LEXIS-NEXIS® Congressional Universe-Document

Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint

Document 1 of 261.

October 11, 2000, Wednesday

SECTION: CAPITOL HILL HEARING

LENGTH: 36190 words

HEADLINE: HEARING OF THE TELECOMMUNICATIONS, TRADE, AND CONSUMER PROTECTION SUBCOMMITTEE OF THE HOUSE COMMERCE COMMITTEE

SUBJECT: PRIVACY PROTECTIONS FOR CONSUMERS

CHAIRED BY: REPRESENTATIVE W. J. TAUZIN (R-LA)

LOCATION: 2123 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.

WITNESSES:

REPRESENTATIVE E. CLAY SHAW, JR. (R-FL)

REPRESENTATIVE BOB GOODLATTE (R-VA)

LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE;

SALLY KATZEN, DEPUTY DIRECTOR FOR MANAGEMENT, OFFICE MANAGEMENT AND BUDGET;

ROGER BAKER, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF COMMERCE;

ROBERT PITOFSKY, CHAIRMAN, FEDERAL TRADE COMMISSION;

JODIE BERNSTEIN, BUREAU DIRECTOR, FEDERAL TRADE COMMISSION;

LARRY CHIANG, CHIEF EXECUTIVE OFFICER, MONEYFORMAIL.COM;

GLEE HARRAH CADY, VICE PRESIDENT FOR GLOBAL PUBLIC POLICY, PRIVADA;

PARRY AFTAB, SPECIAL COUNSEL, DARBY AND DARBY, P.C.;

MIKE GRIFFITHS, CHIEF TECHNOLOGY OFFICER;

ANDREW SHEN, POLICY ANALYST, ELECTRONIC PRIVACY INFORMATION CENTER;

BODY:
REP. W.J. TAUZIN (R-LA): The subcommittee will please come to order. Today this subcommittee will hold a hearing on the important developments in the efforts to protect the privacy of American consumers.

Few issues in this industry generate such strong emotions as how to deal with the enormous amounts of personal information that are collected, distributed, stored every day by the Internet. This morning, later, we will hear from two of our colleagues -- Representative Clay Shaw and Representative Bob Goodlatte. Representative Shaw will explain to this subcommittee his legislation, H.R. 4857, the Privacy and Identity Protection Act of 2000, which has been reported out of the Ways and Means Subcommittee on Social Security and is currently awaiting action in the subcommittee.

In addition, the subcommittee will hear from Representative Goodlatte about the Lansdowne Privacy Summit, which the National Chamber Foundation hosted for House Republicans in May of this year, and what has come from that. I understand the foundation also scheduled a similar session with the House Democrats and unfortunately got cancelled, I believe. Representative Goodlatte co-hosted, along with my colleagues Chairman Bliley, Representative Ehrlich and myself, this privacy summit and I personally want to thank him for his efforts in this endeavor. I also want to thank both of our colleagues for coming this morning and for sharing their views with us. This subcommittee has been a keen observer, for many years, of this debate -- holding hearings on this issue both in 1998, 1999 and, again, in 2000. Over the last year we have seen consumer concerns over privacy heightened and, as a result, specific federal responses. Congress has adopted two federal laws to deal with specific areas of concern -- the Graham- Leach-Bliley law, in which financial privacy laws are written, and the Children's Online Privacy Protection Act.

In addition, Americans have witnessed the development of a new private sector technology -- in fact, many technologies -- to help consumers as well as voluntary standards by industry to self-police and educate consumers. In certain areas the federal government and commercial entities have come together to achieve cooperative standards to govern their online conduct. Privacy was not created with the advent of the Internet. In fact, we have been passing privacy laws, I believe, for the past 30 years. But the Internet adds a level of dissemination beyond what Americans had ever thought possible and in many circumstances beyond which they feel comfortable.

While the Internet is still relatively new the issue of privacy, of course, is not. Prior to the adoption of the GLB and the COPPA laws, Congress had enacted privacy protections in a dozen other circumstances, indeed, over that past 30 years, with the Fair Credit Reporting Act in 1970 starting that process. The sharing of personal information did not begin when the Internet was established but many people remember party-line telephones and can recall door-to-door salesmen plying their wares using neighborhood directories. Businesses for decades have bought and sold their business assets including their valuable information databases about their customers. There's nothing new in that.

As I've said many times before, personal information has value to both consumers and to an information economy. We live in an Internet information age and obviously information is the lifeblood of that system. A consumer's purchasing patterns, online behavior, is indeed valuable information to marketers. But at the same time I believe that consumers should have the ability to control that information or at least to be potentially compensated for giving away personal information if it indeed is a valuable asset. One of our witnesses, who will testify later this morning, has a business model that operates on consumers being compensated for sharing their personal information.

The issues as we move forward in this debate in coming years are these: has industry done enough to protect consumer privacy or should government step in to establish minimum standards to protect against the bad player? And if there are standards that work for private industry should they also be applied to government's collection of personal information? After all, I can choose whether to give information to a private company but in many government agencies I don't have a choice. I'm obliged to provide them with personal information. Does the government have a higher standard in play here to protect the privacy of my information?

Well, hopefully this morning we'll shed some light on these matters. While a tremendous amount of attention over the past year has been paid to the privacy of consumers in dealing with private industry, very little has been paid to the federal government's collection of personal information. The last time I checked very few consumers, indeed, were providing information to the IRS strictly voluntarily. Consumers, indeed, can vote with their feet in the private sector and go to another business if they don't want to share private information with them. But can you refuse to do business with the IRS or the EPA or the Medicare program, for that matter? And if you do can you refuse to provide them with information they require of you in order to do business with them?

Earlier this year, Representative Dick Armey and I asked the GAO to conduct a survey of the privacy policies of federal websites and then compare it to the fair information practices recommended by the FTC for commercial websites.

In short, we wanted to see if federal websites would fare any better than the commercial websites if they were held to the exact same standards that the FTC has held the commercial websites in their reviews. Was the federal government ready to practice what it has preached?

Well, from the results of the survey -- which we will discuss today -- it appears that the federal government does not practice what it preaches. Our report is not the only GAO report that has produced failing grades for government websites and databases. The Horn report on database security and the Lieberman report on OMB privacy requirements have also both shown that the government is not doing an adequate job of protecting America's personal information.

On just two issues in recent weeks the government has flunked. On the placement of cookies on government websites, the results are troubling. Despite OMB memoranda in 1999, in June of 2000, prohibiting the placement of cookies on federal websites, the practice continues today at the IRS and possibly at other government websites. In fact, we learned in the GAO report, I think, that 14 percent of the websites surveyed potentially permit cookies on their federal websites.

And just last Friday the AP reported that the White House website itself violates COPPA by collecting personal information from children. While government websites can hide behind different standards, in these two instances they certainly do not live up to the spirit of the laws that apply in the commercial world. Chairman Pitofsky of the Federal Trade Commission has graciously agreed to testify today about the many FTC reports and activities in the past year dealing with privacy.

We'll also hear from private sector witnesses who will discuss online profiling and Children's Online Privacy Protection Act and the use of technology in protecting privacy. And we will hear from one entrepreneur with an interesting take on privacy. In short, we'll be looking at both the government sector and the private sector today and we will examine just how well we stack up. In short, while there's no obvious time this year for this committee to engage probably in legislation, the remaining days of this session, this hearing will be preparatory to activities next year in which we will continue our efforts to guarantee that both the federal government and the private sector respect the privacy of American citizens.

I want to close by inviting you -- I understand the website is down this morning but -- to visit the EPA website. Our staff visited the EPA website, I believe, yesterday and discovered that there is on the EPA website a section called "explorers' club" which invites children to give information about themselves to the EPA. Nowhere on this website is there a disclosure that children should first get the permission of their parents before sharing their private information with a government agency. There's something wrong when federal agencies can't obey the law that we impose on private citizens.

The chair yields back his time and the chair recognizes the gentleman from Virginia, Mr. Boucher, for an opening statement.

REP. RICK BOUCHER (D-VA): Thank you very much, Mr. Chairman. I want to begin by complimenting you on your handling of the delicate and complex matter of establishing a federal privacy policy respecting the practices of websites that collect information from the Internet- using public. The chairman has properly taken a cautious and deliberative approach toward the development of legislation in this sensitive area.

In my view, the time for legislation has now arrived. With the hearing today, I urge the subcommittee to begin the process of developing a federally-assured baseline set of guarantees for personal privacy with respect to the information collected by websites through the use of cookies placed on the hard drives of website visitors. The requirements which Congress should enact are straightforward and would be in the nature of minimum guarantees that would be applicable to all websites.

I suggest that our legislation contain the following five elements. First, each website should provide a clear notice of what information is collected from the Internet-using public and how that information is used. If the information is used internally within the website, that fact should be stated. If there are circumstances under which the information is transferred to third parties, that fact should also be stated and those circumstances listed.

Secondly, after reviewing the policy, the website visitor should be able to limit the information about him which is collected and, in practical terms, that may mean that he would depart the website with no information being collected -- a practice that we commonly would refer to as an opt-out.

Third, the Federal Trade Commission should be directed by statute to create a mechanism to assure compliance with these basic privacy guarantees. Fourth, the legislation should declare that the policy is the national policy and preempt any state requirements that are more onerous or inconsistent or in conflict with the national guarantees as assured in the statute. And, fifth, the Federal Trade Commission should be instructed to review website practices on an ongoing basis and recommend any additional legislative steps that may be appropriate.

I would suggest that a number of benefits would flow from the passage of this set of minimum statutory guarantees. First, it would assure that all websites -- whether privately operated or operated by a government agency -- respect privacy. The larger commercial sites are presently members of self-regulatory organizations and generally respect the privacy policies announced by the SROs. Smaller websites in large numbers do not belong to SROs and government agencies have observed privacy policies in a truly voluntary way which has been somewhat inconsistent, as the chairman has suggested. In our view, all sites should be covered by a minimum federal guarantee.

Secondly, the legislation would establish only a minimum set of guarantees and websites could then offer higher levels of privacy protection and market that enhanced privacy as a competitive difference. And, so, offering greater levels of privacy would then become a competitive asset in the marketplace.

Third, this basic privacy guarantee would encourage the growth and development of the Internet by creating the confidence in Internet users that their privacy is being protected. And, fourth, we can assure that the law is efficient and workable by preventing a patchwork of inconsistent or conflicting state requirements from arising.

The Federal Trade Commission has called on the Congress to act and it's time for the Congress to accept that invitation. And I believe that we can do so with a large consensus of support from the private sector. Over the course of the last several months I have watched that consensus grow and it is in support of the kinds of steps that I'm recommending that we take this morning.

I want to welcome to the subcommittee today my friend, and Virginia colleague, Bob Goodlatte, with whom I have the privilege of co-chairing the House Internet Caucus. Eighteen months ago, Mr. Goodlatte and I put forward legislation which closely resembles the recommendations that I have made this morning. Our Internet Caucus has also been active over the course of the last year. We have conducted a technology demonstration to demonstrate various technical means of protecting personal privacy for Internet users.

We've also conducted two widely attended workshops on the question of protecting Internet user privacy. And now we are planning to take our activities to the next level. During the coming days we intend to establish a working group of interested members of the House and Senate, primarily composed, I suppose, of members of the Internet Caucus but anyone is certainly welcome to participate. And our goal in establishing this working group will be to help in developing a broad consensus in support of the elements that should comprise our privacy legislation during the course of the next Congress.

It's our hope that the consensus building process will include consultation with the industry and with the Federal Trade Commission, and we hope to achieve the consensus that we're seeking within a matter of just several months. So that by January recommendations can be in hand that enjoy the support of a broad consensus within the stakeholder community and among members of Congress. I look forward to working with the interested members of this subcommittee and with my friend, Mr. Goodlatte, and the members of the Internet Caucus, as we consider the best means of enhancing privacy protections for the Internet-using public.

Mr. Chairman, I want to commend you for this timely hearing. I frankly wish it was a little bit better attended because it truly is an important subject.

And I want to commend you also for the careful and thoughtful way in which you have addressed it and I look forward to working with you as we seek to assure that the Internet-using public truly has its privacy protected. Thank you.

REP. TAUZIN: I thank the gentleman and, believe me, I feel very similar about the gentleman's involvement. I pledge to him that -- as I have privately -- we're going to work very closely over the next several months in preparing for some very serious work on this issue next session. I thank the gentleman.

The chair recognizes the gentleman from Illinois, Mr. Shimkus.

REP. JOHN SHIMKUS (R-IL): Thank you, Mr. Chairman, and I'll be brief. I do believe, as many of us do, that the big issue of the new millenium will be privacy. It's a great issue because it really brings the political spectrum of the far left and the far right together as teammates really trying to address the concerns of the good government types that want to create new efficiencies for government to provide services with the possibility of accepting and storing personal data.

So, this is a great time to have this hearing. I'm concerned over the policies and statements that we enact at the federal level but I'm more concerned that we follow those policies and statements which, it seems -- those of us who are not technology experts, you know, unfortunately, we're a very trustful nation. We trust everybody and so if an agency says this information is not going to be used, and they ask for information, well, we think, oh, good for them. But the information is still being gathered and stored.

I hope that this debate stirs up the whole issue that I think our founding fathers would be very, very proud of -- the debate of personal privacy -- actually, privacy rights which would be similar to property rights in that there are some -- they're part of the fabric of our national culture, that I think (have been ?) lost through a technology age and an information age, that we need to get back to some privacy rights issues. Again, I think the founding fathers would be pleased about this debate and we have a lot of work to do.

I appreciate this hearing and I look forward to being engaged with my friends from Virginia and members of this committee as we move forward in the next Congress. I yield back my time.

REP. TAUZIN: I thank my friend. The chair recognizes the gentleman from Ohio, Mr. Sawyer.

REP. THOMAS C. SAWYER (D-OH): Thank you very much, Mr. Chairman. I can't help but think our founding fathers would not only be proud but would be flabbergasted by this debate.

I want to join with my colleagues in thanking the chairman for this hearing today. As he suggested, many businesses have -- and many other kinds of entities have long collected information about Americans for a variety of purposes but today the use of individual reference services and (lock-up?) services operate computerized databases on personalized information that have expanded the concept beyond what most Americans have ever really seriously thought about. But they will be thinking about them a great deal more in the future.

Most of us are familiar with the story that Thomas Friedman (sp) likes to tell, the New York Times columnist who checked into a hotel with his wife and children and as children are wont, they wanted to go to the hotel pool right away. So they jumped into their swimsuits, went downstairs and got into the pool. And when it came time to get out of the pool and go back to their rooms they discovered that he had left the hotel key in the room. So, dripping wet, with little more than a bathing suit and a towel, he went up the front desk and asked the manager if he could get his -- I guess he asked the check-in clerk if he could get an extra room key. And the clerk said, I'm sorry, if you don't have any identification with you we can't do that, I'll call my manager.

The manager came out and he said, Mr. Friedman, I really could not in good conscience -- and you wouldn't want me to give your key to someone who simply came up in a bathing suit and said that he was you. And, in the meantime, he's standing there, he's working with the computer. He said, but I can tell you what room I'm in. He said, you could have done that in any number of ways but let me ask you this, you say your kids are with you, what are their names? He told them. What are their birth dates? He told them. He said, here's your key. He said, why did you do that? He said because you stayed here nine months ago and we have all of this information and a whole lot more about you. And he said, thank you very much. He was gratified but he was dumbfounded by the level of information and the depth of knowledge they had about him as a product of simply having checked into the hotel on a previous occasion.

That is chilling information and it is a remarkable example of why the hearing that we're having today is important. I appreciate the comments about he relationship between information gathered by federal agencies and those gathered by businesses. Over the course of the last couple of days, Mr. Chairman, I've rejoined a discussion that I've been involved in for the last dozen years. And that is, efforts over the last 210 years to gain access to private individual information gathered as a product of the census. It has never been violated in the 210-year history of this nation.

If we're looking for (principle/ principal?) examples of the fundamental ideas behind which we might seek to guard information, we could do no better than to turn to the kind of repeated efforts that have been made to penetrate the census and the efforts that the census has made to guard against that. Not only other agencies but even, as we learned last spring, in times of war when efforts were made to individually identify Japanese-Americans living in the United States, United States citizens. That effort was directly resisted as a product of the work of the census.

Personal information is our single most valued possession and the work that we're doing here today could not be more important. I thank you for that and yield back the balance of my time.

REP. TAUZIN: I thank my friend. By the way, that hotel now has new personal data on Mr. Friedman, the fact that he loses his hotel key is I'm sure included now. The gentleman from Maryland, Mr. Ehrlich.

REP. ROBERT L. EHRLICH, Jr. (R-MD): Real briefly, Mr. Chairman, real brief. Everyone said really what I can say, this is a timely issue, it's an emerging issue. It's always been a second tier issue, now rapidly becoming a first tier issue in American politics. If there's any doubt for anybody in this room that this issue is very important to the chairman, let me assure you there should be no doubts because the chairman and I regularly have conversations about this. We've already had one conference to be followed by many more conferences and hearings and hopefully good pieces of legislation. I yield back.

REP. TAUZIN: I thank my friend, also, and thank him for co- hosting the conference with Chairman Bliley and Mr. Goodlatte and I. And, as you know, we'll hear about that conference a little later but I again want to thank the gentleman for his personal involvement because it's going to take a lot of members' involvement for us to unravel all these issues by next year.

The chair welcomes and recognizes Mr. Luther for an opening statement.

REP. BILL LUTHER (D-MN): Thank you, Mr. Chairman, and thank you for holding this important final subcommittee hearing. I want to thank you and Mr. Markey and Mr. Boucher for your leadership on this subcommittee and on this issue. I'm pleased to hear you say that this hearing will only be the beginning on this issue and that hopefully in the next Congress we can deal with very substantively with this particular issue for the benefit of America's consumers.

Last November, I was pleased to join Representative Markey in introducing HR 3321, the Electronic Privacy Bill of Rights, which would require website operators to comply with the so-called fair information practice principles. I would also be remiss if I didn't mention this morning the great work of my colleague and friend, Congressman Bruce Vento of Minnesota, who passed away yesterday morning. Bruce introduced two online privacy bills and I want to recognize him for his hard work on behalf of the American consumer on this issue and on so many other issues through his lifetime.

REP. TAUZIN: Would the gentleman yield. I want to -- Mr. Luther, we might ask all our friends for a moment of silence in memory of Mr. Vento. He was indeed a dear friend of many of us and his passing is very hard on many of us. I ask you all to join us now in a moment of silence. Thank you. Mr. Luther.

REP. LUTHER: Thank you, Mr. Chairman. In light of both the FTC and GAO studies that report that an unacceptable low percentage of websites comply with the fair information practices, I look forward to hearing our panelists' opinions. Hopefully their testimony will provide insight as to what we, as a committee and as a Congress, can do to protect the American consumer from this wholesale collection and distribution of personal information. Thank you, Mr. Chairman, and I yield back.

REP. TAUZIN: Thank you, Mr. Luther. The chair is now pleased to welcome our first witness, indeed, our good friend from the Judiciary Committee who, I think, spends more time here than he does with his own committee, the honorable gentleman from Virginia, Mr. Bob Goodlatte. Bob, I also wanted -- I spoke last night, at midnight, with your chairman, Mr. Hyde, and he was kind enough to get on the phone with his staff last night and work out the final details of the Firestone recall bill that we passed last night, the Tread Act. And I again wanted to thank all of you members of the Judiciary Committee for the excellent cooperation your committee provided our committee in resolving the technical areas of common concern in the bill, and for waiving referral to the Judiciary Committee. Again, if you'll extend my thanks on behalf of the Commerce Committee to other members of the Judiciary Committee I would deeply appreciate it.

As you know, the bill passed last night and is now on its way to the Senate and so we're, again, very grateful for the work of our good friend, Mr. Goodlatte, on the Judiciary Committee. Mr. Goodlatte, you're recognized, sir.

REP. BOB GOODLATTE (R-VA): Well, thank you, Mr. Chairman. I want to thank you and other members of the Commerce Committee for similar cooperation and coordination of legislation that these committees share on many occasions. You've been very helpful to us so we very much appreciate that and I will extend your remarks to Chairman Hyde.

I also want to thank you for allowing me to testify today. I do want to know how many appearances is required before I can get a guest host status (laughs) but I do very much appreciate the opportunity to testify on this very important issue. I must also thank you for your leadership on this. You were very instrumental in organizing the retreat, which you have referenced, which Congressman Ehrlich and Congressman Bliley and myself were privileged to co-host with you. I felt that was a very, very productive retreat for Republican members. And, while this is bipartisan in nature and we intend to work with our Democratic friends on this as well, that retreat -- which heard from experts in industry, academia and various think tanks on this increasingly important issue -- yielded, I think, some very substantive results. I can say with confidence that it was a great success and I think members learned a great deal about the issue.

We discussed what the main privacy concerns of our constituents are -- including unsolicited direct mail marketing, the collection of personal information on the Internet, the disclosure of personal financial information by financial institutions, and identity theft and other criminal uses of personal information for fraudulent purposes. We also learned about the complexities of how information is used by commercial entities and that any privacy legislation needs to permit the beneficial uses of the information as well as address consumer concerns.

And, finally, we learned that we need to use a combination of tools to address privacy -- targeted legislation that specifically identifies the harm we're trying to regulate, education to ensure consumers know that their rights are -- what their rights are and how to exercise those rights, technological tools on the Internet to allow consumers to control their information better, and policies that encourage and reward businesses for self-regulation and protecting consumer privacy at the same time that they extend enormous new benefits to consumers by making valuable information available to them. We also have to be careful not to increase identity theft and fraud by making information unavailable to businesses and law enforcement to detect and stop crime.

I also want to recognize and thank my colleague from Virginia, Congressman Boucher, for his dedicated hard work on this issue. We are, as you well know, the co-chairs of the congressional Internet Caucus. And with the hard work of Congressman Boucher the caucus has sponsored a number of privacy-related activities and events in recent years, including several public policy forums, a technology demonstration of the latest privacy technologies, and a briefing book for members that outline various positions on the issue of online privacy. As my colleague mentioned, the caucus will continue to be active on this issue after we adjourn this year.

Earlier this year, I had the opportunity to lead a congressional delegation, along with Congressman Boucher, that was attended by several members of the Commerce Committee -- including Congressman Gordon, Congressman Stearns and Congressman Pickering -- in which we had the opportunity to testify before the European Parliament on the issue of privacy as it relates to electronic commerce. As a part of that testimony we promoted the efforts to coordinate privacy policy with the European Union. Something that, as you know, is vitally important. And something that hasn't been mentioned thus far today but is also important, looking toward our states as well. We have a great concern that if we have 50 different state privacy policies enacted by our state legislatures -- many of which are very active on this issue today -- as well as differing privacy policies around the world, we'll have an unworkable situation on the Internet. And, so, the effort to promote the safe harbor that allows U.S. companies to do business in Europe by meeting certain standards while not requiring the United States to pass legislation that may be contrary to our interest and the intent of the majority of the members of Congress is vitally important.

It's also important to recognize the contribution that industry has made because substantial progress has been made in the area of self-regulation. At this time the vast majority of Internet sites of major businesses have good solid privacy policies that are enforced by those companies. And that progress which would indicate that -- for example, of the top 100 websites in the country, they have improved from 71 percent having a good privacy policy to now better than 95 percent, is progress. But obviously more work needs to be done in this area.

Mr. Chairman, you've noted the substantial progress we have already made in a number of targeted areas dealing with children's privacy, financial privacy, medical privacy. And I think that's the type of approach that we should continue to pursue, not a shotgun approach but rather a targeted approach to where the problems exist. We believe that through private initiative and this targeted federal action we have been making and will continue to make substantial progress toward achieving a balance between ensuring adequate consumer protection and encouraging the development of electronic commerce.

As we look ahead, obviously bipartisan support is vital and I'm pleased to hear so many members on each side of the aisle commit to that because that is exactly what is called for. There have been several legislative proposals introduced and considered in the Congress this year and it's unlikely that we'll see any of them enacted into a general online privacy law this year. That's a good thing; that's not a bad thing. And I know there have been those who have been pushing for us to take action before we adjourn this year but, quite frankly, the Congress must approach the issue of comprehensive online privacy legislation in a careful and deliberative manner. And that is exactly what we are doing with your leadership here today.

Lastly, I want to say a little bit more about what Congressman Boucher mentioned and that is the desire of the Internet Caucus to work with you and other members of the Congress as we brainstorm, if you will, for ideas on how to work in this direction. I do think Congressman Boucher has outlined the shape of a very good potential piece of legislation very similar to what came out of the privacy retreat which we hosted. And we are moving toward that kind of consensus but during the time between now and when the Congress reconvenes in January there is much work to be done. And the Internet Caucus intends to be a part of that by coordinating a working group of caucus members and others to develop a statement of principles on Internet privacy.

This working group will consist of any member of the caucus or others who are interested in the issue of online privacy. We'll work informally from now until the new Congress convenes in January to outline those areas the caucus deems important to address in any legislative initiative. And members who have been leaders on privacy issues from both sides of the aisle and both sides of the Hill -- from Congressman Asa Hutchinson to Senator Ron Wyden -- we hope will be actively involved in the working group.

And we're also hopeful that by working in a bipartisan manner we can contribute to the process which will begin in your committee and to ensure that all members of the House -- including new members who are still looking for information -- are prepared to act on any legislation that is considered in the early part of this year.

I thank you again for the opportunity to testify today and look forward to continuing to work with you.

REP. TAUZIN: Thank you again, Mr. Goodlatte. Let me -- first of all, you mentioned Asa Hutchinson. I want to state publicly that our concern about Asa's bill to create a commission -- which many of the members of this committee voted against -- was not, of course, that we don't need an awful lot of work done on this issue. And, as you pointed out, perhaps even some legislation next year. But it was our concern that this work ought to be done by members of Congress rather than some commission. And Asa and I had had many discussions about that. It was not a -- our opposition was simply that it was a job we had to do and we needed to get about doing it.

Secondly, I think you will recommend to our good friends on this side of the aisle the experience of the Lansdowne conference. I know that the Chamber Foundation has offered to conduct a similar retreat for members of the Democratic conference or caucus and I would hope that you'd take advantage of it, frankly. Let's talk about the Lansdowne conference quickly, Bob.

First of all, it rained all weekend so everybody had to listen to each other which was pretty good. And after all the meetings, after all the panels, which included -- as you pointed out -- members of industry, members of academia, think tanks, consumer representatives -- after everybody had a chance to listen to one another, wasn't there a major shift in the conference opinion by the time we left -- the early morning sessions on the first day until the last session? And didn't that shift represent a sort of major redefining of our mission here in privacy?

REP. GOODLATTE: Well, I think that there was definitely a coming together of ideas. And one of the -- speaking about Asa again -- one of the reasons why I also did not vote for his legislation was in addition to the fact that Congress needs to address this, I think that the speed with which we need to address it is upon us. And, therefore, some might take the establishment of a commission that would last for some lengthy period of time as a putting off of addressing this and I don't think we can do that. And I think that's one of the things that came out of that conference, was that we need to act in a comprehensive manner and we need to do it in such a way that sets a minimum baseline. That there is an opportunity for legislation here that promotes self-regulation.

REP. TAUZIN: Let's talk about some of the issues the conference highlighted. One of them was harmonizing various privacy laws. The conference noted the fact that in some of the state legislatures of our land there were as many as 200 bills filed. I know most of them didn't pass but there's a lot of activity going on in state legislatures, to establish privacy rights, that may be very different from one another and may create some very different kinds of laws all set on top of an Internet, interstate, international commerce question. Would you address that quickly for us?

REP. GOODLATTE: Well, I think we have to -- we have an international problem here, we have to start by having our own house in order in the United States. The chairman is absolutely right. One of the things I mentioned earlier that came out of that was the need to have federal legislation to avoid having 50 different states have 50 different privacy policies that are inevitably going to conflict with each other. And a company attempting to do business in interstate commerce on the Internet is going to have to have a consistent policy. I mean, you can't have a website which has two conflicting requirements on it. Much less, perhaps, 50 different states with a multitude of different components of regulation that could collectively make it a totally unworkable proposition. Particularly for a small business that wants to do something to supplement their bricks-and-mortar business with some Internet business and then suddenly find that they have an enormously task of complying with regulations.

So, we need to come up with something simple and understandable and comprehensive that everyone can comply with and avoid this problem.

REP. TAUZIN: We also ran into the question of various federal agencies adopting privacy policies that may or may not be in conflict with one another or in conflict with those state laws. And businesses that have to comply with more than one agency privacy policy that may be different from one another. And the question was, do we need to focus on harmonizing the federal standards as it applies to private businesses doing business with the federal government.

REP. GOODLATTE: Well, I think that's absolutely correct. And we have to make sure that the federal government itself -- as you noted earlier -- is setting the example of protecting the privacy of consumers and not abusing already existing laws much less --

REP. TAUZIN: And, finally, we're going to hear from the GAO about the various tests by which websites are judged or rated. And we'll hear from the FTC about how well privacy is being protected in the private, commercial sites of America. And we will learn that there are always going to be some bad actors and bad players. Can we trust on privacy to be totally protected by private, sort of self-policing organizations? Or will we need some minimum standard by which -- or something that applies to those sites that refuse to be members of self-policing organizations.

REP. GOODLATTE: We're always going to have -- of the millions of commercial websites -- some that are going to either through neglect, or through deliberate desire to misuse consumers' privacy, abuse this process in very unacceptable ways that are going to harm consumer confidence in the entire Internet. And, therefore, it seems to me that legislation should include a baseline standard to go after those outliers who are not going to meet that standard. When we do that we have to be very, very careful that we don't get into the idea that we should dictate the minutiae of how businesses protect privacy of consumers when we have in fact a long history, as you cited, of useful information being made available to consumers through businesses.

REP. TAUZIN: And, finally, Bob, I want to ask one thing of you -- of the Internet Caucus -- if you don't mind. I would very much appreciate it if -- before we get to this matter next year -- if you would perhaps co-host with us a technology demonstration for all members of the Congress to see the new technology in privacy protection. At the Lansdowne conference we saw some new software, some new hardware, some new ID systems by which consumers can and will be able to protect themselves from sites that might be negligent or intentionally damaging to their privacy. And I think a demonstration of all those new technologies would probably help us understand what needs to be done in law and what can be taken care of in technology and self-policing.

So, I would ask of you that -- the consideration of perhaps some sort of technology demonstration for our committee, perhaps in union with the Internet Caucus, perhaps, next year.

REP. GOODLATTE: We would be delighted to work with you to do just that. We have hosted some similar demonstrations. And, you know, it's a hard time reaching so many members of Congress who have such busy schedules so continuing to do that perhaps in conjunction with the committee here in the committee room, or something, we could have --

REP. TAUZIN: Well, either they come or we can threaten to release their private information.

REP. GOODLATTE: There you go.

REP. TAUZIN: We can work that out.

REP. GOODLATTE: Thank you, Mr. Chairman.

REP. TAUZIN: Mr. Boucher is recognized.

REP. BOUCHER: Well, thank you very much, Mr. Chairman. Let me echo the comments of Mr. Goodlatte about our willingness, through the Internet Caucus, to integrate our activities more closely with those of this subcommittee. Both in terms of conducting demonstrations and perhaps also in terms of having panel discussions that are apart from the formal hearing process and through other ways collaborating in the development of good policy.

I want to commend Mr. Goodlatte on his superb statement here this morning.

I'll note in passing that I'm not a particular fan of partisan retreats and so he will not be surprised if the Democrats do not accept the invitation to have a purely partisan retreat. I tend to think that the best policy is made in a bipartisan fashion. But I'm very pleased that the Republican members gained education from the retreat that they had.

REP. TAUZIN: Was that a -- was that a -- excuse me, would the gentleman yield?

REP. BOUCHER: I'll be pleased to yield. (Laughter.)

REP. TAUZIN: Was there a note of sarcasm in that? (Laughter.)

REP. BOUCHER: Oh, no, Mr. Chairman, there was no sarcasm, the statement speaks for itself. (Laughter.)

Mr. Goodlatte, I enjoyed very much the visit that we paid to the European Parliament in February of this year and I'm glad that you mentioned that. I thought it was an informative exchange on both sides. We did have, as Mr. Goodlatte indicated, the opportunity to testify before the European Parliament on the concerns that we have on this side of the ocean about privacy protection. At that time we strongly encouraged the formation of a safe harbor agreement which subsequently was negotiated. I'm not sure we can claim much credit for that but we certainly endorsed the concept.

And I was pleased to hear Mr. Goodlatte mention this morning that that safe harbor arrangement between the United States and the European Union is in the nature of a foundation. It is a minimum set of guarantees. It's in the nature of a floor and it's anticipated that the privacy understandings between the U.S. and the European Union evolve over time. And I would ask Mr. Goodlatte if he agrees that adopting a set of guarantees as national policy here in the United States that would assure the privacy protection of those who are using the Internet, and visiting websites whether commercial or governmental, would be in keeping with the spirit of the safe harbor agreement between the U.S. and the European Union and would serve to strengthen that agreement to the mutual benefit of U.S. citizens and European citizens alike?

REP. GOODLATTE: Well, I say that the legislation that you and I introduced earlier and -- which is a shorter form of legislation that I know the chairman and others have been formulating in their thinking process -- would provide such a baseline standard of guarantees. But we have to be careful that we don't try to -- I think -- micromanage that as the Europeans have done. I think that the purpose of that safe harbor is to allow us to take our course of action and to continue to promote privacy in a way very different than the way that the European Union has taken that approach of basically an opt-in policy. In fact, an opt-in each time somebody wants to use information. And I would say that that would be the wrong direction to head.

And if I might give an analogy to other areas, if I go into a men's clothing store that I frequent every year in Roanoke, Virginia -- the gentleman's probably familiar with it -- and they were to remember that I wear a size 40 suit and I like a particular brand of suit and so on. Here, I'm giving away a lot of my privacy information. And he happens to remember that, either in his head or by writing it down on a little card and keeping it in the back room, so when I come in again he tells me about a special sale they have on this particular type of suit and pulls out the size 40, or goes directly to size 40 to see what they have in that stock. I'm not in the least bit offended by that. And I'm also not offended if I go online to Amazon.com or BarnesandNoble.com and the first screen pops up and it says, we know you're -- welcome, Mr. Goodlatte, we know that you're interested in biographies and we have a new biography that we think you might be interested in. That, to me, is a value to consumers. In fact, in some areas like purchasing airline tickets or so on and then the -- you're also notified of a potential reduced rate on a particular hotel room in the city that you're going to with the airline tickets.

I think most consumers would appreciate having that information. They should have the opportunity to opt out of that if they don't like that but I don't think we should get into the business of cutting people off from that. And I think that's the effect of the policy Europe that we need to steer away from.

REP. BOUCHER: Mr. Goodlatte, thank you very much. In the interest of time, I'm going to stop with this but I do want to thank you, once again, for being here this morning. We always enjoy having you before this subcommittee and hope that you'll return. Thank you, Mr. Chairman.

REP. TAUZIN: The chair asks unanimous consent, by the way, that all members' written statements be made a part of the record including those who are witnesses. Is there any objection? Without objection, so ordered. The gentleman from Maryland, Mr. Ehrlich.

REP. EHRLICH: I yield my time, Mr. Chairman.

REP. TAUZIN: The gentleman from California, Mr. Cox.

REP. COX: Thank you. I just want to welcome my colleague, Mr. Goodlatte, and likewise thank you for your informed statement on this and all the hard work and study that you are putting into this subject. I'd like to ask you -- because of your role also as a member of the Judiciary Committee -- whether or not you think that it would be possible to improve choices for consumers and protections for consumers by using property rights in personal information as the means by which we regulate, as individuals, the information sharing that goes on both over the Internet and in other forms of commerce.

I want to stress, too, that I hope we can think about this in non-technologically bound terms because while the Internet is certainly today's medium, the Internet wasn't around a few years ago and it may not be around in recognizable form some years from now. Catalog sellers have collected financial information long before there was an Amazon.com. Direct marketers have bought lists of names and mailing addresses long before there was email. Americans have used the white pages to look up people's names and phone numbers long before search engines like People Finder were around. So, in that sense, what the Internet has done is simply to improve vastly the efficiency and reduce the expense of this kind of data collection and dissemination. And that development has brought into sharper tension the longstanding tensions between the desire for privacy on the one hand and the benefits of dissemination of information on the other.

So, my question is whether or not, as a consumer, I shouldn't have the opportunity to take advantage of -- as you have said -- of the opportunities to benefit, in many cases, from sharing my personal information. But if I'm a consumer who just disagrees with you and, you know, what suit size I wear is nobody's business but my own and that may be good for Goodlatte, it may be good for Cox, but it's not good for me, the consumer. You know, should I have that choice? And can we do this, therefore, on a market basis, on an individual basis, and give people property rights -- in the form of laws that we might pass here -- that would permit them in essence to license this information, sometimes for free or nominal cost, sometimes just for the benefits of whatever it is that they'd be getting over the Internet, as a means of implementing this. Because -- I'll leave it to you to think about it and answer it -- because I so fundamentally agree with what you said about the need for some predictability and uniformity.

I mean, in the sense that we don't want to have all these different privacy regimes in place, and so some uniformity with a national rule might be useful, isn't it true that if you had a one- size-fits-all policy that the downside of that is that it might not satisfy consumers. The consumers come in a lot of different shapes and sizes, that's what markets are all about. What you really want are neutral rules of universal application that permit the maximum amount of flexibility so we can all have our own privacy policies. And the Cox privacy policy might be different from the Goodlatte privacy policy which might be different from the privacy policy of every member on this panel. But what's the same is the law that gives us the right to choose and to enforce our choice in a legally binding way so that everybody leaves a market-based transaction happy because they chose the result. And so that we avoid the problems with government mandates which are that it's almost impossible for everybody to leave happy because it's forced on everyone whether they like it or not.

REP. GOODLATTE: Well, I think you make a very interesting observation. In fact, I think everyone does have their own privacy policy. If I don't like the fact that the fellow remembers my suit size, and so on, I'll go to another store the next time around. And, similarly with other types of information, if I don't want to be listed in the phone book I will ask to be de-listed. And if there is an abuse of that information I think we do need to set the policy to give the consumer that right.

So, that, for example, when I go into a store or go to visit a website and that website has information about me that they might want to use to give me more information, that's different than if that website takes that information and sells it to somebody else. I need to have the opportunity to know that and make a decision about whether or not I want to deal with somebody who is going to turn around and share that information with somebody I may not want to have it shared with.

Now, there are lots of new technologies that are enabling people to establish that personal privacy policy and fine tune it to their own preferences. P3P, for example, is a new technology -- that is growing in its use on the Internet -- that allows you to set your computer so that when you visit a website it will tell you whether or not that website has met certain privacy policies based upon your own criteria that you devise at the outset and will warn you that this site does not meet all those criteria. And therefore you can leave the site if you don't want to participate in the standard that they have. Or you can let them know you don't agree with their standard and negotiate with them to change that policy as they deal with you.

I think that should be a part of the opportunity of not only each consumer but also each business to negotiate as a part of their doing business with you. But when they take that to the next step of taking that information beyond their own usage of it -- because, after all, the transaction that took place in the past between you and them is information that both of you and they share in ownership. But if they then attempt to turn around and sell that to somebody else or give it to somebody else for whatever reason, I think you need to have the opportunity to avoid that if you don't want to.

REP. COX: And can I ask you to comment just briefly on the other part of that question which is whether it is possible to use property rights as the basis for enforcing this regime of privacy protection and information sharing? And apply it across all technologies -- pen and ink, typewriter, telephone, U.S. mail, the Internet, whatever it's going to be. Can we write a law that says that you have these protections, you have these rights, businesses also have rights and ways to conduct themselves that are all clear in advance that aren't dependent upon the Internet.

REP. GOODLATTE: Well, framing it as a property right, I think we have laws that do that to a certain extent today. But in limited areas like intellectual property and so on. Whether you can take that beyond that is a good thinking tool, I guess, as we move forward to address this. But it would be, I think, a major change in policy to try to write every use of every piece of information about anybody as something that cannot be known. There are lots of things that we pick up just by looking around this room that --

REP. COX: Oh, no, to the contrary, what I would have in mind is that simply by clarifying that people can do whatever they want you would have the maximum freedom to exchange information but also individuals would have the maximum opportunity, if they chose not to participate in that regime, to pick something else.

REP. GOODLATTE: I think that's the direction we're headed with an opt-out type of policy here. I think we share --

REP. COX: And can you extend that to life on the planet as opposed to just the Internet?

REP. GOODLATTE: Well, we, I think, should certainly consider that as we move forward. If it is necessary and appropriate to make sure that we're not singling out the Internet.

REP. COX: Yeah, I think that if we can do that that would be ideal. Because I worry always about laws that however well intended end up discriminating against the Internet. We need to recognize that some of this transcends the technology and a lot of these things have been going on for an awfully long time.

REP. GOODLATTE: But we also have some laws in those other areas that in a new technology we need to make sure that those same protections exist there. So, yes, I think our objective is the same but how we -- how we achieve --

REP. COX: Thank you, thank you very much.

REP. TAUZIN: Thank you, gentlemen. The chair recognizes the gentleman from Ohio, Mr. Sawyer, for a round of questions.

REP. SAWYER: Thank you very much, Mr. Chairman. I am grateful for the work that both the gentleman from -- well, both of the gentlemen from Virginia have done not only within this Congress but internationally. I think the work that you've done internationally may be even more important than the work that has taken place here, as important as that may have been.

I was interested in your tailor analogy. My tailor has gone one step beyond yours. He has been able to project trend lines. (Laughter.) So I came in -- when I was in the legislature -- at 38 and then when I was a mayor it was 40 and now as a member of Congress it's 42. And I'm just stunned at his ability to anticipate this sort of thing.

REP. GOODLATTE: Well, he has an inflated view of your potential. (Laughter.)

REP. SAWYER: I was out of the room for a moment. Am I correct -- in hearing the tail end of your comment to the gentleman from California -- that you believe there ought to be a distinction between information that is gathered for the internal use of a vendor of a service and that which is then subsequently offered for sale, for profit, to others?

REP. GOODLATTE: Well, I think that there very definitely needs to be a standard set that allows people to know if that information is going to be used for other purposes to give them the opportunity to opt out of that. And that's one of the things, that Congressman Boucher outlined in the formulation of potential legislation, that I think would promote the Internet at the same time make sure that consumers are aware of some of the risks of misuse of their information.

REP. SAWYER: Might that be an appropriate point of distinction between opt out and opt in?

REP. GOODLATTE: Well, no, because, again, it would be I think the opportunity to find out if indeed that information was going to be used for those purposes and if so choose not to do business with that company or have the company agree that in dealing with you they will not use the information for that purpose.

REP. SAWYER: Let me touch on the subject that both you and Mr. Boucher talked about in terms of the work that's been done with the European Union. Clearly that is only one arena in which this kind of problem will arise in a global market. To what degree do you believe this has served as a template for broader negotiations with other arenas? And how would you propose to go about doing this?

REP. GOODLATTE: Well, it's only a starting point, even with regard to the European Union, because we have such widely divergent approaches thus far to consumer privacy on the Internet that it only works in the intermediate term, if you will, to allow --

REP. SAWYER: You're actually answering my second question --

REP. GOODLATTE: Yes.

REP. SAWYER: -- rather than the other one. But if you want to go ahead with that -- I mean, I agree --

REP. GOODLATTE: Well, let me say that I think --

REP. SAWYER: -- there are huge cultural differences between the United States and Europe in terms of their government business relationships.

REP. GOODLATTE: There are indeed and the Internet is probably the greatest challenge to the sovereignty of nations and states to insist on a particular format or standard.

So, I think what we need to do is to continue to work with parts of the world that have taken the lead in addressing this issue, like the European Union, with whom we may have substantial disagreement but attempt to forge a workable solution to that. And, also, show more leadership in the United States as we continue to evolve this policy so that then as other countries in the world begin to address this we can have some influence over that process. Because, again, we'll have the same problem with 150 nations around the world as we have with 50 states in the United States attempting to have different privacy policies.

REP. SAWYER: Or 13, 14, 18 members of the European Union.

REP. GOODLATTE: Right.

REP. SAWYER: Thank you, Mr. Chairman. I yield back the balance of my time.

REP. TAUZIN: I thank the gentleman. The gentleman -- Mr. Luther is recognized.

REP. LUTHER: Mr. Chairman, thank you, I'll pass.

REP. TAUZIN: Ms. McCarthy?

REP. KAREN McCARTHY (D-MO): I thank the gentlemen, both gentlemen from Virginia, for their efforts to raise and resolve this very important issue. And, Mr. Chairman, I would like to reserve my questions for the panelists who are coming.

REP. TAUZIN: I thank the gentlelady.

Mr. Green, from Texas.

REP. GENE GREEN (D-TX): Thank you, Mr. Chairman. I have one question I'd like to ask our colleague. I know you mentioned beneficial uses earlier in your -- in data collection -- and I want to echo your comments. I think that we in Congress must be careful not to restrict legitimate business practices. One of the concerns I have on data collection (is part of it?). Do you believe that Congress should prevent, for example, third parties from trying to collect an individual's anonymous website visits with that individual's personal information? You know, because now we're hearing new technology is being developed every day on how not only -- at one time it was a cookie so you didn't let the -- you didn't accept that but now there's other technology that the individual user may not know. You know, again, it's hard to write laws to stop that when, you know, technology can change from day to day, week to week. I'd appreciate a comment on third parties just tracking someone. It may not be a -- have a relationship, a business relationship.

REP. GOODLATTE: Yeah, I think that is a very great concern. We have in our constitution protections against governments doing that, in our Fourth Amendment, and we certainly should have protections against other individuals who are not engaged in a transaction with you using some technological device to track your activities and gather information about you without your knowledge or approval. I think that's a serious problem. I think, quite frankly, that some existing laws and regulations enforced by the Federal Trade Commission give some protection in that area but we need to continue to look at that.

And we also need to have the kind of spotlight on that activity that has, I think, been effective thus far in pointing out some entities that have stepped over the line on the Internet. And there's been an outcry and if they are a reputable business they've backed away from some of these things. I think that's good and that's important. So, in addition to disclosure to individuals we also to have prohibitions in any law that we write that says that if you are gathering information about somebody without their knowledge and not disclosing that to them that there is a consequence to doing that.

REP. TAUZIN: I thank the gentleman. The chair again wishes to thank our friend for his patience, for spending so much time with us. And, again, to pledge to work with him as we enter the new Congress, hopefully together again where we can continue this dialogue and eventually a resolution of some of these issues.

REP. GOODLATTE: Thank you, Mr. Chairman, it's a privilege to work with you.

REP. TAUZIN: Thank you. We'll now welcome our second panel. I want to preface this second panel with, again, an explanation that the second panel will discuss with us findings of several reports -- the Horn report, the Lieberman report, and the recent GAO report, done at the request of Mr. Armey and myself, in so far as it covers the federal websites and the status of the federal websites.

In prefacing this panel I want to read to you the results of that GAO report in brief. As of July 2000, all of the 65 websites in our survey, conducted by GAO, all of the 65 websites in the survey collected personal, identifying information from their visitors. Eighty-five percent of the sites posted a privacy notice. That means 15 percent did not, obviously. The majority of these federal sites, 69 percent, also met the FTC's criteria for notice. Which implies that 31 percent did not. However, a much smaller number of sites implemented the three remaining principles of the FTC: choice -- 45 percent; access -- 17 percent; and security -- 23 percent.

Few of the federal sites, three percent, implemented elements of all four of the FTC's fair information principles. Three percent implemented elements of all four of the FTC's fair information principles. Finally, a small number of sites, 22 percent, disclosed that they may allow third-party cookies. Fourteen percent actually allowed their placement. That is, 14 percent of the sites surveyed by GAO indicated that they allowed placement of cookies on their federal websites.

In fact, we learned in the news today that the White House itself discovered that it permitted the collection of information through a cookie system and has ordered it to be dismantled. Where is that notice? I want to refer to it. So everybody can see that this is a real problem.

The story on the web today, "White House on Cookies: Doh!" Cookie dough, I guess. After being chastised by watchdog groups, the White House has issued an order to all federal departments and agencies: no more cookies. The White House was embarrassed last week by the revelation that it used cookies -- bits of consumer code that track and record users' movements across websites -- on some of its websites, violating its own privacy policies and possibly violating federal privacy laws. Check it out on the web -- entitled "White House on Cookies: Doh!" -- Wired news report.

I'm pleased now to welcome our witnesses. First of all, Ms. Linda Koontz, the director of information management issues, U.S. General Accounting Office. Ms. Sally Katzen, deputy director for management of the Office of Management and Budget. And Mr. Roger Baker, the chief information officer of the U.S. Department of Commerce, who by the way also, I understand, chairs a privacy subcommittee of the Federal Chief Information Officers Council.

So, we want to welcome you all. We begin with our first witness, Ms. Linda Koontz of the U.S. General Accounting Office. Remember, your written statements are already a part of our record. We would appreciate it if you would use the five minutes allotted to you to summarize your comments and then to open yourselves up to a dialogue with us on some of the issues we discussed today.

Let me again thank the GAO, on behalf of Mr. Armey and myself and this committee, for in fact conducting the survey as we requested it. That information, combined with the Lieberman and Horn reports, is again the basis of this panel's discussion. We begin with Linda Koontz.

MS. LINDA D. KOONTZ: Good morning, Mr. Chairman and members of the subcommittee, thank you. Thank you for inviting us to discuss online privacy, a subject that has emerged as one of the key and most contentious issues surrounding the continued evolution of the Internet.

My testimony today will discuss the findings in our recent report on Internet privacy which was based on a survey of federal websites that we conducted, at your request, in July 2000. Specifically, you asked us to determine how federal websites would fare when measured against the Federal Trade Commission's fair information principles for commercial websites.

These principles are: notice -- data collectors must disclose their information practices before collecting personal information from consumers; choice -- consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those which the information was provided; access -- consumers should be able to view and contest the accuracy and completeness of data collected about them; and, security -- data collectors must take reasonable steps to ensure that information collected from consumers is both accurate and protected from unauthorized use.

Using the methodology that the FTC developed to evaluate commercial website privacy disclosures, we analyzed a sample of 65 federal websites to determine whether they collected personal information -- such as name, address, email. And, if so, whether the sites included disclosures to indicate that they met the fair information principles. We did not try to determine whether the websites actually followed their stated policies.

I should note that federal agencies are not required to follow FTC's fair information principles but, instead, are subject to the requirements of law such as the Privacy Act and guidance issued by the Office of Management and Budget. In addition, FTC staff expressed our use of the methodology, stating that there are fundamental differences between federal and commercial websites which, in their view, make the methodology inappropriate for use in evaluating federal website privacy policies.

You've already summarized very accurately what are findings were in this report. So, I will conclude my statement here and I'd be happy to answer any questions that you have at the end of the panel.

REP. TAUZIN: Thank you, Ms. Koontz.

MS. KOONTZ: Thank you.

REP. TAUZIN: We'll now hear from Ms. Sally Katzen, deputy director of the Office of Management and Budget.

MS. SALLY KATZEN: Thank you, Mr. Chairman, and I join those who have congratulated you on having this hearing on this very important issue. And I appreciate your inviting me to testify on the privacy on government websites.

As the members of this panel know, protecting the privacy of American citizens is a very high priority for this administration. We have worked hard to ensure that the fundamental privacy protections are properly safeguarded as our government, indeed society at large, moves into the digital age.

Nowhere is this task more important than in the federal government's obligation to continue to protect the privacy and confidentiality of the personal information that it maintains and to protect the privacy of individuals in their interactions with the government over the Internet.

Today the federal government is increasingly becoming and electronic government full of new opportunities to provide services and information to the public quickly, easily and when the public wants it. But, as everyone has noted today, we must be vigilant to ensure that personal privacy protections remain constant or improved in the process of this transformation.

I am proud to be able to testify here today about the success of this administration in meeting this challenge, in taking major steps to boost the level of privacy afforded to American citizens when they access the government electronically. Without doubt, we have more to learn as a government. In this time of rapid change in technology and information flows, all organizations do no matter their size. But I'm confident that we're achieving significant progress and clearly heading in the right direction.

Now, to understand the GAO reports on privacy practices it is important to put them in proper context in history. And I would begin with the Privacy Act of 1974 -- as you did, Mr. Chairman, in your opening comments. For over a quarter of a century it has afforded Americans strong legal protections for personal information stored in government systems of records, no matter whether they exist in paper or in electric form. This is not voluntary, this is mandatory, it is the law of the land.

These protections include: notice, prohibitions on the unauthorized release of personal information, ability to access your records and change errors that may appear, and security safeguards as well. I would just note that Senator Horn's grades on security -- which you've mentioned a couple of times now -- was the subject of another hearing that I participated in and there is grave concern about the methodology that he used and the grades that he gave. That was not an uncontested system that was established. We believe that the security of the government websites is, indeed, very strong and will remain so.

Now, while the Privacy Act provides the bedrock privacy protections for Americans in their relationship with government, the changes in technologies have produced a different world than existed in 1974. And, as has been noted, to keep current with meaningful privacy protections, the Office of Management and Budget has augmented the privacy provisions with policy guidance. The agencies' response to that guidance has been outstanding.

For example, in April 1999 a study revealed that just over a third of the federal agencies had privacy policies posted on their main web pages. In June, two months later, OMB Director Jack Lew issued a memorandum to all agency heads directing them to post clearly labeled and clearly written privacy policies on their websites by September 1, 1999. Director Lew -- echoing the sentiments of Mr. Boucher earlier -- said, we cannot realize the full potential of the web until people are confident we protect their privacy when they visit our sites.

Now the message was received by the federal agencies and the GAO confirmed this result in which you have referred to as the Lieberman study. This was a study conducted in April of 2000 and released on September 5th, 2000. I call it the first GAO study. Now, you suggested that they found the policies to be wanting. In fact, this study found that 69 of 70 principal agency websites had a privacy policy posted on their sites. And all 70 did within days of the release of that report.

Equally impressive, the GAO identified 2,692 major website points of entry to six federal government agencies. These are sites where the largest number of people interact with the federal government. And of the sites they reviewed, GAO found only nine lacked privacy policies. This record is impressive and I believe is an accurate picture of the federal privacy policies online.

Now, in view of this it is, I think, fair to ask why GAO reached the conclusions that it did about federal agencies' compliance with the fair information practices written by the Federal Trade Commission for commercial websites -- which is the second GAO report. The answer, I believe, as more to do with the questions that were asked than the practices that were reported. Specifically, the administration pointed out to GAO staff, in the course of that study, that the study was misdirected and the answers to the study's questions would likely be misleading.

GAO has also reported that the FTC independently expressed concern that its methodology was -- and I'm quoting -- inappropriate for use in evaluating federal website privacy policies. Why is this, you might ask. Let me explain. The central premise of the study that was done was that the FTC formulation of fair information practices for commercial sites could appropriately be used to measure the privacy protections of government websites. We think it cannot because the FTC practices were designed for the private sector where the Privacy Act and OMB guidance do not apply. This is a very important distinction between commercial companies and federal agencies.

The fact that there is no law establishing privacy protection for individuals in the commercial arena led the FTC to stress the need for a statement about policies. Because absent a statement the companies cannot be held accountable. That is, you must have a representation of what you will do, and then not do it, to be enforceable by the FTC. Government websites, by contrast, do not have to make any representations to be held accountable. The Privacy Act establishes -- in the most public way possible -- the standards to which citizens can hold federal agencies accountable and exactly how they can hold those agencies accountable.

Thus, the test of a federal website provides privacy protection is not whether it includes a statement that makes it comparable with commercial practices but, rather, whether good privacy protections are in fact in place. And the first GAO report, the Lieberman report, showed that the major federal websites informed citizens of how their data are used at their websites.

And I would refer you specifically to page 25 of that report which takes each of the fair information practices and documents that they are covered either by OMB policy or by the Privacy Act. And it is against that which the first study measured the federal websites and it's against that standard that they did as well as they have done.

Now, we recognize that in this information age it is critical that the federal government continue to use technology to keep the public informed and provide services to the public and stay on the cutting edge of technology. The launch on September 22nd of FirstGov.gov was a major step to enable us to continue providing information and resources to the American people. In this, and many other ways, the need for privacy protection online and the need for public confidence in the federal government's privacy standards is expected to only increase in the year's ahead.

It would be most unfortunate if any misleading conclusions as to the state of privacy on federal websites interfered with our common goal of achieving electronic government with full participation of the public. I thank you, Mr. Chairman, for holding this hearing and for giving me an opportunity to testify.

REP. TAUZIN: Thank you, Ms. Katzen. And, finally, Mr. Roger Baker, chief information officer of the U.S. Department of Commerce. Mr. Baker.

MR. ROGER BAKER: Thank you, Mr. Chairman, members of the committee. Thank you for inviting me to testify before the committee today. I am testifying -- as the chairman noted -- in my role as the chairman of the Federal Chief Information Officers Council subcommittee on privacy. However, as a practicing as chief information officer for an agency, I'll also include some anecdotal information from the Department of Council.

In my testimony today I'd like to make three points. First, privacy is an important issue for chief information officers throughout the government and the Federal CIO Council. That our fundamental guidance on privacy, inside the federal government, comes from the Privacy Act, other applicable federal laws and OMB policy. And that in the past two years we've made substantial progress in both the quantity and quality of privacy policies posted on federal websites and significantly raised the awareness of privacy issues within the federal information technology community.

First, privacy is an important issue for CIOs and the Federal CIO Council. By creating a subcommittee on privacy, the Federal CIO Council signaled to all federal information technology workers that protecting the personal privacy of the public is one of the key issues facing us today. The American public provides government agencies with the most sensitive of personal information. It is our duty as federal employees to protect this information to the best of our ability. This means that our information systems must be secure from intrusion and that these systems must work in accordance with applicable federal laws.

The CIO Council keeps this issue at the forefront of IT discussions by making it a key part of our annual strategic plan, including privacy in the conferences we support and the speeches we make, and by providing agencies with best practices or examples of how to improve the privacy and security aspects of their information systems. There are many examples of these best practices for privacy and security on the CIO Council website at www.cio.gov.

I'd like to submit with my testimony the privacy impact assessment best practice developed by the Internal Revenue Service and can recommended by the Security, Privacy, and Critical Infrastructure Committee for use by all federal agencies. The CIO Council will continue to work with OMB and others to identify further best practices and other useful guidance that can be provided to agencies to help them in their efforts to protect personal privacy on the Internet and other information systems.

Second, our fundamental guidance on privacy inside the federal government comes from the Privacy Act and other applicable federal laws. Federal information systems, including Internet web servers, are subject to the provisions of the Privacy Act. In addition, OMB has issued policy directives regarding privacy protections on federal websites that focus on a number of issues.

First, that all major entry points and all points where substantial personal information is collected should have easily accessible privacy policies posted. Second, that those privacy policies be clearly written and reflect actual agency policies with regard to the collected information. Third, that those policies are in accordance with the Privacy Act and other laws and guidance that may be applicable to specific agencies. And fourth, that there is a presumption against the use of technologies that allow the tracking of activities of users over time and across different websites -- for example, persistent cookies as differentiated from session cookies -- unless high-level approval is obtained.

The CIO Council has worked closely with OMB to support the development and implementation of these directives. As an example of the results of this work, I would like to submit into the record the privacy policy posted on the main page of the Census Bureau's Internet website, www.census.gov.

While admittedly somewhat long, this privacy policy clearly conveys the types of information that may be collected, how that information will be used, and the specific legal protections provided that information. I use the Census privacy policy as an example because it involves both the Privacy Act and Title 13 protections.

Mr. Chairman, I believe the following points were made in the GAO report, but they are so important I will quickly make them again. Federal systems of records are covered by specific laws that give individuals specific rights and remedies if their private information is disclosed. These laws apply whether or not a privacy policy is posted on a federal website. There are no equivalent laws covering non-governmental systems. The FTC rules regarding privacy policies for private sector websites are meant to establish a legal basis under which a private sector website operator can be held responsible for the protection of private information collected on a website.

Once posted, the privacy policy falls under the jurisdiction of the FTC, which uses existing laws to hold companies to the promises they make to consumers. In short, if a private sector web site does not post a privacy notice, there is no ready legal recourse available to an individual whose privacy has been violated. In contrast, the Privacy Act and other laws apply even if a federal website does not post a privacy notice.

We can and should do a better job of communicating the protections that the Privacy Act and other federal laws provide users on federal websites. But I believe we should continue to use existing federal law as our guidance in this area, instead of the FTC policies clearly intended to achieve a different purpose.

In the past two years, we have made substantial progress in both the quantity and quality of privacy policies posted on federal websites. In 1999 the Secretary of Commerce called on private sector website operators to improve their privacy practices, placing special emphasis on the need for, one, posting privacy policies and, two, that policies include the fair information practices of notice, choice, access, and security. We quickly recognized that we, also, needed to make major improvements in our own website privacy policies, both at the Department of Commerce and throughout the federal government.

Working with OMB, we raised the profile of the privacy issue with both agency and technical management, and made substantial strides in both the quantity and quality of privacy policies posted on federal websites. And I won't go through the GAO reports again since you have that information but clearly we've made a major improvement. And I believe this is evidenced by the example from the Census Bureau, the overall quality of these privacy policies has seen substantial improvement as well.

In closing, Mr. Chairman, I'd like to reiterate my main points. Privacy is a very important issue for agency CIOs and the Federal CIO Council. Our fundamental guidance on privacy inside the federal government comes from the Privacy Act, other applicable laws and OMB guidance. And in the past two years I believe we've made substantial progress in both the quantity and quality of privacy policies posted on federal websites.

Thank you for your time and I look forward to any questions you may have.

REP. TAUZIN: Thank you very much, Mr. Baker. The chair recognizes himself for five minutes and (members in order?).

Let me first point out that there's another story on the web today on Yahoo! news that is quite relevant, Ms. Katzen. It's entitled, FTC to Apply Law to Websites. And it leads, contrary to a federal directive, major government websites -- including the one operated by the White House -- are not adhering to a law that requires companies to obtain parental consent before soliciting personal information from children.

MS. KATZEN: Yes, sir.

REP. TAUZIN: It's dated today. The White House website invites children to submit personal information, such as names, addresses and age, along with email messages for the president and for his family, and there is no -- no warning for children to first get their parents' consent before sharing this information. Is the White House violating the federal law?

MS. KATZEN: No, sir, it is not. COPPA, the Children's Online Privacy Protection Act, does not apply to the federal government.

REP. TAUZIN: Isn't that wonderful.

MS. KATZEN: Excuse me, sir, if I may please explain the practices that we follow here because this is a statement that has been made time and again in the press. By law, we're not covered. However, we have taken every step we can, consistent with our being a rather unique place, to meet the spirit of COPPA. Now, COPPA, remember, was to protect children from marketeers who would seek to exploit them for --

REP. TAUZIN: Ms. Katzen, I'm going to run out of time. I want to ask you, does not the June memorandum state that all federal websites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998.

MS. KATZEN: Yes, they do. But one of the conditions of COPPA is that if you're going to get personal information for a one-time contact you must destroy the record. And the Presidential Records Act does not allow us to do that.

REP. TAUZIN: Does not COPPA require the advice to children to get parental consent before --

MS. KATZEN: Yes, and on five or six --

REP. TAUZIN: And is the White House complying with COPPA? Is the White House complying with COPPA today?

MS. KATZEN: Is the White House complying with COPPA today? It is not required to comply with --

REP. TAUZIN: Does the memorandum require it to?

MS. KATZEN: The memorandum says to do what we can and we are working on systems to enable us to not destroy records. The Presidential Record Act, the security that attends the White House and other considerations make the White House very different from what COPPA was designed to do. On the other hand --

REP. TAUZIN: I'm going to run out of time. I want to go to some other witnesses.

REP. COX: Mr. Chairman, if you'd yield on this point. Having served in the White House counsel's office I'm well aware of the requirements of the Presidential Records Act -- which haven't been followed very carefully by this administration in any case. But why do you need to collect the information from the kids in the first place? Then you don't have a record to destroy.

MS. KATZEN: You do not have to provide any information to the White House. If you want a response you need to provide an email address or a regular address. Now, that is the information which COPPA says we would have to destroy if we obtained it from the child in the first instance. It is for that reason that on the White House homepages -- which are here -- it says on at least five different occasions "make sure it's okay with your parents," "we cannot respond to your message without your address but you can write us and you can tell us what you think without any information from you coming in."

REP. TAUZIN: Returning my time. Does EPA require that? Does EPA advise --

MS. KATZEN: Yes, sir, and the site that you were talking about has been taken down.

REP. TAUZIN: Taken down today?

MS. KATZEN: No, it was taken down on Friday, actually.

REP. TAUZIN: On Friday, right before this hearing.

MS. KATZEN: It was taken down as soon as it was brought to our attention that there was a violation. When we --

REP. TAUZIN: -- something else to the witnesses. I'm going to run out of time, Ms. Katzen and I've got to control my time, if you don't mind. Let me -- if I ask the other witnesses. You keep referring to the fact that federal agencies don't need to post their privacy policies. They don't need to say what they're collecting and how they're collecting it and who they're sharing it with because federal agencies are covered by the Privacy Act.

We've got information on the Privacy Act I want to cite to you. The Privacy Act provides twelve different exceptions, twelve exceptions provided by law for information collected by the federal government to be shared with other people. They include, for example, for routine use as defined in the act -- whatever that is. To the -- to other offices and employees of the agency. To a recipient who's provided the agency with an adequate advance written assurance that the record will be used solely for statistical research. It allows the sharing of private information to persons pursuant to showing a compelling circumstance of health, to members of Congress, to the comptroller general, to an (order of court?), to a consumer reporting agency -- twelve different exceptions by which consumers' information can be shared with other people. And federal agencies only say, we're complying with the Privacy Act.

How do consumers know -- without getting a lawyer and getting the lawyer to explain to him all the places where his private information can be shared with other people -- what is in fact happening to his private information under this Privacy Act?

MR. BAKER: I certainly wouldn't want to imply that I don't believe agencies should have privacy policies. I've worked very hard to get agencies to have privacy policies and that's one of the reasons that I'm proud of the fact --

REP. TAUZIN: Shouldn't federal agencies post their privacy policies, just like people in the commercial sector, so consumers know without getting a lawyer what's going to be shared with whom?

MR. BAKER: Federal agencies should post a privacy policy and we've certainly said that.

REP. TAUZIN: Okay.

MR. BAKER: That privacy policy, though, should reflect the federal law that applies to them and I certainly, as chief information officer, would not advise anyone working for me to not comply.

REP. TAUZIN: You're saying it's our fault, we wrote a law that lets these agencies share information so consumers be damned if they don't know where this information will be shared? Or should the federal government -- let me pose a question to, I think, as clearly as I can. If the FTC -- and for that matter, members of Congress -- are harping on the private sector to do more about informing consumers, what information is being collected about them, how it's being shared and to whom it's being sent, should not federal agencies live by the same standard? Particularly where information is being shared with federal agencies in a non-voluntary situation.

MS. KATZEN: They are. And they should be.

REP. TAUZIN: I'm not asking you, Ms. Katzen.

I'm asking Mr. Baker right now, if you don't mind. Mr. Baker?

MR. BAKER: I'm sorry, I --

REP. TAUZIN: Well, let me ask it again as carefully as I can. If the FTC is setting up standards by which it is going to judge private sector websites on the basis of whether or not they accurately inform consumers what information is being gathered, how it's being used and to whom it's being shared -- so that consumers can be warned -- should not the federal agencies, by which consumers and constituents interact with information that is not necessarily voluntarily presented to the government -- in many cases, mandatoraly provided to the government. Shouldn't the federal agencies be under a higher standard to exactly that? To inform consumers precisely about what information is being gathered, what it's being used for and to whom it's going to be shared with. Instead of hiding behind a law that gives you twelve exceptions that the consumer doesn't even know about.

MR. BAKER: I certainly believe that federal agencies should be as clear as they possibly can. Again, the reason I use the Census Bureau as example is because I believe it is pretty clear about what the protections are. The fact is that the Privacy Act is there and that's what we've used as our guidance. And even --

REP. TAUZIN: All right, as a final -- my time is almost out. Ms. Koontz, I want to go to you. Did the IRS in fact have a cookie on its website?

MS. KOONTZ: Using the FTC methodology we identified a third- party cookie in use at the IRS. However, in fairness to everybody here, the cookie that we identified was one that is placed on the visitor's hard drive when they are, in fact, in the process of leaving the IRS site. The reason we picked this up, however --

REP. TAUZIN: Wait, wait, I want to understand that.

MS. KOONTZ: Okay.

REP. TAUZIN: We have, I think, a federal policy discouraging -- the memorandum to discourage cookies on federal websites.

MS. KOONTZ: That's correct.

REP. TAUZIN: But there are exceptions. I understand cookies are allowed if the head of the agency authorizes a cookie on the website.

MS. KOONTZ: Right.

REP. TAUZIN: You're telling me that in your investigation, in your survey, you did discover that the IRS had a cookie on its website that visitors could click onto and have information shared with third parties?

MS. KOONTZ: When you were clicking on a link that led you to another website the receiving website was placing a cookie on your hard drive as you were exiting.

REP. TAUZIN: Was that authorized by the head of the agency?

MS. KOONTZ: Uh, I didn't ask them. They would have -- I mean --

REP. TAUZIN: How many other agencies had cookies on their websites?

MS. KOONTZ: There were eight websites who had --

REP. TAUZIN: There were eight websites out of the 65 you surveyed -- federal websites -- that had cookies by which third parties could gather information about citizens who visited those websites?

MS. KOONTZ: Yes. But, again, I mean, I want to be clear on this, it's that this is third-party cookies identified using FTC's methodology.

REP. TAUZIN: I understand. The chair's time has expired. The gentleman from Virginia, Mr. Boucher.

REP. BOUCHER: Thank you very much, Mr. Chairman. Let me begin by talking about the Children's Online Privacy Protection Act and asking our witnesses this morning if there's any reason why we shouldn't simply extend the protections of that act -- which essentially require that before any information is collected from children that the permission of parents be obtained -- to the federal government. Why should we not do that? Ms. Katzen?

MS. KATZEN: I don't have any problem with that. As the chairman noted, we have a memorandum from OMB instructing the agencies that they should comply and if the law were expanded to cover federal sites it would be fine. It may mean that when children write to the White House and ask for a picture of the president -- they want a glossy picture -- we could not send it out unless they wrote us on paper and then we return mailed.

But aside from the inhibition on incoming materials requesting -- incoming requests for outgoing things from the White House, there is no reason why it should not be expanded. We believe strongly in COPPA and have supported it. And whenever we find that someone is not complying, we take down that site.

REP. BOUCHER: Do either of the other witnesses have anything to add to that? Ms. Katzen, let me ask you this. You were attempting to provide an answer about current White House website practices with respect to the Children's Online Privacy Protection Act. I think you did not get a full opportunity to answer that question and I would like to afford that to you if you'd like to take a minute to do that.

MS. KATZEN: Thank you very much, Mr. Boucher. We had originally had a White House kids' page which got a lot of requests for things. We knew that it would be covered within the spirit if not the letter of COPPA. At the time we had asked for the child's name, the address, the email address, the school, what grade they were in -- a lot of different questions. With COPPA we stripped that down to the bare essentials, the minimization principle which is so prevalent in privacy discussions. And we only asked for that information if they wanted us to respond to them, not if they were simply communicating one-way to us.

Also, we placed throughout the site, in a number of places, warnings that they should be talking to their parents, that they should be involving their parents in this. And, finally, we have been negotiating with NARA, the National Archives, to see whether we could get an exception from the Presidential Records Act as we have for bulk mail, for example. If we could put these children's addresses -- just to send them a picture of the president or Socks or Buddy -- if we could put those addresses in a separate file or folder and/or destroy that so we would not have that kind of information. And that has been in process and we have been working on that. Our intent is to protect children's privacy and to engage parents. We think COPPA is good law.

REP. BOUCHER: And you would not object to having it be extended to federal government sites generally?

MS. KATZEN: Correct.

REP. BOUCHER: Good. Let me ask for your response to the suggestions that I made earlier that the time has now come for Congress to accept the invitation of the FTC and legislate a set of minimum guarantees for the privacy protection of visitors to websites including the requirement that websites post a notice of what information they collect and how it's used and then provide an opt-out opportunity. Is there any reason why we should not extend that set of guarantees not only to the practices of commercial websites but also government websites?

MS. KATZEN: For the most part the actual substance of what you have provided exists now in the law. In terms of legislation, this administration has taken the position that the most sensitive information should be protected first and foremost. So, we have worked on financial records. We have worked on medical records. These are areas where we think it is essential to provide adequate protection because they're so sensitive.

If we could have those types of procedures in place for the very sensitive information we would very much want to work towards the next step which is to do a broader scope of protecting privacy. There are difficult questions -- as Mr. Goodlatte and you had discussed -- the balancing between giving out information and restricting the use of that information. But we have repeatedly called for more stringent protections for financial, for medical, for genetic discrimination, social security numbers. There's a vast area that are specific problems that have appeared.

One of the other --

REP. BOUCHER: Well, my time is expiring. So, I gather the answer to the question is you're not sure. And that perhaps we need to consider further whether to extend that minimum set of guarantees not only to commercial websites but to government websites as well.

MS. KATZEN: I think it's an important step but I think the other steps are more important and should take priority in any legislative proposals.

REP. BOUCHER: Mr. Chairman, may I have unanimous consent to proceed for one additional minute? I just have one other question.

REP. TAUZIN: Let me find out. Is there any objection to the gentleman proceeding for one additional minute? Without objection --

REP. BOUCHER: Ms. Katzen, let me simply ask you if you believe there are any statutory provisions that need to be adopted beyond what we have discussed this morning. Do you have any recommendations for us for any additional statutory provisions that would be in aid of enhancing the privacy of Internet users?

MS. KATZEN: Oh, yes, sir. The administration has a proposal to plug the loophole in Graham-Leach-Bliley, on financial records, that would enable consumers to know when information is being shared with affiliates of the organization. That bill has been here. Mr. Markey has been active on that issue as well, I believe.

Medical health -- we've for two years requested Congress to move forward on medical health records. This is an area which is terribly important to people. Whether it be sensitive matters like mental health records or HIV testing, or commonplace like mammograms. There was a story on NPR this morning about a woman who was fired after information became available. Those are very important.

There's also -- the administration has a social security bill to protect the sale and profiteering from selling social security numbers. Genetic discrimination has been in committee for a long time. Ms. Slaughter, Louise Slaughter's bill has been one that we have been supporting and hoping Congress would pass.

These are things that touch the lives of American people in a real way. Not when they're out buying something --

REP. BOUCHER: Okay, okay, thank you, Ms. Katzen. I think that answers the question.

REP. TAUZIN: The gentleman's time has expired.

REP. BOUCHER: And I appreciate the chairman's indulgence. Thank you very much.

REP. TAUZIN: I thank the gentleman. The gentleman recognizes the gentleman from Illinois.

REP. SHIMKUS: Thank you, Mr. Chairman, I'm going to yield my time to the gentleman from California. But before I do that I ask -- forgive this committee -- my brother-in-law was testifying before another committee on anthrax and the government anthrax so I got a chance to introduce him. And because of that I wasn't here for all the testimony, to hear all the comments. So, in lieu of my being able to fully listen I'm going to yield my time to the gentleman from California.

REP. TAUZIN: Mr. Cox from California.

REP. COX: Thank you and I'll proceed out of order in that case. Well, we begin with the GAO report telling us that most of our federal agencies are not complying with the rules that we apply throughout the private sector when it comes to privacy. In fact, only three percent of agencies are implementing all -- or at least part -- of all of the FTC's requirements. And in particular, the most disturbing to me, at least, finding is that so many agencies are placing cookies on the computers of people who log on.

I don't understand why the Office of Management and Budget, in its latest guidance, continues to permit the use of cookies by federal agencies, continues to authorize the placement of cookies on citizens' computers. And I wonder if from OMB's perspective there is a good reason that we ought to have such vague rules about cookies. OMB doesn't differentiate between temporary and personal cookies in the guidance. It's very, very brief -- that Director Lew put out. It's extremely short, just a few paragraphs.

Director Lew says that agency heads can approve putting cookies on the sites. We have agencies then who are quoted in this article from Wired news saying that they're quite sure that their agency heads will approve all of this and continue to use the cookies. The National Endowment for the Humanities says they're going to continue to use cookies and that they expect approval. In this article they are quoted as saying that the agency head was on vacation -- that's what they told the reporter -- but they were sure that the agency head would approve the gathering of information from citizens who log onto that site.

The Federal Energy Regulatory Commission actually says, we generally do not use cookies. But according to Wired, anyone who stops by the FERC homepage will receive a cookie and it will not expire until December of 2010. The Department of Transportation has placed cookies on citizens' computers logging onto it that will last 34 years. These are persistent cookies. They track your web activity after you leave the site.

So, from the standpoint of OMB, why shouldn't we just say, no cookies? Why are you putting cookies on people's computers and why is this a good idea? I mean, if you're investigating somebody I understand it. We ought to say that government can investigate people. But if you're not -- if somebody's not under investigation, why do we put a cookie on their computer? And why, of all things, would that cookie track their activity when they've left the site?

MS. KATZEN: I think you raise a very important question to which my bottom line answer is that we shouldn't. And that is why the OMB policy was written. I think it is important to note that GAO did its study in July of 2000. We had issued the Lew memorandum, no cookies -- on this presumption of no cookies --

REP. COX: In June.

MS. KATZEN: In late June. And so it has taken some time --

REP. COX: But the Lew memorandum doesn't say no cookies, is my point. Why not? Why doesn't it say no cookies?

MS. KATZEN: Well, it says there should be a presumption against it. They can be used importantly and that's the reason that -- incidentally, there is a clarification on the session cookies point, that you had mentioned. There's a letter actually to Roger Baker (sp) from John Spotila (sp), who is the administrator of the Office of Information and Regulatory Affairs, that says that when you're logging on in a single session and you want to, for example, make a purchase order at the mint and you have put in your name and address and then you can't remember which things you wanted to buy so you're going to logoff or open up another window and come back on again, keeping the session cookie there means that you can complete that one transaction. That cookie disappears when you have finished the transaction and logoff. That's the clarification of September 5th to Roger Baker.

There are other reasons.

Whether they be national security or --

REP. TAUZIN: Could we have a copy of that clarification for the record, Mr. Baker?

MS. KATZEN: Sure, I have one here.

REP. TAUZIN: Would you submit it to the staff?

REP. COX: What is the national security reason that we want to track the usage of the web by American citizens?

MS. KATZEN: I cannot tell you that there is one or that --

REP. COX: Well, you just did.

MS. KATZEN: Well, I think you interrupt -- I was interrupted when I was saying that if the agency head is presented with a compelling case for why this crucial to the agency's mission or otherwise endangers some facet of their operation, then the agency head is to consider that information and make as decision. They are then to report that to OMB where we will have a chance to review that. We'll be getting information about this kind of situation and we'll be monitoring it.

I don't know offhand the kinds of situations -- we're talking about changes in technology that are happening very rapidly and practices that are changing very rapidly. And for us to try to set policy that says, no way, no how, never, ever, ever, ever, regardless of whatever reason might be justified, I think is to fly in the face of what we have seen in the last two years --

REP. COX: Well, I don't mean to interrupt you but I certainly need to use some of my own time. We're sort of far away from that with the Lew memorandum. The Lew memorandum is far from saying, never, ever, ever, it puts at the discretion of every agency head. And as you can see from --

MS. KATZEN: It's not unbridled discretion because you have to have privacy policies in place, you have to have other kinds of circumstances.

REP. COX: Well, as I just quoted from the Wired news article, the agency heads or the people who work at these agencies are assuming that, you know, for whatever reasons -- including something as mundane as statistical purposes, you know, collecting information about the use of their site -- they can continue to put cookies onto people's computers notwithstanding the Lew memorandum. That article was written after the Lew memorandum went out. So, obviously people are not taking this as an instruction no longer to put cookies onto people's sites.

Lastly, with respect to COPPA, which we should distinguish from COPA -- I think your references to COPA have actually been references to COPPA, they're very similar sounding acronyms but one deals with pornography, as you know, and --

MS. KATZEN: Right.

REP. COX: -- the other one does not. We're dealing here with COPPA. This business about the Presidential Records Act and not being able to respond to people and so on, is relevant only if you're trying to end run the law. Because, as you know, the law -- the basic provision of the law that the whole rest of the country's complying with is that you get parental consent. Verifiable parental consent is the touchstone of the law.

If the White House were willing to live by the same rules that everybody else in America is living by, they would just go ahead and get parental consent and respond to kids in that way. The only reason that it becomes relevant that you destroy the information is if you're trying to do an end run around that requirement.

There is an exception, as you know, where consent is not required in narrow circumstances, and you're trying to exploit that provision here by importing the Presidential Records Act as the reason you can't get it done. Why not just comply with the law?

REP. W.J. TAUZIN (R-LA): The gentleman's time has expired.

Ms. Katzen, you can respond before I'll move on to someone else.

MS. KATZEN: Thank you very much.

The exception that you note is the one time contact, and that's the situation where I'm talking about if you write in and say I want a picture of the president, it's only one time. We're not trying to build a track record or a relationship with the child.

REP. COX: So why not comply with the parental consent requirement?

MS. KATZEN: That's not an end run around the statute. It is recognizing, as Congress did, that if you're not going to build a long-term relationship you don't need verifiable consent. Verifiable consent on a one time only doesn't really make a whole lot of sense.

To have a child say I want a picture of Socks, you say okay, have your parent fill out a form and fax it in, and when we get that we'll then send you the picture is a little bizarre for a one time only, and that's why the statute clearly has that exception built into it.

REP. TAUZIN: The gentleman's time has expired.

The chair recognizes the gentlelady from Missouri, Ms. McCarthy.

REP. MCCARTHY: I have no questions at this time.

REP. TAUZIN: The chair recognizes the gentleman from Texas, Mr. Green.

REP. GENE GREEN (D-TX): Thank you, Mr. Chairman. I have a couple questions.

Ms. Katzen, the chairman outlined loopholes in the Privacy Act of 1974. Do you believe that the Privacy Act of 1974 is outdated and allows or may allow the distribution of that personal information?

MS. KATZEN: I think the Privacy Act has served us well for the last quarter century. I'm always open to relooking and seeing whether in an age where we act faster with faxes and internet instead of more leisurely types of communication more careful language has to be included, but if GAO asks us or Congress in oversight asks us for information, we're going to be providing it, and I think citizens know that that is the case. Those are the kinds of exceptions that are in there.

Routine use. To establish routine use that the chairman mentioned, the agency has to publish in the Federal Register a description of what it is they're talking about, which is we're going to take your information, and I'm going to share it with this bureau or that bureau for this purpose or that purpose. It's written in the Federal Register. Comments can be filed on that. It's a very public process.

My own instinct is the last quarter century we've been well served, but I would not be in any way contrary to looking again at the language to see if it could be tightened. We believe in privacy.

REP. GREEN: Are Americans who provide information to the agencies vulnerable to having that information used in some inappropriate way? For example, you know, whether it be the IRS, whether it be, you know, HUD or somewhere else. Do you know of any examples where information that someone provided was used inappropriately?

MS. KATZEN: I will not sit here and tell you that there is no instance of misuse of information. I can tell you that we have taken all reasonable steps to minimize that and to insure that when we hear about something there is a remedy.

I thought the first GAO study that went through and identified where policies could be more clearly stated or more solicitously put was a good thing because the agencies saw that, and they want to do the job, and they, therefore, have begun the remedial effects from these kinds of reports. We have worked very closely with GAO to insure that we know what's happening.

I can't tell you there's never been an instance, sir, and I won't do that.

REP. GREEN: Okay. Well, I don't expect that, but I want -- you know, we have remedies for it, but generally, you know, the American people ought to feel comfortable that contacting or providing information is not going to be shared inappropriately --

MS. KATZEN: Absolutely.

REP. GREEN: -- and there are punishments for inappropriate use of that information.

MS. KATZEN: Yes, and there's a private right of action. I mean, in the Privacy Act if you feel that something has been done you can bring suit.

REP. GREEN: Okay. Yes. I know that. That's not a problem. I just want to make sure there's also an appropriate response --

MS. KATZEN: Yes.

REP. GREEN: -- that the U.S. government can do to someone who is using that, not just a private right of action.

MS. KATZEN: Yes, sir. There are criminal and civil --

REP. GREEN: Okay.

MS. KATZEN: -- statutes and penalties involved.

REP. GREEN: Okay. Let me ask you about the federal web placement of third party cookies. I guess the report that we have shows that the survey showed 22 percent of all sites disclosed that they may allow third party cookies. Fourteen percent allowed their placement.

What would be the reason why we would allow placement of a third party cookie on our website?

MS. KATZEN: I don't know. I did not understand that statement that they may allow, and I did not understand that they do allow other than as they're leaving the site. I think that the witness from GAO was trying to explain it.

Cookies are used for site management. They're very, very popular in the private sector. Everybody uses them in the private sector.

REP. GREEN: Okay, but 14 percent of third party. I don't know if that 14 percent is third party non-government.

Mr. Baker, Ms. Koontz, do you know any examples of why we would have a third party involved in placing cookies on federal websites?

MS. KOONTZ: In the survey that we did, we identified eight websites where we picked up the concept of a third party cookie. In the vast majority of those, those were cases where a visitor might be clicking on a link to go someplace else, and the new site was placing the cookie before you left.

That's not something that is typically thought of as a third party cookie, but it was a concern because there was no clear warning that you were leaving, that you were subject to a new privacy policy or that a cookie was being placed.

Now, in one case there was a federal agency did allow the placement of a cookie by a third party who collects information, and this was done, I believe, as a way of the third party collecting usage information about that particular federal site.

REP. GREEN: Okay. It seems like we would want to have some kind of restrictions on third party, whether it's inadvertent.

MS. KOONTZ: Yes.

REP. GREEN: Maybe that's something, Mr. Chairman, we need to look at. I appreciate my time.

REP. TAUZIN: I thank the gentleman.

Before I move to the next member, I would like for the committee's edification, Ms. Katzen, if you would submit to the committee clarification of what conditions could an agency head permit the use of either session or persistent cookies under OMB policy.

MS. KATZEN: Yes, sir.

REP. TAUZIN: If you would submit that for the record?

The chair recognizes the gentleman from Maryland, Mr. Wynn, for a round of questions.

I'm sorry. Mr. Sawyer is first. I'm sorry. Mr. Sawyer from Ohio.

REP. TOM SAWYER (D-OH): Thank you, Mr. Chairman. I apologize. The irony of this is beyond belief. I've been going back and forth at this point between Commerce and Census with regard to a question that goes directly to this sort of thing, and you may in fact be familiar with what I'm talking about.

I'm not going to go into that here, but I would hope that we could look at the mirror image of the concern that all of us up here share and from what I'm hearing you all share about the assurance of privacy.

Could you talk to us for a moment, each of the three of you in turn, about how we make it possible for agencies of government to share information that they need in order to illuminate and inform sound policy making here in a way that all of us would support without compromising the privacy of the information with which they have been entrusted?

MS. KATZEN: Mr. Sawyer, as you know, that is near and dear to my heart. It's something I've worked on for the last five or six years.

GAO sometimes refers to this issue in several big studies, but we have identified this as one of our priority management objectives this year and have been working on it to do a number of things, one of which is to enable agencies to share information to test eligibility to insure that the right person is getting the right benefit, the right amount of the right benefit. You do that by sometimes needing access to tax information, sometimes needing access to information that may be in somebody else's files. That's one form of sharing.

Now, there are computer matching Acts. There is the Act on computer matching. There are practices that are involved, and there are very stiff restrictions. 6103 of the Tax Code, for example, precludes this kind of thing without a very detailed process.

We have been working to see whether with new technology it will help us protect the privacy because our intent in sharing data would be to insure that no matter in whose hands it was it was being protected and it was being kept confidential.

Another area that we have been working on, which I think has something vaguely to do with what you've been doing on the times that you've not been here, has to do with statistical information.

Right now we ask American businesses to supply all sorts of information over and over and over again. If we could have the statistical agencies share more of that information -- ELS, BEA, Census -- you would be able to reduce the burden on respondents and, therefore, increase the likelihood of complete and honest and accurate responses.

That's an issue which again, that doesn't have personal information usually. It doesn't have even identifiable information, but it has sufficient protection and confidentiality that we need to work out the process whereby that can happen. Those are just two instances where if we can establish that we do protect that information, we could save the American citizens and the American government a lot of time and effort.

REP. SAWYER: Ms. Koontz, Mr. Baker, from the point of view of the committee that you've been working with could you comment on that?

MR. ROGER BAKER: It's interesting that the drive towards electronic government -- there are a lot of great ideas coming up with federal employees and their contractors for how to utilize information, and on the other side you have the Privacy Act, Title 13 and other things that do I think to this point an appropriate job of governing that enthusiasm and keeping us from putting databases together in ways that we know how to do, but, frankly, the laws I think appropriately keep us from doing.

One of the things that I can't help but emphasize, and I'm sure you're well aware of this given the other thing you're working on, is the attention that federal employees pay to the privacy issue. When you go out to Census and you're sworn in as a Title 13 swearing in person, they take that very seriously. They are the defenders of the public's privacy as federal employees.

I don't think that we recognize that or emphasize that enough in the government is that those people view that as their life's job A, to do a good statistical job, but, B, to protect that information, so I think the intersection of those two forces, electronic government and what we can do, the Privacy Act, Title 13 and others on what they keep us from doing, so far has kept a balance in there.

We have been able to move ahead, but not too quickly and without doing a tremendous amount of violating of people's privacy. I don't know how we would change that, to be frank. It's interesting to work in it right now, and again it's a balancing act there.

REP. SAWYER: Ms. Koontz, in preparing your analysis of all of this is it fair to say that you looked at it largely from the perspective of protecting privacy rather than the concomitant need to share information where appropriate?

MS. KOONTZ: I don't think we took actually either perspective. Our charge was very simply to use the same criteria that FTC uses, use their identical methodology and to evaluate federal sites using that criteria and methodology. I don't think there was a particular view associated with that except to the extent that FTC may have a view on how they look at sites.

REP. SAWYER: In that sense, without having the two different angles from which to view a complex problem, would it be fair to say that without using words like -- I don't want to; I won't even use the word, but that it yields a less than fully developed portrayal of the complexity of the problem that we're trying to deal with here?

MS. KOONTZ: I guess I look at this issue a little bit differently. It's true that you can't hold federal sites accountable for not following the FTC methodology, the FTC fair information principles. They're subject to other rules, other laws, other regulations.

Then, on the other hand, I think it's useful to look at what federal agencies are doing --

REP. SAWYER: Of course it is.

MS. KOONTZ: -- in light of various standards as a way of I think continuing the debate on are we happy with the status quo, are we happy with the requirements that we have, or do we need to take a relook at them.

REP. SAWYER: And then to evaluate their appropriateness.

REP. TAUZIN: Would the gentleman yield a second?

REP. SAWYER: I would be pleased to.

REP. TAUZIN: I would just point out that I don't think private sites are required to follow the FTC methodology either.

MS. KOONTZ: That's correct.

REP. TAUZIN: There's no law requiring that, is there?

MS. KOONTZ: That's correct.

REP. TAUZIN: All right.

REP. SAWYER: Thank you very much, Mr. Chairman. You have been flexible, and I appreciate it.

REP. TAUZIN: I thank the gentleman.

The chair recognizes Mr. Wynn from Maryland.

REP. ALBERT WYNN (D-MD): Thank you, Mr. Chairman.

I guess I take a somewhat conservative view starting with domain cookies, and I really would like to get a clear understanding of the rationale for domain cookies with respect to getting personal information and how that enables you to manage -- how the identification of the user enables you to "manage" the site better.

MS. KATZEN: Let me start, and then Mr. Baker might be able to add something or will definitely be able to add something.

When we launched first.gov on September 22, everybody wanted to know so how many hits did you get, and the question is is that the same person coming back 12 times, or is it 12 different people? If you have a cookie, you can tell whether it's the same person or not. Now, that's how you use it for site management is it gives you --

REP. WYNN: Okay.

MS. KATZEN: -- that kind of information.

REP. WYNN: If I could jump in? Is that the best rationale?

MR. BAKER: Sir, if I could?

MS. KATZEN: Go ahead.

MR. BAKER: I think the best rationale is the one the private sector utilizes, which is personalization of a web experience is a real benefit to the consumer if that's all the information is used for is that personalization. For example, we --

REP. WYNN: But there's an assumption there that I'm not ready to accept, and that is that personalization is in the interest of the consumer. Says who?

MS. KATZEN: Some consumers choose. Mr. Goodlatte sat here and said he has no objection. Indeed, he sort of likes the idea.

REP. WYNN: Okay.

MS. KATZEN: When he goes to amazon.com, they say you like biographies. That's how they use it in the private sector.

REP. WYNN: I want to go back to this. There is no opt out, so your assumption that it's good for the consumer to be personalized doesn't give the consumer the chance to say no, I don't want to be personalized.

MR. BAKER: I would agree with you. There needs to be opt outs, just in answering your direct question.

REP. WYNN: Okay. That's one item that I think is important for discussion. You agree there needs to be opt out on domain cookies. Is that your position?

MR. BAKER: Yes. My personal position. It would be yes, recognizing that that will have an impact on, if you will, the value of the companies on the internet who base a lot of what they do on being able to personalize. That personalized experience is --

REP. WYNN: Well, that's fine. I mean, I'm satisfied.

I think we've got at least one policy option on the table, and that is let consumers opt out of this. That's fine.

Now, is there any other rationale for domain cookies that we need to be aware of? Okay.

With respect to third party cookies, shouldn't there be some probable cause standard or some restriction or condition, however you would phrase it, to justify any imposition of third party cookies? I think members of the panel seem to be saying the same thing in a lot of ways. I will be candid and say I have a very hard time accepting the notion of third party cookies unless someone presents a probable cause case for national security.

MS. KATZEN: Federal websites are not to have third party cookies.

REP. WYNN: What's the penalty?

MS. KATZEN: The penalty would be to immediately take the site down and hold the agency head responsible, as you would with any other kinds of violations of federal policy.

REP. WYNN: But then those --

MS. KATZEN: The assumption is that federal employees will obey the policy. As Mr. Baker indicated, federal employees --

REP. WYNN: If I could just jump in? There are no statutory penalties against the federal employee that imposes a third party cookie?

MS. KATZEN: Not that I'm aware of, but I'm also not aware of any instances where they are in fact imposing them. As Ms. Koontz was indicating, they are coming from --

REP. WYNN: I thought Ms. Koontz said there were about eight out of 65. Is that correct?

MS. KATZEN: That's where as people are leaving the site, I thought she said.

REP. WYNN: Well, please clarify that.

MS. KOONTZ: It was we identified -- using the methodology that FTC used, we picked up eight instances that we called third party cookies.

REP. WYNN: Okay. Stop right there. So there are eight instances. Is there any requirement in the law that those eight instances be justified, or can we conclude that they are per se in violation of existing law?

MS. KOONTZ: I don't know the answer to that question. I think that's --

MS. KATZEN: It's not law, but policy, and if they were placed by the agency, as opposed to the exiting link, which is what you had said earlier many of these were placed, as they clicked to go to someplace else it's someplace else that puts the cookie, not the agency.

If the agency is doing it, they shouldn't be doing it unless they've gone through the materials that we have provided to them in terms of the finding that they need to make, privacy protections that need to be in place and the other processes and reporting to OMB on this kind of situation.

REP. WYNN: So they can make a showing to OMB, and it's okay to impose a third party cookie?

MS. KATZEN: It may or may not be okay. It depends on what they show. I don't know.

REP. WYNN: What do they have to show to justify a third party cookie?

MS. KATZEN: That having the cookie is critical to the obtaining of their mission, and I think that's a pretty high showing.

REP. WYNN: Well, it depends on whether it's national security or whether it's Department of Interior.

REP. TAUZIN: Would the gentleman yield?

REP. WYNN: The Department of Interior -- I see my time is up, Mr. Chairman.

REP. TAUZIN: If the gentleman would yield, I will quote from the memorandum for the gentleman. It says that under this new federal policy dated June 22, cookies should not be used in federal websites or by contractors when opening websites on behalf of agencies unless in addition to clear and conspicuous notice -- first of all, you have to at least give people notice you're doing it -- the following conditions are met:

A compelling need to gather the data on the site, whatever that means, and appropriate and publicly disclosed privacy safeguards for handling of the data on the site, appropriate and publicly disclosed privacy safeguards for handling of information derived from the cookies and personal approval by the head of the agency.

REP. WYNN: I thank the chairman. In fact, if I could have 30 seconds?

REP. TAUZIN: The gentleman is recognized for an additional 30 seconds.

REP. WYNN: My concern is where is the oversight of the agency decision that they have a need to collect this information? I'm perfectly willing to accept a national security or law enforcement rationale. Maybe Interior does have a rationale, but where is the oversight that would enable those of us in Congress to know that these agencies are acting in fact within the scope of their authority?

MS. KATZEN: Well, since this information would ultimately be gathered together by OMB and OMB has very aggressive oversight committees that are constantly asking for legitimately this kind of information.

I would also note that this is a subject which has gotten a lot of play in the press because this is not something you can do in secret. The reason we're here is because there's a whole cadre of people there who are constantly testing us, the private sector, NGOs.

REP. WYNN: Last question. Is there any reporting --

MS. KATZEN: They're constantly coming to discover these activities.

REP. WYNN: Mandated reporting to Congress?

MS. KATZEN: Excuse me?

REP. WYNN: In other words, the agency reports to you it has a rationale. Is there any mandated reporting of that information to Congress?

MS. KATZEN: No, sir.

REP. WYNN: Okay. Thank you.

Thank you, Mr. Chairman.

REP. TAUZIN: I thank the gentleman.

For the record, and you can submit this for the record. It was raised by a number of members. When was the last criminal prosecution of a Privacy Act violation? If you can submit that for the record?

We can't recall one. We can recall a lot of stories about personal data being released to the press -- Kathleen Wylie, Linda Tripp, all kinds of stories. Were there any prosecutions of violations of their rights?

MS. KATZEN: I'd be happy to do that.

REP. TAUZIN: Can you submit that for the record?

The gentleman from California, Mr. Cox?

REP. COX: I would thank the chairman.

I just want to underscore my complete agreement with the concerns expressed by Representative Wynn, and I hope that also for the record, Mr. Chairman, if you would permit perhaps we could see a list of those circumstances in which the collection of cookies -- not temporary cookies, not session cookies -- would be compelling for any agency under this memorandum.

REP. TAUZIN: If the gentleman would yield a second? I want to make sure the request is specific.

GAO identified eight sites of the surveyed sites, and GAO only surveyed at random a certain number of sites and the top 30 some odd high volume sites. What the gentleman is asking for the record is a submission of all of the existing authorized cookies on all federal sites, if you can identify those along with the compelling reasons for those cookies to be on those sites.

I yield back to the gentleman.

REP. COX: And I think in Representative Wynn's question he had embedded the sense we all share that if a person is legitimately under investigation then obviously tracking them through their web usage is as legitimate as tapping their phone or anything else, but, you know, if the national security concern is that somebody might be hacking into our computers or what have you, we're all for doing whatever we can to track that down.

Putting that in a clear category of its own, literally intentionally investigating people, what are the reasons that OMB thinks the government ought to be placing cookies on people's computers for that are not just session cookies?

If you could answer that for the record, because I know that --

MS. KATZEN: I'd be happy to, although I should state that we don't have a preexisting list of conditions. We don't think they should be there, but since we do not know everything and we don't know all the different circumstances that could be presented, we establish this process, but I will supply the information that you requested for the record.

REP. COX: All right. I would just then conclude by saying I hope you get rid of the cookies. I think a policy that --

MS. KATZEN: So do I.

REP. COX: If the concern is gee, the government is so big we can't get an answer to this question fast enough or we can't get it done quickly enough, which is what the administration expressed to Wired News when they put the question, you know, the best way to get it done quickly is to have a clear policy.

Also, as you mentioned in your opening comments, if the objective is to instill confidence in the public that they're not in any way to be worried when they're going onto a government site, the easiest way to do that is to have a rule that the public can understand, which is no permanent cookies.

You know, the notion that we've got cookies on computers, some of the people on this committee, some of the staff that have, you know, checked on this where the expiration dates are 2034, you know, where our government has been putting these cookies on lately, and that's just a very bad thing.

I just logged onto the White House website and checked out the privacy disclosure there with respect to the kids' side and the regular side, and it states that the White House is collecting IP addressed. Now, an IP address is unique to a specific computer, and I need to know why that's important. That I think you could answer now.

MS. KATZEN: If I may, I would rather provide it for the record rather than now, and I can explain. I will provide that for the record, sir.

REP. COX: All right. I thank the chairman.

REP. TAUZIN: I thank the gentleman.

Let me make an announcement. We have a vote on the Floor. Mr. Markey has arrived, and wants to do a round of questions, and we want to recognize him. Before I do that, let me announce that both Mr. Shaw and Mr. Pitofsky have arrived, and we want to accommodate them as quickly as we can when we get back.

We will not have time I think, Mr. Shaw, so if you don't mind we'll make this vote and come right back. We'll take you up immediately, Clay, if that's okay with you.

I'm trying to understand. What are you saying? If you can just tell us briefly what your scheduling problem is?

REP. E. CLAY SHAW, JR. (R-FL): Well, the problem -- I can dispose of this right now and leave this statement. This is a question of a privacy issue having to do with social security numbers.

REP. TAUZIN: Social security numbers, right.

REP. SHAW: I know Mr. Markey is interested in that, as well as the chairman, and it's something that we should put high on our agenda next year when we return.

REP. TAUZIN: I thank the gentleman, and his statement will be a part of the record. Thank you, Mr. Shaw.

The chair now recognizes the gentleman from Massachusetts, Mr. Markey.

REP. EDWARD J. MARKEY (D-MA): I thank you very much.

Congressman Shaw and I have been working on this issue of privacy inside the social security context, and it just shows that this is not a liberal or conservative or Democratic or Republic issue at all. It's an issue where the liberal left meets the libertarian right and isolates the pragmatic middle, okay, who just don't like to tell industry or their government employees that they can't do this, so there's a kind of a pragmatist middle here that we just have to isolate and ultimately eliminate, you know. That's the bottom line on this. It's the pragmatists. They're the problem here because everyone else agrees on the issue.

The issue really isn't big brother. The issue is big browser. You give it to anybody, public sector or private sector. They can't control themselves. They just have to get this information. It's almost like a compulsion. It's an obsession, okay, because it's there. The technology controls the ethos. Because you can do it, you do it. The technology makes its possible.

So it's the browser itself. It's its capacity to data mine, you know, to know all this information, and so, yes, in a private sector government context you call it security, you know. We need better security. From an individual's perspective, they say we need better privacy. It's all the same issue though, security/privacy. It all just means is the information secret or not.

Now, the industry says well, we want stronger encryption technologies so we can move this information from the consumer to us, but after we get it we don't have any rules. We can do whatever we want with it, you know.

The government says we want security, but that's just so we can keep our information private. If we can gather information about private citizens that help us do our business, that's good, too. From a consumer's perspective, it's all their privacy. It's their individual family's identity.

That's why self-regulation doesn't work. You can't allow the government to self-regulate. You can't allow the private sector to self-regulate. You've got to have a certain minimal set of protections that every individual is entitled to, whether it be a big government agency or a big corporation or a small government player in your hometown or a small company in your hometown. Regardless of who it is, you've got to have this minimal set of rights that every American is entitled to.

We have a roll call on the Floor. I thank all of our witnesses for helping us. I apologize for arriving late, but I thank you, Mr. Chairman.

REP. TAUZIN: I thank the gentleman, and the chair thanks the witnesses for their attendance and their participation. What we will do is declare a 15 minute recess and give everybody a break.

Chairman Pitofsky, we'll be back as soon as this vote is over. We'll take you up first call as soon as we get back.

The committee stands in recess.

(Recess.)

REP. TAUZIN: The committee will please come back to order.

We're pleased to welcome the Honorable Robert Pitofsky, the chairman of the Federal Trade Commission, who was elated today because the Senate just passed his reauthorization bill. He would love to see the House take it up before we leave.

Mr. Pitofsky, we've often had this conversation in private, in public and we're at it again today, but we'd love to again welcome you. Your written statement, of course, is part of the record, and we would welcome you to summarize your report to us today on privacy both in the private and public sector.

MR. ROBERT PITOFSKY: Thank you very much, Mr. Chairman, members of the committee. As always, I appreciate this opportunity to discuss with you and the members these important issues relating to privacy.

As this committee knows very well, the Commission has acquired considerable expertise and experience in addressing privacy issues on line and off line in recent years. Our activities in this area are based on our statutory authority, the challenge of marketing practices that are deceptive or unfair.

Let me start with some basic premises. Protection of privacy is important to consumers. All surveys demonstrate consumer concern, and on line commerce will not reach its full potential until and unless these privacy issues are adequately addressed.

Incidentally, I saw just yesterday a Harris survey which reported that among internet users they were more concerned with their privacy on the internet than they were with health care, crime and taxes. A really remarkable set of findings.

Second, basic protections include notice of what information is collected and how it will be used, consent to use by consumers of their personal information, reasonable access to a database to correct errors and reasonable security arrangements as to how information is used.

Even if all these fair information practices are adopted, that is not enough. There must be effective monitoring and enforcement to insure that privacy guarantees are really respected. It's interesting that many in the business community have pretty much adopted the four fair information practices that I described.

The policy dispute in this area has turned on whether fair information practices can best be achieved through self-regulation or by legislation. My own view is that neither approach should be exclusive. Self-regulation is essential, but it will be most effective if it is backed by a rule of law.

Also, Mr. Chairman, addressing an issue that I know you've raised with me, any policy choice must be flexible in the sense that it takes into account the possibilities that new technology may ease or modify the need for legislation.

The FTC has conducted or reported on three surveys. Our first, in 1998, found of all sites surveyed only 14 percent published a privacy notice. The second, in 1999, showed 64 percent. According to a 2000 survey, the figure had reached 88 percent. That's the good news.

These numbers must be placed in context. Only 20 percent of the sites reviewed in the 2000 survey satisfied all four fair information practices. Of the 88 percent that did include a privacy disclosure, many offered a kind of notice that was inadequate, misleading or obscure. Most important to me, only 41 percent provided notice and consent, in my view the two essential fair information practices.

I should add that if you didn't look at these numbers in the point of view of all sites but only the 100 most visited, the numbers would be much better. For example, notice and consent would appear on 60 percent of the sites.

Beyond statistics, there's a policy question of what to do about firms that provide inadequate notice or no notice at all. Those advocating an exclusively self-regulatory approach argue that firms should be denied a seal of approval, and consumers observing the absence of the seal will choose to do business with other on line sites. There are quite a few flaws with that conclusion.

First, even in our 2000 survey, our most recent survey, only eight percent of websites posted a seal of approval. Ninety-two percent did not. More important, I do not see the denial of a seal of approval will really influence the outliers, the relatively few unprincipled firms who are collecting and selling private data and will ignore industry standards to change their ways. The fact of the matter is that the best self-regulatory programs among advertisers, funeral directors and others are effective because they are backed by a rule of law.

Beyond this fundamental question of legislation versus self- regulation, the Commission has been active in other areas. We commended the self-regulatory practices by the Network Advertising Initiative, an organization comprised of leading internet advertisers, to develop a framework for self-regulation in the profiling area, although we said there, too, that legislation to back them up would be appropriate.

We issued rules interpreting Congress' statute entitled the Children's On Line Privacy Protection Act designed to protect young people from exploitation. We issued rules under Graham-Leach-Bliley designed to protect consumers' privacy when dealing with financial institutions. Finally, the Commission has brought three cases in the past year challenging deceptive or unfair conduct in connection with websites, and with additional support from Congress on our budget we would be more active in the future.

To conclude, my hope is that the next Congress, government, consumer advocates and the business community can join forces in finding their way to a moderate, balanced, forward looking and sensible form of privacy protection.

I would be glad to answer your questions, and if I may I'd like to invite our bureau director, Jodie Bernstein, to --

REP. TAUZIN: Sure.

MR. PITOFSKY: -- join me up here for some of the detailed questions that we may run into.

Director Bernstein?

REP. TAUZIN: Thank you, Mr. Chairman, and welcome.

Obviously the first question you know I'm going to ask you is you gave the industry a grade in 1998 when only 14 percent posted privacy policy, and the grade you gave them was incomplete. In 1999, after 64 percent had complied with posting privacy policies, you gave the industry a B+ for effort and a C overall.

In 2000, 88 percent in your survey are now posting some privacy policy. Good, bad or adequate, but a privacy policy. What grade do you give the industry today on effort, and what grade to you give them overall?

MR. PITOFSKY: I want to give the private sector some credit here because I truly believe that they recognize that this is a problem, and they have worked hard to solve it, so on effort I'd call it an A-. I'd say that they're even better.

REP. TAUZIN: And moving up?

MR. PITOFSKY: I'm moving it up.

On overall performance, I would move that up, too, from C to C+, but C+ is not good enough to protect consumers over the internet, but they have certainly committed financially and in terms of energy to try to improve the situation and should get credit for that.

REP. TAUZIN: Now, when it comes to grading, let me first thank the FTC for training the GAO officials who conducted the federal website survey that Mr. Ormi (ph) and I requested.

As you know, we asked that it be done using your criteria because we felt that we wanted some sort of a comparison that whether it was a good one or not, it was on an equal basis between federal sites and commercial sites.

Do you know what grade the FTC got?

MR. PITOFSKY: The FTC was found wanting in that report.

REP. TAUZIN: So you were not part of the three percent that passed all of your own criteria?

MR. PITOFSKY: We were not. We were not.

REP. TAUZIN: Where were you found wanting?

MR. PITOFSKY: Well, let me explain that because I think this is important.

REP. TAUZIN: Yes, it is.

MR. PITOFSKY: The FTC satisfies anybody's standards in terms of notice, access and security.

REP. TAUZIN: Right.

MR. PITOFSKY: The problem was with consent.

REP. TAUZIN: With choice?

MR. PITOFSKY: Let me explain why that happens.

REP. TAUZIN: Why did the FTC not make the grade on choice on your own standard?

MR. PITOFSKY: Let me give you an illustration.

REP. TAUZIN: Okay.

MR. PITOFSKY: Congress has generously supported something we run call consumer sentinel in which we gather complaints from consumers. We analyze it, we marshal it, and then we share that information with other law enforcement agencies. That was the whole point of Congress giving us the money; that we would share it with others -- FBI, state AGs and so forth. I think it's been quite successful.

Now, we tell people in our notice statement if you give us the information we're going to share it with the FBI and the state AGs. We don't give them the option of saying well, we want to give you the information, but don't share it with --

REP. TAUZIN: So you don't give them an opt out?

MR. PITOFSKY: We don't give them an opt out, and, of course, we shouldn't. It would undermine the whole point of the program, which is to have --

REP. TAUZIN: You shouldn't give your website users an opt out? Suppose I want to give you information about a complaint that I make, but I don't want you sharing that. I don't want to have repercussions from someone else because I complained to you. Shouldn't I have the right to do that, Mr. Chairman, --

MR. PITOFSKY: I don't think so.

REP. TAUZIN: -- without your sharing it with people without my consent?

MR. PITOFSKY: Remember, it's all in the notice.

REP. TAUZIN: I know, but you're telling me I can't complain to you without you sharing that complaint with other people.

MR. PITOFSKY: But the reason --

REP. TAUZIN: I'm saying shouldn't constituents have a right? I give them that right in my office. They can use my website and complain to me about a federal agency, or they can complain to me about a third party business in my district, and I give them an assurance on my website that I will not share that information with anyone else, but shouldn't we at least give them the choice that you wouldn't share it with someone else if that's what they wanted?

MR. PITOFSKY: I take your point, but I do think that since the whole point of gathering the information is to share it that to allow them -- to give them that choice doesn't make any sense.

REP. TAUZIN: But isn't part of your business as an FTC agency to in fact collect complaints from consumers, and isn't that also a good thing to do without necessarily sharing that with other people pursuant to this Act?

MR. PITOFSKY: Let me make a more general point.

REP. TAUZIN: Okay.

MR. PITOFSKY: Our fair information practices are designed to control the marketing sector of the economy. We're not selling anything to these folks. We're not selling them books or records.

REP. TAUZIN: No. I understand.

MR. PITOFSKY: So it seems to me that when you talk about choice in that context it's really a little different.

REP. TAUZIN: I understand that, Mr. Chairman, but I think you're making my point, which is that in your own analysis, your own review of other commercial websites, we hear the same complaint.

Your own, if you will, methodology for examining and grading these websites doesn't often make room for those kind of distinctions as to what it's being used for or whether the site, for example, may have a security, but it doesn't say it has security. Therefore, it gets graded down under your criteria.

One of the purposes that Mr. Ormi (ph) and I wanted this GAO study done was exactly that; is to I guess amplify the fact that the methodology itself isn't necessarily perfect, that it has flaws. Therefore, the reports that are issued by the agency are not necessarily as reliable as they perhaps should be.

I think you would say that the FTC, as an agency that is examining other sites, would want to be as good about privacy as any agency of the federal government, and yet under your own methodology you fell short. I think that makes our case about how this methodology perhaps needs to get further fine tuned so that it doesn't reflect bad on sites that are really trying, that deserve the A- for effort and perhaps even better than a C+ for performance.

MR. PITOFSKY: Let me take your comments to heart and think about them.

REP. TAUZIN: Sure.

MR. PITOFSKY: We did say in our report to GAO to transpose our four information practices exactly intact away from the commercial area to the government area might lead to misleading conclusions, but I hear what you're saying, and I'd like to think about it.

REP. TAUZIN: Yes. What we're also saying is to use that methodology on commercial sites without making room for those kind of distinctions that you make for your own site may be also misleading. That's my point.

MR. PITOFSKY: Yes. Well --

REP. TAUZIN: But I thank you for at least considering it because obviously what you say publicly about the performance of the private sector has some real weight in the Congress and with the American public, and obviously, you know, it's important that whatever assessment you make be as clear and as precise as you can make it.

I want to finally thank you for continuing this effort. You and I have had this private discussion. I think that FTC constantly monitoring and reporting on the progress of the industry and making cases where, you know, fraud and deceptive practices are appearing on the internet is very good.

How come only three cases? If it's really that bad out there, why have you brought only three cases?

MR. PITOFSKY: First of all, it's three cases in the very first year in which we initiated --

REP. TAUZIN: Yes.

MR. PITOFSKY: -- this kind of program. What we try to do is bring cases against the most egregious. We don't want to hit people for technical violations --

REP. TAUZIN: Yes.

MR. PITOFSKY: -- and this and that. We want to --

REP. TAUZIN: So you're going after the really bad players?

MR. PITOFSKY: Yes.

REP. TAUZIN: But again, does that say something about the overall effort in the private sector that you found three egregious cases, not ten, 12, 20, 100, last year?

MR. PITOFSKY: Well, I don't know. Jodie?

REP. TAUZIN: Yes.

MS. JODIE BERNSTEIN: If I could add something to that, Mr. Chairman?

REP. TAUZIN: Please.

MS. BERNSTEIN: Among the techniques that we've tried to use, because this is a whole new area --

REP. TAUZIN: Yes.

MS. BERNSTEIN: -- is we conduct something we call surf days where we look at all the sites all at one time, and in many of those instances instead of bringing cases against all of them we'll send out a notice saying this is a new kind of initiation on our part. Do you know that you may be violating the --

REP. TAUZIN: You're giving them fair warning.

MS. BERNSTEIN: Right. Fair warning.

REP. TAUZIN: Sort of like the traffic policeman who gives me a warning and says you know, you've gone through a school zone. You better slow down.

MS. BERNSTEIN: Right. Exactly right. Then we go back after a certain --

REP. TAUZIN: Yes.

MS. BERNSTEIN: You know, maybe 30 days. What we found is that a lot of them have dropped out or corrected --

REP. TAUZIN: So you don't have to take action.

MS. BERNSTEIN: -- what they were doing, so we don't have to. That's one way. I think it's a fair way, but I also think it helps us a lot in getting to the ones where we feel we can --

REP. TAUZIN: The gentleman from Ohio, Mr. Sawyer?

REP. SAWYER: Thank you, Mr. Chairman. I don't intend to take my full amount of time. Let me thank our witnesses for being here.

You heard my question earlier about the way in which we assure the ability of agencies to share information with one another while preserving their mutual guarantees of privacy in the information that they gather. Do you have any insight and guidance that you could offer us this morning, or would you prefer to answer that later?

MR. PITOFSKY: Well, I think it's the right question. You want to -- when you're talking about the government and not a commercial marketer, you want to assure that the collection of information can serve government purposes, including the sharing of information where that is --

REP. SAWYER: Where it's appropriate.

MR. PITOFSKY: Yes, where appropriate.

REP. SAWYER: While guaranteeing the confidentiality of information that's being shared.

MR. PITOFSKY: Yes. On the other hand, you don't want to unnecessarily invade people's privacy. It's got to be designed to serve your mission purpose, and that's what we've tried to do.

REP. SAWYER: Do you have policies and principles which guide you in making that judgement in terms of where it is appropriate? Largely a subjective decision, but one that you try to squeeze as much subjectivity out of as you can?

MR. PITOFSKY: Within my own agency, we certainly do.

REP. SAWYER: Can you describe those for us? They might be of benefit.

MR. PITOFSKY: Well, we probably have -- I'll be glad to submit it to the committee. We probably have one of the most clear and conspicuous, non-obscure notice provisions that you're ever going to see.

REP. SAWYER: It's not just notice.

MR. PITOFSKY: Well, no. I understand.

REP. SAWYER: It's protocols for sharing.

MR. PITOFSKY: Yes, but nobody could misapprehend what we're going to do with this information. We also provide reasonable access and reasonable security. It's only on this question of choice, which the chairman has raised with me.

The trade off is can we share this information, and the whole program is designed to collect the information and share it, or shall we give people an opportunity to say look, I want to complain to you, but I don't want this information going to the FBI and some state.

REP. SAWYER: Sure.

MR. PITOFSKY: We've cut in the direction of giving them notice as to what we're going to do with it, but sharing the information for law enforcement purposes.

REP. SAWYER: Thank you, Mr. Chairman.

REP. TAUZIN: I thank the gentleman.

Again, Mr. Chairman, let me thank you, and let me for the record indicate again that you actually -- your office actually trained the GAO in the survey they conducted. Is that correct?

MR. PITOFSKY: I believe that's right.

MS. BERNSTEIN: That's correct.

REP. TAUZIN: And they did use your methodology in examining your agency and other agencies, right?

MR. PITOFSKY: They did.

REP. TAUZIN: And they did find that under your methodology, only three percent of the federal sites surveyed met all of the criteria that your office uses to judge private sites? Is that correct?

MR. PITOFSKY: I understand that's correct.

REP. TAUZIN: As compared to 20 percent in the private sector that met all four or all five, I think, of those criteria? Is that correct?

MR. PITOFSKY: Yes.

REP. TAUZIN: Is it fair to conclude that the private sites are doing better than the government sites?

MR. PITOFSKY: No, I don't think that's fair, Mr. Chairman.

REP. TAUZIN: Tell me why not. Tell me why not.

MR. PITOFSKY: Because, look, I don't know what other government agencies fail to satisfy fair information practices. I suspect --

REP. TAUZIN: We've got a list of why they failed. It's pretty interesting.

MR. PITOFSKY: I suspect that it's often this issue of sharing the information with another agency and not giving people the opportunity to say count me out. I want to complain or I want to submit information, but I don't want to share it with --

REP. TAUZIN: You know, a lot of them failed because they just didn't even post a privacy policy. A lot of them failed because they didn't give notice to consumers that they were gathering information. Some of them failed because they said they weren't gathering personal information, and they were. Some of them failed because they had cookies.

By the way, what's a cookie? People are reminding me not everybody knows what a cookie is. You know, we're talking about a new cookie monster here in effect. What is the new cookie monster we're talking about?

MR. PITOFSKY: People have learned what it's about. It's a device that's placed on the hard drive of the computer of the person who's communicating which allows the collector of information to trace where you've been and what you're doing. I described it as a technology which would allow your TV set to keep track of what programs you watch as you watch them.

REP. TAUZIN: Worse than that. It's like having a camera following you around for the rest of your travels all day long, all week long, perhaps for 35 years. It's pretty bad stuff.

MR. PITOFSKY: I don't think -- I think that's a fair analogy --

REP. TAUZIN: Yes.

MR. PITOFSKY: -- of what we're talking about here.

REP. TAUZIN: Yes. Some of these 14 percent failed because they did have cookies on their site.

MR. PITOFSKY: So I heard.

REP. TAUZIN: And in many cases without advising consumers. That's not a very good report, is it?

MR. PITOFSKY: I heard Sally Katzen say that she does not intend to defend cookies on government websites, and I'm not going to step in and do it.

REP. TAUZIN: Well, the only point I'm making, and we're going to have to move on to this vote and again take another break, but the only point I want to make is when you compare -- we've got a little comparison sheet of the federal sites and the private sites. On every standard that you use to judge private sites, federal sites fared worse on every standard.

On the question of frequency of disclosure, 100 percent on commercial sites compared to 85 percent of the government sites. On all four principles, 42 percent of the federal sites and only six percent of the high impact sites. Twenty percent of at random and only three percent of the at random federal sites.

In fact, there was only one category at all that was comparable between the federal and the public sites. I mean the federal and the private sites. We have a copy of this. I want to make sure you get it.

MR. PITOFSKY: I'd like to look at it.

REP. TAUZIN: It basically says that when your criteria was applied to the public sites where we have to share information in many cases that privacy was less protected than in the commercial sites of America. That's not a good finding.

Mr. Ormi (ph) and I have asked a simple thing of our government. Maybe we need to clean up our own house as we go by grading and commenting on someone else's house.

Again, I thank you for both cooperating with our effort to examine the federal sites, and, secondly, for continuing your monitoring of the private sites and invite you and your staff to stay in close touch with us because I think we've all come to the conclusion that next year we're going to have to move legislatively in some of these areas.

MR. PITOFSKY: I'm glad to hear that, and I do want to continue to work with you and this committee.

REP. TAUZIN: Thank you, Mr. Chairman.

We'll stand in recess for another ten or 15 minutes.

(Recess.)

REP. TAUZIN: We're going to get started. Anybody who misses this is just going to miss a lot of good time. That's all. The committee will please come back to order.

Let me welcome our final panel, Mr. Larry Chiang, chief executive officer, MoneyForMail.com; Ms. Glee Harrah Cady, the vice-president for global public policy, --

How do you pronounce it, Privada?

MS. GLEE HARRAH CADY: Privada.

REP. TAUZIN: -- Privada in Sunnyvale, California; Ms. Parry Aftab, special counsel for Darby & Darby in New York; and Mr. Mike Griffiths, chief technology officer of Match Logic, Inc.; and Mr. Andrew Shen, the policy analyst for Electronic Privacy Information Center.

Welcome, ladies and gentlemen.

I apologize for the long day, but I suspect we're going to have a lot of long days thinking this business through. Part of what we're doing is building a record, so all of your written statements are part of that record.

Trust me on this. The members and staff actually read those statements and get into them. We are desperate for understanding here. What you will provide for us on this panel is a little more depth of understanding about what is happening in the marketplace to privacy and the technology in the private sector.

Let me please welcome you, and we'll begin with Larry Chiang of MoneyForMail.com. Larry, welcome.

MR. LARRY CHIANG: Thank you. Thank you, Mr. Chairman. Thank you, members of the subcommittee.

I come to you as a person who is on his second business. I'm an entrepreneur. My background is in engineering, so I am fortunate enough to be able to head up one very popular company called MoneyForMail. This is my second company. My first company was one that sold credit cards to college students, and my efforts in starting new businesses is to empower consumers to control and empower them both on two fronts, both on credit understanding and in understanding on privacy.

What MoneyForMail does basically in a little nutshell is it empowers consumers to opt in their information so that they control their own information so that the people that previously compiled and sold information, companies such as Transgenient (ph), Acrofact (ph) and Experian (ph) profited by selling this data.

REP. TAUZIN: Give me an example of how that works.

MR. CHIANG: For example, let's say you're a car leasing company, and you want to sell cars to people in their middle twenties that have a good job with good credit, so you can send a prequalified lease to those people using credit data.

Now, a consumer today and up until the past 20 or so years has not been able to control their own data, so if a car leasing company wants to buy that information and extract that information from the free credit bureaus they're able to do so without knowledge and consent of a consumer where you have now bringing forth a number of these privacy issues also then starts the question of previous legislation on the Fair Credit Reporting Act with who exactly owns and controls pieces of credit data.

So what MoneyForMail tries to do and does successfully is it compiles the credit data, along with demographic data, so the demographic data is information that gets collected on different surfers and their preferences, their gender, what state they live in, maybe even some detailed information as to what sports they like to watch or participate in.

What we do with that demographic data is we add in credit data so that advertisers now have more pieces of the information to then collect this information and then send out advertising messages that are geared towards it because, to backtrack a little bit, the reason that all this is such a large issue is simply because advertisers know that when they spend money, 50 percent of that money is simply wasted. Now, the question is, you know, what 50 percent did I waste?

With the internet you're allowed to target specifically demographics. You're advertising let's say men's suits, from a previous example. You're going to target men's suit advertisements solely to men that are prepared to buy a suit, whereas previously you're just shotgunning that advertising to everyone, so the internet as a medium allows that, and that's why this issue is going to balloon further because how many billions of dollars are spent on advertising and how many of those billions of dollars could potentially not be wasted should there be a better methodology in sending out these types of messages.

It not only permeates internet where, yes, it's going to be personalized content, but also in the future you're going to talk about cable TV advertising where right now cable TV advertising -- I mean, everybody in certain markets gets the exact same advertisement. Well, what if you opted in your demographic data, and then you're able to control your own demographic data. The cable TV companies then can send you specific ads based on your needs, your usages, your preferences.

So the situation that I come to you today with is, number one, the parallel nature of how credit data previously was compiled without regulation and how the Fair Credit Reporting Act obviously is legislating and regulating the three bureaus in compiling this data, to also then translate that where the FTC regulates that data where I see a parallel where the FTC also similarly can further regulate private issues in its simple, easy-to-use, easy-to-understand principle.

Right now, if you visit a lot of these different websites you're faced with pages, literally pages where you have to scroll down. How many users actually read and understand the privacy statement? I think that in the future what's going to happen is you're going to be allowed to go to something similar to a shimmer box where some of these ideas that I bring forth are not really necessarily my own ideas, but they're based on historical regulatory efforts.

How a shimmer box then translates to privacy is maybe in five major points similar to an annual fee, interest rate, terms and junk fees. A privacy policy box or someone's name box then can, therefore, disclose the five major points or the six major points for how it is that you as an internet web surfer can then be assured of some type of standardized policy.

REP. TAUZIN: Thank you very much, Mr. Chiang.

Now we welcome Ms. Glee Harrah Cady, the vice-president for global public policy of Privada.

Ms. Cady?

MS. GLEE HARRAH CADY: Thank you, Mr. Chairman. It's a pleasure for me to be here today to talk to you not only about what my own company does in privacy enhancing technologies, but what our industry is doing as a whole.

Privada itself is based in Sunnyvale, California, and we build privacy infrastructure systems for financial service companies, for network service providers and for other people who in turn would like to offer privacy services to their customers. You may have seen a recent series of advertisements on the television by a large credit card company that is going to be partnering with us in future products, and we expect to have further enhancements like that.

Generally, technology is quicker than legislation. I know this point has been made to you a number of times, and we can today provide help to your constituents and the people who are genuinely concerned about a genuine problem with technologies that will assist them to protect their privacy while the debate goes on here in the Congress. Since early this year, I think there has been something like 700 different announcements made about privacy enhancing technologies, and, of course, were all terrific.

Mr. Boucher and Mr. Goodlatte mentioned today the internet caucus, and earlier this year, in fact just three weeks ago, we were privileged to be part of a privacy technology fair, and I know that this little booklet has been added into the record so that people can see who demonstrated there at that time.

Finally, we have this lovely poster that we've also provided you that was developed by the Privacy Leadership Initiative. There are more of these in the back of the room for those in the room who would like to have that. It's a description of some people and their technologies that are in the market today. Today. Not next Congress. Not tomorrow. Not next week.

So these technologies range from companies who provide complete anonymity all the time to people who are called occasionally. They're called infomediaries, who will broker information on your behalf. Choosing among them might be complex at this point, but they are all there.

I've tried to provide links to lists of these technologies in my written testimony, and I would urge you to encourage your constituents to look at these pieces of information, and if anybody has any questions about specific technologies or what any of the companies can do to help them I'd be happy to answer them. Thank you.

REP. TAUZIN: Many of these are free, right?

MS. CADY: Yes, sir, many of them are free.

REP. TAUZIN: Thank you very much.

And now we'll hear from Ms. Perry Aftab, the special counsel for Darby & Darby of New York, New York. Ms. Aftab?

MS. PERRY AFTAB: Thank you very much, Mr. Chairman, and thank you for inviting me to testify here today.

I am a privacy lawyer. I specialize in the children's industry, and I'm often called the kids' internet lawyer, but about half of my time is also spent running non-profits. I run Cyber Angels, the largest internet safety and help group in the world, and Wired Kids. I'm also the author of The Parents Guide to Protecting Your Children in Cyberspace, and my testimony today will be a blend of both my expertise as a privacy lawyer and my advocacy for children.

REP. TAUZIN: This is the book you're talking about, right, that you've authored?

MS. AFTAB: It is, Mr. Chairman. Thank you very much.

REP. TAUZIN: Thank you.

MS. AFTAB: There are roughly 25,000,000 children on line in the United States. These are children under the age of 18. There are websites that are very valuable to children. They can help them with education. They can give them games. They can be very entertaining. Children can have websites where terminally and seriously ill children can communicate with each other and can talk to children around the world.

We're here to talk about problems, but I'd like all of us to remember that the internet is a wonderful place, especially for children, and the greatest risk our children face with connection with the internet is being denied access.

No one cares more about children than the children's internet industry except perhaps the FTC, who I would like to compliment during my testimony here today for being always available, always listening and always trying to help the internet industry as a whole. They're willing to speak at all of the conferences. They're willing to do many things, and in fact today I bear an invitation from the government of Singapore for the FTC to come and teach them about regulating privacy in the area of children.

But there are serious problems that the children's internet industry is facing. This morning on Good Morning America they talked about .gone and the problems with the internet industry generally. The children's internet industry is facing even greater problems because they have no generally accepted, viable business model. Advertising isn't working because children aren't directly engaging in e-commerce. There are lots of problems in this area, and one of the things we need is more flexibility on the part of the FTC to have greater discretion and exceptions under COPPA (ph).

Today there's been a lot of discussion about parental consent. One of the biggest problems that we face is that parents, although they want their children to do these things, are not taking the time to actually give the consent to the website, and the choice is then locking children out of these interactive tools.

It's not merely a matter of children sharing personally identifiable information. It's a matter of whether or not they can send e-postcards or whether or not they can get a picture from Elmo. It's important that we get parents involved and find compelling reasons for them to be using the internet.

We need several things that Congress, especially this subcommittee and your expertise, can help us with. Number one, we need research on how children are actually using the internet. We need research on what parents really want and what it will take to get them to be active in the kids' space.

We also need educational programs teaching children how to surf the internet safely, how to use the best filter that exists, which is the one between their ears, Mr. Chairman, and teaching them how to use critical judgement when they're communicating with strangers on line.

We also need to give a lot more flexibility and discretion to the FTC in carving out exceptions or special rules under COPPA (ph) for companies to put children's safety and privacy first for word innovation rather than putting extra strain on the industry.

What we need to do is to work together to make sure that the expertise that each of us brings to the table is used to help children, to help the internet industry and to help everyone preserve their privacy and keep children safe at the same time.

We are also creating the children's internet industry trade association -- it's called KITA, the Kids Internet Trade Association -- to help members of the kids' internet industry come up with solutions, work together and work together with regulators and legislators on coming up with solutions that work.

The greatest problem we have in the area of privacy is unexpected consequences when legislation has not been as thoroughly thought out as Mr. Chairman has been looking at here, so I welcome the ability to help in any way I can at any time, and thank you very much.

REP. TAUZIN: Thank you, Ms. Aftab.

Mr. Mike Griffiths, the chief technology officer of Match Logic, Inc.? Welcome, Mike.

MR. MIKE GRIFFITHS: Mr. Chairman and members of the committee, I want to thank you for inviting me to testify. My name is Mike Griffiths. I'm a chief technology officer and one of the founders of Match Logic.

Match Logic is an internet marketing and advertising services company that provides strategic marketing solutions to Fortune 500 companies. We were founded in 1996 and currently operate as a subsidiary of a leading broad band internet service provider, ExciteAtHome.

I'm here today representing the Network Advertiser Initiative, an industry group comprised of the leading internet advertising companies. The NAI was formed at the behest of the Federal Trade Commission and the Department of Commerce to address consumer privacy concerns by developing self-regulatory guidelines on the practice of on line preference marketing or profiling. The NAI companies represent more than 90 percent of the internet advertising industry in terms of revenue and numbers of ads served.

Mr. Chairman, as you know, the NAI announced its self-regulatory principles in July of this year after months of intensive consultations with the Federal Trade Commission and with the Clinton administration. The internet advertising industry needed to adopt rules of the road for its information practices in order to satisfy legitimate user concerns about privacy.

For the industry to write these rules in a manner that would garner public confidence, the NAI needed the guiding hand of public officials. The talks between the NAI and the federal government were tough, but fair, in that the industry had to make a number of important concessions. Ultimately we were pleased that the NAI could develop industry self-regulatory guidelines that are meaningful and real and which the FTC, Clinton administration and members of Congress on both sides of the aisle unanimously applauded.

The NAI principles deal with a practice of on line preference and marketing.

We define this as data collected over time and across websites which is used to determine or predict consumer characteristics or preferences for use in ad delivery on the web. In other words, we try to figure out which is the best ad to play to a consumer at a given point in time.

We believe that OPM, if done responsibly, benefits both consumers and businesses. Consumers benefit because they receive banner ads targeted to their interests. If you're interested in golf, for example, you'll see more advertisements for the latest golf equipment. If you buy a lot of women's clothing, you'll see more women's clothing ads. Advertisers benefit because targeted advertising is more effective, and they get a better return on their investments. Finally, websites benefit because the more effective the advertising, the more they can charge.

This brings us back to the consumer. Without targeted advertising, advertisers will pay less, websites will earn less and consumers will suffer. Currently, a vast majority of websites are free. If internet advertising does not work, these websites will not be able to survive, or they will have to move to a subscription model that charges users for services.

Our companies allow tens of thousands of small and medium sized websites to compete with the biggest players for advertising dollars. We give them the economy of scale that they would otherwise lack, so in summary our job is to make the internet a more efficient and competitive advertising medium that will further stimulate the growth and viability of the internet as a source for free content.

We at Match Logic and at the NAI understand that consumers are very concerned about internet privacy. We share these concerns. If consumers are not comfortable that their privacy is protected, then the internet will suffer. That is why the NAI companies came together with the federal government to develop landmark principles on data collection and a level of notice and choice that we must give to consumers. These principles lay out the ground rules and safeguards for the collection and use of non-personally identifiable or anonymous information, the collection and use of personally identifiable information and the merger of PII with non-PII.

In summary, here are the guidelines. First of all, NAI companies have agreed that we will not use personally identifiable, sensitive health information, sensitive financial information or information of a sexual nature for the purposes of profiling. We do not believe that these categories of data should be used, and we will not use them.

For non-PII, we require notice and choice. NAI members must disclose their OPM practices through their websites and through the NAI gateway website, and in addition, where possible, they must contractually require their website partners to disclose the collection of non-PII for OPM. NAI members will provide mechanisms for consumers to opt out from the use of non-PII for OPM.

For personally identifiable information or PII, we require that NAI members follow the On Line Privacy Alliance guidelines for on line privacy policies. These policies require the adoption and implementation of a privacy policy and that notice and choice be afforded.

Importantly, for the merger of non-PII with PII we have two scenarios. The first case is where PII is linked with previously collected non-PII. In this case, members will not, without prior affirmative consent or opt in, merge PII with previously collected non-PII. The second case is where PII will be merged with non-PII for OPM purposes on a going forward basis. In this case, NAI members will provide consumers with robust notice and choice. The NAI principles include several examples of what would be considered robust notice for each of these scenarios.

The NAI members have also agreed to establish a third party enforcement program that will include random audits by the third party enforcer, the ability to file and handle consumer complaints and the ability to redress lack of compliance through sanctions such as revocation of the seal or through a designated public or government forum such as the Federal Trade Commission.

Finally, the NAI members strongly believe that industry, government, consumer and advertiser pressures to set and maintain high standards for privacy will render participation in the NAI all but mandatory for network advertisers. Moreover, because of the contractual reach of these NAI companies across literally thousands of websites, the NAI principles will have a tremendously broad impact on web privacy.

In conclusion and to summarize, the NAI self-regulatory principles are designed primarily to accomplish two things. First, to make sure that advertisers on websites post notice that are strong and clear where OPM occurs and, second, to make it easy for users to opt out.

Under these principles, NAI companies agree to afford consumers with important notice disclosures and appropriate methods of choice for participation, while at the same time one of the main engines behind this nation's booming new economy of the internet can continue its remarkable growth and improve as a provider of free and reduced price content.

Mr. Chairman, on behalf of the NAI I want to pledge that we will continue to work with the FTC, the Commerce Department and you and your members of staff to insure that these self-regulatory principles live up to their promise.

Thank you.

REP. TAUZIN: Thank you, Mr. Griffiths.

Finally, Ms. Andrew Shen, policy analyst for the Electronic Privacy Information Center here in Washington. Mr. Shen?

MR. ANDREW SHEN: Thank you, Mr. Chairman. Thanks for inviting me today to speak on a very important issue to the American public and obviously also to members of this committee. I'll try to keep my remarks very short since I am the very last speaker of what has been a long morning.

My name is Andrew Shen, and I'm a policy analyst at the Electronic Privacy Information Center. EPIC is a public interest research center located here in Washington, D.C. Today, while I am here formally on behalf of EPIC, I'm really speaking here to represent the views and interests of American consumers.

EPIC believes that privacy has and will be one of the defining consumer protection issues for the internet, and what we have seen in these early years of electronic commerce is that the internet has resulted in a vast amount of information collection that I think is unprecedented, and that information collection has resulted in corresponding concerns about personal privacy.

Now, when I speak in public at events like these I do my best to address the concerns of American consumers and those that really just want to ask me a very simple question, and their question usually goes something like this. How do I protect my privacy? How do I keep my personal information within my control?

To some extent, fellow members of this panel have tried to address that problem. Someone proposed self-regulatory guidelines. Someone proposed technology. Someone proposed a mix of both, but I think it's important to sort of analyze what the typical consumer experience of these approaches are.

Now, some suggest to a lot of consumers that they should just change the settings on their browsers or to use privacy tools or to subscribe to anonymizing services, but I realize this will not be sufficient for the protection of most American consumers.

Many information collection technologies use jargon and terms that a lot of people aren't familiar with, terms like cookies, on line profiling, on line preference marketing, opt in, opt out. This tends to confuse a lot of people, and I here just as evidence want to cite a recent study done by the Internet American Life Project. They found that 43 percent of internet users -- only 43 percent, less than half -- know what a cookie is.

Even more astonishing than that are the results of internet users that have three or more years of experience on line. That number only rises to 60 percent. That is for people who have been on line for a very long time. They still don't know what a cookie is, let alone what a company like Match Logic can do when they combine cookie technology with banner ads and huge networks.

Now, others may suggest that people can just read privacy policies, try to parse out what tend to be very long, complex and vague statements about what companies will do with their personal information. Now, these privacy policies, as I already said, tend to be confusing. Larry spoke to this a minute ago.

But, I think a more important and more recent phenomenon is that these privacy policies are constantly changing. Many privacy policies will explicitly say our terms may change at any future time. Please check back later. That's just not good enough for the American consumers.

More recently, even more recently than that, many consumers are simply being told that if the company fails or goes bankrupt or mismanages the resources they have at their disposal, their customers' personal information can be sold, just like the computer sitting on the desk in their office, as if it was their information to sell.

Now, I do have an answer for these people. I don't want to tell them they can't do anything. What I usually tell them to do is talk to lawmakers and legislators like yourselves. I tell them to say to you that they want their privacy protected and to tell them to tell you that you do have it within your power to protect their personal information.

Congress has done this before. You listed off many bills earlier today, this morning, listing all the various sectors that have information that protect the personal information of consumers. These include information contained in credit reports, student records, e- mail messages, telephone toll records, video rental records, cable subscriber records. They have succeeded in protecting American consumer privacy with respect to those sectors.

You can do the same for the internet. You can protect the personal information that is submitted on line, but sort of beyond that, because I realize that several fellow members of your committee have introduced legislation. Congressman Luther spoke about it briefly this morning, and so did Congressman Boucher. Sort of what is the law that we want to see? What is an ideal approach to the situation?

I would like to make a couple points. Chairman Pitofsky shortly before said that he believed that notice and consent were the most important parts of fair information practices. In addition, I think we also need to think seriously about access, a principle that has not been discussed a lot today, but is an important one. Access insures that consumers can see the information that's already been collected on them to make sure that it's accurate and up-to-date.

Moreover, I think, which is a very important point, I think it builds an ongoing relationship. I am providing my information to you, and when I want to see my information you show it back to me. I think that sort of trust and confidence is something that e-commerce will definitely need going into the future, and I hope you include that as a protection that you choose to provide to American consumers.

Thank you.

REP. TAUZIN: Thank you, Mr. Shen.

I think it's important to point out that one of the reasons why we're finding it hard to put our arms around all of the many aspects of the privacy issue is that there's a lot of tension here. Consumers have different expectations about privacy.

On the one hand they want their privacy protected, Mr. Shen, but they also would love the advantages of people advertising to them very specifically and very effectively, as was pointed out; the notion that, you know, I don't necessarily want to see a lot of ads about things I'm not interested in, but I very much would like to see -- you know, get books and pamphlets and ads and e-mail and maybe internet advertising on things that I am interested in.

At our Lansdowne conference, for example, we heard from a banker who installed all sorts of privacy protections, all kinds of separations between each division in his bank about the information that was stored there, the mortgage side from the savings and deposit side. The first thing they experienced was that their customers started leaving them because they didn't like the service any more. They didn't like people telling them we can't help you because we don't have that information about you.

We see Ms. Aftab has pointed out that parental consent of COPPA (ph), if I can say it correctly, is not necessarily functioning as well as people thought because parents don't take the trouble to go ahead and okay their kids on sites that kids probably should be visiting and would be good for them to visit and have interaction with.

In addition, you know, we've got some experience with that. I mean, we had incredible debates, my friend, Mr. Markey, and I, over a thing called a V chip. The percentage of parents that are using it now is still pretty small, I think, and I don't think it's expected to grow because, you know, it's just something that parents, as I predicted, by the way, wouldn't have time to go around, you know, programming the television for the week.

So we come to this issue understanding all of these tensions, and the problems we also experience are how much should we legislate and how much should we count on consumers eventually controlling much of their own private data through technology and through information.

There's several things we've learned today that I think are important. One is that we can have all the privacy notices required in the world, and the bottom line is people are not necessarily going to read them. They do get changed, and they are confusing, and most consumers will not be adequately served if that's the way we solve this problem.

Two is that there are some things that do help a lot. I mean, you've brought some to our attention, some software, some hardware technology and seals. We know seals work pretty good. We heard from Chairman Pitofsky today that only eight percent of the companies surveyed, the websites are using seals. Why is that so low? That would seem to be a real easy thing for consumers to build confidence in websites and in advertisers and in commercial enterprises if they saw and recognized the seal on a site without having to go read all this policy and understand it and opt in or opt out or what have you.

If what we're looking for is a user friendly world on the internet in the area of privacy, would not seals, some simple way of understanding what I'm visiting and what my rights are here without having to learn it all and understand all those terms, wouldn't that seem to be a very positive and sort of appreciated thing on the web, and why is so small a percentage of websites choosing to get an approved seal on their site? Anyone?

MS. AFTAB: Mr. Chairman, if I may, Parry Aftab. What we're finding is consumers don't recognize the viability of certain seals. There is no one Good Housekeeping seal of approval that has emerged --

REP. TAUZIN: There's a bunch of them.

MS. AFTAB: -- that's recognized generally by consumers.

REP. TAUZIN: Yes.

MS. AFTAB: Once consumers can find various seals that mean something to them, then the seals will become a market issue.

REP. TAUZIN: Let me give you an example, for example. Instead of having the problem you cited where parents have to always consent to let their kids visit a site and share information, if there was a kiddy seal that parents knew and recognized to be representative of a site where in fact their kids are not going to be abused and information is not going to be mishandled and what have you, if they knew that wouldn't parents appreciate that instead of having to constantly okay a child's visit to a site?

MS. AFTAB: Absolutely, Mr. Chairman.

REP. TAUZIN: Are we going to ever get there?

MS. AFTAB: We have a seal that's going to be coming out under Wired Kids, which is safety and privacy, a quality site, which is a subjective test, but put together by librarians and teachers and child advocates that say this is a good site. Trust us. We can brand it for you. That will be coming out of the Wired Kids non-profit group.

REP. TAUZIN: And I suppose the same thing could happen with software and hardware; that if at some point the private sector were to build consumer awareness of software and hardware technologies that are available that parents and consumers generally would prefer that than reading extensive notices and constantly checking to see if the terminology has changed or the notice has changed. Is that right?

Mr. Griffiths? Any one of you?

MR. GRIFFITHS: Yes. I would --

REP. TAUZIN: Ms. Cady?

MS. CADY: Go ahead.

MR. GRIFFITHS: Being a technologist, I have some faith that technology will provide part of the answer. I mean, I think there's a reason why people don't read a lot of privacy policies either.

Even if we encourage every website on the planet to have privacy policies, the nature of the web is very fluid, and it's very dynamic. If you're searching you don't stop and read the privacy policy --

REP. TAUZIN: Well, you can't.

MR. GRIFFITHS: -- at the top of the page.

REP. TAUZIN: You don't have time.

MR. GRIFFITHS: Exactly.

REP. TAUZIN: You may not know all the terms.

MR. GRIFFITHS: Exactly. So I believe that technology such as P3P that allowed for automated negotiation of preferences with respect to a site policy are part of the answer.

REP. TAUZIN: They're all part of the answer, but the concern I have -- Ms. Cady, I want you to come back because I know you wanted to answer my question, too.

Part of my problem is when do consumers really understand which of the solutions works for them and have the confidence in them? I don't see that happening yet. I don't see people generally saying you know, there is a good seal out there. There is a good software. There is a good --

MR. GRIFFITHS: Right.

REP. TAUZIN: -- program that I can attach to and feel comfortable with without having to study and read and constantly update my permission, if you will, on a site.

MR. GRIFFITHS: I think the answer today is that the internet is still changing.

REP. TAUZIN: Yes.

MR. GRIFFITHS: It's ever changing. It's ever expanding.

REP. TAUZIN: It's too little too late, as someone pointed out to me.

MR. GRIFFITHS: Well, I think we see approaches from a regulatory perspective, from a self-regulatory perspective, from a technology and an awareness perspective, but then I think it will take some time for this to work through. I really do.

REP. TAUZIN: Ms. Cady, you wanted to come in.

I'll get you next, Mr. Shen.

MS. CADY: I do. I want to say -- first of all, I want to give a personal response --

REP. TAUZIN: Okay.

MS. CADY: -- rather than a corporate response to why I think there is a lack of understanding of seal programs on the part of people who are in business. Not on the consumer end.

REP. TAUZIN: Okay.

MS. CADY: On the consumer end we have the branding problem, and we all know that consumer branding of anything takes time and --

REP. TAUZIN: It takes time.

MS. CADY: -- money and effort. Certainly the seal programs are working toward that.

From the other perspective of businesses, it's hard to know which seal might be relevant, and then it's can I actually participate because there is a cost involved to the website owner, and if they are a very small organization they may deem that joining a seal program is not something they could do at some point.

REP. TAUZIN: But if legislation, for example, provided safe harbor from government regulation if you were sealed properly --

MS. CADY: That certainly would help with the branding problem.

REP. TAUZIN: That certainly would help, wouldn't it?

MS. CADY: Yes.

REP. TAUZIN: That's one of the things we're looking at and one of the things --

MS. CADY: Right.

REP. TAUZIN: -- that might help a great deal.

MS. CADY: On the issue of expanding protections, what Privada is working towards, quite frankly, is to not have to have you worry about a seal if you are a consumer or not have to worry about knowing where the technology is, but what we're trying to do is build in down another layer so that it will be with you all the time.

So our vision is that privacy is provided for you by your financial service provider and/or your internet service provider and/or other service providers that are available to you and which you use, and you use it in conjunction with the tools that you're already using, your current browser, your current e-mail clients, so that you have that protection if you want, and it's available to you easily.

Now, we again have a sales and branding and growth problem so that we can't say to you that today, Mr. Chairman, we can do this for everyone in this room and everyone listening to this hearing, but that's certainly where we're going.

Thank you.

REP. TAUZIN: Mr. Shen, you wanted to add something?

MR. SHEN: Yes. I just want to add on to your other comments, Mr. Chairman.

Obviously I think what we're trying to address here are really the needs of the consumer, and I think consumers, while they have appreciation for the fluidity, the dynamic nature of the internet, really don't want that fluidity and dynamic nature to touch their personal information. They want guarantees. They want standards.

REP. TAUZIN: Yes, but let me tell you something about that. We're having a hard time gauging what consumers really want in this area, and I'll tell you why. We found this out in a lot of our political surveys.

When you ask consumers questions about this, they often tell you what they think they should want rather than what they really want. They often answer these questions by what I'm supposed to want to protect my privacy, as opposed to yes, I would take all these efforts to go, you know, operate all these consents and these opt in and opt out.

What they really want is comfort, ease. They want to be able to use these systems with some confidence, but also with ease, and user friendliness is a huge consumer desire we're finding in our meetings and town hall meetings and discussions and everything else about this.

When you really pin people down they say yes, indeed, I want my privacy protected and protected at all costs, but they'll also tell you when you really get away from any kind of public surveys where they're answering what they think you want them to say is do you know what I really want? I just want this to be easy. I don't want all this trouble. I don't want to have to work too hard to be able to use these systems.

I don't want to have to work too hard to access, for example, credit or to access the store that sells me what I want on the web and to get the information I want. I am willing to take some risk and do that. If you can make it, you know, reasonably secure for me, reasonably, you know, comfortable that I'm not going to get burned on this, if you make it easy I'm pretty happy.

That's what we're hearing. I mean, it's a real tension and so it's hard to understand what the consumers really want in the way of legislation and/or, you know, even regulation in this area.

I hear you and I know what you're saying because whenever we do surveys obviously, number one, everybody wants protection at all costs. Then when you really get down to it they say yes, I really want my kids to go and visit those good websites.

Yes, I really want the advertisers to know enough about me to target ads for my tastes and my wants and my desires. Yes, I don't want to have to read big notices. I don't really want to have to decide which seal is a good seal and which program is a good program. I mean, we get real conflicting signals about this stuff. As much as we think we understand it, we constantly realize we don't.

The other thing I want to get into with you is the question of bankruptcies, mergers, acquisitions, change of leadership. Here we are collecting data. I may indeed agree that your company, your website, can collect all my data because I trust you with it. I trust you're going to manage it well.

Next week you die. Somebody else takes over the company. The next week the company merges with another company. You mentioned merging the personally identifiable data with non-personally identifiable data problems, but you've got a range of issues here, not just bankruptcy, but issues where we changed the management of the company.

The stockholders may change. They may merge. They may sell the company, all sorts of different ways in which different people come into control of the information I trusted with a certain group of people or a company that I trusted only to find out that company is a new company tomorrow because it merged or it was acquired or because it went bankrupt and is selling all its assets, including my information.

There are all sorts of different scenarios you can paint where information I thought was secure with this group of people in this company brand name that I trusted is all of a sudden now potentially under somebody else's control. How do we deal with that? Anybody?

MS. AFTAB: Mr. Chairman, I'll put my bankruptcy practitioner hat on because before I started doing internet law I started doing Chapter 11 bankruptcy.

There's a problem here in that there's a tension between the bankruptcy laws, which try to maximize the value of any asset --

REP. TAUZIN: Of any asset.

MS. AFTAB: -- of a company and the ability of a trustee or the debtor in possession and the Bankruptcy Court to permit any contract to be modified so that you can say it will never happen, but under the bankruptcy law --

REP. TAUZIN: It can happen.

MS. AFTAB: -- and under policy you can move all those things around. You can make a mortgage longer.

REP. TAUZIN: Yes, Ms. Aftab, but let's think about -- I mean, we talk about .com companies now.

MS. AFTAB: Right.

REP. TAUZIN: A .com company's physical assets are very often much less valuable than the information assets, the intangible assets. In fact, there's a huge debate over how to properly assess the value of a company. How do you measure intangible assets? As you know, FASB has got a big debate on its hands. We've engaged them on that very question.

But the point is in that .com companies the information base is the asset, and if we say as a matter of law that because you've collected that on a confidential basis with your consumer base that you can't ever transfer your company with that asset. You're basically devaluing that company significantly in commerce, are you not?

MS. AFTAB: You absolutely are, Mr. Chairman. I think that's part of the tension. Part of what can be done is people can actually reach out to the members of that list through e-mail and say we're moving this, or this list is up. Not an answer, certainly not an answer, but something that at least will raise additional questions.

REP. TAUZIN: But it's something we may have to address, right?

MS. AFTAB: Absolutely.

REP. TAUZIN: It gets down to whether or not in this case the rights of the consumer is a matter of contract or we make it a matter of law.

If we take it from whatever the contract provided, whatever agreement I have with the company, and we start making law on it, it could dramatically affect the value of .com companies, the way in which .com companies are financed and the way the stock performs and everything about them. It could dramatically affect the whole .com economy.

MR. CHIANG: Mr. Chairman? Larry Chiang here.

REP. TAUZIN: Go ahead, Mr. Chiang.

MR. CHIANG: With regulating this facet of let's say the sale of information of the company, I mean, can't we look towards previous legislation where when two banks merge one person's ATM fee is $1.20 and another person's ATM fee is $1.25, where you have maybe not just one e-mail notification, but maybe a statement update or a card member services agreement update where you maybe don't just send one e-mail? It may be a series of three e-mails.

REP. TAUZIN: But let's say I have a privacy policy at my bank that I will not sell of transfer your private financial information to anyone else.

MR. CHIANG: But in --

REP. TAUZIN: But now I go bankrupt, and my bank is being sold, and somebody else acquires it.

MR. CHIANG: Right.

REP. TAUZIN: Is the asset, my financial information, an asset of that company that can be transferred even though I have a contractual relationship with the bank that it not be shared with anyone else?

MR. CHIANG: Right.

REP. TAUZIN: Do you get my drift?

MR. CHIANG: Right.

REP. TAUZIN: These are weird questions.

MR. CHIANG: Right. Previously I think that that's why if the FTC were given the regulatory authority to, and I'm not, you know, financially supported from them in that MoneyForMail is a, you know, for profit corporation, but in that instance where then the FTC can say well, in the specific example the case study where I think a company called ToySmart went out of business --

REP. TAUZIN: That's the one we're talking about.

MR. CHIANG -- and attempted to sell their public data.

REP. TAUZIN: See, that case was built because obviously it went out of business, but the point I make is that I can envision 12 different scenarios where the ownership control of that information changes hands, not just through bankruptcy.

We could have a major shake up of the corporation. All the board of directors get fired. A new management team is brought in. Effectively that's a new company now in control of my information. Did I want that team to have my private information, maybe people I don't trust?

Maybe, you know, a foreign entity moves in, and I may have some problem with that. You know, we've got an entity seeking to buy a company in America that's government owned right now. We're having a big discussion about that. Suppose that entity has private information. Now a foreign government is going to have information about me that I maybe didn't want a foreign government to know.

You get my drift. There are many scenarios affecting the collection and the use of private information by companies in this changing marketplace that we need to think about, and we're going to need some help in figuring all that out from you.

Give us your thoughts, Mr. Chiang.

MR. CHIANG: I think previously with the property question issue that was I think two panels ago where who owns the data?

REP. TAUZIN: Who owns it?

MR. CHIANG: Is it shared data between the corporation and also the personal --

REP. TAUZIN: But let's get away from the internet. How did it work in the brick and mortar world?

MR. CHIANG: Well, I think what's going to happen is that the internet is causing a catalyst where in America it's very inexpensive to send out a piece of direct mail. I mean, if anybody goes home today and looks at how many credit card inserts you're going to have, it's probably between ten to 15. It's not price constrained. It's just logistics constrained. Not even logistics constrained, but just as a --

Well, getting back to the point where I think what's going to happen with the internet is it's going to cause people to say hey, don't I also then control other pieces of data that is compiled and collected on me? Not just internet data; whether, you know, I like to purchase these specific toys that are racing oriented toys.

Then what about credit data pieces? Don't I also control my own credit data where, I mean, everyone is talking about notice and choice and access? I mean, today I don't have access to my own credit report, and I work in the credit industry. I do not have access unless I pay $8, and that's going to catalyze some of the questions I think that are going to happen in the industry, which is who does control it? Is it shared control of the information? Is it the ToySmart --

REP. TAUZIN: Yes. We've never settled all that, have we, about who owns the information about me. Doesn't it have a lot to do with how you obtained it? I mean, you can observe me in this room and gather a lot of information about me and so you're obtaining it in a public sense.

How it's obtained may have something to do with whether or not we protect it and the persona we allow it to be in the public domain or publicly used or publicly traded. I don't know. It's some interesting thoughts that we're going to have to have and some interesting discussion.

Mr. Shen, you look very thoughtful. Give me some help.

MR. SHEN: Right. I mean, you obviously bring up a lot of very interesting issues, Chairman Tauzin, which is basically why I like working on this issue as well.

REP. TAUZIN: Yes.

MR. SHEN: We are confronting new sort of conflicts, things that we have, tensions through bankruptcy of a need to try to satisfy creditors and also the need to protect consumer privacy.

I think sort of adding on to what people have already said, there is no reason, I think, why most internet companies cannot contact their customers if they are going to be bought or merged or acquired in some fashion. The internet is interactive. It is supposed to facilitate that sort of contact and communication.

I think with all due respect here, your very I think important earlier point. What happens in the off line world? It's something that we do have to go back and address. I think in the off line world there's obviously not a great deal of protection of personal information in a bankruptcy proceeding. Is there a reason to go back and see if we want to reopen that issue? I definitely think so.

REP. TAUZIN: The reason I raised it, Mr. Shen, is if we get away from the internet, take ourselves back in time a bit, if I'm a little country store in Tibodaux, Louisiana, where I was born and raised, and I have a customer base that I've been selling to and I decide to sell out. I sell that information. We sold that information to the next guy that bought the store, and nobody complained.

What's different about the internet that makes us want to complain? What was it, toys.com?

MR. SHEN: Right.

MS. : ToySmart.

REP. TAUZIN: Whatever it was. Why was that such a scary thing when that happened in the brick and mortar world with such frequency?

MR. SHEN: Well, I think one possible answer, and this may not be a complete answer, is that the information collection on the internet is much deeper than it ever has been before.

Perhaps if you had orders from a small business in Louisiana, it would be information about a person's name, maybe their mailing address in case you wanted to send a receipt to them. On the internet you create profiles, like the gentleman does right next to me. You create information or records about what they've been doing on line across thousands and hundreds of websites. I think that's at least one reason.

REP. TAUZIN: Is part of the fact that, you know, we all know that little store owner in town, and we probably know the person who's buying the store, but we don't know all these people on the web?

MR. GRIFFITHS: Right, and it's important what the original premise was of the collection and that original relationship.

I think if the party down the line meets and supports the original premises of collection -- it will be used for this purpose and collected in this way -- then it's seamless.

REP. TAUZIN: Yes.

MR. GRIFFITHS: If they dramatically change the premise under which they were contacting them then it's very scary.

MS. AFTAB: Mr. Chairman, I think also in the ToySmart case there were children involved.

REP. TAUZIN: Yes.

MS. AFTAB: I think there's this fear the parents have and knowledge that they have their eight-year-olds know more than they do about what's going on with the computer and the internet.

REP. TAUZIN: And they do.

MS. AFTAB: And they absolutely do. I mean, if you have to have something fixed, you call the eight-year-old.

In this case, children were sharing information at the site, and the concern was about the parents not even knowing what the kids may have shared and that now being sold to third parties is what had frightened people as much as anything.

REP. TAUZIN: We used to be afraid. I mean, when we were growing up parents used to be afraid of what we'd tell our teachers about our parents.

MS. AFTAB: That's it, and the most we had was, you know, the birthday club at Howard Johnsons.

REP. TAUZIN: Now we can tell people we totally don't know about anything. It's a totally different world.

Thank you very much. We could keep this going a long time, I think, and we probably will before we come to some conclusions, but I will invite you to do several things. Number one, the record stays open for 30 days. If something we've said here or something you've heard here provokes some good thought and some good comment from you, please submit some more information to us.

As I said, this is an extraordinary learning process. Mr. Shen, you're right. It's one reason I love this work, too, is because it's extraordinarily fascinating. I don't know where it all comes out yet.

I do know that we've got enormous tensions here, and you've heard from a lot of members how we need to proceed very judiciously here and carefully here because obviously we can make some rules that don't work. We can do like that bank. We can impose some conditions on people that we think people want, only to find out not only they don't want it, but it didn't work very well for us.

Finally, we obviously need some real world thought and experience from those of you working with consumers in trying to find solutions that work for them.

The record will stay open. We may have some questions. We may want to submit one or two to you.

I apologize for the lack of members here. That's the reason why I've always hated second and third panels because the members all leave, and I'm the only one left with you, but it's been a good experience for me. I've learned a lot, and we will try to make sure other members pick up your material and read it and learn from it as well.

Thank you very much.

MS. AFTAB: Thank you so much.

REP. TAUZIN: If you've got something timely you want to tell me, there's a good chance.

MS. AFTAB: I would just like on behalf of the entire panel to offer all of our continuing expertise to anyone who is willing to listen here on the committee.

REP. TAUZIN: Thanks so much. The hearing stands adjourned.

END

LOAD-DATE: October 14, 2000

Document 1 of 261.


Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase: