there is an opportunity for
legislation here that promotes self-regulation.
REP. TAUZIN: Let's talk
about some of the issues the conference highlighted. One of them was harmonizing
various privacy laws. The conference noted the fact that in some of the state
legislatures of our land there were as many as 200 bills filed. I know most of
them didn't pass but there's a lot of activity going on in state legislatures,
to establish privacy rights, that may be very different from one another and may
create some very different kinds of laws all set on top of an Internet,
interstate, international commerce question. Would you address that quickly for
us?
REP. GOODLATTE: Well, I think we have to -- we have an international
problem here, we have to start by having our own house in order in the United
States. The chairman is absolutely right. One of the things I mentioned earlier
that came out of that was the need to have federal legislation to avoid having
50 different states have 50 different privacy policies that are inevitably going
to conflict with each other. And a company attempting to do business in
interstate commerce on the Internet is going to have to have a consistent
policy. I mean, you can't have a website which has two conflicting requirements
on it. Much less, perhaps, 50 different states with a multitude of different
components of regulation that could collectively make it a totally unworkable
proposition. Particularly for a small business that wants to do something to
supplement their bricks-and-mortar business with some Internet business and then
suddenly find that they have an enormous task of complying with regulations.
So, we need to come up with something simple and understandable and
comprehensive that everyone can comply with and avoid this problem.
REP. TAUZIN: We also ran into the question of various federal agencies adopting
privacy policies that may or may not be in conflict with one another or in
conflict with those state laws. And businesses that have to comply with more
than one agency privacy policy that may be different from one another. And the
question was, do we need to focus on harmonizing the federal standards as it
applies to private businesses doing business with the federal government.
REP. GOODLATTE: Well, I think that's absolutely correct. And we have to
make sure that the federal government itself -- as you noted earlier -- is
setting the example of protecting the privacy of consumers and not abusing
already existing laws much less --
REP. TAUZIN: And, finally, we're
going to hear from the GAO about the various tests by which websites are judged
or rated. And we'll hear from the FTC about how well privacy is being protected
in the private, commercial sites of America. And we will learn that there are
always going to be some bad actors and bad players. Can we trust on privacy to
be totally protected by private, sort of self-policing organizations? Or will we
need some minimum standard by which -- or something that applies to those sites
that refuse to be members of self-policing organizations.
REP. GOODLATTE: We're always going to have -- of the millions of commercial websites
-- some that are going to either through neglect, or through deliberate desire
to misuse consumers' privacy, abuse this process in very unacceptable ways that
are going to harm consumer confidence in the entire Internet. And, therefore, it
seems to me that legislation should include a baseline standard to go after
those outliers who are not going to meet that standard. When we do that we have
to be very, very careful that we don't get into the idea that we should dictate
the minutiae of how businesses protect privacy of consumers when we have in fact
a long history, as you cited, of useful information being made available to
consumers through businesses.
REP. TAUZIN: And, finally, Bob, I want to
ask one thing of you -- of the Internet Caucus -- if you don't mind. I would
very much appreciate it if -- before we get to this matter next year -- if you
would perhaps co-host with us a technology demonstration for all members of the
Congress to see the new technology in privacy protection. At the Lansdowne
conference we saw some new software, some new hardware, some new ID systems by
which consumers can and will be able to protect themselves from sites that might
be negligent or intentionally damaging to their privacy. And I think a
demonstration of all those new technologies would probably help us understand
what needs to be done in law and what can be taken care of in technology and
self-policing.
So, I would ask of you that -- the consideration of
perhaps some sort of technology demonstration for our committee, perhaps in
union with the Internet Caucus, perhaps, next year.
REP. GOODLATTE: We
would be delighted to work with you to do just that. We have hosted some similar
demonstrations. And, you know, it's a hard time reaching so many members of
Congress who have such busy schedules so continuing to do that perhaps in
conjunction with the committee here in the committee room, or something, we
could have --
REP. TAUZIN: Well, either they come or we can threaten to
release their private information.
REP. GOODLATTE: There you go.
REP. TAUZIN: We can work that out.
REP. GOODLATTE: Thank you,
Mr. Chairman.
REP. TAUZIN: Mr. Boucher is recognized.
REP. BOUCHER: Well, thank you very much, Mr. Chairman. Let me echo the comments of
Mr. Goodlatte about our willingness, through the Internet Caucus, to integrate
our activities more closely with those of this subcommittee. Both in terms of
conducting demonstrations and perhaps also in terms of having panel discussions
that are apart from the formal hearing process and through other ways
collaborating in the development of good policy.
I want to commend Mr.
Goodlatte on his superb statement here this morning.
I'll note in
passing that I'm not a particular fan of partisan retreats and so he will not be
surprised if the Democrats do not accept the invitation to have a purely
partisan retreat. I tend to think that the best policy is made in a bipartisan
fashion. But I'm very pleased that the Republican members gained education from
the retreat that they had.
REP. TAUZIN: Was that a -- was that a --
excuse me, would the gentleman yield?
REP. BOUCHER: I'll be pleased to
yield. (Laughter.)
REP. TAUZIN: Was there a note of sarcasm in that?
(Laughter.)
REP. BOUCHER: Oh, no, Mr. Chairman, there was no sarcasm,
the statement speaks for itself. (Laughter.)
Mr. Goodlatte, I enjoyed
very much the visit that we paid to the European Parliament in February of this
year and I'm glad that you mentioned that. I thought it was an informative
exchange on both sides. We did have, as Mr. Goodlatte indicated, the opportunity
to testify before the European Parliament on the concerns that we have on this
side of the ocean about privacy protection. At that time we strongly encouraged
the formation of a safe harbor agreement which subsequently was negotiated. I'm
not sure we can claim much credit for that but we certainly endorsed the
concept.
And I was pleased to hear Mr. Goodlatte mention this morning
that that safe harbor arrangement between the United States and the European
Union is in the nature of a foundation. It is a minimum set of guarantees. It's
in the nature of a floor and it's anticipated that the privacy understandings
between the U.S. and the European Union evolve over time. And I would ask Mr.
Goodlatte if he agrees that adopting a set of guarantees as national policy here
in the United States that would assure the privacy protection of those who are
using the Internet, and visiting websites whether commercial or governmental,
would be in keeping with the spirit of the safe harbor agreement between the
U.S. and the European Union and would serve to strengthen that agreement to the
mutual benefit of U.S. citizens and European citizens alike?
REP. GOODLATTE: Well, I say that the legislation that you and I introduced earlier
and -- which is a shorter form of legislation that I know the chairman and
others have been formulating in their thinking process -- would provide such a
baseline standard of guarantees. But we have to be careful that we don't try to
-- I think -- micromanage that as the Europeans have done. I think that the
purpose of that safe harbor is to allow us to take our course of action and to
continue to promote privacy in a way very different than the way that the
European Union has taken that approach of basically an opt-in policy. In fact,
an opt-in each time somebody wants to use information. And I would say that that
would be the wrong direction to head.
And if I might give an analogy to
other areas, if I go into a men's clothing store that I frequent every year in
Roanoke, Virginia -- the gentleman's probably familiar with it -- and they were
to remember that I wear a size 40 suit and I like a particular brand of suit and
so on. Here, I'm giving away a lot of my privacy information. And he happens to
remember that, either in his head or by writing it down on a little card and
keeping it in the back room, so when I come in again he tells me about a special
sale they have on this particular type of suit and pulls out the size 40, or
goes directly to size 40 to see what they have in that stock. I'm not in the
least bit offended by that. And I'm also not offended if I go online to
Amazon.com or BarnesandNoble.com and the first screen pops up and it says, we
know you're -- welcome, Mr. Goodlatte, we know that you're interested in
biographies and we have a new biography that we think you might be interested
in. That, to me, is a value to consumers. In fact, in some areas like purchasing
airline tickets or so on and then the -- you're also notified of a potential
reduced rate on a particular hotel room in the city that you're going to with
the airline tickets.
I think most consumers would appreciate having that
information. They should have the opportunity to opt out of that if they don't
like that but I don't think we should get into the business of cutting people
off from that. And I think that's the effect of the policy in Europe that we need
to steer away from.
REP. BOUCHER: Mr. Goodlatte, thank you very much. In
the interest of time, I'm going to stop with this but I do want to thank you,
once again, for being here this morning. We always enjoy having you before this
subcommittee and hope that you'll return. Thank you, Mr. Chairman.
REP. TAUZIN: The chair asks unanimous consent, by the way, that all members' written
statements be made a part of the record including those who are witnesses. Is
there any objection? Without objection, so ordered. The gentleman from Maryland,
Mr. Ehrlich.
REP. EHRLICH: I yield my time, Mr. Chairman.
REP. TAUZIN: The gentleman from California, Mr. Cox.
REP. COX: Thank you. I
just want to welcome my colleague, Mr. Goodlatte, and likewise thank you for
your informed statement on this and all the hard work and study that you are
putting into this subject. I'd like to ask you -- because of your role also as a
member of the Judiciary Committee -- whether or not you think that it would be
possible to improve choices for consumers and protections for consumers by using
property rights in personal information as the means by which we regulate, as
individuals, the information sharing that goes on both over the Internet and in
other forms of commerce.
I want to stress, too, that I hope we can think
about this in non-technologically bound terms because while the Internet is
certainly today's medium, the Internet wasn't around a few years ago and it may
not be around in recognizable form some years from now. Catalog sellers have
collected financial information long before there was an Amazon.com. Direct
marketers have bought lists of names and mailing addresses long before there was
email. Americans have used the white pages to look up people's names and phone
numbers long before search engines like People Finder were around. So, in that
sense, what the Internet has done is simply to improve vastly the efficiency and
reduce the expense of this kind of data collection and dissemination. And that
development has brought into sharper tension the longstanding tensions between
the desire for privacy on the one hand and the benefits of dissemination of
information on the other.
So, my question is whether or not, as a
consumer, I shouldn't have the opportunity to take advantage of -- as you have
said -- of the opportunities to benefit, in many cases, from sharing my personal
information. But if I'm a consumer who just disagrees with you and, you know,
what suit size I wear is nobody's business but my own and that may be good for
Goodlatte, it may be good for Cox, but it's not good for me, the consumer. You
know, should I have that choice? And can we do this, therefore, on a market
basis, on an individual basis, and give people property rights -- in the form of
laws that we might pass here -- that would permit them in essence to license
this information, sometimes for free or nominal cost, sometimes just for the
benefits of whatever it is that they'd be getting over the Internet, as a means
of implementing this. Because -- I'll leave it to you to think about it and
answer it -- because I so fundamentally agree with what you said about the need
for some predictability and uniformity.
I mean, in the sense that we
don't want to have all these different privacy regimes in place, and so some
uniformity with a national rule might be useful, isn't it true that if you had a
one-size-fits-all policy that the downside of that is that it might not satisfy
consumers. The consumers come in a lot of different shapes and sizes, that's
what markets are all about. What you really want are neutral rules of universal
application that permit the maximum amount of flexibility so we can all have our
own privacy policies. And the Cox privacy policy might be different from the
Goodlatte privacy policy which might be different from the privacy policy of
every member on this panel. But what's the same is the law that gives us the
right to choose and to enforce our choice in a legally binding way so that
everybody leaves a market-based transaction happy because they chose the result.
And so that we avoid the problems with government mandates which are that it's
almost impossible for everybody to leave happy because it's forced on everyone
whether they like it or not.
REP. GOODLATTE: Well, I think you make a
very interesting observation. In fact, I think everyone does have their own
privacy policy. If I don't like the fact that the fellow remembers my suit size,
and so on, I'll go to another store the next time around. And, similarly with
other types of information, if I don't want to be listed in the phone book I
will ask to be de-listed. And if there is an abuse of that information I think
we do need to set the policy to give the consumer that right.
So, that,
for example, when I go into a store or go to visit a website and that website
has information about me that they might want to use to give me more
information, that's different than if that website takes that information and
sells it to somebody else. I need to have the opportunity to know that and make
a decision about whether or not I want to deal with somebody who is going to
turn around and share that information with somebody I may not want to have it
shared with.
Now, there are lots of new technologies that are enabling
people to establish that personal privacy policy and fine tune it to their own
preferences. P3P, for example, is a new technology -- that is growing in its use
on the Internet -- that allows you to set your computer so that when you visit a
website it will tell you whether or not that website has met certain privacy
policies based upon your own criteria that you devise at the outset and will
warn you that this site does not meet all those criteria. And therefore you can
leave the site if you don't want to participate in the standard that they have.
Or you can let them know you don't agree with their standard and negotiate with
them to change that policy as they deal with you.
I think that should be
a part of the opportunity of not only each consumer but also each business to
negotiate as a part of their doing business with you. But when they take that to
the next step of taking that information beyond their own usage of it --
because, after all, the transaction that took place in the past between you and
them is information that both of you and they share in ownership. But if they
then attempt to turn around and sell that to somebody else or give it to
somebody else for whatever reason, I think you need to have the opportunity to
avoid that if you don't want to.
REP. COX: And can I ask you to comment
just briefly on the other part of that question which is whether it is possible
to use property rights as the basis for enforcing this regime of privacy
protection and information sharing? And apply it across all technologies -- pen
and ink, typewriter, telephone, U.S. mail, the Internet, whatever it's going to
be. Can we write a law that says that you have these protections, you have these
rights, businesses also have rights and ways to conduct themselves that are all
clear in advance that aren't dependent upon the Internet.
REP. GOODLATTE: Well, framing it as a property right, I think we have laws that do
that to a certain extent today. But in limited areas like intellectual property
and so on. Whether you can take that beyond that is a good thinking tool, I
guess, as we move forward to address this. But it would be, I think, a major
change in policy to try to write every use of every piece of information about
anybody as something that cannot be known. There are lots of things that we pick
up just by looking around this room that --
REP. COX: Oh, no, to the
contrary, what I would have in mind is that simply by clarifying that people can
do whatever they want you would have the maximum freedom to exchange information
but also individuals would have the maximum opportunity, if they chose not to
participate in that regime, to pick something else.
REP. GOODLATTE: I
think that's the direction we're headed with an opt-out type of policy here. I
think we share --
REP. COX: And can you extend that to life on the
planet as opposed to just the Internet?
REP. GOODLATTE: Well, we, I
think, should certainly consider that as we move forward. If it is necessary and
appropriate to make sure that we're not singling out the Internet.
REP. COX: Yeah, I think that if we can do that that would be ideal. Because I worry
always about laws that however well intended end up discriminating against the
Internet. We need to recognize that some of this transcends the technology and a
lot of these things have been going on for an awfully long time.
REP. GOODLATTE: But we also have some laws in those other areas that in a new
technology we need to make sure that those same protections exist there. So,
yes, I think our objective is the same but how we -- how we achieve --
REP. COX: Thank you, thank you very much.
REP. TAUZIN: Thank
you, gentlemen. The chair recognizes the gentleman from Ohio, Mr. Sawyer, for a
round of questions.
REP. SAWYER: Thank you very much, Mr. Chairman. I am
grateful for the work that both the gentleman from -- well, both of the
gentlemen from Virginia have done not only within this Congress but
internationally. I think the work that you've done internationally may be even
more important than the work that has taken place here, as important as that may
have been.
I was interested in your tailor analogy. My tailor has gone
one step beyond yours. He has been able to project trend lines. (Laughter.) So I
came in -- when I was in the legislature -- at 38 and then when I was a mayor it
was 40 and now as a member of Congress it's 42. And I'm just stunned at his
ability to anticipate this sort of thing.
REP. GOODLATTE: Well, he has
an inflated view of your potential. (Laughter.)
REP. SAWYER: I was out
of the room for a moment. Am I correct -- in hearing the tail end of your
comment to the gentleman from California -- that you believe there ought to be a
distinction between information that is gathered for the internal use of a
vendor of a service and that which is then subsequently offered for sale, for
profit, to others?
REP. GOODLATTE: Well, I think that there very
definitely needs to be a standard set that allows people to know if that
information is going to be used for other purposes to give them the opportunity
to opt out of that. And that's one of the things, that Congressman Boucher
outlined in the formulation of potential legislation, that I think would promote
the Internet at the same time make sure that consumers are aware of some of the
risks of misuse of their information.
REP. SAWYER: Might that be an
appropriate point of distinction between opt out and opt in?
REP. GOODLATTE: Well, no, because, again, it would be I think the opportunity to find
out if indeed that information was going to be used for those purposes and if so
choose not to do business with that company or have the company agree that in
dealing with you they will not use the information for that purpose.
REP. SAWYER: Let me touch on the subject that both you and Mr. Boucher
talked about in terms of the work that's been done with the European Union.
Clearly that is only one arena in which this kind of problem will arise in a
global market. To what degree do you believe this has served as a template for
broader negotiations with other arenas? And how would you propose to go about
doing this?
REP. GOODLATTE: Well, it's only a starting point, even with
regard to the European Union, because we have such widely divergent approaches
thus far to consumer privacy on the Internet that it only works in the
intermediate term, if you will, to allow --
REP. SAWYER: You're actually
answering my second question --
REP. GOODLATTE: Yes.
REP. SAWYER: -- rather than the other one. But if you want to go ahead with that -- I
mean, I agree --
REP. GOODLATTE: Well, let me say that I think --
REP. SAWYER: -- there are huge cultural differences between the United
States and Europe in terms of their government business relationships.
REP. GOODLATTE: There are indeed and the Internet is probably the
greatest challenge to the sovereignty of nations and states to insist on a
particular format or standard.
So, I think what we need to do is to
continue to work with parts of the world that have taken the lead in addressing
this issue, like the European Union, with whom we may have substantial
disagreement but attempt to forge a workable solution to that. And, also, show
more leadership in the United States as we continue to evolve this policy so
that then as other countries in the world begin to address this we can have some
influence over that process. Because, again, we'll have the same problem with
150 nations around the world as we have with 50 states in the United States
attempting to have different privacy policies.
REP. SAWYER: Or 13, 14,
18 members of the European Union.
REP. GOODLATTE: Right.
REP. SAWYER: Thank you, Mr. Chairman. I yield back the balance of my time.
REP. TAUZIN: I thank the gentleman. The gentleman -- Mr. Luther is
recognized.
REP. LUTHER: Mr. Chairman, thank you, I'll pass.
REP. TAUZIN: Ms. McCarthy?
REP. KAREN McCARTHY (D-MO): I thank
the gentlemen, both gentlemen from Virginia, for their efforts to raise and
resolve this very important issue. And, Mr. Chairman, I would like to reserve my
questions for the panelists who are coming.
REP. TAUZIN: I thank the
gentlelady.
Mr. Green, from Texas.
REP. GENE GREEN (D-TX): Thank
you, Mr. Chairman. I have one question I'd like to ask our colleague. I know you
mentioned beneficial uses earlier in your -- in data collection -- and I want to
echo your comments. I think that we in Congress must be careful not to restrict
legitimate business practices. One of the concerns I have on data collection (is
part of it?). Do you believe that Congress should prevent, for example, third
parties from trying to collect an individual's anonymous website visits with
that individual's personal information? You know, because now we're hearing new
technology is being developed every day on how not only -- at one time it was a
cookie so you didn't let the -- you didn't accept that but now there's other
technology that the individual user may not know. You know, again, it's hard to
write laws to stop that when, you know, technology can change from day to day,
week to week. I'd appreciate a comment on third parties just tracking someone.
It may not be a -- have a relationship, a business relationship.
REP. GOODLATTE: Yeah, I think that is a very great concern. We have in our
constitution protections against governments doing that, in our Fourth
Amendment, and we certainly should have protections against other individuals
who are not engaged in a transaction with you using some technological device to
track your activities and gather information about you without your knowledge or
approval. I think that's a serious problem. I think, quite frankly, that some
existing laws and regulations enforced by the Federal Trade Commission give some
protection in that area but we need to continue to look at that.
And we
also need to have the kind of spotlight on that activity that has, I think, been
effective thus far in pointing out some entities that have stepped over the line
on the Internet. And there's been an outcry and if they are a reputable business
they've backed away from some of these things. I think that's good and that's
important. So, in addition to disclosure to individuals we also need to have
prohibitions in any law that we write that says that if you are gathering
information about somebody without their knowledge and not disclosing that to
them that there is a consequence to doing that.
REP. TAUZIN: I thank the
gentleman. The chair again wishes to thank our friend for his patience, for
spending so much time with us. And, again, to pledge to work with him as we
enter the new Congress, hopefully together again where we can continue this
dialogue and eventually a resolution of some of these issues.
REP. GOODLATTE: Thank you, Mr. Chairman, it's a privilege to work with you.
REP. TAUZIN: Thank you. We'll now welcome our second panel. I want to
preface this second panel with, again, an explanation that the second panel will
discuss with us findings of several reports -- the Horn report, the Lieberman
report, and the recent GAO report, done at the request of Mr. Armey and myself,
in so far as it covers the federal websites and the status of the federal
websites.
In prefacing this panel I want to read to you the results of
that GAO report in brief. As of July 2000, all of the 65 websites in our survey,
conducted by GAO, all of the 65 websites in the survey collected personal,
identifying information from their visitors. Eighty-five percent of the sites
posted a privacy notice. That means 15 percent did not, obviously. The majority
of these federal sites, 69 percent, also met the FTC's criteria for notice.
Which implies that 31 percent did not. However, a much smaller number of sites
implemented the three remaining principles of the FTC: choice -- 45 percent;
access -- 17 percent; and security -- 23 percent.
Few of the federal
sites, three percent, implemented elements of all four of the FTC's fair
information principles. Three percent implemented elements of all four of the
FTC's fair information principles. Finally, a small number of sites, 22 percent,
disclosed that they may allow third-party cookies. Fourteen percent actually
allowed their placement. That is, 14 percent of the sites surveyed by GAO
indicated that they allowed placement of cookies on their federal websites.
In fact, we learned in the news today that the White House itself
discovered that it permitted the collection of information through a cookie
system and has ordered it to be dismantled. Where is that notice? I want to
refer to it. So everybody can see that this is a real problem.
The story
on the web today, "White House on Cookies: Doh!" Cookie dough, I guess. After
being chastised by watchdog groups, the White House has issued an order to all
federal departments and agencies: no more cookies. The White House was
embarrassed last week by the revelation that it used cookies -- bits of consumer
code that track and record users' movements across websites -- on some of its
websites, violating its own privacy policies and possibly violating federal
privacy laws. Check it out on the web -- entitled "White House on Cookies: Doh!"
-- Wired news report.
I'm pleased now to welcome our witnesses. First of
all, Ms. Linda Koontz, the director of information management issues, U.S.
General Accounting Office. Ms. Sally Katzen, deputy director for management of
the Office of Management and Budget. And Mr. Roger Baker, the chief information
officer of the U.S. Department of Commerce, who by the way also, I understand,
chairs a privacy subcommittee of the Federal Chief Information Officers Council.
So, we want to welcome you all. We begin with our first witness, Ms.
Linda Koontz of the U.S. General Accounting Office. Remember, your written
statements are already a part of our record. We would appreciate it if you would
use the five minutes allotted to you to summarize your comments and then to open
yourselves up to a dialogue with us on some of the issues we discussed today.
Let me again thank the GAO, on behalf of Mr. Armey and myself and this
committee, for in fact conducting the survey as we requested it. That
information, combined with the Lieberman and Horn reports, is again the basis of
this panel's discussion. We begin with Linda Koontz.
MS. LINDA D. KOONTZ: Good morning, Mr. Chairman and members of the subcommittee, thank you.
Thank you for inviting us to discuss online privacy, a subject that has emerged
as one of the key and most contentious issues surrounding the continued
evolution of the Internet.
My testimony today will discuss the findings
in our recent report on Internet privacy which was based on a survey of federal
websites that we conducted, at your request, in July 2000. Specifically, you
asked us to determine how federal websites would fare when measured against the
Federal Trade Commission's fair information principles for commercial websites.
These principles are: notice -- data collectors must disclose their
information practices before collecting personal information from consumers;
choice -- consumers must be given options with respect to whether and how
personal information collected from them may be used for purposes beyond those
which the information was provided; access -- consumers should be able to view
and contest the accuracy and completeness of data collected about them; and,
security -- data collectors must take reasonable steps to ensure that
information collected from consumers is both accurate and protected from
unauthorized use.
Using the methodology that the FTC developed to
evaluate commercial website privacy disclosures, we analyzed a sample of 65
federal websites to determine whether they collected personal information --
such as name, address, email. And, if so, whether the sites included disclosures
to indicate that they met the fair information principles. We did not try to
determine whether the websites actually followed their stated policies.
I should note that federal agencies are not required to follow FTC's
fair information principles but, instead, are subject to the requirements of law
such as the Privacy Act and guidance issued by the Office of Management and
Budget. In addition, FTC staff expressed concern about our use of the methodology, stating
that there are fundamental differences between federal and commercial websites
which, in their view, make the methodology inappropriate for use in evaluating
federal website privacy policies.
You've already summarized very
accurately what our findings were in this report. So, I will conclude my
statement here and I'd be happy to answer any questions that you have at the end
of the panel.
REP. TAUZIN: Thank you, Ms. Koontz.
MS. KOONTZ: Thank you.
REP. TAUZIN: We'll now hear from Ms. Sally Katzen, deputy
director of the Office of Management and Budget.
MS. SALLY KATZEN: Thank
you, Mr. Chairman, and I join those who have congratulated you on having this
hearing on this very important issue. And I appreciate your inviting me to
testify on the privacy on government websites.
As the members of this
panel know, protecting the privacy of American citizens is a very high priority
for this administration. We have worked hard to ensure that the fundamental
privacy protections are properly safeguarded as our government, indeed society
at large, moves into the digital age.
Nowhere is this task more
important than in the federal government's obligation to continue to protect the
privacy and confidentiality of the personal
information that it maintains and to protect the
privacy of individuals in their interactions with the
government over the Internet.
Today the federal government is
increasingly becoming an electronic government full of new opportunities to
provide services and information to the public quickly, easily and when the
public wants it. But, as everyone has noted today, we must be vigilant to ensure
that personal privacy protections remain constant or improved in the process of
this transformation.
I am proud to be able to testify here today about
the success of this administration in meeting this challenge, in taking major
steps to boost the level of privacy afforded to American citizens when they
access the government electronically. Without doubt, we have more to learn as a
government. In this time of rapid change in technology and information flows,
all organizations do no matter their size. But I'm confident that we're
achieving significant progress and clearly heading in the right direction.
Now, to understand the GAO reports on privacy practices it is important
to put them in proper context in history. And I would begin with the Privacy Act
of 1974 -- as you did, Mr. Chairman, in your opening comments. For over a
quarter of a century it has afforded Americans strong legal protections for
personal information stored in government systems of records, no matter whether
they exist in paper or in electronic form. This is not voluntary, this is
mandatory, it is the law of the land.
These protections include: notice,
prohibitions on the unauthorized release of personal information, ability to
access your records and change errors that may appear, and security safeguards
as well. I would just note that Senator Horn's grades on security -- which
you've mentioned a couple of times now -- were the subject of another hearing
that I participated in and there is grave concern about the methodology that he
used and the grades that he gave. That was not an uncontested system that was
established. We believe that the security of the government websites is, indeed,
very strong and will remain so.
Now, while the Privacy Act provides the
bedrock privacy protections for Americans in their relationship with government,
the changes in technologies have produced a different world than existed in
1974. And, as has been noted, to keep current with meaningful privacy
protections, the Office of Management and Budget has augmented the privacy
provisions with policy guidance. The agencies' response to that guidance has
been outstanding.
For example, in April 1999 a study revealed that just
over a third of the federal agencies had privacy policies posted on their main
web pages. In June, two months later, OMB Director Jack Lew issued a memorandum
to all agency heads directing them to post clearly labeled and clearly written
privacy policies on their websites by September 1, 1999. Director Lew -- echoing
the sentiments of Mr. Boucher earlier -- said, we cannot realize the full
potential of the web until people are confident we protect their privacy when
they visit our sites.
Now the message was received by the federal
agencies and the GAO confirmed this result in what you have referred to as the
Lieberman study. This was a study conducted in April of 2000 and released on
September 5th, 2000. I call it the first GAO study. Now, you suggested that they
found the policies to be wanting. In fact, this study found that 69 of 70
principal agency websites had a privacy policy posted on their sites. And all 70
did within days of the release of that report.
Equally impressive, the
GAO identified 2,692 major website points of entry to six federal government
agencies. These are sites where the largest number of people interact with the
federal government. And of the sites they reviewed, GAO found only nine lacked
privacy policies. This record is impressive and I believe is an accurate picture
of the federal privacy policies online.
Now, in view of this it is, I
think, fair to ask why GAO reached the conclusions that it did about federal
agencies' compliance with the fair information practices written by the Federal
Trade Commission for commercial websites -- which is the second GAO report. The
answer, I believe, has more to do with the questions that were asked than the
practices that were reported. Specifically, the administration pointed out to
GAO staff, in the course of that study, that the study was misdirected and the
answers to the study's questions would likely be misleading.
GAO has
also reported that the FTC independently expressed concern that its methodology
was -- and I'm quoting -- inappropriate for use in evaluating federal website
privacy policies. Why is this, you might ask. Let me explain. The central
premise of the study that was done was that the FTC formulation of fair
information practices for commercial sites could appropriately be used to
measure the privacy protections of government websites. We think it cannot
because the FTC practices were designed for the private sector where the Privacy
Act and OMB guidance do not apply. This is a very important distinction between
commercial companies and federal agencies.
The fact that there is no law
establishing privacy protection for individuals in the commercial arena led the
FTC to stress the need for a statement about policies. Because absent a
statement the companies cannot be held accountable. That is, you must have a
representation of what you will do, and then not do it, to be enforceable by the
FTC. Government websites, by contrast, do not have to make any representations
to be held accountable. The Privacy Act establishes -- in the most public way
possible -- the standards to which citizens can hold federal agencies
accountable and exactly how they can hold those agencies accountable.
Thus, the test of whether a federal website provides privacy protection is not
whether it includes a statement that makes it comparable with commercial
practices but, rather, whether good privacy protections are in fact in place.
And the first GAO report, the Lieberman report, showed that the major federal
websites informed citizens of how their data are used at their websites.
And I would refer you specifically to page 25 of that report which takes
each of the fair information practices and documents that they are covered
either by OMB policy or by the Privacy Act. And it is against that which the
first study measured the federal websites and it's against that standard that
they did as well as they have done.
Now, we recognize that in this
information age it is critical that the federal government continue to use
technology to keep the public informed and provide services to the public and
stay on the cutting edge of technology. The launch on September 22nd of
FirstGov.gov was a major step to enable us to continue providing information and
resources to the American people. In this, and many other ways, the need for
privacy protection online and the need for public confidence in the federal
government's privacy standards is expected to only increase in the years ahead.
It would be most unfortunate if any misleading conclusions as to the
state of privacy on federal websites interfered with our common goal of
achieving electronic government with full participation of the public. I thank
you, Mr. Chairman, for holding this hearing and for giving me an opportunity to
testify.
REP. TAUZIN: Thank you, Ms. Katzen. And, finally, Mr. Roger
Baker, chief information officer of the U.S. Department of Commerce. Mr. Baker.
MR. ROGER BAKER: Thank you, Mr. Chairman, members of the committee.
Thank you for inviting me to testify before the committee today. I am testifying
-- as the chairman noted -- in my role as the chairman of the Federal Chief
Information Officers Council subcommittee on privacy. However, as a practicing
chief information officer for an agency, I'll also include some anecdotal
information from the Department of Commerce.
In my testimony today I'd
like to make three points. First, privacy is an important issue for chief
information officers throughout the government and the Federal CIO Council. That
our fundamental guidance on privacy, inside the federal government, comes from
the Privacy Act, other applicable federal laws and OMB policy. And that in the
past two years we've made substantial progress in both the quantity and quality
of privacy policies posted on federal websites and significantly raised the
awareness of privacy issues within the federal information technology community.
First, privacy is an important issue for CIOs and the Federal CIO
Council. By creating a subcommittee on privacy, the Federal CIO Council signaled
to all federal information technology workers that protecting
the personal privacy of the public is one of the key issues
facing us today. The American public provides government agencies with the most
sensitive of personal information. It is our duty as federal employees to
protect this information to the best of our ability. This means that our
information systems must be secure from intrusion and that these systems must
work in accordance with applicable federal laws.
The CIO Council keeps
this issue at the forefront of IT discussions by making it a key part of our
annual strategic plan, including privacy in the conferences we support and the
speeches we make, and by providing agencies with best practices or examples of
how to improve the privacy and security aspects of their information systems.
There are many examples of these best practices for privacy and security on the
CIO Council website at www.cio.gov.
I'd like to submit with my testimony
the privacy impact assessment best practice developed by the Internal Revenue
Service and recommended by the Security, Privacy, and Critical
Infrastructure Committee for use by all federal agencies. The CIO Council will
continue to work with OMB and others to identify further best practices and
other useful guidance that can be provided to agencies to help them in their
efforts to protect personal privacy on the Internet and other
information systems.
Second, our fundamental guidance
on privacy inside the federal government comes from the Privacy Act and other
applicable federal laws. Federal information systems, including Internet web
servers, are subject to the provisions of the Privacy Act. In addition, OMB has
issued policy directives regarding privacy protections on federal websites that
focus on a number of issues.
First, that all major entry points and all
points where substantial personal information is collected
should have easily accessible privacy policies posted. Second,
that those privacy policies be clearly written and reflect actual agency
policies with regard to the collected information. Third, that those policies
are in accordance with the Privacy Act and other laws and guidance that may be
applicable to specific agencies. And fourth, that there is a presumption against
the use of technologies that allow the tracking of activities of users over time
and across different websites -- for example, persistent cookies as
differentiated from session cookies -- unless high-level approval is obtained.
The CIO Council has worked closely with OMB to support the development
and implementation of these directives. As an example of the results of this
work, I would like to submit into the record the privacy policy posted on the
main page of the Census Bureau's Internet website, www.census.gov.
While
admittedly somewhat long, this privacy policy clearly conveys the types of
information that may be collected, how that information will be used, and the
specific legal protections provided that information. I use the Census privacy
policy as an example because it involves both the Privacy Act and Title 13
protections.
Mr. Chairman, I believe the following points were made in
the GAO report, but they are so important I will quickly make them again.
Federal systems of records are covered by specific laws that give individuals
specific rights and remedies if their private information is disclosed. These
laws apply whether or not a privacy policy is posted on a federal website. There
are no equivalent laws covering non-governmental systems. The FTC rules
regarding privacy policies for private sector websites are meant to establish a
legal basis under which a private sector website operator can be held
responsible for the protection of private information collected on a website.
Once posted, the privacy policy falls under the jurisdiction of the FTC,
which uses existing laws to hold companies to the promises they make to
consumers. In short, if a private sector web site does not post a privacy
notice, there is no ready legal recourse available to an individual whose
privacy has been violated. In contrast, the Privacy Act and other laws apply
even if a federal website does not post a privacy notice.
We can and
should do a better job of communicating the protections that the Privacy Act and
other federal laws provide users on federal websites. But I believe we should
continue to use existing federal law as our guidance in this area, instead of
the FTC policies clearly intended to achieve a different purpose.
In the
past two years, we have made substantial progress in both the quantity and
quality of privacy policies posted on federal websites. In 1999 the Secretary of
Commerce called on private sector website operators to improve their privacy
practices, placing special emphasis on the need for, one, posting privacy
policies and, two, that policies include the fair information practices of
notice, choice, access, and security. We quickly recognized that we, also,
needed to make major improvements in our own website privacy policies, both at
the Department of Commerce and throughout the federal government.
Working with OMB, we raised the profile of the privacy issue with both
agency and technical management, and made substantial strides in both the
quantity and quality of privacy policies posted on federal websites. And I won't
go through the GAO reports again since you have that information but clearly
we've made a major improvement. And I believe this is evidenced by the example
from the Census Bureau, the overall quality of these privacy policies has seen
substantial improvement as well.
In closing, Mr. Chairman, I'd like to
reiterate my main points. Privacy is a very important issue for agency CIOs and
the Federal CIO Council. Our fundamental guidance on privacy inside the federal
government comes from the Privacy Act, other applicable laws and OMB guidance.
And in the past two years I believe we've made substantial progress in both the
quantity and quality of privacy policies posted on federal websites.
Thank you for your time and I look forward to any questions you may
have.
REP. TAUZIN: Thank you very much, Mr. Baker. The chair recognizes
himself for five minutes and (members in order?).
Let me first point out
that there's another story on the web today on Yahoo! news that is quite
relevant, Ms. Katzen. It's entitled, FTC to Apply Law to Websites. And it leads,
contrary to a federal directive, major government websites -- including the one
operated by the White House -- are not adhering to a law that requires companies
to obtain parental consent before soliciting personal information from children.
MS. KATZEN: Yes, sir.
REP. TAUZIN: It's dated today. The White
House website invites children to submit personal information, such as names,
addresses and age, along with email messages for the president and for his
family, and there is no -- no warning for children to first get their parents'
consent before sharing this information. Is the White House violating the
federal law?
MS. KATZEN: No, sir, it is not. COPPA, the Children's
Online Privacy Protection Act, does not apply to the federal government.
REP. TAUZIN: Isn't that wonderful.
MS. KATZEN: Excuse me, sir,
if I may please explain the practices that we follow here because this is a
statement that has been made time and again in the press. By law, we're not
covered. However, we have taken every step we can, consistent with our being a
rather unique place, to meet the spirit of COPPA. Now, COPPA, remember, was to
protect children from marketeers who would seek to exploit them for --
REP. TAUZIN: Ms. Katzen, I'm going to run out of time. I want to ask
you, does not the June memorandum state that all federal websites and
contractors when operating on behalf of agencies shall comply with the standards
set forth in the Children's Online Privacy Protection Act of 1998.
MS. KATZEN: Yes, they do. But one of the conditions of COPPA is that if you're going
to get personal information for a one-time contact you must destroy the record.
And the Presidential Records Act does not allow us to do that.
REP. TAUZIN: Does not COPPA require the advice to children to get parental consent
before --
MS. KATZEN: Yes, and on five or six --
REP. TAUZIN: And is the White House complying with COPPA? Is the White House complying with
COPPA today?
MS. KATZEN: Is the White House complying with COPPA today?
It is not required to comply with --
REP. TAUZIN: Does the memorandum
require it to?
MS. KATZEN: The memorandum says to do what we can and we
are working on systems to enable us to not destroy records. The Presidential
Record Act, the security that attends the White House and other considerations
make the White House very different from what COPPA was designed to do. On the
other hand --
REP. TAUZIN: I'm going to run out of time. I want to go to
some other witnesses.
REP. COX: Mr. Chairman, if you'd yield on this
point. Having served in the White House counsel's office I'm well aware of the
requirements of the Presidential Records Act -- which haven't been followed very
carefully by this administration in any case. But why do you need to collect the
information from the kids in the first place? Then you don't have a record to
destroy.
MS. KATZEN: You do not have to provide any information to the
White House. If you want a response you need to provide an email address or a
regular address. Now, that is the information which COPPA says we would have to
destroy if we obtained it from the child in the first instance. It is for that
reason that on the White House homepages -- which are here -- it says on at
least five different occasions "make sure it's okay with your parents," "we
cannot respond to your message without your address but you can write us and you
can tell us what you think without any information from you coming in."
REP. TAUZIN: Returning my time. Does EPA require that? Does EPA advise
--
MS. KATZEN: Yes, sir, and the site that you were talking about has
been taken down.
REP. TAUZIN: Taken down today?
MS. KATZEN: No,
it was taken down on Friday, actually.
REP. TAUZIN: On Friday, right
before this hearing.
MS. KATZEN: It was taken down as soon as it was
brought to our attention that there was a violation. When we --
REP. TAUZIN: -- something else to the witnesses. I'm going to run out of time, Ms.
Katzen and I've got to control my time, if you don't mind. Let me -- if I ask
the other witnesses. You keep referring to the fact that federal agencies don't
need to post their privacy policies. They don't need to say what they're
collecting and how they're collecting it and who they're sharing it with because
federal agencies are covered by the Privacy Act.
We've got information
on the Privacy Act I want to cite to you. The Privacy Act provides twelve
different exceptions, twelve exceptions provided by law for information
collected by the federal government to be shared with other people. They
include, for example, for routine use as defined in the act -- whatever that is.
To the -- to other offices and employees of the agency. To a recipient who's
provided the agency with an adequate advance written assurance that the record
will be used solely for statistical research. It allows the sharing of private
information to persons pursuant to showing a compelling circumstance of health,
to members of Congress, to the comptroller general, to an (order of court?), to
a consumer reporting agency -- twelve different exceptions by which consumers'
information can be shared with other people. And federal agencies only say,
we're complying with the Privacy Act.
How do consumers know -- without
getting a lawyer and getting the lawyer to explain to him all the places where
his private information can be shared with other people -- what is in fact
happening to his private information under this Privacy Act?
MR. BAKER:
I certainly wouldn't want to imply that I don't believe agencies should have
privacy policies. I've worked very hard to get agencies to have privacy policies
and that's one of the reasons that I'm proud of the fact --
REP. TAUZIN:
Shouldn't federal agencies post their privacy policies, just like people in the
commercial sector, so consumers know without getting a lawyer what's going to be
shared with whom?
MR. BAKER: Federal agencies should post a privacy
policy and we've certainly said that.
REP. TAUZIN: Okay.
MR. BAKER: That privacy policy, though, should reflect the federal law that applies
to them and I certainly, as chief information officer, would not advise anyone
working for me to not comply.
REP. TAUZIN: You're saying it's our fault,
we wrote a law that lets these agencies share information so consumers be damned
if they don't know where this information will be shared? Or should the federal
government -- let me pose a question to, I think, as clearly as I can. If the
FTC -- and for that matter, members of Congress -- are harping on the private
sector to do more about informing consumers, what information is being collected
about them, how it's being shared and to whom it's being sent, should not
federal agencies live by the same standard? Particularly where information is
being shared with federal agencies in a non-voluntary situation.
MS. KATZEN: They are. And they should be.
REP. TAUZIN: I'm not asking you,
Ms. Katzen.
I'm asking Mr. Baker right now, if you don't mind. Mr.
Baker?
MR. BAKER: I'm sorry, I --
REP. TAUZIN: Well, let me ask
it again as carefully as I can. If the FTC is setting up standards by which it
is going to judge private sector websites on the basis of whether or not they
accurately inform consumers what information is being gathered, how it's being
used and to whom it's being shared -- so that consumers can be warned -- should
not the federal agencies, by which consumers and constituents interact with
information that is not necessarily voluntarily presented to the government --
in many cases, mandatorily provided to the government. Shouldn't the federal
agencies be under a higher standard to do exactly that? To inform consumers
precisely about what information is being gathered, what it's being used for and
to whom it's going to be shared with. Instead of hiding behind a law that gives
you twelve exceptions that the consumer doesn't even know about.
MR. BAKER: I certainly believe that federal agencies should be as clear as they
possibly can. Again, the reason I use the Census Bureau as an example is because I
believe it is pretty clear about what the protections are. The fact is that the
Privacy Act is there and that's what we've used as our guidance. And even --
REP. TAUZIN: All right, as a final -- my time is almost out. Ms. Koontz,
I want to go to you. Did the IRS in fact have a cookie on its website?
MS. KOONTZ: Using the FTC methodology we identified a third-party
cookie in use at the IRS. However, in fairness to everybody here, the cookie
that we identified was one that is placed on the visitor's hard drive when they
are, in fact, in the process of leaving the IRS site. The reason we picked this
up, however --
REP. TAUZIN: Wait, wait, I want to understand that.
MS. KOONTZ: Okay.
REP. TAUZIN: We have, I think, a federal
policy discouraging -- the memorandum to discourage cookies on federal websites.
MS. KOONTZ: That's correct.
REP. TAUZIN: But there are
exceptions. I understand cookies are allowed if the head of the agency
authorizes a cookie on the website.
MS. KOONTZ: Right.
REP. TAUZIN: You're telling me that in your investigation, in your survey, you did
discover that the IRS had a cookie on its website that visitors could click onto
and have information shared with third parties?
MS. KOONTZ: When you
were clicking on a link that led you to another website the receiving website
was placing a cookie on your hard drive as you were exiting.
REP. TAUZIN: Was that authorized by the head of the agency?
MS. KOONTZ: Uh, I
didn't ask them. They would have -- I mean --
REP. TAUZIN: How many
other agencies had cookies on their websites?
MS. KOONTZ: There were
eight websites who had --
REP. TAUZIN: There were eight websites out of
the 65 you surveyed -- federal websites -- that had cookies by which third
parties could gather information about citizens who visited those websites?
MS. KOONTZ: Yes. But, again, I mean, I want to be clear on this, it's
that this is third-party cookies identified using FTC's methodology.
REP. TAUZIN: I understand. The chair's time has expired. The gentleman
from Virginia, Mr. Boucher.
REP. BOUCHER: Thank you very much, Mr.
Chairman. Let me begin by talking about the Children's Online Privacy Protection
Act and asking our witnesses this morning if there's any reason why we shouldn't
simply extend the protections of that act -- which essentially require that
before any information is collected from children that the permission of parents
be obtained -- to the federal government. Why should we not do that? Ms. Katzen?
MS. KATZEN: I don't have any problem with that. As the chairman noted,
we have a memorandum from OMB instructing the agencies that they should comply
and if the law were expanded to cover federal sites it would be fine. It may
mean that when children write to the White House and ask for a picture of the
president -- they want a glossy picture -- we could not send it out unless they
wrote us on paper and then we return mailed.
But aside from the
inhibition on incoming materials requesting -- incoming requests for outgoing
things from the White House, there is no reason why it should not be expanded.
We believe strongly in COPPA and have supported it. And whenever we find that
someone is not complying, we take down that site.
REP. BOUCHER: Do
either of the other witnesses have anything to add to that? Ms. Katzen, let me
ask you this. You were attempting to provide an answer about current White House
website practices with respect to the Children's Online Privacy Protection Act.
I think you did not get a full opportunity to answer that question and I would
like to afford that to you if you'd like to take a minute to do that.
MS. KATZEN: Thank you very much, Mr. Boucher. We had originally had a
White House kids' page which got a lot of requests for things. We knew that it
would be covered within the spirit if not the letter of COPPA. At the time we
had asked for the child's name, the address, the email address, the school, what
grade they were in -- a lot of different questions. With COPPA we stripped that
down to the bare essentials, the minimization principle which is so prevalent in
privacy discussions. And we only asked for that information if they wanted us to
respond to them, not if they were simply communicating one-way to us.
Also, we placed throughout the site, in a number of places, warnings
that they should be talking to their parents, that they should be involving
their parents in this. And, finally, we have been negotiating with NARA, the
National Archives, to see whether we could get an exception from the
Presidential Records Act as we have for bulk mail, for example. If we could put
these children's addresses -- just to send them a picture of the president or
Socks or Buddy -- if we could put those addresses in a separate file or folder
and/or destroy that so we would not have that kind of information. And that has
been in process and we have been working on that. Our intent is to protect
children's privacy and to engage parents. We think COPPA is good law.
REP. BOUCHER: And you would not object to having it be extended to
federal government sites generally?
MS. KATZEN: Correct.
REP. BOUCHER: Good. Let me ask for your response to the suggestions that I made
earlier that the time has now come for Congress to accept the invitation of the
FTC and legislate a set of minimum guarantees for the privacy protection of
visitors to websites including the requirement that websites post a notice of
what information they collect and how it's used and then provide an opt-out
opportunity. Is there any reason why we should not extend that set of guarantees
not only to the practices of commercial websites but also government websites?
MS. KATZEN: For the most part the actual substance of what you have
provided exists now in the law. In terms of legislation, this administration has
taken the position that the most sensitive information should be protected first
and foremost. So, we have worked on financial records. We have worked on medical
records. These are areas where we think it is essential to provide adequate
protection because they're so sensitive.
If we could have those types of
procedures in place for the very sensitive information we would very much want
to work towards the next step which is to do a broader scope of protecting
privacy. There are difficult questions -- as Mr. Goodlatte and you had discussed
-- the balancing between giving out information and restricting the use of that
information. But we have repeatedly called for more stringent protections for
financial, for medical, for genetic discrimination, social security numbers.
There's a vast area that are specific problems that have appeared.
One
of the other --
REP. BOUCHER: Well, my time is expiring. So, I gather
the answer to the question is you're not sure. And that perhaps we need to
consider further whether to extend that minimum set of guarantees not only to
commercial websites but to government websites as well.
MS. KATZEN: I
think it's an important step but I think the other steps are more important and
should take priority in any legislative proposals.
REP. BOUCHER: Mr.
Chairman, may I have unanimous consent to proceed for one additional minute? I
just have one other question.
REP. TAUZIN: Let me find out. Is there any
objection to the gentleman proceeding for one additional minute? Without
objection --
REP. BOUCHER: Ms. Katzen, let me simply ask you if you
believe there are any statutory provisions that need to be adopted beyond what
we have discussed this morning. Do you have any recommendations for us for any
additional statutory provisions that would be in aid of enhancing the privacy of
Internet users?
MS. KATZEN: Oh, yes, sir. The administration has a
proposal to plug the loophole in Gramm-Leach-Bliley, on financial records, that
would enable consumers to know when information is being shared with affiliates
of the organization. That bill has been here. Mr. Markey has been active on that
issue as well, I believe.
Medical health -- we've for two years
requested Congress to move forward on medical health records. This is an area
which is terribly important to people. Whether it be sensitive matters like
mental health records or HIV testing, or commonplace like mammograms. There was
a story on NPR this morning about a woman who was fired after information became
available. Those are very important.
There's also -- the administration
has a social security bill to protect the sale and profiteering from selling
social security numbers. Genetic discrimination has been in committee for a long
time. Ms. Slaughter, Louise Slaughter's bill has been one that we have been
supporting and hoping Congress would pass.
These are things that touch
the lives of American people in a real way. Not when they're out buying
something --
REP. BOUCHER: Okay, okay, thank you, Ms. Katzen. I think
that answers the question.
REP. TAUZIN: The gentleman's time has
expired.
REP. BOUCHER: And I appreciate the chairman's indulgence. Thank
you very much.
REP. TAUZIN: I thank the gentleman. The gentleman
recognizes the gentleman from Illinois.
REP. SHIMKUS: Thank you, Mr.
Chairman, I'm going to yield my time to the gentleman from California. But
before I do that I ask -- forgive this committee -- my brother-in-law was
testifying before another committee on anthrax and the government anthrax so I
got a chance to introduce him. And because of that I wasn't here for all the
testimony, to hear all the comments. So, in lieu of my being able to fully
listen I'm going to yield my time to the gentleman from California.
REP. TAUZIN: Mr. Cox from California.
REP. COX: Thank you and I'll proceed
out of order in that case. Well, we begin with the GAO report telling us that
most of our federal agencies are not complying with the rules that we apply
throughout the private sector when it comes to privacy. In fact, only three
percent of agencies are implementing all -- or at least part -- of all of the
FTC's requirements. And in particular, the most disturbing to me, at least,
finding is that so many agencies are placing cookies on the computers of people
who log on.
I don't understand why the Office of Management and Budget,
in its latest guidance, continues to permit the use of cookies by federal
agencies, continues to authorize the placement of cookies on citizens'
computers. And I wonder if from OMB's perspective there is a good reason that we
ought to have such vague rules about cookies. OMB doesn't differentiate between
temporary and personal cookies in the guidance. It's very, very brief -- that
Director Lew put out. It's extremely short, just a few paragraphs.
Director Lew says that agency heads can approve putting cookies on the
sites. We have agencies then who are quoted in this article from Wired news
saying that they're quite sure that their agency heads will approve all of this
and continue to use the cookies. The National Endowment for the Humanities says
they're going to continue to use cookies and that they expect approval. In this
article they are quoted as saying that the agency head was on vacation -- that's
what they told the reporter -- but they were sure that the agency head would
approve the gathering of information from citizens who log onto that site.
The Federal Energy Regulatory Commission actually says, we generally do
not use cookies. But according to Wired, anyone who stops by the FERC homepage
will receive a cookie and it will not expire until December of 2010. The
Department of Transportation has placed cookies on citizens' computers logging
onto it that will last 34 years. These are persistent cookies. They track your
web activity after you leave the site.
So, from the standpoint of OMB,
why shouldn't we just say, no cookies? Why are you putting cookies on people's
computers and why is this a good idea? I mean, if you're investigating somebody
I understand it. We ought to say that government can investigate people. But if
you're not -- if somebody's not under investigation, why do we put a cookie on
their computer? And why, of all things, would that cookie track their activity
when they've left the site?
MS. KATZEN: I think you raise a very
important question to which my bottom line answer is that we shouldn't. And that
is why the OMB policy was written. I think it is important to note that GAO did
its study in July of 2000. We had issued the Lew memorandum, no cookies -- on
this presumption of no cookies --
REP. COX: In June.
MS. KATZEN: In late June. And so it has taken some time --
REP. COX: But the Lew
memorandum doesn't say no cookies, is my point. Why not? Why doesn't it say no
cookies?
MS. KATZEN: Well, it says there should be a presumption against
it. They can be used importantly and that's the reason that -- incidentally,
there is a clarification on the session cookies point, that you had mentioned.
There's a letter actually to Roger Baker (sp) from John Spotila (sp), who is the
administrator of the Office of Information and Regulatory Affairs, that says
that when you're logging on in a single session and you want to, for example,
make a purchase order at the mint and you have put in your name and address and
then you can't remember which things you wanted to buy so you're going to logoff
or open up another window and come back on again, keeping the session cookie
there means that you can complete that one transaction. That cookie disappears
when you have finished the transaction and logoff. That's the clarification of
September 5th to Roger Baker.
There are other reasons.
Whether
they be national security or --
REP. TAUZIN: Could we have a copy of
that clarification for the record, Mr. Baker?
MS. KATZEN: Sure, I have
one here.
REP. TAUZIN: Would you submit it to the staff?
REP. COX: What is the national security reason that we want to track the usage of the
web by American citizens?
MS. KATZEN: I cannot tell you that there is
one or that --
REP. COX: Well, you just did.
MS. KATZEN: Well, I
think you interrupt -- I was interrupted when I was saying that if the agency
head is presented with a compelling case for why this is crucial to the agency's
mission or otherwise endangers some facet of their operation, then the agency
head is to consider that information and make a decision. They are then to
report that to OMB where we will have a chance to review that. We'll be getting
information about this kind of situation and we'll be monitoring it.
I
don't know offhand the kinds of situations -- we're talking about changes in
technology that are happening very rapidly and practices that are changing very
rapidly. And for us to try to set policy that says, no way, no how, never, ever,
ever, ever, regardless of whatever reason might be justified, I think is to fly
in the face of what we have seen in the last two years --
REP. COX: Well, I don't mean to interrupt you but I certainly need to use some of my own
time. We're sort of far away from that with the Lew memorandum. The Lew
memorandum is far from saying, never, ever, ever, it puts at the discretion of
every agency head. And as you can see from --
MS. KATZEN: It's not
unbridled discretion because you have to have privacy policies in place, you
have to have other kinds of circumstances.
REP. COX: Well, as I just
quoted from the Wired news article, the agency heads or the people who work at
these agencies are assuming that, you know, for whatever reasons -- including
something as mundane as statistical purposes, you know, collecting information
about the use of their site -- they can continue to put cookies onto people's
computers notwithstanding the Lew memorandum. That article was written after the
Lew memorandum went out. So, obviously people are not taking this as an
instruction no longer to put cookies onto people's sites.
Lastly, with
respect to COPPA, which we should distinguish from COPA -- I think your
references to COPA have actually been references to COPPA, they're very similar
sounding acronyms but one deals with pornography, as you know, and --
MS. KATZEN: Right.
REP. COX: -- the other one does not. We're
dealing here with COPPA. This business about the Presidential Records Act and
not being able to respond to people and so on, is relevant only if you're trying
to end run the law. Because, as you know, the law -- the basic provision of the
law that the whole rest of the country's complying with is that you get parental
consent. Verifiable parental consent is the touchstone of the law.
If
the White House were willing to live by the same rules that everybody else in
America is living by, they would just go ahead and get parental consent and
respond to kids in that way. The only reason that it becomes relevant that you
destroy the information is if you're trying to do an end run around that
requirement.
There is an exception, as you know, where consent is not
required in narrow circumstances, and you're trying to exploit that provision
here by importing the Presidential Records Act as the reason you can't get it
done. Why not just comply with the law?
REP. W.J. TAUZIN (R-LA): The
gentleman's time has expired.
Ms. Katzen, you can respond before I'll
move on to someone else.
MS. KATZEN: Thank you very much.
The
exception that you note is the one time contact, and that's the situation where
I'm talking about if you write in and say I want a picture of the president,
it's only one time. We're not trying to build a track record or a relationship
with the child.
REP. COX: So why not comply with the parental consent
requirement?
MS. KATZEN: That's not an end run around the statute. It is
recognizing, as Congress did, that if you're not going to build a long-term
relationship you don't need verifiable consent. Verifiable consent on a one time
only doesn't really make a whole lot of sense.
To have a child say I
want a picture of Socks, you say okay, have your parent fill out a form and fax
it in, and when we get that we'll then send you the picture is a little bizarre
for a one time only, and that's why the statute clearly has that exception built
into it.
REP. TAUZIN: The gentleman's time has expired.
The
chair recognizes the gentlelady from Missouri, Ms. McCarthy.
REP. MCCARTHY: I have no questions at this time.
REP. TAUZIN: The chair
recognizes the gentleman from Texas, Mr. Green.
REP. GENE GREEN (D-TX): Thank you, Mr. Chairman. I have a couple questions.
Ms. Katzen, the
chairman outlined loopholes in the Privacy Act of 1974. Do you believe that the
Privacy Act of 1974 is outdated and allows or may allow the distribution of that
personal information?
MS. KATZEN: I think the
Privacy Act has served us well for the last quarter century.
I'm always open to relooking and seeing whether in an age where we act faster
with faxes and internet instead of more leisurely types of communication more
careful language has to be included, but if GAO asks us or Congress in oversight
asks us for information, we're going to be providing it, and I think citizens
know that that is the case. Those are the kinds of exceptions that are in there.
Routine use. To establish routine use that the chairman mentioned, the
agency has to publish in the Federal Register a description of what it is
they're talking about, which is we're going to take your information, and I'm
going to share it with this bureau or that bureau for this purpose or that
purpose. It's written in the Federal Register. Comments can be filed on that.
It's a very public process.
My own instinct is the last quarter century
we've been well served, but I would not be in any way contrary to looking again
at the language to see if it could be tightened. We believe in privacy.
REP. GREEN: Are Americans who provide information to the agencies
vulnerable to having that information used in some inappropriate way? For
example, you know, whether it be the IRS, whether it be, you know, HUD or
somewhere else. Do you know of any examples where information that someone
provided was used inappropriately?
MS. KATZEN: I will not sit here and
tell you that there is no instance of misuse of information. I can tell you that
we have taken all reasonable steps to minimize that and to insure that when we
hear about something there is a remedy.
I thought the first GAO study
that went through and identified where policies could be more clearly stated or
more solicitously put was a good thing because the agencies saw that, and they
want to do the job, and they, therefore, have begun the remedial effects from
these kinds of reports. We have worked very closely with GAO to insure that we
know what's happening.
I can't tell you there's never been an instance,
sir, and I won't do that.
REP. GREEN: Okay. Well, I don't expect that,
but I want -- you know, we have remedies for it, but generally, you know, the
American people ought to feel comfortable that contacting or providing
information is not going to be shared inappropriately --
MS. KATZEN: Absolutely.
REP. GREEN: -- and there are punishments for inappropriate
use of that information.
MS. KATZEN: Yes, and there's a private right of
action. I mean, in the Privacy Act if you feel that something has been done you
can bring suit.
REP. GREEN: Okay. Yes. I know that. That's not a
problem. I just want to make sure there's also an appropriate response --
MS. KATZEN: Yes.
REP. GREEN: -- that the U.S. government can do
to someone who is using that, not just a private right of action.
MS. KATZEN: Yes, sir. There are criminal and civil --
REP. GREEN: Okay.
MS. KATZEN: -- statutes and penalties involved.
REP. GREEN:
Okay. Let me ask you about the federal web placement of third party cookies. I
guess the report that we have shows that the survey showed 22 percent of all
sites disclosed that they may allow third party cookies. Fourteen percent
allowed their placement.
What would be the reason why we would allow
placement of a third party cookie on our website?
MS. KATZEN: I don't
know. I did not understand that statement that they may allow, and I did not
understand that they do allow other than as they're leaving the site. I think
that the witness from GAO was trying to explain it.
Cookies are used for
site management. They're very, very popular in the private sector. Everybody
uses them in the private sector.
REP. GREEN: Okay, but 14 percent of
third party. I don't know if that 14 percent is third party non-government.
Mr. Baker, Ms. Koontz, do you know any examples of why we would have a
third party involved in placing cookies on federal websites?
MS. KOONTZ: In the survey that we did, we identified eight websites where we picked up the
concept of a third party cookie. In the vast majority of those, those were cases
where a visitor might be clicking on a link to go someplace else, and the new
site was placing the cookie before you left.
That's not something that
is typically thought of as a third party cookie, but it was a concern because
there was no clear warning that you were leaving, that you were subject to a new
privacy policy or that a cookie was being placed.
Now, in one case there
was a federal agency that did allow the placement of a cookie by a third party who
collects information, and this was done, I believe, as a way of the third party
collecting usage information about that particular federal site.
REP. GREEN: Okay. It seems like we would want to have some kind of restrictions on
third party, whether it's inadvertent.
MS. KOONTZ: Yes.
REP. GREEN: Maybe that's something, Mr. Chairman, we need to look at. I appreciate my
time.
REP. TAUZIN: I thank the gentleman.
Before I move to the
next member, I would like for the committee's edification, Ms. Katzen, if you
would submit to the committee clarification of what conditions could an agency
head permit the use of either session or persistent cookies under OMB policy.
MS. KATZEN: Yes, sir.
REP. TAUZIN: If you would submit that for
the record?
The chair recognizes the gentleman from Maryland, Mr. Wynn,
for a round of questions.
I'm sorry. Mr. Sawyer is first. I'm sorry. Mr.
Sawyer from Ohio.
REP. TOM SAWYER (D-OH): Thank you, Mr. Chairman. I
apologize. The irony of this is beyond belief. I've been going back and forth at
this point between Commerce and Census with regard to a question that goes
directly to this sort of thing, and you may in fact be familiar with what I'm
talking about.
I'm not going to go into that here, but I would hope that
we could look at the mirror image of the concern that all of us up here share
and from what I'm hearing you all share about the assurance of privacy.
Could you talk to us for a moment, each of the three of you in turn,
about how we make it possible for agencies of government to share information
that they need in order to illuminate and inform sound policy making here in a
way that all of us would support without compromising the privacy of the
information with which they have been entrusted?
MS. KATZEN: Mr. Sawyer,
as you know, that is near and dear to my heart. It's something I've worked on
for the last five or six years.
GAO sometimes refers to this issue in
several big studies, but we have identified this as one of our priority
management objectives this year and have been working on it to do a number of
things, one of which is to enable agencies to share information to test
eligibility to insure that the right person is getting the right benefit, the
right amount of the right benefit. You do that by sometimes needing access to
tax information, sometimes needing access to information that may be in somebody
else's files. That's one form of sharing.
Now, there are computer
matching Acts. There is the Act on computer matching. There are practices that
are involved, and there are very stiff restrictions. 6103 of the Tax Code, for
example, precludes this kind of thing without a very detailed process.
We have been working to see whether with new technology it will help us
protect the privacy because our intent in sharing data would be to insure that
no matter in whose hands it was it was being protected and it was being kept
confidential.
Another area that we have been working on, which I think
has something vaguely to do with what you've been doing on the times that you've
not been here, has to do with statistical information.
Right now we ask
American businesses to supply all sorts of information over and over and over
again. If we could have the statistical agencies share more of that information
-- BLS, BEA, Census -- you would be able to reduce the burden on respondents
and, therefore, increase the likelihood of complete and honest and accurate
responses.
That's an issue which again, that doesn't have personal
information usually. It doesn't have even identifiable information, but it has
sufficient protection and confidentiality that we need to work out the process
whereby that can happen. Those are just two instances where if we can establish
that we do protect that information, we could save the American citizens and the
American government a lot of time and effort.
REP. SAWYER: Ms. Koontz,
Mr. Baker, from the point of view of the committee that you've been working with
could you comment on that?
MR. ROGER BAKER: It's interesting that the
drive towards electronic government -- there are a lot of great ideas coming up
with federal employees and their contractors for how to utilize information, and
on the other side you have the Privacy Act, Title 13 and other things that do I
think to this point an appropriate job of governing that enthusiasm and keeping
us from putting databases together in ways that we know how to do, but, frankly,
the laws I think appropriately keep us from doing.
One of the things
that I can't help but emphasize, and I'm sure you're well aware of this given
the other thing you're working on, is the attention that federal employees pay
to the privacy issue. When you go out to Census and you're sworn in as a Title
13 swearing in person, they take that very seriously. They are the defenders of
the public's privacy as federal employees.
I don't think that we
recognize that or emphasize that enough in the government is that those people
view that as their life's job A, to do a good statistical job, but, B, to
protect that information, so I think the intersection of those two forces,
electronic government and what we can do, the Privacy Act, Title 13 and others
on what they keep us from doing, so far has kept a balance in there.
We
have been able to move ahead, but not too quickly and without doing a tremendous
amount of violating of people's privacy. I don't know how we would change that,
to be frank. It's interesting to work in it right now, and again it's a
balancing act there.
REP. SAWYER: Ms. Koontz, in preparing your analysis
of all of this is it fair to say that you looked at it largely from the
perspective of protecting privacy rather than the concomitant need to share
information where appropriate?
MS. KOONTZ: I don't think we took
actually either perspective. Our charge was very simply to use the same criteria
that FTC uses, use their identical methodology and to evaluate federal sites
using that criteria and methodology. I don't think there was a particular view
associated with that except to the extent that FTC may have a view on how they
look at sites.
REP. SAWYER: In that sense, without having the two
different angles from which to view a complex problem, would it be fair to say
that without using words like -- I don't want to; I won't even use the word, but
that it yields a less than fully developed portrayal of the complexity of the
problem that we're trying to deal with here?
MS. KOONTZ: I guess I look
at this issue a little bit differently. It's true that you can't hold federal
sites accountable for not following the FTC methodology, the FTC fair
information principles. They're subject to other rules, other laws, other
regulations.
Then, on the other hand, I think it's useful to look at
what federal agencies are doing --
REP. SAWYER: Of course it is.
MS. KOONTZ: -- in light of various standards as a way of I think
continuing the debate on are we happy with the status quo, are we happy with the
requirements that we have, or do we need to take a relook at them.
REP. SAWYER: And then to evaluate their appropriateness.
REP. TAUZIN: Would
the gentleman yield a second?
REP. SAWYER: I would be pleased to.
REP. TAUZIN: I would just point out that I don't think private sites are
required to follow the FTC methodology either.
MS. KOONTZ: That's
correct.
REP. TAUZIN: There's no law requiring that, is there?
MS. KOONTZ: That's correct.
REP. TAUZIN: All right.
REP. SAWYER: Thank you very much, Mr. Chairman. You have been flexible, and I
appreciate it.
REP. TAUZIN: I thank the gentleman.
The chair
recognizes Mr. Wynn from Maryland.
REP. ALBERT WYNN (D-MD): Thank you,
Mr. Chairman.
I guess I take a somewhat conservative view starting with
domain cookies, and I really would like to get a clear understanding of the
rationale for domain cookies with respect to getting personal information and
how that enables you to manage -- how the identification of the user enables you
to "manage" the site better.
MS. KATZEN: Let me start, and then Mr.
Baker might be able to add something or will definitely be able to add
something.
When we launched first.gov on September 22, everybody wanted
to know so how many hits did you get, and the question is is that the same
person coming back 12 times, or is it 12 different people? If you have a cookie,
you can tell whether it's the same person or not. Now, that's how you use it for
site management is it gives you --
REP. WYNN: Okay.
MS. KATZEN: -- that kind of information.
REP. WYNN: If I could jump in? Is that the
best rationale?
MR. BAKER: Sir, if I could?
MS. KATZEN: Go
ahead.
MR. BAKER: I think the best rationale is the one the private
sector utilizes, which is personalization of a web experience is a real benefit
to the consumer if that's all the information is used for is that
personalization. For example, we --
REP. WYNN: But there's an assumption
there that I'm not ready to accept, and that is that personalization is in the
interest of the consumer. Says who?
MS. KATZEN: Some consumers choose.
Mr. Goodlatte sat here and said he has no objection. Indeed, he sort of likes
the idea.
REP. WYNN: Okay.
MS. KATZEN: When he goes to
amazon.com, they say you like biographies. That's how they use it in the private
sector.
REP. WYNN: I want to go back to this. There is no opt out, so
your assumption that it's good for the consumer to be personalized doesn't give
the consumer the chance to say no, I don't want to be personalized.
MR. BAKER: I would agree with you. There needs to be opt outs, just in answering
your direct question.
REP. WYNN: Okay. That's one item that I think is
important for discussion. You agree there needs to be opt out on domain cookies.
Is that your position?
MR. BAKER: Yes. My personal position. It would be
yes, recognizing that that will have an impact on, if you will, the value of the
companies on the internet who base a lot of what they do on being able to
personalize. That personalized experience is --
REP. WYNN: Well, that's
fine. I mean, I'm satisfied.
I think we've got at least one policy
option on the table, and that is let consumers opt out of this. That's fine.
Now, is there any other rationale for domain cookies that we need to be
aware of? Okay.
With respect to third party cookies, shouldn't there be
some probable cause standard or some restriction or condition, however you would
phrase it, to justify any imposition of third party cookies? I think members of
the panel seem to be saying the same thing in a lot of ways. I will be candid
and say I have a very hard time accepting the notion of third party cookies
unless someone presents a probable cause case for national security.
MS. KATZEN: Federal websites are not to have third party cookies.
REP. WYNN: What's the penalty?
MS. KATZEN: The penalty would be to immediately take
the site down and hold the agency head responsible, as you would with any other
kinds of violations of federal policy.
REP. WYNN: But then those --
MS. KATZEN: The assumption is that federal employees will obey the
policy. As Mr. Baker indicated, federal employees --
REP. WYNN: If I
could just jump in? There are no statutory penalties against the federal
employee that imposes a third party cookie?
MS. KATZEN: Not that I'm
aware of, but I'm also not aware of any instances where they are in fact
imposing them. As Ms. Koontz was indicating, they are coming from --
REP. WYNN: I thought Ms. Koontz said there were about eight out of 65.
Is that correct?
MS. KATZEN: That's where as people are leaving the
site, I thought she said.
REP. WYNN: Well, please clarify that.
MS. KOONTZ: It was we identified -- using the methodology that FTC used,
we picked up eight instances that we called third party cookies.
REP. WYNN: Okay. Stop right there. So there are eight instances. Is there any
requirement in the law that those eight instances be justified, or can we
conclude that they are per se in violation of existing law?
MS. KOONTZ: I don't know the answer to that question. I think that's --
MS. KATZEN: It's not law, but policy, and if they were placed by the agency, as opposed to
the exiting link, which is what you had said earlier many of these were placed,
as they clicked to go to someplace else it's someplace else that puts the
cookie, not the agency.
If the agency is doing it, they shouldn't be
doing it unless they've gone through the materials that we have provided to them
in terms of the finding that they need to make, privacy protections that need to
be in place and the other processes and reporting to OMB on this kind of
situation.
REP. WYNN: So they can make a showing to OMB, and it's okay
to impose a third party cookie?
MS. KATZEN: It may or may not be okay.
It depends on what they show. I don't know.
REP. WYNN: What do they have
to show to justify a third party cookie?
MS. KATZEN: That having the
cookie is critical to the obtaining of their mission, and I think that's a
pretty high showing.
REP. WYNN: Well, it depends on whether it's
national security or whether it's Department of Interior.
REP. TAUZIN:
Would the gentleman yield?
REP. WYNN: The Department of Interior -- I
see my time is up, Mr. Chairman.
REP. TAUZIN: If the gentleman would
yield, I will quote from the memorandum for the gentleman. It says that under
this new federal policy dated June 22, cookies should not be used in federal
websites or by contractors when opening websites on behalf of agencies unless in
addition to clear and conspicuous notice -- first of all, you have to at least
give people notice you're doing it -- the following conditions are met:
A compelling need to gather the data on the site, whatever that means,
and appropriate and publicly disclosed privacy safeguards for handling of the
data on the site, appropriate and publicly disclosed privacy
safeguards for handling of information derived from the cookies
and personal approval by the head of the agency.
REP. WYNN: I thank the chairman. In fact, if I could have 30 seconds?
REP. TAUZIN: The gentleman is recognized for an additional 30 seconds.
REP. WYNN: My concern is where is the oversight of the agency decision that they have
a need to collect this information? I'm perfectly willing to accept a national
security or law enforcement rationale. Maybe Interior does have a rationale, but
where is the oversight that would enable those of us in Congress to know that
these agencies are acting in fact within the scope of their authority?
MS. KATZEN: Well, since this information would ultimately be gathered
together by OMB and OMB has very aggressive oversight committees that are
constantly asking for legitimately this kind of information.
I would
also note that this is a subject which has gotten a lot of play in the press
because this is not something you can do in secret. The reason we're here is
because there's a whole cadre of people there who are constantly testing us, the
private sector, NGOs.
REP. WYNN: Last question. Is there any reporting --
MS. KATZEN: They're constantly coming to discover these activities.
REP. WYNN: Mandated reporting to Congress?
MS. KATZEN: Excuse
me?
REP. WYNN: In other words, the agency reports to you it has a
rationale. Is there any mandated reporting of that information to Congress?
MS. KATZEN: No, sir.
REP. WYNN: Okay. Thank you.
Thank you, Mr. Chairman.
REP. TAUZIN: I thank the gentleman.
For the
record, and you can submit this for the record. It was raised by a number of
members. When was the last criminal prosecution of a Privacy Act violation? If
you can submit that for the record?
We can't recall one. We can recall a
lot of stories about personal data being released to the press -- Kathleen
Wylie, Linda Tripp, all kinds of stories. Were there any prosecutions of
violations of their rights?
MS. KATZEN: I'd be happy to do that.
REP. TAUZIN: Can you submit that for the record?
The gentleman
from California, Mr. Cox?
REP. COX: I would thank the chairman.
I just want to underscore my complete agreement with the concerns
expressed by Representative Wynn, and I hope that also for the record, Mr.
Chairman, if you would permit perhaps we could see a list of those circumstances
in which the collection of cookies -- not temporary cookies, not session cookies
-- would be compelling for any agency under this memorandum.
REP. TAUZIN: If the gentleman would yield a second? I want to make sure the request
is specific.
GAO identified eight sites of the surveyed sites, and GAO
only surveyed at random a certain number of sites and the top 30 some odd high
volume sites. What the gentleman is asking for the record is a submission of all
of the existing authorized cookies on all federal sites, if you can identify
those along with the compelling reasons for those cookies to be on those sites.
I yield back to the gentleman.
REP. COX: And I think in
Representative Wynn's question he had embedded the sense we all share that if a
person is legitimately under investigation then obviously tracking them through
their web usage is as legitimate as tapping their phone or anything else, but,
you know, if the national security concern is that somebody might be hacking
into our computers or what have you, we're all for doing whatever we can to
track that down.
Putting that in a clear category of its own, literally
intentionally investigating people, what are the reasons that OMB thinks the
government ought to be placing cookies on people's computers for that are not
just session cookies?
If you could answer that for the record, because I
know that --
MS. KATZEN: I'd be happy to, although I should state that
we don't have a preexisting list of conditions. We don't think they should be
there, but since we do not know everything and we don't know all the different
circumstances that could be presented, we establish this process, but I will
supply the information that you requested for the record.
REP. COX: All
right. I would just then conclude by saying I hope you get rid of the cookies. I
think a policy that --
MS. KATZEN: So do I.
REP. COX: If the
concern is gee, the government is so big we can't get an answer to this question
fast enough or we can't get it done quickly enough, which is what the
administration expressed to Wired News when they put the question, you know, the
best way to get it done quickly is to have a clear policy.
Also, as you
mentioned in your opening comments, if the objective is to instill confidence in
the public that they're not in any way to be worried when they're going onto a
government site, the easiest way to do that is to have a rule that the public
can understand, which is no permanent cookies.
You know, the notion that
we've got cookies on computers, some of the people on this committee, some of
the staff that have, you know, checked on this where the expiration dates are
2034, you know, where our government has been putting these cookies on lately,
and that's just a very bad thing.
I just logged onto the White House
website and checked out the privacy disclosure there with respect to the kids'
side and the regular side, and it states that the White House is collecting IP
addresses. Now, an IP address is unique to a specific computer, and I need to
know why that's important. That I think you could answer now.
MS. KATZEN: If I may, I would rather provide it for the record rather than now, and
I can explain. I will provide that for the record, sir.
REP. COX: All
right. I thank the chairman.
REP. TAUZIN: I thank the gentleman.
Let me make an announcement. We have a vote on the Floor. Mr. Markey has
arrived, and wants to do a round of questions, and we want to recognize him.
Before I do that, let me announce that both Mr. Shaw and Mr. Pitofsky have
arrived, and we want to accommodate them as quickly as we can when we get back.
We will not have time I think, Mr. Shaw, so if you don't mind we'll make
this vote and come right back. We'll take you up immediately, Clay, if that's
okay with you.
I'm trying to understand. What are you saying? If you can
just tell us briefly what your scheduling problem is?
REP. E. CLAY SHAW, JR. (R-FL): Well, the problem -- I can dispose of this right now and leave this
statement. This is a question of a privacy issue having to do with social
security numbers.
REP. TAUZIN: Social security numbers, right.
REP. SHAW: I know Mr. Markey is interested in that, as well as the
chairman, and it's something that we should put high on our agenda next year
when we return.
REP. TAUZIN: I thank the gentleman, and his statement
will be a part of the record. Thank you, Mr. Shaw.
The chair now
recognizes the gentleman from Massachusetts, Mr. Markey.
REP. EDWARD J. MARKEY (D-MA): I thank you very much.
Congressman Shaw and I have been
working on this issue of privacy inside the social security context, and it just
shows that this is not a liberal or conservative or Democratic or Republican issue
at all. It's an issue where the liberal left meets the libertarian right and
isolates the pragmatic middle, okay, who just don't like to tell industry or
their government employees that they can't do this, so there's a kind of a
pragmatist middle here that we just have to isolate and ultimately eliminate,
you know. That's the bottom line on this. It's the pragmatists. They're the
problem here because everyone else agrees on the issue.
The issue really
isn't big brother. The issue is big browser. You give it to anybody, public
sector or private sector. They can't control themselves. They just have to get
this information. It's almost like a compulsion. It's an obsession, okay,
because it's there. The technology controls the ethos. Because you can do it,
you do it. The technology makes it possible.
So it's the browser
itself. It's its capacity to data mine, you know, to know all this information,
and so, yes, in a private sector government context you call it security, you
know. We need better security. From an individual's perspective, they say we
need better privacy. It's all the same issue though, security/privacy. It all
just means is the information secret or not.
Now, the industry says
well, we want stronger encryption technologies so we can move this information
from the consumer to us, but after we get it we don't have any rules. We can do
whatever we want with it, you know.
The government says we want
security, but that's just so we can keep our information private. If we can
gather information about private citizens that help us do our business, that's
good, too. From a consumer's perspective, it's all their privacy. It's their
individual family's identity.
That's why self-regulation doesn't work.
You can't allow the government to self-regulate. You can't allow the private
sector to self-regulate. You've got to have a certain minimal set of protections
that every individual is entitled to, whether it be a big government agency or a
big corporation or a small government player in your hometown or a small company
in your hometown. Regardless of who it is, you've got to have this minimal set
of rights that every American is entitled to.
We have a roll call on the
Floor. I thank all of our witnesses for helping us. I apologize for arriving
late, but I thank you, Mr. Chairman.
REP. TAUZIN: I thank the gentleman,
and the chair thanks the witnesses for their attendance and their participation.
What we will do is declare a 15 minute recess and give everybody a break.
Chairman Pitofsky, we'll be back as soon as this vote is over. We'll
take you up first call as soon as we get back.
The committee stands in
recess.
(Recess.)
REP. TAUZIN: The committee will please come
back to order.
We're pleased to welcome the Honorable Robert Pitofsky,
the chairman of the Federal Trade Commission, who was elated today because the
Senate just passed his reauthorization bill. He would love to see the House take
it up before we leave.
Mr. Pitofsky, we've often had this conversation
in private, in public and we're at it again today, but we'd love to again
welcome you. Your written statement, of course, is part of the record, and we
would welcome you to summarize your report to us today on privacy both in the
private and public sector.
MR. ROBERT PITOFSKY: Thank you very much, Mr.
Chairman, members of the committee. As always, I appreciate this opportunity to
discuss with you and the members these important issues relating to privacy.
As this committee knows very well, the Commission has acquired
considerable expertise and experience in addressing privacy issues on line and
off line in recent years. Our activities in this area are based on our statutory
authority, the challenge of marketing practices that are deceptive or unfair.
Let me start with some basic premises. Protection of privacy is
important to consumers. All surveys demonstrate consumer concern, and on line
commerce will not reach its full potential until and unless these privacy issues
are adequately addressed.
Incidentally, I saw just yesterday a Harris
survey which reported that among internet users they were more concerned with
their privacy on the internet than they were with health care, crime and taxes.
A really remarkable set of findings.
Second, basic protections include
notice of what information is collected and how it will be used, consent to use
by consumers of their personal information, reasonable access to a database to
correct errors and reasonable security arrangements as to how information is
used.
Even if all these fair information practices are adopted, that is
not enough. There must be effective monitoring and enforcement to ensure that
privacy guarantees are really respected. It's interesting that many in the
business community have pretty much adopted the four fair information practices
that I described.
The policy dispute in this area has turned on whether
fair information practices can best be achieved through self-regulation or by
legislation. My own view is that neither approach should be exclusive.
Self-regulation is essential, but it will be most effective if it is backed by a
rule of law.
Also, Mr. Chairman, addressing an issue that I know you've
raised with me, any policy choice must be flexible in the sense that it takes
into account the possibilities that new technology may ease or modify the need
for legislation.
The FTC has conducted or reported on three surveys. Our
first, in 1998, found of all sites surveyed only 14 percent published a privacy
notice. The second, in 1999, showed 64 percent. According to a 2000 survey, the
figure had reached 88 percent. That's the good news.
These numbers must
be placed in context. Only 20 percent of the sites reviewed in the 2000 survey
satisfied all four fair information practices. Of the 88 percent that did
include a privacy disclosure, many offered a kind of notice that was inadequate,
misleading or obscure. Most important to me, only 41 percent provided notice and
consent, in my view the two essential fair information practices.
I
should add that if you didn't look at these numbers in the point of view of all
sites but only the 100 most visited, the numbers would be much better. For
example, notice and consent would appear on 60 percent of the sites.
Beyond statistics, there's a policy question of what to do about firms
that provide inadequate notice or no notice at all. Those advocating an
exclusively self-regulatory approach argue that firms should be denied a seal of
approval, and consumers observing the absence of the seal will choose to do
business with other on line sites. There are quite a few flaws with that
conclusion.
First, even in our 2000 survey, our most recent survey, only
eight percent of websites posted a seal of approval. Ninety-two percent did not.
More important, I do not see the denial of a seal of approval will really
influence the outliers, the relatively few unprincipled firms who are collecting
and selling private data and will ignore industry standards to change their
ways. The fact of the matter is that the best self-regulatory programs among
advertisers, funeral directors and others are effective because they are backed
by a rule of law.
Beyond this fundamental question of legislation versus
self-regulation, the Commission has been active in other areas. We commended
the self-regulatory practices by the Network Advertising Initiative, an
organization comprised of leading internet advertisers, to develop a framework
for self-regulation in the profiling area, although we said there, too, that
legislation to back them up would be appropriate.
We issued rules
interpreting Congress' statute entitled the Children's On Line Privacy
Protection Act designed to protect young people from exploitation. We issued
rules under Gramm-Leach-Bliley designed to protect consumers' privacy when
dealing with financial institutions. Finally, the Commission has brought three
cases in the past year challenging deceptive or unfair conduct in connection
with websites, and with additional support from Congress on our budget we would
be more active in the future.
To conclude, my hope is that the next
Congress, government, consumer advocates and the business community can join
forces in finding their way to a moderate, balanced, forward looking and
sensible form of privacy protection.
I would be glad to answer your
questions, and if I may I'd like to invite our bureau director, Jodie Bernstein,
to --
REP. TAUZIN: Sure.
MR. PITOFSKY: -- join me up here for
some of the detailed questions that we may run into.
Director Bernstein?
REP. TAUZIN: Thank you, Mr. Chairman, and welcome.
Obviously the
first question you know I'm going to ask you is you gave the industry a grade in
1998 when only 14 percent posted privacy policy, and the grade you gave them was
incomplete. In 1999, after 64 percent had complied with posting privacy
policies, you gave the industry a B+ for effort and a C overall.
In
2000, 88 percent in your survey are now posting some privacy policy. Good, bad
or adequate, but a privacy policy. What grade do you give the industry today on
effort, and what grade do you give them overall?
MR. PITOFSKY: I want to
give the private sector some credit here because I truly believe that they
recognize that this is a problem, and they have worked hard to solve it, so on
effort I'd call it an A-. I'd say that they're even better.
REP. TAUZIN:
And moving up?
MR. PITOFSKY: I'm moving it up.
On overall
performance, I would move that up, too, from C to C+, but C+ is not good enough
to protect consumers over the internet, but they have certainly committed
financially and in terms of energy to try to improve the situation and should
get credit for that.
REP. TAUZIN: Now, when it comes to grading, let me
first thank the FTC for training the GAO officials who conducted the federal
website survey that Mr. Ormi (ph) and I requested.
As you know, we asked
that it be done using your criteria because we felt that we wanted some sort of
a comparison that whether it was a good one or not, it was on an equal basis
between federal sites and commercial sites.
Do you know what grade the
FTC got?
MR. PITOFSKY: The FTC was found wanting in that report.
REP. TAUZIN: So you were not part of the three percent that passed all
of your own criteria?
MR. PITOFSKY: We were not. We were not.
REP. TAUZIN: Where were you found wanting?
MR. PITOFSKY: Well,
let me explain that because I think this is important.
REP. TAUZIN: Yes,
it is.
MR. PITOFSKY: The FTC satisfies anybody's standards in terms of
notice, access and security.
REP. TAUZIN: Right.
MR. PITOFSKY:
The problem was with consent.
REP. TAUZIN: With choice?
MR. PITOFSKY: Let me explain why that happens.
REP. TAUZIN: Why did the FTC
not make the grade on choice on your own standard?
MR. PITOFSKY: Let me
give you an illustration.
REP. TAUZIN: Okay.
MR. PITOFSKY:
Congress has generously supported something we run called Consumer Sentinel in
which we gather complaints from consumers. We analyze it, we marshal it, and
then we share that information with other law enforcement agencies. That was the
whole point of Congress giving us the money; that we would share it with others
-- FBI, state AGs and so forth. I think it's been quite successful.
Now,
we tell people in our notice statement if you give us the information we're
going to share it with the FBI and the state AGs. We don't give them the option
of saying well, we want to give you the information, but don't share it with --
REP. TAUZIN: So you don't give them an opt out?
MR. PITOFSKY: We
don't give them an opt out, and, of course, we shouldn't. It would undermine the
whole point of the program, which is to have --
REP. TAUZIN: You
shouldn't give your website users an opt out? Suppose I want to give you
information about a complaint that I make, but I don't want you sharing that. I
don't want to have repercussions from someone else because I complained to you.
Shouldn't I have the right to do that, Mr. Chairman, --
MR. PITOFSKY: I
don't think so.
REP. TAUZIN: -- without your sharing it with people
without my consent?
MR. PITOFSKY: Remember, it's all in the notice.
REP. TAUZIN: I know, but you're telling me I can't complain to you
without you sharing that complaint with other people.
MR. PITOFSKY: But
the reason --
REP. TAUZIN: I'm saying shouldn't constituents have a
right? I give them that right in my office. They can use my website and complain
to me about a federal agency, or they can complain to me about a third party
business in my district, and I give them an assurance on my website that I will
not share that information with anyone else, but shouldn't we at least give them
the choice that you wouldn't share it with someone else if that's what they
wanted?
MR. PITOFSKY: I take your point, but I do think that since the
whole point of gathering the information is to share it that to allow them -- to
give them that choice doesn't make any sense.
REP. TAUZIN: But isn't
part of your business as an FTC agency to in fact collect complaints from
consumers, and isn't that also a good thing to do without necessarily sharing
that with other people pursuant to this Act?
MR. PITOFSKY: Let me make a
more general point.
REP. TAUZIN: Okay.
MR. PITOFSKY: Our fair
information practices are designed to control the marketing sector of the
economy. We're not selling anything to these folks. We're not selling them books
or records.
REP. TAUZIN: No. I understand.
MR. PITOFSKY: So it
seems to me that when you talk about choice in that context it's really a little
different.
REP. TAUZIN: I understand that, Mr. Chairman, but I think
you're making my point, which is that in your own analysis, your own review of
other commercial websites, we hear the same complaint.
Your own, if you
will, methodology for examining and grading these websites doesn't often make
room for those kind of distinctions as to what it's being used for or whether
the site, for example, may have a security, but it doesn't say it has security.
Therefore, it gets graded down under your criteria.
One of the purposes
that Mr. Ormi (ph) and I wanted this GAO study done was exactly that; is to I
guess amplify the fact that the methodology itself isn't necessarily perfect,
that it has flaws. Therefore, the reports that are issued by the agency are not
necessarily as reliable as they perhaps should be.
I think you would say
that the FTC, as an agency that is examining other sites, would want to be as
good about privacy as any agency of the federal government, and yet under your
own methodology you fell short. I think that makes our case about how this
methodology perhaps needs to get further fine tuned so that it doesn't reflect
bad on sites that are really trying, that deserve the A- for effort and perhaps
even better than a C+ for performance.
MR. PITOFSKY: Let me take your
comments to heart and think about them.
REP. TAUZIN: Sure.
MR. PITOFSKY: We did say in our report to GAO to transpose our four information
practices exactly intact away from the commercial area to the government area
might lead to misleading conclusions, but I hear what you're saying, and I'd
like to think about it.
REP. TAUZIN: Yes. What we're also saying is to
use that methodology on commercial sites without making room for those kind of
distinctions that you make for your own site may be also misleading. That's my
point.
MR. PITOFSKY: Yes. Well --
REP. TAUZIN: But I thank you
for at least considering it because obviously what you say publicly about the
performance of the private sector has some real weight in the Congress and with
the American public, and obviously, you know, it's important that whatever
assessment you make be as clear and as precise as you can make it.
I
want to finally thank you for continuing this effort. You and I have had this
private discussion. I think that FTC constantly monitoring and reporting on the
progress of the industry and making cases where, you know, fraud and deceptive
practices are appearing on the internet is very good.
How come only
three cases? If it's really that bad out there, why have you brought only three
cases?
MR. PITOFSKY: First of all, it's three cases in the very first
year in which we initiated --
REP. TAUZIN: Yes.
MR. PITOFSKY: --
this kind of program. What we try to do is bring cases against the most
egregious. We don't want to hit people for technical violations --
REP. TAUZIN: Yes.
MR. PITOFSKY: -- and this and that. We want to --
REP. TAUZIN: So you're going after the really bad players?
MR. PITOFSKY: Yes.
REP. TAUZIN: But again, does that say something about the
overall effort in the private sector that you found three egregious cases, not
ten, 12, 20, 100, last year?
MR. PITOFSKY: Well, I don't know. Jodie?
REP. TAUZIN: Yes.
MS. JODIE BERNSTEIN: If I could add something
to that, Mr. Chairman?
REP. TAUZIN: Please.
MS. BERNSTEIN: Among
the techniques that we've tried to use, because this is a whole new area --
REP. TAUZIN: Yes.
MS. BERNSTEIN: -- is we conduct something we
call surf days where we look at all the sites all at one time, and in many of
those instances instead of bringing cases against all of them we'll send out a
notice saying this is a new kind of initiation on our part. Do you know that you
may be violating the --
REP. TAUZIN: You're giving them fair warning.
MS. BERNSTEIN: Right. Fair warning.
REP. TAUZIN: Sort of like
the traffic policeman who gives me a warning and says you know, you've gone
through a school zone. You better slow down.
MS. BERNSTEIN: Right.
Exactly right. Then we go back after a certain --
REP. TAUZIN: Yes.
MS. BERNSTEIN: You know, maybe 30 days. What we found is that a lot of
them have dropped out or corrected --
REP. TAUZIN: So you don't have to
take action.
MS. BERNSTEIN: -- what they were doing, so we don't have
to. That's one way. I think it's a fair way, but I also think it helps us a lot
in getting to the ones where we feel we can --
REP. TAUZIN: The
gentleman from Ohio, Mr. Sawyer?
REP. SAWYER: Thank you, Mr. Chairman. I
don't intend to take my full amount of time. Let me thank our witnesses for
being here.
You heard my question earlier about the way in which we
assure the ability of agencies to share information with one another while
preserving their mutual guarantees of privacy in the information that they
gather. Do you have any insight and guidance that you could offer us this
morning, or would you prefer to answer that later?
MR. PITOFSKY: Well, I
think it's the right question. You want to -- when you're talking about the
government and not a commercial marketer, you want to assure that the collection
of information can serve government purposes, including the sharing of
information where that is --
REP. SAWYER: Where it's appropriate.
MR. PITOFSKY: Yes, where appropriate.
REP. SAWYER: While
guaranteeing the confidentiality of information that's being shared.
MR. PITOFSKY: Yes. On the other hand, you don't want to unnecessarily invade
people's privacy. It's got to be designed to serve your mission purpose, and
that's what we've tried to do.
REP. SAWYER: Do you have policies and
principles which guide you in making that judgement in terms of where it is
appropriate? Largely a subjective decision, but one that you try to squeeze as
much subjectivity out of as you can?
MR. PITOFSKY: Within my own agency,
we certainly do.
REP. SAWYER: Can you describe those for us? They might
be of benefit.
MR. PITOFSKY: Well, we probably have -- I'll be glad to
submit it to the committee. We probably have one of the most clear and
conspicuous, non-obscure notice provisions that you're ever going to see.
REP. SAWYER: It's not just notice.
MR. PITOFSKY: Well, no. I
understand.
REP. SAWYER: It's protocols for sharing.
MR. PITOFSKY: Yes, but nobody could misapprehend what we're going to do with this
information. We also provide reasonable access and reasonable security. It's
only on this question of choice, which the chairman has raised with me.
The trade off is can we share this information, and the whole program is
designed to collect the information and share it, or shall we give people an
opportunity to say look, I want to complain to you, but I don't want this
information going to the FBI and some state.
REP. SAWYER: Sure.
MR. PITOFSKY: We've cut in the direction of giving them notice as to
what we're going to do with it, but sharing the information for law enforcement
purposes.
REP. SAWYER: Thank you, Mr. Chairman.
REP. TAUZIN: I
thank the gentleman.
Again, Mr. Chairman, let me thank you, and let me
for the record indicate again that you actually -- your office actually trained
the GAO in the survey they conducted. Is that correct?
MR. PITOFSKY: I
believe that's right.
MS. BERNSTEIN: That's correct.
REP. TAUZIN: And they did use your methodology in examining your agency and other
agencies, right?
MR. PITOFSKY: They did.
REP. TAUZIN: And they
did find that under your methodology, only three percent of the federal sites
surveyed met all of the criteria that your office uses to judge private sites?
Is that correct?
MR. PITOFSKY: I understand that's correct.
REP. TAUZIN: As compared to 20 percent in the private sector that met all four or all
five, I think, of those criteria? Is that correct?
MR. PITOFSKY: Yes.
REP. TAUZIN: Is it fair to conclude that the private sites are doing
better than the government sites?
MR. PITOFSKY: No, I don't think that's
fair, Mr. Chairman.
REP. TAUZIN: Tell me why not. Tell me why not.
MR. PITOFSKY: Because, look, I don't know what other government agencies
fail to satisfy fair information practices. I suspect --
REP. TAUZIN:
We've got a list of why they failed. It's pretty interesting.
MR. PITOFSKY: I suspect that it's often this issue of sharing the information with
another agency and not giving people the opportunity to say count me out. I want
to complain or I want to submit information, but I don't want to share it with --
REP. TAUZIN: You know, a lot of them failed because they just didn't
even post a privacy policy. A lot of them failed because they didn't give notice
to consumers that they were gathering information. Some of them failed because
they said they weren't gathering personal information, and they were. Some of
them failed because they had cookies.
By the way, what's a cookie?
People are reminding me not everybody knows what a cookie is. You know, we're
talking about a new cookie monster here in effect. What is the new cookie
monster we're talking about?
MR. PITOFSKY: People have learned what it's
about. It's a device that's placed on the hard drive of the computer of the
person who's communicating which allows the collector of information to trace
where you've been and what you're doing. I described it as a technology which
would allow your TV set to keep track of what programs you watch as you watch
them.
REP. TAUZIN: Worse than that. It's like having a camera following
you around for the rest of your travels all day long, all week long, perhaps for
35 years. It's pretty bad stuff.
MR. PITOFSKY: I don't think -- I think
that's a fair analogy --
REP. TAUZIN: Yes.
MR. PITOFSKY: -- of
what we're talking about here.
REP. TAUZIN: Yes. Some of these 14
percent failed because they did have cookies on their site.
MR. PITOFSKY: So I heard.
REP. TAUZIN: And in many cases without advising
consumers. That's not a very good report, is it?
MR. PITOFSKY: I heard
Sally Katzen say that she does not intend to defend cookies on government
websites, and I'm not going to step in and do it.
REP. TAUZIN: Well, the
only point I'm making, and we're going to have to move on to this vote and again
take another break, but the only point I want to make is when you compare --
we've got a little comparison sheet of the federal sites and the private sites.
On every standard that you use to judge private sites, federal sites fared worse
on every standard.
On the question of frequency of disclosure, 100
percent on commercial sites compared to 85 percent of the government sites. On
all four principles, 42 percent of the federal sites and only six percent of the
high impact sites. Twenty percent of at random and only three percent of the at
random federal sites.
In fact, there was only one category at all that
was comparable between the federal and the public sites. I mean the federal and
the private sites. We have a copy of this. I want to make sure you get it.
MR. PITOFSKY: I'd like to look at it.
REP. TAUZIN: It basically
says that when your criteria was applied to the public sites where we have to
share information in many cases that privacy was less protected than in the
commercial sites of America. That's not a good finding.
Mr. Ormi (ph)
and I have asked a simple thing of our government. Maybe we need to clean up our
own house as we go by grading and commenting on someone else's house.
Again, I thank you for both cooperating with our effort to examine the
federal sites, and, secondly, for continuing your monitoring of the private
sites and invite you and your staff to stay in close touch with us because I
think we've all come to the conclusion that next year we're going to have to
move legislatively in some of these areas.
MR. PITOFSKY: I'm glad to
hear that, and I do want to continue to work with you and this committee.
REP. TAUZIN: Thank you, Mr. Chairman.
We'll stand in recess for
another ten or 15 minutes.
(Recess.)
REP. TAUZIN: We're going to
get started. Anybody who misses this is just going to miss a lot of good time.
That's all. The committee will please come back to order.
Let me welcome
our final panel, Mr. Larry Chiang, chief executive officer, MoneyForMail.com;
Ms. Glee Harrah Cady, the vice-president for global public policy, --
How do you pronounce it, Privada?
MS. GLEE HARRAH CADY: Privada.
REP. TAUZIN: -- Privada in Sunnyvale, California; Ms. Parry Aftab,
special counsel for Darby & Darby in New York; and Mr. Mike Griffiths, chief
technology officer of Match Logic, Inc.; and Mr. Andrew Shen, the policy analyst
for Electronic Privacy Information Center.
Welcome, ladies and
gentlemen.
I apologize for the long day, but I suspect we're going to
have a lot of long days thinking this business through. Part of what we're doing
is building a record, so all of your written statements are part of that record.
Trust me on this. The members and staff actually read those statements
and get into them. We are desperate for understanding here. What you will
provide for us on this panel is a little more depth of understanding about what
is happening in the marketplace to privacy and the technology in the private
sector.
Let me please welcome you, and we'll begin with Larry Chiang of
MoneyForMail.com. Larry, welcome.
MR. LARRY CHIANG: Thank you. Thank
you, Mr. Chairman. Thank you, members of the subcommittee.
I come to you
as a person who is on his second business. I'm an entrepreneur. My background is
in engineering, so I am fortunate enough to be able to head up one very popular
company called MoneyForMail. This is my second company. My first company was one
that sold credit cards to college students, and my efforts in starting new
businesses is to empower consumers to control and empower them both on two
fronts, both on credit understanding and in understanding on privacy.
What MoneyForMail does basically in a little nutshell is it empowers
consumers to opt in their information so that they control their own information
so that the people that previously compiled and sold information, companies such
as Transgenient (ph), Acrofact (ph) and Experian (ph) profited by selling this
data.
REP. TAUZIN: Give me an example of how that works.
MR. CHIANG: For example, let's say you're a car leasing company, and you want to
sell cars to people in their middle twenties that have a good job with good
credit, so you can send a prequalified lease to those people using credit data.
Now, a consumer today and up until the past 20 or so years has not been
able to control their own data, so if a car leasing company wants to buy that
information and extract that information from the free credit bureaus they're
able to do so without knowledge and consent of a consumer where you have now
bringing forth a number of these privacy issues also then starts the question of
previous legislation on the Fair Credit Reporting Act with who exactly owns and
controls pieces of credit data.
So what MoneyForMail tries to do and
does successfully is it compiles the credit data, along with demographic data,
so the demographic data is information that gets collected on different surfers
and their preferences, their gender, what state they live in, maybe even some
detailed information as to what sports they like to watch or participate in.
What we do with that demographic data is we add in credit data so that
advertisers now have more pieces of the information to then collect this
information and then send out advertising messages that are geared towards it
because, to backtrack a little bit, the reason that all this is such a large
issue is simply because advertisers know that when they spend money, 50 percent
of that money is simply wasted. Now, the question is, you know, what 50 percent
did I waste?
With the internet you're allowed to target specifically
demographics. You're advertising let's say men's suits, from a previous example.
You're going to target men's suit advertisements solely to men that are prepared
to buy a suit, whereas previously you're just shotgunning that advertising to
everyone, so the internet as a medium allows that, and that's why this issue is
going to balloon further because how many billions of dollars are spent on
advertising and how many of those billions of dollars could potentially not be
wasted should there be a better methodology in sending out these types of
messages.
It not only permeates internet where, yes, it's going to be
personalized content, but also in the future you're going to talk about cable TV
advertising where right now cable TV advertising -- I mean, everybody in certain
markets gets the exact same advertisement. Well, what if you opted in your
demographic data, and then you're able to control your own demographic data. The
cable TV companies then can send you specific ads based on your needs, your
usages, your preferences.
So the situation that I come to you today with
is, number one, the parallel nature of how credit data previously was compiled
without regulation and how the Fair Credit Reporting Act obviously is
legislating and regulating the three bureaus in compiling this data, to also
then translate that where the FTC regulates that data where I see a parallel
where the FTC also similarly can further regulate private issues in its simple,
easy-to-use, easy-to-understand principle.
Right now, if you visit a lot
of these different websites you're faced with pages, literally pages where you
have to scroll down. How many users actually read and understand the privacy
statement? I think that in the future what's going to happen is you're going to
be allowed to go to something similar to a Schumer box where some of these ideas
that I bring forth are not really necessarily my own ideas, but they're based on
historical regulatory efforts.
How a Schumer box then translates to
privacy is maybe in five major points similar to an annual fee, interest rate,
terms and junk fees. A privacy policy box or someone's name box then can,
therefore, disclose the five major points or the six major points for how it is
that you as an internet web surfer can then be assured of some type of
standardized policy.
REP. TAUZIN: Thank you very much, Mr. Chiang.
Now we welcome Ms. Glee Harrah Cady, the vice-president for global
public policy of Privada.
Ms. Cady?
MS. GLEE HARRAH CADY: Thank you, Mr. Chairman. It's a pleasure for me to be here today to talk to you not
only about what my own company does in privacy enhancing technologies, but what
our industry is doing as a whole.
Privada itself is based in Sunnyvale,
California, and we build privacy infrastructure systems for financial service
companies, for network service providers and for other people who in turn would
like to offer privacy services to their customers. You may have seen a recent
series of advertisements on the television by a large credit card company that
is going to be partnering with us in future products, and we expect to have
further enhancements like that.
Generally, technology is quicker than
legislation. I know this point has been made to you a number of times, and we
can today provide help to your constituents and the people who are genuinely
concerned about a genuine problem with technologies that will assist them to
protect their privacy while the debate goes on here in the Congress. Since early
this year, I think there has been something like 700 different announcements
made about privacy enhancing technologies, and, of course, they were all terrific.
Mr. Boucher and Mr. Goodlatte mentioned today the internet caucus, and
earlier this year, in fact just three weeks ago, we were privileged to be part
of a privacy technology fair, and I know that this little booklet has been added
into the record so that people can see who demonstrated there at that time.
Finally, we have this lovely poster that we've also provided you that
was developed by the Privacy Leadership Initiative. There are more of these in
the back of the room for those in the room who would like to have that. It's a
description of some people and their technologies that are in the market today.
Today. Not next Congress. Not tomorrow. Not next week.
So these
technologies range from companies who provide complete anonymity all the time to
people who are called occasionally. They're called infomediaries, who will
broker information on your behalf. Choosing among them might be complex at this
point, but they are all there.
I've tried to provide links to lists of
these technologies in my written testimony, and I would urge you to encourage
your constituents to look at these pieces of information, and if anybody has any
questions about specific technologies or what any of the companies can do to
help them I'd be happy to answer them. Thank you.
REP. TAUZIN: Many of
these are free, right?
MS. CADY: Yes, sir, many of them are free.
REP. TAUZIN: Thank you very much.
And now we'll hear from Ms. Parry Aftab, the special counsel for Darby & Darby of New York, New York.
Ms. Aftab?
MS. PARRY AFTAB: Thank you very much, Mr. Chairman, and thank
you for inviting me to testify here today.
I am a privacy lawyer. I
specialize in the children's industry, and I'm often called the kids' internet
lawyer, but about half of my time is also spent running non-profits. I run Cyber
Angels, the largest internet safety and help group in the world, and Wired Kids.
I'm also the author of The Parents Guide to Protecting Your Children in
Cyberspace, and my testimony today will be a blend of both my expertise as a
privacy lawyer and my advocacy for children.
REP. TAUZIN: This is the
book you're talking about, right, that you've authored?
MS. AFTAB: It
is, Mr. Chairman. Thank you very much.
REP. TAUZIN: Thank you.
MS. AFTAB: There are roughly 25,000,000 children on line in the United
States. These are children under the age of 18. There are websites that are very
valuable to children. They can help them with education. They can give them
games. They can be very entertaining. Children can have websites where
terminally and seriously ill children can communicate with each other and can
talk to children around the world.
We're here to talk about problems,
but I'd like all of us to remember that the internet is a wonderful place,
especially for children, and the greatest risk our children face with connection
with the internet is being denied access.
No one cares more about
children than the children's internet industry except perhaps the FTC, who I
would like to compliment during my testimony here today for being always
available, always listening and always trying to help the internet industry as a
whole. They're willing to speak at all of the conferences. They're willing to do
many things, and in fact today I bear an invitation from the government of
Singapore for the FTC to come and teach them about regulating privacy in the
area of children.
But there are serious problems that the children's
internet industry is facing. This morning on Good Morning America they talked
about .gone and the problems with the internet industry generally. The
children's internet industry is facing even greater problems because they have
no generally accepted, viable business model. Advertising isn't working because
children aren't directly engaging in e-commerce. There are lots of problems in
this area, and one of the things we need is more flexibility on the part of the
FTC to have greater discretion and exceptions under COPPA (ph).
Today
there's been a lot of discussion about parental consent. One of the biggest
problems that we face is that parents, although they want their children to do
these things, are not taking the time to actually give the consent to the
website, and the choice is then locking children out of these interactive tools.
It's not merely a matter of children sharing personally identifiable
information. It's a matter of whether or not they can send e-postcards or
whether or not they can get a picture from Elmo. It's important that we get
parents involved and find compelling reasons for them to be using the internet.
We need several things that Congress, especially this subcommittee and
your expertise, can help us with. Number one, we need research on how children
are actually using the internet. We need research on what parents really want
and what it will take to get them to be active in the kids' space.
We
also need educational programs teaching children how to surf the internet
safely, how to use the best filter that exists, which is the one between their
ears, Mr. Chairman, and teaching them how to use critical judgement when they're
communicating with strangers on line.
We also need to give a lot more
flexibility and discretion to the FTC in carving out exceptions or special rules
under COPPA (ph) for companies to put children's safety and privacy first for
word innovation rather than putting extra strain on the industry.
What
we need to do is to work together to make sure that the expertise that each of
us brings to the table is used to help children, to help the internet industry
and to help everyone preserve their privacy and keep children safe at the same
time.
We are also creating the children's internet industry trade
association -- it's called KITA, the Kids Internet Trade Association -- to help
members of the kids' internet industry come up with solutions, work together and
work together with regulators and legislators on coming up with solutions that
work.
The greatest problem we have in the area of privacy is unexpected
consequences when legislation has not been as thoroughly thought out as Mr.
Chairman has been looking at here, so I welcome the ability to help in any way I
can at any time, and thank you very much.
REP. TAUZIN: Thank you, Ms.
Aftab.
Mr. Mike Griffiths, the chief technology officer of Match Logic,
Inc.? Welcome, Mike.
MR. MIKE GRIFFITHS: Mr. Chairman and members of the
committee, I want to thank you for inviting me to testify. My name is Mike
Griffiths. I'm a chief technology officer and one of the founders of Match
Logic.
Match Logic is an internet marketing and advertising services
company that provides strategic marketing solutions to Fortune 500 companies. We
were founded in 1996 and currently operate as a subsidiary of a leading broad
band internet service provider, ExciteAtHome.
I'm here today
representing the Network Advertiser Initiative, an industry group comprised of
the leading internet advertising companies. The NAI was formed at the behest of
the Federal Trade Commission and the Department of Commerce to address consumer
privacy concerns by developing self-regulatory guidelines on the practice of on
line preference marketing or profiling. The NAI companies represent more than 90
percent of the internet advertising industry in terms of revenue and numbers of
ads served.
Mr. Chairman, as you know, the NAI announced its
self-regulatory principles in July of this year after months of intensive
consultations with the Federal Trade Commission and with the Clinton
administration. The internet advertising industry needed to adopt rules of the
road for its information practices in order to satisfy legitimate user concerns
about privacy.
For the industry to write these rules in a manner that
would garner public confidence, the NAI needed the guiding hand of public
officials. The talks between the NAI and the federal government were tough, but
fair, in that the industry had to make a number of important concessions.
Ultimately we were pleased that the NAI could develop industry self-regulatory
guidelines that are meaningful and real and which the FTC, Clinton
administration and members of Congress on both sides of the aisle unanimously
applauded.
The NAI principles deal with a practice of on line preference
and marketing.
We define this as data collected over time and across
websites which is used to determine or predict consumer characteristics or
preferences for use in ad delivery on the web. In other words, we try to figure
out which is the best ad to play to a consumer at a given point in time.
We believe that OPM, if done responsibly, benefits both consumers and
businesses. Consumers benefit because they receive banner ads targeted to their
interests. If you're interested in golf, for example, you'll see more
advertisements for the latest golf equipment. If you buy a lot of women's
clothing, you'll see more women's clothing ads. Advertisers benefit because
targeted advertising is more effective, and they get a better return on their
investments. Finally, websites benefit because the more effective the
advertising, the more they can charge.
This brings us back to the
consumer. Without targeted advertising, advertisers will pay less, websites will
earn less and consumers will suffer. Currently, a vast majority of websites are
free. If internet advertising does not work, these websites will not be able to
survive, or they will have to move to a subscription model that charges users
for services.
Our companies allow tens of thousands of small and medium
sized websites to compete with the biggest players for advertising dollars. We
give them the economy of scale that they would otherwise lack, so in summary our
job is to make the internet a more efficient and competitive advertising medium
that will further stimulate the growth and viability of the internet as a source
for free content.
We at Match Logic and at the NAI understand that
consumers are very concerned about internet privacy. We share these concerns. If
consumers are not comfortable that their privacy is protected, then the internet
will suffer. That is why the NAI companies came together with the federal
government to develop landmark principles on data collection and a level of
notice and choice that we must give to consumers. These principles lay out the
ground rules and safeguards for the collection and use of non-personally
identifiable or anonymous information, the collection and use of personally
identifiable information and the merger of PII with non-PII.
In summary,
here are the guidelines. First of all, NAI companies have agreed that we will
not use personally identifiable, sensitive health information, sensitive
financial information or information of a sexual nature for the purposes of
profiling. We do not believe that these categories of data should be used, and
we will not use them.
For non-PII, we require notice and choice. NAI
members must disclose their OPM practices through their websites and through the
NAI gateway website, and in addition, where possible, they must contractually
require their website partners to disclose the collection of non-PII for OPM.
NAI members will provide mechanisms for consumers to opt out from the use of
non-PII for OPM.
For personally identifiable information or PII, we
require that NAI members follow the On Line Privacy Alliance guidelines for on
line privacy policies. These policies require the adoption and implementation of
a privacy policy and that notice and choice be afforded.
Importantly,
for the merger of non-PII with PII we have two scenarios. The first case is
where PII is linked with previously collected non-PII. In this case, members
will not, without prior affirmative consent or opt in, merge PII with previously
collected non-PII. The second case is where PII will be merged with non-PII for
OPM purposes on a going forward basis. In this case, NAI members will provide
consumers with robust notice and choice. The NAI principles include several
examples of what would be considered robust notice for each of these scenarios.
The NAI members have also agreed to establish a third party enforcement
program that will include random audits by the third party enforcer, the ability
to file and handle consumer complaints and the ability to redress lack of
compliance through sanctions such as revocation of the seal or through a
designated public or government forum such as the Federal Trade Commission.
Finally, the NAI members strongly believe that industry, government,
consumer and advertiser pressures to set and maintain high standards for privacy
will render participation in the NAI all but mandatory for network advertisers.
Moreover, because of the contractual reach of these NAI companies across
literally thousands of websites, the NAI principles will have a tremendously
broad impact on web privacy.
In conclusion and to summarize, the NAI
self-regulatory principles are designed primarily to accomplish two things.
First, to make sure that advertisers on websites post notices that are strong and
clear where OPM occurs and, second, to make it easy for users to opt out.
Under these principles, NAI companies agree to afford consumers with
important notice disclosures and appropriate methods of choice for
participation, while at the same time one of the main engines behind this
nation's booming new economy of the internet can continue its remarkable growth
and improve as a provider of free and reduced price content.
Mr. Chairman, on behalf of the NAI I want to pledge that we will continue to work
with the FTC, the Commerce Department and you and your members of staff to
insure that these self-regulatory principles live up to their promise.
Thank you.
REP. TAUZIN: Thank you, Mr. Griffiths.
Finally, Mr. Andrew Shen, policy analyst for the Electronic Privacy
Information Center here in Washington. Mr. Shen?
MR. ANDREW SHEN: Thank
you, Mr. Chairman. Thanks for inviting me today to speak on a very important
issue to the American public and obviously also to members of this committee.
I'll try to keep my remarks very short since I am the very last speaker of what
has been a long morning.
My name is Andrew Shen, and I'm a policy
analyst at the Electronic Privacy Information Center. EPIC is a public interest
research center located here in Washington, D.C. Today, while I am here formally
on behalf of EPIC, I'm really speaking here to represent the views and interests
of American consumers.
EPIC believes that privacy has and will be one of
the defining consumer protection issues for the internet, and what we have seen
in these early years of electronic commerce is that the internet has resulted in
a vast amount of information collection that I think is unprecedented, and that
information collection has resulted in corresponding concerns about personal
privacy.
Now, when I speak in public at events like these I do my best
to address the concerns of American consumers and those that really just want to
ask me a very simple question, and their question usually goes something like
this. How do I protect my privacy? How do I keep my
personal information within my control?
To some extent,
fellow members of this panel have tried to address that problem. Someone
proposed self-regulatory guidelines. Someone proposed technology. Someone
proposed a mix of both, but I think it's important to sort of analyze what the
typical consumer experience of these approaches are.
Now, some suggest
to a lot of consumers that they should just change the settings on their
browsers or to use privacy tools or to subscribe to anonymizing services, but I
realize this will not be sufficient for the protection of most American
consumers.
Many information collection technologies use jargon and terms
that a lot of people aren't familiar with, terms like cookies, on line
profiling, on line preference marketing, opt in, opt out. This tends to confuse
a lot of people, and I here just as evidence want to cite a recent study done by
the Internet American Life Project. They found that 43 percent of internet users
-- only 43 percent, less than half -- know what a cookie is.
Even more
astonishing than that are the results of internet users that have three or more
years of experience on line. That number only rises to 60 percent. That is for
people who have been on line for a very long time. They still don't know what a
cookie is, let alone what a company like Match Logic can do when they combine
cookie technology with banner ads and huge networks.
Now, others may
suggest that people can just read privacy policies, try to parse out what tend
to be very long, complex and vague statements about what companies will do with
their personal information. Now, these privacy
policies, as I already said, tend to be confusing. Larry spoke to this a minute
ago.
But, I think a more important and more recent phenomenon is that
these privacy policies are constantly changing. Many privacy policies will
explicitly say our terms may change at any future time. Please check back later.
That's just not good enough for the American consumers.
More recently,
even more recently than that, many consumers are simply being told that if the
company fails or goes bankrupt or mismanages the resources they have at their
disposal, their customers' personal information can be sold, just like the
computer sitting on the desk in their office, as if it was their information to
sell.
Now, I do have an answer for these people. I don't want to tell
them they can't do anything. What I usually tell them to do is talk to lawmakers
and legislators like yourselves. I tell them to say to you that they want their
privacy protected and to tell them to tell you that you do have it within your
power to protect their personal information.
Congress has done this
before. You listed off many bills earlier today, this morning, listing all the
various sectors that have information that protect the personal information of
consumers. These include information contained in credit reports, student
records, e-mail messages, telephone toll records, video rental records, cable
subscriber records. They have succeeded in protecting American consumer privacy
with respect to those sectors.
You can do the same for the internet. You
can protect the personal information that is submitted on line, but sort of
beyond that, because I realize that several fellow members of your committee
have introduced legislation. Congressman Luther spoke about it briefly this
morning, and so did Congressman Boucher. Sort of what is the law that we want to
see? What is an ideal approach to the situation?
I would like to make a
couple points. Chairman Pitofsky shortly before said that he believed that
notice and consent were the most important parts of fair information practices.
In addition, I think we also need to think seriously about access, a principle
that has not been discussed a lot today, but is an important one. Access insures
that consumers can see the information that's already been collected on them to
make sure that it's accurate and up-to-date.
Moreover, I think, which is
a very important point, I think it builds an ongoing relationship. I am
providing my information to you, and when I want to see my information you show
it back to me. I think that sort of trust and confidence is something that
e-commerce will definitely need going into the future, and I hope you include
that as a protection that you choose to provide to American consumers.
Thank you.
REP. TAUZIN: Thank you, Mr. Shen.
I think
it's important to point out that one of the reasons why we're finding it hard to
put our arms around all of the many aspects of the privacy issue is that there's
a lot of tension here. Consumers have different expectations about privacy.
On the one hand they want their privacy protected, Mr. Shen, but they
also would love the advantages of people advertising to them very specifically
and very effectively, as was pointed out; the notion that, you know, I don't
necessarily want to see a lot of ads about things I'm not interested in, but I
very much would like to see -- you know, get books and pamphlets and ads and
e-mail and maybe internet advertising on things that I am interested in.
At our Lansdowne conference, for example, we heard from a banker who
installed all sorts of privacy protections, all kinds of separations between
each division in his bank about the information that was stored there, the
mortgage side from the savings and deposit side. The first thing they
experienced was that their customers started leaving them because they didn't
like the service any more. They didn't like people telling them we can't help
you because we don't have that information about you.
We see Ms. Aftab
has pointed out that parental consent of COPPA (ph), if I can say it correctly,
is not necessarily functioning as well as people thought because parents don't
take the trouble to go ahead and okay their kids on sites that kids probably
should be visiting and would be good for them to visit and have interaction
with.
In addition, you know, we've got some experience with that. I
mean, we had incredible debates, my friend, Mr. Markey, and I, over a thing
called a V chip. The percentage of parents that are using it now is still pretty
small, I think, and I don't think it's expected to grow because, you know, it's
just something that parents, as I predicted, by the way, wouldn't have time to
go around, you know, programming the television for the week.
So we come
to this issue understanding all of these tensions, and the problems we also
experience are how much should we legislate and how much should we count on
consumers eventually controlling much of their own private data through
technology and through information.
There's several things we've learned
today that I think are important. One is that we can have all the privacy
notices required in the world, and the bottom line is people are not necessarily
going to read them. They do get changed, and they are confusing, and most
consumers will not be adequately served if that's the way we solve this problem.
Two is that there are some things that do help a lot. I mean, you've
brought some to our attention, some software, some hardware technology and
seals. We know seals work pretty good. We heard from Chairman Pitofsky today
that only eight percent of the companies surveyed, the websites are using seals.
Why is that so low? That would seem to be a real easy thing for consumers to
build confidence in websites and in advertisers and in commercial enterprises if
they saw and recognized the seal on a site without having to go read all this
policy and understand it and opt in or opt out or what have you.
If what
we're looking for is a user friendly world on the internet in the area of
privacy, would not seals, some simple way of understanding what I'm visiting and
what my rights are here without having to learn it all and understand all those
terms, wouldn't that seem to be a very positive and sort of appreciated thing on
the web, and why is so small a percentage of websites choosing to get an
approved seal on their site? Anyone?
MS. AFTAB: Mr. Chairman, if I may,
Parry Aftab. What we're finding is consumers don't recognize the viability of
certain seals. There is no one Good Housekeeping seal of approval that has
emerged --
REP. TAUZIN: There's a bunch of them.
MS. AFTAB: --
that's recognized generally by consumers.
REP. TAUZIN: Yes.
MS. AFTAB: Once consumers can find various seals that mean something to them, then
the seals will become a market issue.
REP. TAUZIN: Let me give you an
example, for example. Instead of having the problem you cited where parents have
to always consent to let their kids visit a site and share information, if there
was a kiddy seal that parents knew and recognized to be representative of a site
where in fact their kids are not going to be abused and information is not going
to be mishandled and what have you, if they knew that wouldn't parents
appreciate that instead of having to constantly okay a child's visit to a site?
MS. AFTAB: Absolutely, Mr. Chairman.
REP. TAUZIN: Are we going
to ever get there?
MS. AFTAB: We have a seal that's going to be coming
out under Wired Kids, which is safety and privacy, a quality site, which is a
subjective test, but put together by librarians and teachers and child advocates
that say this is a good site. Trust us. We can brand it for you. That will be
coming out of the Wired Kids non-profit group.
REP. TAUZIN: And I
suppose the same thing could happen with software and hardware; that if at some
point the private sector were to build consumer awareness of software and
hardware technologies that are available that parents and consumers generally
would prefer that than reading extensive notices and constantly checking to see
if the terminology has changed or the notice has changed. Is that right?
Mr. Griffiths? Any one of you?
MR. GRIFFITHS: Yes. I would --
REP. TAUZIN: Ms. Cady?
MS. CADY: Go ahead.
MR. GRIFFITHS: Being a technologist, I have some faith that technology will provide
part of the answer. I mean, I think there's a reason why people don't read a lot
of privacy policies either.
Even if we encourage every website on the
planet to have privacy policies, the nature of the web is very fluid, and it's
very dynamic. If you're searching you don't stop and read the privacy policy --
REP. TAUZIN: Well, you can't.
MR. GRIFFITHS: -- at the top of
the page.
REP. TAUZIN: You don't have time.
MR. GRIFFITHS: Exactly.
REP. TAUZIN: You may not know all the terms.
MR. GRIFFITHS: Exactly. So I believe that technology such as P3P that allowed for
automated negotiation of preferences with respect to a site policy are part of
the answer.
REP. TAUZIN: They're all part of the answer, but the concern
I have -- Ms. Cady, I want you to come back because I know you wanted to answer
my question, too.
Part of my problem is when do consumers really
understand which of the solutions works for them and have the confidence in
them? I don't see that happening yet. I don't see people generally saying you
know, there is a good seal out there. There is a good software. There is a good
--
MR. GRIFFITHS: Right.
REP. TAUZIN: -- program that I can
attach to and feel comfortable with without having to study and read and
constantly update my permission, if you will, on a site.
MR. GRIFFITHS: I think the answer today is that the internet is still changing.
REP. TAUZIN: Yes.
MR. GRIFFITHS: It's ever changing. It's ever expanding.
REP. TAUZIN: It's too little too late, as someone pointed out to me.
MR. GRIFFITHS: Well, I think we see approaches from a regulatory
perspective, from a self-regulatory perspective, from a technology and an
awareness perspective, but then I think it will take some time for this to work
through. I really do.
REP. TAUZIN: Ms. Cady, you wanted to come in.
I'll get you next, Mr. Shen.
MS. CADY: I do. I want to say --
first of all, I want to give a personal response --
REP. TAUZIN: Okay.
MS. CADY: -- rather than a corporate response to why I think there is a
lack of understanding of seal programs on the part of people who are in
business. Not on the consumer end.
REP. TAUZIN: Okay.
MS. CADY: On the consumer end we have the branding problem, and we all know that consumer
branding of anything takes time and --
REP. TAUZIN: It takes time.
MS. CADY: -- money and effort. Certainly the seal programs are working
toward that.
From the other perspective of businesses, it's hard to know
which seal might be relevant, and then it's can I actually participate because
there is a cost involved to the website owner, and if they are a very small
organization they may deem that joining a seal program is not something they
could do at some point.
REP. TAUZIN: But if legislation, for example,
provided safe harbor from government regulation if you were sealed properly --
MS. CADY: That certainly would help with the branding problem.
REP. TAUZIN: That certainly would help, wouldn't it?
MS. CADY: Yes.
REP. TAUZIN: That's one of the things we're looking at and one of
the things --
MS. CADY: Right.
REP. TAUZIN: -- that might help a
great deal.
MS. CADY: On the issue of expanding protections, what
Privada is working towards, quite frankly, is to not have to have you worry
about a seal if you are a consumer or not have to worry about knowing where the
technology is, but what we're trying to do is build in down another layer so
that it will be with you all the time.
So our vision is that privacy is
provided for you by your financial service provider and/or your internet service
provider and/or other service providers that are available to you and which you
use, and you use it in conjunction with the tools that you're already using,
your current browser, your current e-mail clients, so that you have that
protection if you want, and it's available to you easily.
Now, we again
have a sales and branding and growth problem so that we can't say to you that
today, Mr. Chairman, we can do this for everyone in this room and everyone
listening to this hearing, but that's certainly where we're going.
Thank
you.
REP. TAUZIN: Mr. Shen, you wanted to add something?
MR. SHEN: Yes. I just want to add on to your other comments, Mr. Chairman.
Obviously I think what we're trying to address here are really the needs
of the consumer, and I think consumers, while they have appreciation for the
fluidity, the dynamic nature of the internet, really don't want that fluidity
and dynamic nature to touch their personal information. They want guarantees.
They want standards.
REP. TAUZIN: Yes, but let me tell you something
about that. We're having a hard time gauging what consumers really want in this
area, and I'll tell you why. We found this out in a lot of our political
surveys.
When you ask consumers questions about this, they often tell
you what they think they should want rather than what they really want. They
often answer these questions by what I'm supposed to want to protect my privacy,
as opposed to yes, I would take all these efforts to go, you know, operate all
these consents and these opt in and opt out.
What they really want is
comfort, ease. They want to be able to use these systems with some confidence,
but also with ease, and user friendliness is a huge consumer desire we're
finding in our meetings and town hall meetings and discussions and everything
else about this.
When you really pin people down they say yes, indeed, I
want my privacy protected and protected at all costs, but they'll also tell you
when you really get away from any kind of public surveys where they're answering
what they think you want them to say is do you know what I really want? I just
want this to be easy. I don't want all this trouble. I don't want to have to
work too hard to be able to use these systems.
I don't want to have to
work too hard to access, for example, credit or to access the store that sells
me what I want on the web and to get the information I want. I am willing to
take some risk and do that. If you can make it, you know, reasonably secure for
me, reasonably, you know, comfortable that I'm not going to get burned on this,
if you make it easy I'm pretty happy.
That's what we're hearing. I mean,
it's a real tension and so it's hard to understand what the consumers really
want in the way of legislation and/or, you know, even regulation in this area.
I hear you and I know what you're saying because whenever we do surveys
obviously, number one, everybody wants protection at all costs. Then when you
really get down to it they say yes, I really want my kids to go and visit those
good websites.
Yes, I really want the advertisers to know enough about
me to target ads for my tastes and my wants and my desires. Yes, I don't want to
have to read big notices. I don't really want to have to decide which seal is a
good seal and which program is a good program. I mean, we get real conflicting
signals about this stuff. As much as we think we understand it, we constantly
realize we don't.
The other thing I want to get into with you is the
question of bankruptcies, mergers, acquisitions, change of leadership. Here we
are collecting data. I may indeed agree that your company, your website, can
collect all my data because I trust you with it. I trust you're going to manage
it well.
Next week you die. Somebody else takes over the company. The
next week the company merges with another company. You mentioned merging the
personally identifiable data with non-personally identifiable data problems, but
you've got a range of issues here, not just bankruptcy, but issues where we
changed the management of the company.
The stockholders may change. They
may merge. They may sell the company, all sorts of different ways in which
different people come into control of the information I trusted with a certain
group of people or a company that I trusted only to find out that company is a
new company tomorrow because it merged or it was acquired or because it went
bankrupt and is selling all its assets, including my information.
There
are all sorts of different scenarios you can paint where information I thought
was secure with this group of people in this company brand name that I trusted
is all of a sudden now potentially under somebody else's control. How do we deal
with that? Anybody?
MS. AFTAB: Mr. Chairman, I'll put my bankruptcy
practitioner hat on because before I started doing internet law I started doing
Chapter 11 bankruptcy.
There's a problem here in that there's a tension
between the bankruptcy laws, which try to maximize the value of any asset --
REP. TAUZIN: Of any asset.
MS. AFTAB: -- of a company and the
ability of a trustee or the debtor in possession and the Bankruptcy Court to
permit any contract to be modified so that you can say it will never happen, but
under the bankruptcy law --
REP. TAUZIN: It can happen.
MS. AFTAB: -- and under policy you can move all those things around. You can make a
mortgage longer.
REP. TAUZIN: Yes, Ms. Aftab, but let's think about -- I
mean, we talk about .com companies now.
MS. AFTAB: Right.
REP. TAUZIN: A .com company's physical assets are very often much less valuable than
the information assets, the intangible assets. In fact, there's a huge debate
over how to properly assess the value of a company. How do you measure
intangible assets? As you know, FASB has got a big debate on its hands. We've
engaged them on that very question.
But the point is in that .com
companies the information base is the asset, and if we say as a matter of law
that because you've collected that on a confidential basis with your consumer
base that you can't ever transfer your company with that asset. You're basically
devaluing that company significantly in commerce, are you not?
MS. AFTAB: You absolutely are, Mr. Chairman. I think that's part of the tension.
Part of what can be done is people can actually reach out to the members of that
list through e-mail and say we're moving this, or this list is up. Not an
answer, certainly not an answer, but something that at least will raise
additional questions.
REP. TAUZIN: But it's something we may have to
address, right?
MS. AFTAB: Absolutely.
REP. TAUZIN: It gets down
to whether or not in this case the rights of the consumer is a matter of
contract or we make it a matter of law.
If we take it from whatever the
contract provided, whatever agreement I have with the company, and we start
making law on it, it could dramatically affect the value of .com companies, the
way in which .com companies are financed and the way the stock performs and
everything about them. It could dramatically affect the whole .com economy.
MR. CHIANG: Mr. Chairman? Larry Chiang here.
REP. TAUZIN: Go
ahead, Mr. Chiang.
MR. CHIANG: With regulating this facet of let's say
the sale of information of the company, I mean, can't we look towards previous
legislation where when two banks merge one person's ATM fee is
$1.20 and another person's ATM fee is $1.25,
where you have maybe not just one e-mail notification, but maybe a statement
update or a card member services agreement update where you maybe don't just
send one e-mail? It may be a series of three e-mails.
REP. TAUZIN: But
let's say I have a privacy policy at my bank that I will not sell or transfer
your private financial information to anyone else.
MR. CHIANG: But in --
REP. TAUZIN: But now I go bankrupt, and my bank is being sold, and
somebody else acquires it.
MR. CHIANG: Right.
REP. TAUZIN: Is the asset, my financial information, an asset of that company that can be
transferred even though I have a contractual relationship with the bank that it
not be shared with anyone else?
MR. CHIANG: Right.
REP. TAUZIN: Do you get my drift?
MR. CHIANG: Right.
REP. TAUZIN: These are weird questions.
MR. CHIANG: Right. Previously I think that that's why
if the FTC were given the regulatory authority to, and I'm not, you know,
financially supported from them in that MoneyForMail is a, you know, for profit
corporation, but in that instance where then the FTC can say well, in the
specific example the case study where I think a company called ToySmart went out
of business --
REP. TAUZIN: That's the one we're talking about.
MR. CHIANG: -- and attempted to sell their public data.
REP. TAUZIN: See, that case was built because obviously it went out of business, but
the point I make is that I can envision 12 different scenarios where the
ownership control of that information changes hands, not just through
bankruptcy.
We could have a major shake up of the corporation. All the
board of directors get fired. A new management team is brought in. Effectively
that's a new company now in control of my information. Did I want that team to
have my private information, maybe people I don't trust?
Maybe, you
know, a foreign entity moves in, and I may have some problem with that. You
know, we've got an entity seeking to buy a company in America that's government
owned right now. We're having a big discussion about that. Suppose that entity
has private information. Now a foreign government is going to have information
about me that I maybe didn't want a foreign government to know.
You get
my drift. There are many scenarios affecting the collection and the use of
private information by companies in this changing marketplace that we need to
think about, and we're going to need some help in figuring all that out from
you.
Give us your thoughts, Mr. Chiang.
MR. CHIANG: I think
previously with the property question issue that was I think two panels ago
where who owns the data?
REP. TAUZIN: Who owns it?
MR. CHIANG: Is it shared data between the corporation and also the personal --
REP. TAUZIN: But let's get away from the internet. How did it work in the brick and
mortar world?
MR. CHIANG: Well, I think what's going to happen is that
the internet is causing a catalyst where in America it's very inexpensive to
send out a piece of direct mail. I mean, if anybody goes home today and looks at
how many credit card inserts you're going to have, it's probably between ten to
15. It's not price constrained. It's just logistics constrained. Not even
logistics constrained, but just as a --
Well, getting back to the point
where I think what's going to happen with the internet is it's going to cause
people to say hey, don't I also then control other pieces of data that is
compiled and collected on me? Not just internet data; whether, you know, I like
to purchase these specific toys that are racing oriented toys.
Then what
about credit data pieces? Don't I also control my own credit data where, I mean,
everyone is talking about notice and choice and access? I mean, today I don't
have access to my own credit report, and I work in the credit industry. I do not
have access unless I pay $8, and that's going to catalyze some
of the questions I think that are going to happen in the industry, which is who
does control it? Is it shared control of the information? Is it the ToySmart --
REP. TAUZIN: Yes. We've never settled all that, have we, about who owns
the information about me. Doesn't it have a lot to do with how you obtained it?
I mean, you can observe me in this room and gather a lot of information about me
and so you're obtaining it in a public sense.
How it's obtained may have
something to do with whether or not we protect it and the persona we allow it to
be in the public domain or publicly used or publicly traded. I don't know. It's
some interesting thoughts that we're going to have to have and some interesting
discussion.
Mr. Shen, you look very thoughtful. Give me some help.
MR. SHEN: Right. I mean, you obviously bring up a lot of very
interesting issues, Chairman Tauzin, which is basically why I like working on
this issue as well.
REP. TAUZIN: Yes.
MR. SHEN: We are confronting new sort of conflicts, things that we have, tensions through
bankruptcy of a need to try to satisfy creditors and also the need to protect
consumer privacy.
I think sort of adding on to what people have already
said, there is no reason, I think, why most internet companies cannot contact
their customers if they are going to be bought or merged or acquired in some
fashion. The internet is interactive. It is supposed to facilitate that sort of
contact and communication.
I think with all due respect here, your very
I think important earlier point. What happens in the off line world? It's
something that we do have to go back and address. I think in the off line world
there's obviously not a great deal of protection of personal information in a
bankruptcy proceeding. Is there a reason to go back and see if we want to reopen
that issue? I definitely think so.
REP. TAUZIN: The reason I raised it,
Mr. Shen, is if we get away from the internet, take ourselves back in time a
bit, if I'm a little country store in Thibodaux, Louisiana, where I was born and
raised, and I have a customer base that I've been selling to and I decide to
sell out. I sell that information. We sold that information to the next guy that
bought the store, and nobody complained.
What's different about the
internet that makes us want to complain? What was it, toys.com?
MR. SHEN: Right.
MS. : ToySmart.
REP. TAUZIN: Whatever it was. Why
was that such a scary thing when that happened in the brick and mortar world
with such frequency?
MR. SHEN: Well, I think one possible answer, and
this may not be a complete answer, is that the information collection on the
internet is much deeper than it ever has been before.
Perhaps if you had
orders from a small business in Louisiana, it would be information about a
person's name, maybe their mailing address in case you wanted to send a receipt
to them. On the internet you create profiles, like the gentleman does right next
to me. You create information or records about what they've been doing on line
across thousands and hundreds of websites. I think that's at least one reason.
REP. TAUZIN: Is part of the fact that, you know, we all know that little
store owner in town, and we probably know the person who's buying the store, but
we don't know all these people on the web?
MR. GRIFFITHS: Right, and
it's important what the original premise was of the collection and that original
relationship.
I think if the party down the line meets and supports the
original premises of collection -- it will be used for this purpose and
collected in this way -- then it's seamless.
REP. TAUZIN: Yes.
MR. GRIFFITHS: If they dramatically change the premise under which they
were contacting them then it's very scary.
MS. AFTAB: Mr. Chairman, I
think also in the ToySmart case there were children involved.
REP. TAUZIN: Yes.
MS. AFTAB: I think there's this fear the parents have and
knowledge that they have their eight-year-olds know more than they do about
what's going on with the computer and the internet.
REP. TAUZIN: And
they do.
MS. AFTAB: And they absolutely do. I mean, if you have to have
something fixed, you call the eight-year-old.
In this case, children
were sharing information at the site, and the concern was about the parents not
even knowing what the kids may have shared and that now being sold to third
parties is what had frightened people as much as anything.
REP. TAUZIN: We used to be afraid. I mean, when we were growing up parents used to be afraid
of what we'd tell our teachers about our parents.
MS. AFTAB: That's it,
and the most we had was, you know, the birthday club at Howard Johnson's.
REP. TAUZIN: Now we can tell people we totally don't know about
anything. It's a totally different world.
Thank you very much. We could
keep this going a long time, I think, and we probably will before we come to
some conclusions, but I will invite you to do several things. Number one, the
record stays open for 30 days. If something we've said here or something you've
heard here provokes some good thought and some good comment from you, please
submit some more information to us.
As I said, this is an extraordinary
learning process. Mr. Shen, you're right. It's one reason I love this work, too,
is because it's extraordinarily fascinating. I don't know where it all comes out
yet.
I do know that we've got enormous tensions here, and you've heard
from a lot of members how we need to proceed very judiciously here and carefully
here because obviously we can make some rules that don't work. We can do like
that bank. We can impose some conditions on people that we think people want,
only to find out not only they don't want it, but it didn't work very well for
us.
Finally, we obviously need some real world thought and experience
from those of you working with consumers in trying to find solutions that work
for them.
The record will stay open. We may have some questions. We may
want to submit one or two to you.
I apologize for the lack of members
here. That's the reason why I've always hated second and third panels because
the members all leave, and I'm the only one left with you, but it's been a good
experience for me. I've learned a lot, and we will try to make sure other
members pick up your material and read it and learn from it as well.
Thank you very much.
MS. AFTAB: Thank you so much.
REP. TAUZIN: If you've got something timely you want to tell me, there's a good
chance.
MS. AFTAB: I would just like on behalf of the entire panel to
offer all of our continuing expertise to anyone who is willing to listen here on
the committee.
REP. TAUZIN: Thanks so much. The hearing stands
adjourned.
END
LOAD-DATE: October 14, 2000