Copyright 2000 eMediaMillWorks, Inc. 
(f/k/a Federal Document Clearing House, Inc.)  
FDCH Political Transcripts


May 25, 2000, Thursday

TYPE: COMMITTEE HEARING

LENGTH: 25974 words

COMMITTEE: SENATE COMMERCE COMMITTEE

HEADLINE: U.S. SENATOR JOHN MCCAIN (R-AZ) HOLDS HEARING ON INTERNET PRIVACY

LOCATION: WASHINGTON, D.C.

BODY:
U.S. SENATE COMMITTEE ON COMMERCE, SCIENCE AND TRANSPORTATION

HOLDS HEARING ON INTERNET PRIVACY


MAY 25, 2000


SPEAKERS: U.S. SENATOR JOHN MCCAIN (R-AZ), CHAIRMAN

U.S. SENATOR TED STEVENS (R-AK)

U.S. SENATOR CONRAD BURNS (R-MT)

U.S. SENATOR SLADE GORTON (R-WA)

U.S. SENATOR TRENT LOTT (R-MS)

U.S. SENATOR KAY BAILEY HUTCHISON (R-TX)

U.S. SENATOR OLYMPIA J. SNOWE (R-ME)

U.S. SENATOR JOHN ASHCROFT (R-MO)

U.S. SENATOR WILLIAM FRIST (R-TN)

U.S. SENATOR SPENCER ABRAHAM (R-MI)

U.S. SENATOR SAM BROWNBACK (R-KS)


U.S. SENATOR ERNEST F. HOLLINGS (D-SC), RANKING

U.S. SENATOR DANIEL K. INOUYE (D-HI)

U.S. SENATOR JOHN D. ROCKEFELLER IV (D-WV)

U.S. SENATOR JOHN F. KERRY (D-MA)

U.S. SENATOR JOHN B. BREAUX (D-LA)

U.S. SENATOR RICHARD H. BRYAN (D-NV)

U.S. SENATOR BYRON L. DORGAN (D-ND)

U.S. SENATOR RON WYDEN (D-OR)

U.S. SENATOR MAX CLELAND (D-GA)



ROBERT PITOFSKY, CHAIRMAN

FEDERAL TRADE COMMISSION


SHEILA ANTHONY, COMMISSIONER

FEDERAL TRADE COMMISSION


MOZELLE THOMPSON, COMMISSIONER

FEDERAL TRADE COMMISSION


ORSON SWINDLE, COMMISSIONER

FEDERAL TRADE COMMISSION


THOMAS LEARY, COMMISSIONER

FEDERAL TRADE COMMISSION


JILL LESSER, VICE PRESIDENT OF DOMESTIC POLICY

AMERICA ONLINE


CHRISTINE VARNEY, SENIOR PARTNER

HOGAN AND HARTSON


JASON CATLETT, PRESIDENT

JUNKBUSTERS CORP.


JERRY BERMAN, EXECUTIVE DIRECTOR

CENTER FOR DEMOCRACY AND TECHNOLOGY


DANIEL WEITZNER, TECHNOLOGY AND SOCIETY DOMAIN LEADER

WORLD WIDE WEB CONSORTIUM


*

MCCAIN: This morning the committee will examine the recently released FTC report on online privacy.


I welcome the members of the commission and all of the witnesses we will hear from today to the committee. I also want to take this opportunity to thank all of you for your hard work and dedication you have brought to this difficult issue.


Every accolade that can be ascribed to the Internet has been stated many times over. Needless to say, it continues to transform our lives and our economy, while chief among those concerns is the ability of the Internet to further erode individual privacy. Since the beginning of commerce, business has sought to learn more about consumers. The ability of the Internet to aid business in the collection, storage, and transfer of information about consumers' habits is unprecedented. While this technology can allow business to better target goods and services, it has also increased consumers' fears about the collection and use of personally identifiable information. The commission documented many of these concerns in its report.


Last year, when the committee reviewed the FTC's 1999 report on privacy, I made clear that my primary concern was to ensure that privacy policies were clear and understandable, that consumers could use them to guide their decisions and that companies actually followed the policies they posted. Improving the depth of privacy policies is the primary factor motivating this committee's interests in this matter.


This year's report demonstrates that the business community has had great success in providing consumers with some form of notice of their information practices. However, the report makes it equally clear that there is much work to be done to improve the depth of information practices on the Internet. Consumers should not be forced to forgo what has been described by Justices Brandeis and Warren as the "sacred precincts of private and domestic life" to enjoy the benefits of this new medium.


It is clear that businesses should inform consumers in a clear and conspicuous manner how they treat personal information and give consumers meaningful choices as to how that information is used. While we may disagree on the manner in which we meet this goal, we all agree that it must be done. I am hopeful that today's hearing will begin the process of developing consensus about the best way to accomplish this goal and enable consumers to protect their privacy online.


I look forward to working with all of you to address this vital issue.


Welcome, Senator Hollings.


HOLLINGS: Mr. Chairman, let me thank you for this hearing.


We've toyed with the problem long enough. It worsens every day. Industry agrees that there should be privacy protection. They've all enunciated privacy policies, but that has added more to the confusion rather than assisted the problem, because it's written either in legalese or can't be found or not understood or otherwise. And we've had the Federal Trade Commission, this distinguished group, work on it for at least five years.


As a result of their fine work, incidentally, we passed a bill on children's privacy, and that's working. And I emphasize that, because the intellectual community now is up running around saying that this technology is advancing so fast that you can't keep up with it. It's silly to try to even draw up a statute about it, because it would be obsolete by the time it's passed. That isn't what they said when they came to us for protection of intellectual property -- the movies, the books, the Hollywood crowd, and everything else -- and we passed their protection. And we've got to do it for the individual.

Mind you me, this is not technology or the advancement that was invented either by the vice president or by the advertisers. It was started by Senator Stevens (ph) in the Defense Subcommittee back in the late '60s, and it's been free, it will stay free, and unless you are commercializing privacy, you don't have any worry about any statute on privacy. This is for those who have taken private -- individual private information and commercialized it, and they have agreed that there should be some protection for it. And the question is how to give notice and consent with respect to access to what they do have, the enforcement of the security, and otherwise.


So, what we need to do is look at it. Several senators have. I commend my colleague, Senator Wyden and Senator Burns. They've sort of led the way. I've consulted over the last three months now with various senators and the FTC and other entities interested in it and with industry and with the consumer groups, and we have a bill on course now with 10 cosponsors. And I think we've got a pretty good target for a good approach that's very necessary at this particular time.


But don't let's come here and say that it's going to ruin the Internet and no longer is it going to be free or anything else of that. I've heard statements recently to that effect. That's outrageous nonsense. There's nothing wrong with the Internet. You and I can't stop it; in fact, the president only yesterday said it's going to bring democracy to China. So, it's a wonderful thing, and I'll include my full statement in the record.


MCCAIN: Thank you very much, Senator Hollings.


Senator Stevens.


STEVENS: Well, that one was long enough, Senator. You've got me becoming the grandfather. I don't want to get in a fight with Al Gore, you know.


HOLLINGS: Well, we started it in Defense.


STEVENS: You're right about that.


Mr. Chairman, I thank you for holding this hearing. I hope we have a series of hearings. I think this is one of the most complex issues we'll face in regard to the Internet, and it was a privilege to have a discussion with the chairman here this past week. I look forward to working on it with all of you.


But I do have a firm feeling that this is not an issue to be hasty about. So, I'm glad you're holding the hearing, and I hope we can pursue and understand what we're doing before we bring out a bill from this committee.


Thank you. By the way, I'm pleased to see all the members of the commission here and to see that there was a unanimous position taken by the commission.


MCCAIN: Thank you, sir, and I think we may require more hearings on this issue. As you say, it's very complex, and it's changing rather dramatically, as we find out with the reports that we receive every year from the FTC.


Senator Wyden.


WYDEN: Thank you, Mr. Chairman, and I, too, appreciate your scheduling the hearing, and at the outset I want to thank Senator Hollings for his kind comments. I think Senator Hollings' bill is very credible and a very significant product. I want to assure the senator I'm looking forward to working closely with him.


Mr. Chairman and colleagues, Senator Burns and I introduced more than a year ago an online privacy bill, and at this point, when you've been following the issue, it probably is a little hard to figure out how it can be that the last time the Federal Trade Commission surveyed prospects for self-regulation things seemed very rosy. And now it appears that prospects are pretty dire. My sense is that we're going to find that reality is probably somewhere in between.


The fact is that until this week's survey, the commission showed extraordinary patience and support for industry's self-policing. And my read of the Federal Trade Commission's report is that there's still support for self-regulation, but I think it's appropriate that they are showing a little less patience.


In my opinion, the privacy situation was never as rosy as the headlines that last year's survey had you believe. The reality then was that some of the surveyed privacy policies were just as flimsy as they are today. Further, there was virtually no enforcement, little accountability, and many less visited web sites were ignoring privacy altogether.


And the truth today, I suspect, is that things aren't nearly as dire as some would have us believe. While the same problems exist today that were in place at the time of the previous survey, there are important steps indicating progress. The seal programs I think are getting better at what they do, and it does seem that more web sites are taking privacy more seriously.


But for more than a year, I and others and Senator Burns and I, as I stated earlier, have worked on this on a bipartisan basis have said that the costs are just too high to wait and see if self-regulation alone can tackle the bulk of the online privacy problem. None of us, none of us want to see an Exxon Valdez of privacy that undermines the extraordinary growth of e-commerce.



WYDEN: So, the worst thing that we could do now is set back the progress of self-regulatory efforts, but what I think makes the best sense is to build on those kinds of approaches. That's what Senator Burns and Senator Kohl and I have sought to do, to reward and build on the self-regulatory efforts, while creating a baseline set of requirements to ensure that there are important consumer protection standards that would apply to those who are unwilling to take consumer privacy seriously.


Mr. Chairman, I would ask that the rest of my statement be part of the record. I look forward to hearing from Chairman Pitofsky and again commend Senator Hollings and Senator Rockefeller for what I think is a very important bill that they've introduced as well, and I yield back.


MCCAIN: Senator Burns.


BURNS: Thank you, Mr. Chairman, and thank you for holding this hearing today, as this continues to be a great center of interest when we start talking about the Internet and related items around it.


I think we're charged with issues like this today. If the Internet and electronic commerce and e-commerce continues to grow, we have to do something about safety and security and privacy and this type of thing for it to reach its real potential.


We've been amazed at the continuing spectacular growth of the Internet, which has become a staple in modern life, it seems. The tremendous reach, the Internet does pose challenges as well as opportunities. Unfortunately, digital technologies can be used by bad actors to collect nearly limitless information on individuals without their knowledge.


I'm convinced that legislation is necessary to provide consumers with a safety net of privacy in the online world. As I stated in a hearing of privacy held on the Communications Subcommittee last summer, I'm very disappointed in -- that I was very disappointed in the Federal Trade Commission's report on online privacy last year. The July 1999 report acknowledged that fewer than 10 percent of the web sites met the basic privacy protections, yet called for no federal legislation to address this critical situation. However, at that time I was encouraged by the chairman's pledge that if the industry failed to produce strong progress, the commission would call for action in this area.


The chairman and the commission have been true to their word in the report issued to Congress just this last Monday, which called for legislation. And I want to take a moment to specifically commend the work and the insight of Commissioner Anthony on the privacy matters. In retrospect, her dissenting opinion in last year's report has proved to be absolutely correct.


Last year, she stated that the legislation was necessary to ensure a minimum consumer privacy protection in the digital area. In her statement she expressed concern that the absence of effective privacy protection would undermine consumer confidence and hinder the advancement of electronic commerce. That is exactly what has happened in this past year.


While e-commerce has continued to grow, several studies point out that the primary reason that's preventing more people from making purchases online and doing more business online is the lack of privacy. While the Internet has continued to exhibit massive growth, less than one percent of all consumer retail spending is done online. In short, Internet e-commerce still has a huge upside potential, but the potential will never be fulfilled without basic assurances of consumer privacy.


I'm going to submit the rest of my statement, but I want to thank Senator Wyden and his hard work on our legislation, and it continues to be massaged and to be made better. And I also welcome the introduction of Senator Hollings' piece of legislation. I look forward in working with Senator Hollings, because we can find and take care of this problem, because it has to be done in a bipartisan way, and it's not a partisan situation where we start talking about one of these building blocks of the future, e-commerce, of this country. So, we welcome all of these ideas, and I'm sure that we'll come up with a bill that we can all support. So, I appreciate that very much.


And I would ask unanimous consent that the rest of my statement be put in the record.


MCCAIN: Without objection.


Senator Bryan.


BRYAN: Thank you very much.


First, I'd like to preface my comments by thanking Chairman McCain for calling today's hearing on this important issue of Internet privacy. And, secondly, I would like to commend the FTC for all the work that it has done over the past five years in the area of online privacy.


Each of the FTC's three reports to Congress, detailing online privacy practices and the numerous workshops and hearings they've held on this issue, have contributed greatly to the ongoing dialogue about the best way to protect the privacy of consumers on the Internet.


The protection of privacy is a core value of our democratic society. Although not mentioned explicitly in the Constitution, the Supreme Court has recognized that a fundamental right to privacy is embodied in both the 4th and the 14th Amendments to the Constitution. The right to privacy recognized by the court is a reflection of our citizens' long held expectation that they should be able to engage in a range of day-to-day activities with a significant degree of autonomy and confidentiality.


The Internet presents new challenges as well as new opportunities for the protection of privacy. The sheer volume of personal information that's exchanged on a daily basis between individuals and businesses on the Internet, coupled with the ability of other entities to track the flow of this information with relative ease, poses serious privacy concerns for many customers.


A recent survey showed that 92 percent of consumers are concerned about the misuse of their personal information online. Conversely, the architecture of the Internet provides for an opportunity for technology to enhance online privacy. Many innovative companies are focusing more and more resources on the development of privacy-enhancing tools that will enable consumers to have more control over the use of their personal information.


I agree with the recommendation of the majority of the commission that the time has come for the Congress to establish a baseline standard for the protection of consumer privacy on the Internet.


Earlier this week, I was pleased to join the distinguished ranking member of this committee, Senator Hollings, in introducing consumer privacy legislation that largely tracks the recommendations of the majority FTC report. This legislation builds upon the framework of legislation that was established in legislation that I offered on the children's online privacy protection, which just took effect last month. It embodies the four widely accepted fair information practices -- notice, choice, access, and security -- for the collection of personally identifiable information about consumers online.


The commission's report does indicate that the industry has made progress with self-regulatory initiatives, but in spite of this progress, however, I remain concerned about the effectiveness of online privacy seal programs, especially in the area of enforcement, and I agree with the commission that legislation is necessary to complement the industry's self-regulatory efforts in order to enhance adequate protection of consumer privacy.


I fully understand the industry's concerns with the regulatory approach to protecting privacy on the Internet, but I am hopeful, however, that they will come to view this effort as an opportunity to enhance consumer confidence in e-commerce, much like what occurred in the off-line world with the credit card industry in the 1970s.


And I look forward to working with the industry, much as I did during the committee's consideration of the Children's Online Privacy Protection Act, to enact a responsible piece of legislation that adequately protects consumer privacy online in a manner that does not unduly burden the growing importance of e-commerce in the marketplace.


MCCAIN: Senator Ashcroft.


ASHCROFT: Thank you very much, Mr. Chairman. Thank you for holding today's hearing.


I don't see this hearing as merely discussing a report from a federal agency to Congress. I think this hearing will help us determine whether the federal government should develop a significant and sweeping regulatory scheme. And we're here to understand whether the growth of a flourishing high tech industry would be hindered by such an involvement.


We must discuss this issue in terms of whether or not the American people will be well served by significant government involvement in this dynamic industry. We should ask ourselves whether it will continue to grow or will it continue to provide jobs and new opportunity and education and research. We should ask whether the involvement of government bureaucrats will dramatically diminish the new efficiencies gained by conducting business on the Internet.


All of us are concerned about consumer privacy. I'm concerned that consumers who want privacy should have privacy. In fact, Congress recently has recognized through statutes, which apply to every segment of the economy, that sensitive consumer information, such as financial and medical records, should be treated with extra care. I would point out that those regulations apply to everyone, not just companies who conduct business in the traditional brick and mortar sense.


But the privacy laws which we now have in place already apply to companies doing business on the Internet. However, through the fear mongering from Washington in some situations, consumers have been led to believe that there are no protections in place on the Internet, and that's simply not true. Not only do our new privacy laws apply to Internet transactions, so do our consumer protection laws. In fact, we have heard glowing testimony before this committee about the work of the FTC -- about the work that the FTC has done to fight consumer fraud on the Internet. The Internet has even been credited with giving the FTC new and powerful tools to fight such fraud.


A few months ago, the FTC commissioner sat before this committee to discuss this very issue, and at that time I was concerned that the latest Internet sweep was predestined to reach the conclusion contained in the commission's report, and that is that there need to be special regulations that apply to the Internet that don't apply to other collections of data, don't apply to other businesses, don't apply to the other utilizations of data in our culture.


For example, when people promote, through the distribution of coupons, refund opportunities for individuals who buy products, people mail in those refund opportunities. There aren't special laws that relate to what they can do with that information or how it can be used. It's not on the Internet, but it is the collection of consumer data, and it's distributed widely. Many people like the opportunity to participate in refund schemes and are willing to trade the value of the refund for the utilization of that information, which is consumer data, by businesses. It's a big part of the way we do business in this country.


In our household, my wife scarcely lets a refund offer go by without collecting the labels necessary to cash in. As a matter of fact, she keeps a file of labels so that when the offer comes out, she doesn't have to go buy additional products; she already has the labels ready to mail them in.


Now, I would just point out that I think we've got to be careful that we don't impose on the Internet unnecessary regulation that is differential, specially designed, would curtail and confine the Internet from operating in ways that we don't ask for responsibility or we don't ask for regulation on the rest of commerce. Further, I think we ought to make sure that when we're talking about choice we allow people the choice of saying that they want to receive data based on the kinds of practices they have, and they are interested, for instance, in getting offers from companies and the like based on the kinds of interest they've expressed in purchasing patterns, whether it be through refund coupons or other devices.


Although regulating the Internet was the recommendation following the sweep by the commission, I'm a little confused about how the numbers really move us toward that result. Two years ago, a sweep showed that 14 percent of web sites had privacy policies; today, 90 percent posted policies. That really says that in an industry that showed a 543 percent improvement in two years, that it was deemed to be failing in self-regulation.


So, in the interest of time and because the witnesses will address this issue, I won't mention all of the significant work done by industry to improve privacy and security on the net. I just want to say that I hope that we don't single out the Internet for a kind of regulation which would stifle it, which would limit the kinds of choices consumers have, and make the Internet a place where it would be difficult to grow business in the same way that it might be available for growth in other settings.


And with that note, I want to indicate again how I respect privacy and want to be able to protect privacy, but I don't have a clear picture of how I want to inhibit information on the Internet that's not inhibited in other sectors of our economy.


Thank you.


MCCAIN: Senator Kerry?


KERRY: Mr. Chairman, thank you very much. I'm delighted that Senator McCain has called this hearing.


I think there's going to be a unanimity among most of us on the committee, as there is probably among most Americans, that they want their privacy protected.



KERRY: And I applaud the FTC and the analysis that they've put into this, and I particularly respect the effort of Senator Hollings and colleagues on the committee who've drafted some legislation and who have moved in a direction.


But I differ a little bit with some of them, with respect to the degree to which, at this stage, at a five- or six-year point in terms of the development of the net, that Congress has the ability to move adroitly enough, fast enough, with sufficient analysis and information to be able to properly regulate something that is developing, even as we sit here, so rapidly, with so many technological advances that have the ability to answer some of our questions without our constricting the creativity and the efforts that are going into this.


It seems to me that there are certain principles we could adopt. For instance, anonymity. What I hear from people in the industry is that the technology is moving fast enough that there are ways that the offerings of the marketplace are going to make it very clear to people that they can choose one service or another that protects their privacy and that protects their options without our setting up a rigid, strict structure, at least at this point. And I think the FTC sort of adopted this up until this sudden point, and one of the questions today, obviously, is why there is the moment of departure. Maybe they don't think things will move fast enough, obviously. But, initially, self-regulation was certainly their guiding theory, and this is the first moment of departure from that.


Secondly, as I look at Senator Hollings' bill and other approaches, the opt-in requirement, on the whole, while obviously I favor opt-in as a principle, and I think most Americans are going to want that kind of choice and demand it in the marketplace. But in point of fact, to mandate that actually sets a standard that in some cases, in terms of marketplace behavior, is neither necessary nor technologically sound. There are certain instances where certain kinds of marketing can take place, that does no harm to people that may choose to participate in it. You don't require that kind of burden.


Moreover, and here I think the committee is very much behind the curve, the country is behind the curve in analyzing the degree to which we're drawing distinctions for the online world that we don't draw in the off-line world. If I walk into -- when you go to a local store here, let's say you go to Georgetown and you visit some store, and you buy a bunch of goods, and you swish your card through the thing when you leave, that entity could determine everything you bought. They can market accordingly. I mean I must get 40 or 50 magazines every three weeks that are targeted based on my off-line behavior, and yet we're about to require online restrictions that have no relationship to what's happening in the off-line world. And I don't think we've thought that through, frankly, adequately.


So, I think there's a lot more analysis that needs to be done, and I'm going to introduce legislation that I think will kind of balance these interests, where we can establish what we think are the goals and principles by which this ought to be in its earlier stages developed. There ought to be maximum amount of opt-in; there ought to be anonymity. I mean clearly in the marketing you don't have to know that it's John Smith at Myrtle Street. You have to know that X number of goods are being bought in certain area by certain demographics, but there are ways to protect the privacy without our becoming, I think, extraordinarily sort of mandating at the federal level.


And I might add to that that it seems to me there are very significant realities of the marketplace that Americans are going to opt for those entities that most protect them, if that's what indeed they want. And if they don't want it, they can also have the opportunity to make that kind of conscious choice. There's clearly a difference between what happens in opt-in and opt-out; we all know it. We thought that -- I'll wrap it up very quickly -- we thought that out on the Banking Committee last year and in the Financial Modernization Act. And it seems to me that also we haven't really balanced some of those kinds of equities and how the market works.


So, in my judgment, Mr. Chairman, I think we have to be very, very careful in this committee and in the Congress not to move fast. I think there are ways to protect Americans, to protect our interests, to protect our prerogatives to come back, to protect the capacity of the FTC to in fact regulate and enforce. And if we were to set adequate standards and goals, the FTC would in fact be leveraged in its capacity to enforce, particularly if each company adopts its own privacy regime, they would then be significantly leveraged in their ability -- the FTC would be leveraged in its ability to enforce based on any violations of self-adopted.


So, I hope we're going to measure this carefully and not move overly rapidly, and I hope the committee can find a consensus on this with some careful deliberation.


Thank you, Mr. Chairman.


MCCAIN: Mr. Gorton.


GORTON: I'll pass, thank you.


MCCAIN: Senator Rockefeller?


ROCKEFELLER: Thank you, Mr. Chairman.


I don't think the problem is are we going to move slowly or are we going to move quickly. This committee has a history of not reacting at all on issues. That we say that we don't understand and therefore we've got to give ourselves ample time, well, there's no such thing as ample time in the world of the net. And there is no such thing as ample time if I have diabetes, for example, and that's my own private information, and that gets out, and it's sold to a third party, and there aren't controls, and I can't get a job. That example is used often. But this is a different world. I mean to compare, as the senator from Missouri did, this medium that we're talking about to sort of other things and what transactions he and his wife might make at home is behind the curve. This is a new world.


He mentions that 90 percent -- there's been a 548 percent increase in online disclosure and privacy policies and all that, but of course that's exactly what the FTC looked at, and it's the quality of what they say -- can you find them? Can you read them? Is the print big enough? Is it written in words only those who are lawyers can understand? The American consumer is not always the most sophisticated, and the American consumer when on the net is always -- or on a web site is almost always in a hurry and doesn't take the time. It's simply understanding human nature in a medium which is changing and then rechanging every six to eight months.


So, this isn't a question of should we wait and make sure that we do absolutely the most perfect thing. There are hundreds of thousands or millions of people whose lives are going to be intervened with in ways that are dramatic and dangerous, if this committee doesn't pass a bill which supports what the FTC basically says, and that is that the work isn't being done sufficiently.


I would remind the senator from Massachusetts and Missouri that we heard all these same arguments back in the 1970s when the credit card started up. The credit card industry was all over everybody saying that you can't regulate us. And it was only in fact when we did put regulations on the credit card industry that the 90 percent of American consumers, who at that time perhaps were not using credit cards or who were not at this point on web sites or using the Internet the way they might, gained confidence in precisely the industry that had just gone through some form of regulation. It was the regulation and thus the privacy and the access and the security that in fact helped the industry to attract users.


So, it's a cliche to say, but it is through regulation, judicious, cautious, not exuberant, no irrational exuberance here, but regulation which will help protect Americans and which will also help the industry grow. We will make a mistake here if we apply traditional values to our legislative course.


MCCAIN: Thank you.


Senator Cleland, do you have an opening statement?


CLELAND: Yes, sir; I do. Thank you very much, Mr. Chairman.
More and more, as a member of this committee, I feel like I'm in a cul-de-sac on the information highway, and I'm still struggling with trying to find out what it's all about.


I was thinking this morning of how to equate what we're facing now with what I understood. I come from a small town, and it wasn't that many years ago in my little town there were only four numbers involved with a telephone, and it was a totally public line. It was a party line, it used to be called, and basically everybody else knew each other's business, so much so that my state director, who's only five years older than I am, remembers when he would go home from school in the afternoon, pick up the phone, call the switchboard operator and say, "Where is my mother?" And she'd say, "Over at Gracie's." I wonder if here in the early days of the Internet that everybody that is online is actually on a party line and doesn't know it.


The information superhighway began just a few short years ago as a footpath and now is an unlimited expressway. People can now use the Internet to shop at virtual stores located thousands of miles away, find turn-by-turn directions to faraway destinations and journeys to cities and states across the country. While the virtual world is available to us with just a few keystrokes and mouse clicks, there's one area of the Internet that many are finding troublesome. It is the collection and use of personal data.


All too often web surfers are providing personal information about themselves without their knowledge and consent. It's a party line except people don't know they're on a party line. There is so much information being collected on people visiting web sites today, it would take several buildings the size of the Library of Congress to store it all. That's a lot of information, much of which is very personal, and I believe it must be kept that way.


My concern about privacy on the Internet is that this issue is keeping people from fully enjoying the marvelous technology available to them. According to a recent survey by the Center for Democracy and Technology, consumers are fearful of the sale of their personal information to others and web sites tracking people's use of the web. I think the term "cookies" is a fascinating term. I love cookies, but not this way.


This survey seems to be pointing to the same argument that was made when credit cards were first introduced to the American public. At that time, credit cards didn't initially enjoy widespread usage because of the potential misuse by others, but it was only after regulatory intervention to protect consumers that this fear was somewhat dispelled. We should learn this lesson from the Internet and the challenges that it is experiencing over privacy concerns.


These concerns are translating into lost opportunities for consumers and businesses. Now, most of the dot-com companies doing business over the Internet today are very cognizant of the fact that privacy is a major concern; however, in a report you all just released, you found that 92 percent of the web sites that you surveyed were collecting great amounts of personal information from consumers, and only 14 percent disclose anything about how the information would be used. Interestingly enough, your report found that a mere 41 percent, less than half, of the randomly selected web sites notified the visitor of their information practices and offered the visitor choices on how the personal information would be used.


Now, this report seems to suggest to me that industry efforts by themselves are indeed not sufficient to control the gathering and dissemination of personal data. At one web site visit a company can collect some very interesting facts about the person who's on the other end without them knowing it. While surfing the web the other day, I hit on a web site that provided me with the insight on just how much information can be collected. In less than a minute, the site reported what other sites I had visited, what sites I would likely visit in the future, what plug-ins are installed on my PC, how my domain is configured, and a lot more information that I didn't really understand. Many consider this type of tracking akin to stalking.


I believe that the information that can be collected by web site administrators can create problems for people through a violation of trust and invasion of privacy.



CLELAND: And I would say as an old Army signal officer I know that you really can't communicate real important data unless you have a feeling that it is secure. Novice Internet users are generally unaware, as I was until visiting the site, of the extent of the information being collected on it. Even those who are aware of the capabilities of firms to collect private data are frightened by what can happen.


I believe in increasing the level of protection for private information to a level that the people of our nation and the dot-coms can live with, and I believe in providing assurances to those who are providing information that their privacy rights will be protected. It seems reasonable to me that firms that are collecting private data should notify consumers of the firm's information practices, offer this consumer choices on how the personal information will be used, allow consumers to access the information that is collected on them, and require those firms to take reasonable steps to protect the security of that information.


However, I'm looking forward to learning more about the Internet privacy issue this morning and hearing from experts like these wonderful people at the table, Mr. Chairman, and the rest of our distinguished testifiers.


Thank you very much.


MCCAIN: Chairman Pitofsky, welcome. I'm sorry for the delay. I apologize to all the commissioners.


Chairman Pitofsky.


PITOFSKY: Thank you, Mr. Chairman, Senator Hollings, members of the committee. I welcome this opportunity to once again appear before this committee to discuss this important subject, especially because this committee has supported so consistently and so well our efforts to deal with the kind of problems we'll discuss today.


As you know, the commission has been active in this area. Since 1995, to a large extent, we've dealt with the fraud on the Internet, but we've also addressed questions of privacy. We all know that the Internet commerce sector of the economy is growing at an amazing pace, but we also know that many people, some surveys say over 90 percent, are apprehensive about the way their private information is being used, including people who go ahead and buy things on the Internet.


Most observers believe that protection would require four fair information practices, and incidentally the business community in their seal programs and elsewhere, have also indicated that these are the four bases that need to be touched.


First, notice. What information is being collected, and what are the collectors doing with it. Consumers ought to know that. Choice -- the opportunity of consumers to say that we don't want this information used for any purpose other than completion of the transaction. Most people think that there ought to be some access, so if sensitive information is involved in the database and it's wrong, there's an opportunity to correct it so consumers are not injured by errors and an obligation to keep the information they collect secure.


The debate really concerns whether these rights can be achieved through legislation or through growing efforts of responsible companies in the field to engage in self-regulation. My own view is that neither legislation alone nor self-regulation alone is the right answer, but it ought to be some combination of the two.


I applaud the progress that has been made in self-regulation in recent years. On the matter of notice, we've gone from 14 percent notice to 88 percent notice in all web sites. The question has been raised, "Well, if that's the case, why have a majority of the commission changed its view about the adequacy of self-regulation?" I would make a number of points.


First of all, the 88 percent figure is a little misleading. It really includes notice which says, in effect, we protect privacy or it could include notice that says we don't protect your privacy. The fact of the matter is if you ask the question how many of these notices actually tell you what information is collected and how it's used, then the figure falls down to about 55 percent for all sites, 89 percent for the most visited site.


If you ask the question, what about all four information practices, are they being adequately addressed through self-regulation, it turns out only 20 percent of firms on the Internet, one in five, have all four fair information practices. Some have said, "Well, but access and security are difficult to understand; the industry is slow to move in that area." All right. Let's leave out access and security, and ask only about notice and consent. There, all web sites we find only 41 percent have notice and consent, 60 percent of the most traveled sites.


Finally, the whole notion of self-regulation requires that companies be part of seal programs, and if they don't abide by the self-regulatory standards, the seal will be taken away. Well, we find in that area, even though these seal programs have been working for a year and a half, two years, eight percent of web sites are members of seal programs. That does not seem adequate to the majority here.


What is to be done? First, let me say again that self-regulation has achieved a good deal and has an important role to play in the future. I have always been a strong advocate of self-regulation. It works in many sectors of the economy. But I tell you, on the basis of my experience, that the most effective self-regulatory programs are those that have a rule of law to back them up so that the self-regulators can then say to the irresponsible few who don't go along with the standards that their behavior will be referred to a law enforcement agency. The idea that the self-regulators can go to the few and say, "If you continue to sell this information without permission at a profit to third parties, we're going to take your seal of approval away from you," just doesn't get there. It helps, but it's not, in my opinion, adequate.


Second, I do believe that Congress must be cautious in this area and not impose on this growing and wonderful pro-consumer marketplace burdens that will hamper the development of the marketplace.


Third, as our report tries to emphasize, there are many complicated questions that arise here: What is adequate notice? How much access is required? What do we mean by security? And therefore I applaud those who say that we should be careful. We should get it right rather than rush to any judgment in this area. Any legislation should be sufficiently flexible so that if there are technological solutions, and we hear about them all the time, if they really develop, then they should be incorporated, and they should be allowed to protect consumers rather than direct government regulation.


Finally, the issue has been raised by several: Why are we emphasizing consumer protection online and not off-line? Well, first of all, it is possible to manipulate data online in a very special way. But more important than that, we address the question of online privacy; we have not examined the question of off-line privacy. Slowly but surely, I have come around to the view, as we've moved through this area, that the argument that off-line and online should be treated in a radically different way just doesn't hold up, and we should be addressing whether or not consumers online deserve protections as well.


Let me conclude my remarks with a reference to some basic principles. Millions of people now enthusiastically shop online, and they have no problem at all supplying personally identifiable information -- names, addresses, credit card numbers, if necessary, even security numbers, if necessary -- to complete the transaction. But many sellers on the Internet are not just in the business of selling a product or selling a service, but rather they're in the business of accumulating data -- the books we read, the music we hear, the pharmaceuticals and cosmetics we buy, our travel and vacation plans, the information research, on and on and on -- and that is sold at a profit to third parties with whom we have no direct connection whatsoever. We don't even know who they are or what they're doing with that information. Many people don't object to that either as long as they have an opportunity to say to the online seller, "If that's what you're going to do with the data, just leave me out. I visited your web site to buy a product, not to provide information about my life, my family, my habits or my economic class." That, I think, is the goal that I think virtually all of us share.


We've got to make sure that that option is available to consumers on the Internet. They should not be required to forfeit their privacy online in exchange for the rich benefits of electronic commerce. Careful, non-burdensome legislation backed up by effective self-regulation to set -- and the legislation would set minimum standards, seems to me, at this point, the right way to go.


Thank you very much.


MCCAIN: I thank you, Chairman Pitofsky.


I would tell the other commissioners your complete statement will be made part of the record, and if you could summarize, we'd very much appreciate it. But at the same time, we don't want to prevent the committee from receiving all the information you wish to convey.


Commissioner Anthony.


ANTHONY: Thank you, Mr. Chairman.


I'm delighted to be here today, and I'm pleased that the commission is recommending federal legislation.


MCCAIN: Can you pull that mike up to you, please?


ANTHONY: Sure.


I'm pleased that the commission is recommending legislation necessary to protect consumer privacy.


I wish to emphasize four points related to our legislative recommendation. One, any quality privacy policy should offer true protections to consumers and be presented in a simple format that is clear and understandable. Two, an enforcement mechanism must be in place that gives consumers confidence that web sites do what they say they do with consumers' personal data. Three, a patchwork of state privacy laws will result in confusion, both to consumers and businesses, and thus federal preemption should at least be seriously considered. Four, implementation of consumer consent, via opt-in and opt-out, may require making a distinction between market information and sensitive health and financial information.


The 2000 survey reports that 97 percent of the random sample and 99 percent of the most popular group collect personally identifying information, but only 20 percent of the random sample and just 42 percent of the most popular group addressed, at least in part, all four information practices. Seal programs and audits can be key enforcement mechanisms, yet only eight percent in the random sample and 45 percent in the most popular group display a seal.


Perhaps more troubling to me is that many privacy policies are confusing, contradictory, and ambiguous. I reviewed some of those privacy policies in the most popular group, and frankly, I was disappointed. Almost half of the policies are too long, varying from three to 12 pages. Many try to lull a consumer into a false sense of comfort. Despite opening statements asserting the importance of the users' privacy, subsequent paragraphs frequently contain contradictory information.


Consider the following language in an Internet service provider's published privacy policy. The first sentence states, "Your privacy is important to us," but continues several paragraphs later, "The personal information we collect from members during the registration process is used to manage each member's account. This information is not shared with third parties unless specifically stated otherwise or in special circumstances." Three pages later, the same policy goes on to say, "We may disclose personal information about our visitors or members or information regarding your use of the services or web sites accessible through our services for any reason if, in our sole discretion, we believe it is reasonable to do so." Would you call this a clear, unambiguous disclosure? I do not. Does it inform consumers about whether his or her information will be shared, and if so, with whom? I do not believe it does.


My next example illustrates serious concerns with regard to meaningful consent. I quote from a privacy policy statement from one of the top 100 sites: "When you submit personal information to us, you understand and agree that our subsidiaries, affiliates, and trusted vendors may transfer, store, and process your customer profile in any of the countries in which we and our affiliates maintain offices." Has the site identified with specificity the parties with whom it will share this consumer's information?



ANTHONY: Is consent meaningful if consumers don't see this notice or have access to it at the time they supply their personal information?


Even a policy that incorporates all four fair information practices can be ambiguous and contradictory. What do you make of this privacy policy that contains the following disclaimer: "This statement and the policies outlined herein are not intended to and do not create any contractual or other legal rights in or on behalf of any party." This disclaimer seems to absolve the site of any responsibility to protect a consumer's information. It reminds me of a letter I once received from a lawyer, which had the following postscript: "dictated but not read."


I do not think it is difficult to design a standardized, conspicuous privacy notice that informs consumers. The chart, which was attached to my testimony, and is what you see here, tells the viewer most of what she needs to know about a web site's privacy practices and consumer choices. Web sites can take advantage of the interactive nature of the Internet to design effective mechanisms and to provide meaningful notice and privacy policies.


I share Commissioner Leary's view that a comprehensive privacy policy for consumers must extend to the off-line world. The business incentive to compete simultaneously in both the online and off-line worlds is high. To create a distinction between off-line and online is artificial and outdated, and in the long run may foster market barriers.


Finally, I want to commend the FTC staff for the hard work they've done on this report. The Bureau of Consumer Protection with the assistance of the Bureau of Economics designed and implemented this survey, and the numbers were reported clearly, fairly, and without bias.


Thank you for allowing me to share my views.


MCCAIN: Thank you very much, Commissioner Anthony.


Commissioner Swindle.


SWINDLE: Thank you, Mr. Chairman, Senator Hollings, and members of this committee. I appreciate this opportunity ...


MCCAIN: You need to move the microphone.

SWINDLE: Yes. I appreciate this opportunity to be with you today and share some thoughts, and I will, at the chairman's request, try to summarize our prepared statement, which we've all submitted.


I've dissented against the commission's embarrassingly flawed privacy report and its conclusory yet sweeping legislative recommendation. In an unwarranted reversal of its earlier acceptance of a self-regulatory approach, a majority of the commission has recommended that Congress require all commercial, consumer-oriented Web sites that collect personal identifying information from consumers to adopt government-prescribed versions of four fair information practices, known as FIPPs. You've heard notice, choice, access, and security. The majority has abandoned a self-regulatory approach in favor of extensive government regulation, despite continued progress in self-regulation.


Why has the majority of the commission decided to discontinue relying on self-regulation? The fundamental rationale given is that not enough Web sites are providing the type of privacy protections that the commission has decided should be provided, and this is hindering and will continue to hinder the growth of electronic commerce.


Instead of focusing on consumers' increasing ability to make choices concerning online privacy protections, the majority emphasizes that the survey, the 2000 survey, reveals that only 20 percent of all commercial web sites, and 42 percent of the most popular, meet the full FIPPs requirement. But the main reason for this relatively low percentage is that commercial web sites have not disclosed to consumers whether they provide access and security. This failure to disclose is not surprising, given the access and security implementation difficulties recently identified by the Advisory Committee on Access and Security, which I believe a copy of the report is included in our report.


In this regard, it is important to emphasize that the 2000 survey did not attempt to measure whether sites actually provide access and security; rather, it gauged only whether disclosures addressed these issues. And the 2000 survey certainly did not give any credit for no access, even though the majority indicates it might consider no access to be reasonable access in some instances. If these access and security disclosure requirements are eliminated, the percentage of all web sites meeting the FIPPs requirement rises significantly to 41 percent of all commercial web sites and 60 percent of the most popular.


But even this 41 percent figure is understated, because it uses a strained definition of "choice" that is more accurately, in my mind, described as mandated choice. Specifically, there is no choice recognized by the survey unless the consumer is allowed to make two choices: Whether or not his information can be used internally by the web site, and the second requirement, whether the business is allowed to use that information with third parties.


The report's recommendation that choice be legislated does not mean the kind of choice that informed consumers exercise in a marketplace once they know the terms on which they are dealing with retailers. That is real choice. The effect of mandated choice may be, as Senator Kerry pointed out, to start to eliminate or reduce choices for the consumers.


Legislation, in my mind, should be reserved for problems that the market cannot fix on its own and should not be adopted without consideration of the problems legislation might create by, for example, imposing costs or other unintended consequences that could severely stifle the thriving new economy.


The majority has recommended that Congress give rulemaking authority to an implementing agency, presumably the commission, to define the proposed legislative requirements. In my judgment, however, the commission owes it to Congress and to the public to comment more specifically on what it has in mind before it recommends legislation that requires all consumer-oriented commercial web sites to comply with breathtakingly broad laws whose details will be filled in later during the rulemaking process. The privacy report is devoid of any consideration of the costs of legislation in comparison to the asserted benefits of enhancing consumer confidence and allowing electronic commerce to reach its full potential.


For the sake of time, I will not cover my entire dissent nor the prepared statement that I've submitted today, but I would like to make a couple of remarks in conclusion.


The privacy report fails to pose and to answer basic questions that all regulators and lawmakers should consider before embarking on extensive regulation that could throttle the new economy. Shockingly, there is absolutely no consideration of the costs and benefits of regulation, nor of regulation's predictable and unanticipated effects on competition and consumer choice, nor of the experience we have to date with government regulation of privacy, nor of the constitutional issues, nor of how this vague and vast mandate will be enforced.


Industry self-regulation is working. Effective privacy protection is more than a numbers game, and the private sector is continuing to address consumer concerns about privacy, because it is in industry's best interest to do so. Let us not make the search for the perfect the enemy of the good. The best way to build consumer trust and to ensure the continued growth of the Internet is through a combination of education, strong industry self-regulation, and strong FTC enforcement under existing legal authority. It is premature and counterproductive for the commission to radically change course and call for broad legislation.


Thank you, sir. I'd be happy to answer questions later.


MCCAIN: Thank you.


Commissioner Thompson.


THOMPSON: Thank you, Mr. Chairman. Good morning to you and members of the committee, and I wanted to thank you for inviting me to appear before you again with my fellow commissioners to address our most report on online privacy.


Now, in 1997 when we began to look at the issue of privacy on the Internet, consumer-based electronic commerce was largely viewed as a place for the adventurous and technologically savvy. But at the same time, people with vision viewed the Internet as a place that could potentially transform the American consumer marketplace by empowering consumers with access to vast quantities of information and new goods and services. Since then, we've witnessed great progress in achieving that transformation, yet we still have a long way to go until Americans fully embrace the Internet and accept its technology as integral parts of their daily lives.


Today, industry, government, and consumers alike share a common goal of making the Internet as meaningful and productive for those at the center of the market bell curve, namely, the family in the suburbs of Canton, Ohio, as it is for the technologist in Silicon Valley. To achieve this goal, we must be led by the voice of users and allow the Internet to become consumer driven.


Now, from the beginning of the commission's Internet work, consumers have expressed a great concern about privacy of their personal information on the Internet. And industry has focused its attention on attracting the core of American consumers. The concern that the public has about privacy has only grown louder. So today, the issue of data privacy has become a litmus for consumer confidence in the online marketplace.


Back in December 1998, I told industry that we were at a critical juncture, one where industry is asked to self-regulate at the behest of government and public trust. This choice, while daunting, provides an exciting and unprecedented opportunity for industry to take the lead in shaping public policy for this important new medium. Consumers are expecting that industry and government will work together to find new and better ways to make the Internet safe, inspire consumer confidence, preserve the innovative spirit of e-commerce. But, the failure of industry to meet this challenge will not only have a negative effect on the future of e-commerce but also on the public's confidence in industry's ability to take the lead in solving important public policy problems.


To its credit, the most responsible segments of the online economy recognized the importance of the data privacy issue, both from a public policy standpoint as a test of their own accountability ...


MCCAIN: Commissioner Thompson, could you summarize?


THOMPSON: OK. I think that we are at a critical juncture here. I think that what we are trying to do is propose a model that is not heavy-handed legislation, but what it does it provides a means of what some people term as co-regulation. It puts industry in a forefront.


The problem of Internet privacy may indeed be larger than what we originally envisioned. Industry has a very important role as the lead, but there are holes in the Swiss cheese. A legislative backdrop allows us to get at those holes, and you've seen them in our report when we talk about the quality of what's being provided and still parts of the Internet industry that are not doing anything at all. Those need attention, and we think it's a critical issue for consumer confidence.


Thank you.


MCCAIN: Thank you very much, Commissioner Thompson, and as I mentioned, your complete statement will be made part of the record, which I read and I appreciate.


Commissioner Leary.


LEARY: Mr. Chairman, members of the committee, you have my concurring and dissenting statement, and in the interest of time, I would just like to summarize and start with the areas where I think we have broad agreement.


There's a dramatic increase in the number of companies that publicly address privacy one way or the other, but the quality of disclosures varies widely. Too many are confusing, if not misleading, and I think that the examples that Commissioner Anthony has cited for you speak for themselves. More widespread disclosures of this kind could actually do more harm than good. And, therefore, I agree with some of the members of this committee and with the commission majority that both business and consumers would benefit from better disclosures.


There also seems to be broad agreement that any legislation to address privacy concerns should ultimately apply in the same way to both the online and the off-line worlds to the extent the information is the same. There are special capabilities in the online world which may require special attention, but there is no reasonable basis for treating information that is collected about my purchases on Amazon.com any differently from my purchases at Borders, and I think that we have a consensus on that.


There seems to be just some difference in the issue of timing and some question as to whether the commission has enough expertise to recommend broad-based legislation to you, because we've studied the Internet only.



LEARY: We've had a lot of experience in privacy issues in the off-line world as well, Senators, and if there are any doubts about the issue, you have the capability yourselves to investigate and satisfy yourselves that when the information is the same there should be an equal playing field between the online and the off-line world.


And, finally, I would like to say that I think we all generally recognize that once you get past the issue of notice and disclosure, the further elements of the so-called fair information practices become progressively more complicated. And there's an even more compelling reason for treating them differently than notice or disclosure. I agree with those members of this committee that their ultimately well informed, adequately informed consumers should be able to select for themselves the level of privacy protection they are willing and want and may be willing to pay for, either directly or by foregoing some benefit. It is not fair to allow consumers who are particularly solicitous about particular elements of privacy and want broad access and broad ability to correct and so on to impose costs on those consumers who do not care.


And, so I urge you to consider whether or not the market, as we do in so many other areas of our life, won't work better ultimately than government regulation. There may be certain special categories of information or special uses, like health information or financial information, that require special treatment in both the online and off-line worlds. But they should not be part of a broad privacy policy imposed on the Internet alone.


And, finally, I would just like to say that I think it is in all of our interest to continue to encourage the self-regulatory schemes, which are underway and which I believe ultimately hold tremendous promise for improving performance in this industry in a market-based fashion.


Thank you.


MCCAIN: Thank you very much, Commissioner.


We have another panel, and I know all of our members have questions, so I'll just ask one. As has been pointed out, at least statistically, it's fairly impressive the number of web sites that offer privacy protections. But once you get into some of these so-called protections it gets somewhat interesting.


Recently, there was a review of 10 major web sites in early May. It found their policies to be a confusing jumble of incomprehensible language riddled with loopholes. Yahoo's policy, for instance, is eight pages long, and your survey finds that fewer than half of the sites had clearly worded procedures. One of the more controversial web sites, Double Click, says that it would use personal information only with your, quote, "permission." It doesn't tell you that it assumes it has permission unless you explicitly opt-out, and here's what you have to do: Read the first 1,468 words, click on a link to another page, read 650 more words that tell you why you shouldn't opt-out, read 200 more words urging you once again not to opt-out, and click onto a final link to opt-out of the program. That's not exactly permission for privacy as some of us understand it.


Now, I think this is a matter of real concern, particularly when we look at what Double Click was set up for, and I wonder if, according to your report, as the numbers of web sites that provide, quote, "privacy protection" are more like Double Click's than the kind of thing we assume that would allow us to ensure privacy.


And, so I guess I would begin with Chairman Pitofsky and go through the witnesses, because I think this is a serious problem, not only for a web site to advertise that it will protect your privacy and then have this kind of mumbo jumbo. And when somebody like Yahoo, which is one of the most respected and I believe the most used web site that take eight pages and 3,405 words and 167 sentences, that's not what we had in mind, and I hope it's not your definition of web sites that allow people to have their privacy insured.


We'll begin with you, Commissioner Pitofsky, and we'll go through it in order of how the commissioners spoke.


PITOFSKY: Mr. Chairman, I went through the same process with Double Click, and I have to tell you if I didn't have somebody helping me, I would never have found out how to get the third and fourth screen in order to opt-out.


MCCAIN: And you're a former university professor.


(LAUGHTER)


PITOFSKY: And I've been doing this work for 30 years, but I would have been lost somewhere between the third and the fourth screen.


It's extreme, but I tell you it's not the only one. I saw one yesterday that was brought to my attention. The headline is, "We protect your privacy. Read on and find out the terms." There are then 10 single-spaced pages, lawyers would have trouble reading it, and when you get to the ninth page you find out you have no rights at all. It's notice, I suppose, but it's the kind of notice that doesn't do consumers much good.


On the other hand, there's 60 percent of the web sites have notice that we found was quite fair. The question is how do you get from that 60 percent all the way to the end? And let me just repeat what I said: I'm all for self-regulation, but if the self-regulators can't say, "If you fail to give better notice than that, you violate our standards, and we'll refer you to some law enforcement agency," then I'm afraid a lot of these web sites who are fairly irresponsible are going to say, "Well, why don't I keep making the money, selling private, identifiable information. So, take my seal away from me. I'll have to get along without it." I think there has to be a backup. Effective self-regulation, in my experience, always has that kind of backup of law.


MCCAIN: Did you see the Yahoo web site?


PITOFSKY: I didn't see that one, as a matter of fact.


MCCAIN: I'm curious whether that would warrant a seal of approval. And I say that not in any bias for or against Yahoo, but the fact is that it's the most popular web site there is.


PITOFSKY: Let me check it out, and I'll get an answer for you.


MCCAIN: Commissioner Swindle.


SWINDLE: I'll defer to Commissioner Anthony since you were second. Do you want to go? OK, I'll continue.


MCCAIN: I'm sorry. Commissioner Anthony, I'm sorry; I apologize.


ANTHONY: It's all right, Senator McCain.


My view is that a uniform, standardized notice setting forth in a simple manner understandable and non-contradictory yes, no, it would be a good thing for consumer to reveal what exactly the web site's practices are, and then have an opportunity to either opt-in or opt-out. If there is additional information that needs to be conveyed to the consumer, there are interactive "click here" places on a standardized uniform notice that could be utilized to further explain the policy. I don't think consumers have any protections if the policy is so confusing that not even a university professor can understand it.


MCCAIN: My kid -- well, I won't comment on the university professor's -- Commissioner Swindle.


(LAUGHTER)


SWINDLE: Mr. Chairman, I think we all agree that these are lengthy dissertations that we go through, and they're so bad we don't look at them, and that's obviously counterproductive, and I think we could all agree that some form of reasonable English notice -- and I don't want to get trapped into saying I'm for English only here; we have other people of other languages ...


MCCAIN: How do we force that then?


SWINDLE: The enforcement of it I think comes from the Federal Trade Commission with its existing regulations.


We had a case here a couple of years ago called Geocities. It's a very popular site. I personally have never visited it, but I'll take the staff's word for it, very popular. They had a privacy statement, and they said that we will do certain things. And we alleged that contrary to what they said they turned around and shared the information with a third party in some sense. They settled the case with us; however, once they posted the policy, they then come under the umbrella of section 5 of the Federal Trade Commission Act, and if they're deceiving their customers, we have the authority to do something.


Now, our survey, as has been reflected here in some of the numbers that are addressed today, indicate that something on the order of 90 percent of all web sites have posted some form of notice. Now, if that notice was properly conveyed in a more simple manner than we're seeing now to express what the site does and where collecting information how it uses it, all those sites would be under the oversight of the Federal Trade Commission under the existing laws.


I might point out that even though we have a quantum leap in the number of sites that have these notices, we've only handled just a bare handful of cases in which we've challenged the practices that they're implementing having stated what they do, such as in Geocities. But I think if we continue to expand the numbers of people who have notice, state their privacy policies, and we apply very close scrutiny on what they're doing, I think the effects of FTC action will have a positive effect on seeing more comply with it.


MCCAIN: Commissioner Thompson.


THOMPSON: Mr. Chairman, I agree with you, and you're talking about what we consider to be the good guys, because there are people out there who are saying nothing. And we have very few tools to get at those people. And one of the questions that some people raise is what is it that industry can't fix on its own?


As you may remember, last year I was here, and I talked to you a little bit about coverage, and I said that is there a core group that you still can't get to? And they're still out there, and consumers deserve better. Second of all, there's also a benefit to having a level playing field here so that there are not these wide disparities so that consumers wind up taking a risk every time they go on the Internet.


And where I might disagree slightly with some of my colleagues about why online and why now, because the Internet provides you with an opportunity; the Internet follows you around the shopping mall without your knowledge. It is a little bit different, and because it allows you to aggregate data and collect it on a real-time basis, as you put it in, they get it and they use it means something. So, I think there is a slight difference.


And one other thing is that I understand that Forrester Research is coming out with a report today that's going to talk a little bit about this, about some of the pressures on businesses in the dot-com space that make it more advantageous to sell data. They need to do that for economic reasons, and the combination of hyper-partnering meaning doing things with other companies. The pressure to get profits in that way may actually mean that you'll see more of this occurring in the Internet space faster.


MCCAIN: Mr. Leary.


LEARY: Mr. Chairman, I agree with the majority here that there should be some legislation directing us to make rules to assure more consistent and more adequate disclosure. That's something we know how to do, and we've done in other areas.


I also agree with a somewhat different majority that you should have the same disclosures when you order by mail or when you open a charge account at your department store to the extent the information is exactly the same.


Thank you.


MCCAIN: Senator Hollings has a question, and we have two votes on the floor. After that we'll take a brief recess until we can return from the vote. Thank you.


Senator Hollings.


HOLLINGS: There isn't any question that the off-line should be regulated as online, and we just put in that bill where we putted, we gave it to you to do just as you just said, Mr. Leary, that promote regulations for the off-line as we have it for the online. Otherwise, we've got the proposition, of course, that it's going to be more difficult each day that passes to ex post facto retroactively do anything.


And we're into an environment where the best of the best -- and I know Fred Yang and Yahoo; they are one of the best, and yet they give that kind of notice. You can see the game is going on. I feel like I'm in a class where the professor is grading by way of a scale and everybody's cheating. And, so I'm going to have to cheat in order to pass regardless of how much I know about this subject.


And Kennedy said years ago, the captain who waited for his ship to be fit never puts it to sea. So, we put it to sea with 2606. We did it with your counsel. There isn't any question, you folks are the nearest experts I can find, and the most objective folks that I can find. Our staff has done, along with your staff, an outstanding job.


We've got a target drawn now, 2606. And if I had time, I'd listen -- maybe most of you haven't had a chance to read it, because we waited for you to submit your report, and then we, of course, introduced our bill. We've already got 10 cosponsors. I want each of you in writing to give me criticisms of that particular bill. What's heavy-handed? What's unrealistic? What's impossible for industry? Because we've been very considerate of industry.


The Internet's not going to stop. All of these folks here act like someday it's going to slow down. It'll never slow down. This thing is a dynamic that's running way ahead of all of us, and each day that passes with states attorneys generals all trying to pass their laws with any and everything coming out of the Congress and nothing's real, we've got to really move on this thing. And after five years, I think we're pretty well in a position to move with your counsel and criticism. So, please do that for me, and we thank you very, very much for what you've done for us so far.


Excuse me. The committee will be at ease.



(RECESS)


MCCAIN: The committee will resume. Please, commissioners take their seats, and we will begin questioning.


I think Senator Wyden, by early bird rules, is next.


WYDEN: Thank you very much, Mr. Chairman, and I'll let our guests get their seat.


Mr. Chairman, this question is for you. As you know, Senator Burns and I have been at it for well over a year trying to craft bipartisan legislation, as I've indicated. I happen to think that Senator Hollings, Senator Kerry, and others are making important contributions. And I think it would be helpful if you could tell us in your view are there any dangers in waiting to pass bipartisan privacy legislation?


PITOFSKY: It's an interesting question. Yes, I think there are inappropriate invasions of privacy that go on all the time, and they're of a sort that it's difficult for us to get at, because nothing is said about privacy or it's a confusing disclosure but not really -- not qualified as a deceptive one. So, I think there's always a question of protecting consumer rights as promptly as possible.


On the other hand, I do think, having worked on this now for five years and very energetically for three, there are differences of view reflected in some of the legislation. There are tough questions that are raised by our Advisory Committee and in our report, and therefore I think it's more important to do this in a thorough and careful way than to rush to any judgment in this area. And I think we're all aware that it's the end of a session, and there aren't that many legislative days left. If it can be done appropriately in a short period of time, fine, but I think it's more important to get it right.


WYDEN: Do you believe that you have existing rulemaking authority under your underlying statute, the organic statute, to protect consumer privacy?


PITOFSKY: No. No, we do not; that's the point. It seems to me we need the kind of legislation that we've recommended and then you and Senator Burns have offered in order to engage in rulemaking. We could call invasions of privacy unfair, but I do not believe that we could sustain that position.

WYDEN: Let me wrap up with this: I don't think what you're talking about now is a radical departure from your previous position, and I don't think you're abandoning self-regulation. And I hope that what people will see in this whole effort is this is not some sinister government power grab. This is an opportunity to empower the consumer, that at the end of the day what we want to do is give consumers control over important information.


We can have this debate about technical terms -- opting out and opting in -- and in English what we all understand is that explicit permission from the consumer to things like medical and financial information is clearly their expectations. Senator Kerry has defined that as opt-in. At the same time, if you subscribe to Newsweek for 20 years and they're thinking about contacting you for the 21st year, we shouldn't make them send you one letter in order to get permission to send them another letter.


And I think the approach that you're talking about is very much in line with the bipartisan legislation that Senator Burns has talked about. I think it's consistent with the kinds of ideas that Senator Hollings and Senator Kerry have expressed, and we appreciate your leadership and look forward to working with you.


Thank you, Mr. Chairman.


MCCAIN: Senator Kerry?


KERRY: Well, I appreciate Senator Wyden's comments. Senator Wyden, Senator Hollings, and I were chatting on the floor a few moments ago, and I think that -- and Senator Rockefeller -- it seems to me that there's an opportunity here for us, Mr. Chairman, to try to see if we can't find a bipartisan meeting ground here that sort of pulls people together. I don't think we're all that far off. Clearly, medical and financial deserves some kind of special status, and I think we can agree with that. We need to find a way to do that.


I still maintain that the degree to which the -- when you get beyond the notice, the degree to which the choice, access, security issues are, at this point, perhaps left too much to the regulatory process rather than trying to bring the marketplace into it, bring the private sector into some perhaps joint resolution that might even result, for instance, in something like an FTC seal of approval, in conjunction with the corporate community joining in sort of a joint effort to arrive at an agreement as to what the appropriate measure ought to be. I mean it seems to me there's some choices in front of us.


But I still remain troubled -- well, let me ask this question first: If we were to pass a fairly significant disclosure and fairly clear disclosure requirement without mandating in specificity each of the aspects of choice, access, security, would you not then be empowered to be able to enforce, and would you not, if you joined together with the community in this sort of FTC seal, be leveraged significantly in your ability to be able to hold people accountable?


PITOFSKY: In my view, a notice bill is better than the status quo, and I would be comfortable with it. But I think we should go further. I believe Congress should go further.


Let me emphasize the choice aspect, because access and security becomes very complicated. But what would be the consequence of a bill that mandated notice, and we could enforce that of course, but didn't provide choice? Well, first of all, I would point out that's not the way we do things in consumer protection. We don't say to consumers, "If you go to a store and you're the victim of bait and switch, if you buy a defective product, if you buy a dangerous product, if you're abused in credit terms, then why don't you go to some other store?" We say to them, "You have a right to be protected against fraud." Now, if privacy is worthwhile, and I believe it is, then we ought to go the next step and say, one, you should be told what is going to happen with that information, and you should be given an opportunity to say, "Count me out."


WYDEN: Sure, but my point is rather than mandating whether it's going to be opt-out or opt-in in a particular instance, it seems to me you could arrive with the industry at a fair set of choice options, at which you put your approval, and if they vary from that or they aren't clear, as Chairman McCain suggested they aren't in eight pages, I agree with that.


I mean it is clear, you go to the net today to some of these sites, and it is an exercise in obfuscation, and they're clearly trying to not have you opt-out and so forth. So, we need to empower consumers, and most people I talk to who are in the industry want to empower consumers. I mean the entire salesmanship of this industry has been based on its democratization impact and consumer empowerment. So, it seems to me you could arrive at that, couldn't you?


PITOFSKY: I agree, and I think we could. I think if we sat down with the responsible people in this industry, from what I've seen of their behavior so far, we could come to a common ground about what the rules of play ought to be.


WYDEN: I also want to say that I think it is far more urgent, and I think what's happening is because of the conglomeration of information on the net and because of the speed with which the net moves and sort of the new awareness of choice, the American public is now becoming far more sensitized to the privacy issue. But in point of fact, we can't just gloss over this off-line, online distinction, and it sometimes amuses me. Somebody doesn't want to give their credit card on the Internet, but they'll hand it to a waiter at a restaurant they've never been to and they're never going to go to again, and he disappears in the back room for five minutes, and they don't have a clue what happened to their credit card or what may happen in the ensuing days.


Likewise, you can buy, I am told, criminal information records on individuals. You can buy it in the marketplace today. Likewise, the amount of information available on somebody's social security number and through any kind of credit check, I have seen people's personal credit card transactions appear in newspapers based on their private sleuthing through the off-line market.


So, I mean the notion that there's some new threat really needs to be thought through, because the level of loss of privacy of the average American today is absolutely extraordinary, and the degree to which marketing takes place in highly specified ways off-line, but we're only worried about online, it seems to me, is an imbalance. I mean do you not agree that these are inconsistencies we've got to try to work through?


PITOFSKY: I do agree with that, and I...


WYDEN: Are there not dangers in the off-line issue?


PITOFSKY: Speaking for myself, I've increasingly come around to the view -- I didn't start there -- increasingly come around to the view that the theory of distinguishing online from off-line is really rather weak. I was very influenced by one of our Advisory Panel people who said, what is the point of treating warranty information that's gathered when the consumer files a warranty card, because some clerk is going to sit there and read it right into an electronic format? Why would you treat one differently than the other? I found that a very powerful argument.


I'm also influenced by the fact that we hear, through mergers, joint ventures, and otherwise that online and off-line companies are merging their database, and that's another reason why we should think about both.


WYDEN: But I also say respectfully, and I'll terminate on this, that that is another reason why I think we need to approach this thoughtfully and carefully and why I suggest simply that if we had at least the first step, we all could agree on a simple, clear, straightforward form of required disclosure, with a set of principles on which each of the acceptable four major principles and enforcement, which we add to it -- security, access, choice, and notice, plus enforcement -- if we could establish that in terms of principles and you went to work with the industry, it seems to me that you may wind up with a better product, and meanwhile we can go to work.


Now, I want to emphasize, Mr. Chairman, on financial information and medical information, those are places where there ought to be significant rigidity and clarity, and I hope the committee can come together on it.


Thank you, Mr. Chairman.


MCCAIN: I would remind committee members, we do have another panel after this, and it's now quarter to 12, so I hope we can ask sufficient questions, and yet exercise brevity.


Senator Burns?


BURNS: Thank you, Mr. Chairman. I only have one question. In listening to the testimony here, it will be very simple.


We're pretty much -- we agree that the four areas of concern in this are -- we agreed to as notice, choice, access and security.



BURNS: Ms. Anthony, I was interested in your recommendation on strong enforcement mechanisms, as well as an audit process. Can you give me some detail on what that might look like? I'd be interested in that.


ANTHONY: Well, as I said in my testimony, Senator Burns, there are enforcement mechanisms at hand. The seal programs, I think, really had a very sensible way to deal with privacy. However, I'm unaware of anybody that they've kicked out for not complying, and I don't think everyone has complied.


I think also we have -- the government has used in the past industry standards and audits, and that is another just suggestion. I am not making any firm recommendation on those fronts; I'm just throwing them out as suggestions for you to consider when you devise some enforcement mechanism.


BURNS: That's -- everybody jumped and run away.


(LAUGHTER)


Oh, are you next? Senator Rockefeller? If you could be brief, please.


(LAUGHTER)


ROCKEFELLER: Sorry I asked. Couple quick points. A comparison was made between fraud and privacy, and I just want to emphasize the enormity of the issue of privacy. It affects every single American, mostly without their knowledge, as opposed to fraud, which is the usual thing you complain about with Medicare and other things -- waste, fraud, and abuse, et cetera. These are issues of enormously different dimensions.


Secondly, if you have voluntary compliance or if you have a regulatory system set up, with or without laws, in which you actually get 80 percent or 90 percent of companies that are complying with proper notification that meets Commissioner Anthony's specification, the 10 percent can undo all the 90 percent in an instant. So, it's got to be 100 percent. That's not off-line; that's an online problem. And that's why I think that there's -- we tread on dangerous water when we start comparing off-line and online and saying, well, if we're going to do one, we've got to do the other. They operate under different sets of market rules, and they access or make themselves available or dangerous to the American public at very different levels of speed and enormity.

So, I can be -- I average in that industry about nine out of 10 businesses that start up fail, which means they're starting off often -- their accounting rules have changed. Now we've discovered they don't have as much money as they thought they did, but people are still into it. It's driving the economy, and it's a very good thing for America and for the world. But, again, all it takes is a couple of start-ups that don't have the money or the time or can't afford the lawyers or whatever it is to not be able to put that proper notification, and all the good work that you enforce or lay out self-regulatory or we lay out other rules for is gone.


The two percent can undo the 98 percent, because once it's sold to the -- once they sell it to the third party purchaser or they've bought it for a third party purchaser, it's all gone. And that point needs to be made. That's why I think this is a very different level of problem than talking about online, off-line.


And the third thing I want to say is that this is a wonderful set of circumstances into which to introduce minutia, which distracts, but which is nevertheless important as you listen to it, witness. Somebody comes in my office yesterday, they don't like what Senator Hollings and I are doing, and so they say "But if you get into access, that means that a consumer might be, let's as we used to say, deadbeat dad -- until we started getting all the letters from dads who didn't consider themselves that way -- that they go on and they access and then they change information to protect themselves from having to do what they need to do or criminals can access, change their records."


In other words, there's 1,000 ways you can come at this to nit-pick, to show that there is no perfect software, there's no perfect system, and what that does is tends to throw us on the defensive, and say, "Oh, we can't do that. We can't have deadbeat dads changing their record so they don't have to pay child support. So, let's just back off and do nothing."


Again, I come back to my original point: We don't have that luxury. We don't have that luxury, and I think that's why, Mr. Chairman, you come down with the line of we have to do better, and I think you want to do off-line and online together, but my question would be are they really of the same dimension? Do they move at the same speed? Do they have the same consequences off-line as online? And I think that you would agree with me that they don't.


PITOFSKY: I do agree with you, Senator. I think if Congress were to do one thing, then -- I think the online threats to the privacy of consumers is greater than off-line because of the way in which information can be gathered, marshaled, sorted out, accumulated, and then sold. So, it is different, but I don't know about very different. There are threats to privacy that occur in the off-line world that deserve our attention, and I know the bill that you're sponsoring suggests that we take a look at that and report back to Congress, and I think that's the right way to go. We didn't report on it on this occasion, because we really haven't investigated it.


MCCAIN: Thank you.


Senator Bryan?


BRYAN: Mr. Chairman, if I might just follow-up on that. You're not suggesting, however, that because in your own thought process, as you describe the evolution of the significance of off-line privacy invasion, you're not suggesting that we should hold up on these recommendations in terms of developing these base standards of notice and choice and access and enforcement? I want to be clear on that.


PITOFSKY: Yes, Senator, exactly right; I am not.


BRYAN: Mr. Swindle, if I might ask you a couple of questions. I believe you are a dissenter in the report that the majority filed, and as I understood the thrust of your testimony, you believe that self-regulation ought to be given an opportunity to work its course before we embark upon a legislative course of action. Is that a fair statement of your position, sir? I don't want to mischaracterize it.


SWINDLE: Yes, sir; that's a fair description of it, but it goes further than that. My concerns with the report were that the report is a misconstruing of information and data, which leads -- it's the basis for making the recommendation that we have this very broad, all-encompassing legislation on virtually every web site that exists. And I think the data is -- it's used in a misleading manner, and that leads to a recommendation which is illogical, and I think we're on the wrong track.


BRYAN: Do you support the concept that consumers ought to be given a notice of what the privacy policies are of online providers?


SWINDLE: Yes, sir.


BRYAN: Let me ask you to respond. Ms. Anthony had an example, which she shared with us. I won't belabor the record by repeating it, but you were here and heard that where you've got to be referred from one page to another and several hundred intervening words. Our chairman cited example of one which I think any fair-minded person would say, "That's not effective notice." I believe Senator Kerry used the word "obfuscation." I would say that it triumphs form over substance. Now, why shouldn't we have some legislative standard that requires meaningful notice if this kind of action is being done by some of the major online providers in the country?


SWINDLE: Senator Bryan, I think that you will perhaps recall in commenting to Senator McCain's comments I said these things are so ridiculous that I don't even read them. I just click them off.


BRYAN: And I apologize. I think I had to leave.


SWINDLE: I'm in the same group, and I think some form of clear and obvious notice would be most appropriate. And I also made the statement that, in effect, our survey indicates that in excess of 90 percent of web sites now provide some formal notice already. It's not the best of notices, because one of them is the Yahoo version, and one of them probably doesn't say anything other than we have a privacy policy. So, the quality of that statement if it were prepared and put into a very clear and precise, easy to understand form, would be a very good thing to do, and I think choice naturally follows from being able to understand what is before you. It's like going into a store. It costs $1 for this ball. If I want to pay $1 for the ball, I pay it. If the privacy notice says we want to collect this information, if you want to come into our site, then you make a choice -- you go or don't go.


BRYAN: But because these privacy notices -- and I'm sure there are other examples other than that that are cited for the record -- are misleading and confusing, and I think you're saying that you agree, in effect, that those are not real notice, don't we need to have some type of a legislative response that says, "Look, I mean notice can't be just some game in which the consumer is moved from one link to another on a web page. It's got to be meaningful." Is there anything with a legislative standard that requires notice to in fact be what you and I...


SWINDLE: Sure.


BRYAN: So, you'd agree with that.


SWINDLE: My disagreement is with the all-encompassing nature of the recommendation. I mean we're not talking about the same thing here.


BRYAN: OK, OK. So, you would have no problem with legislation that talks about notice in a meaningful sense.


SWINDLE: Yes, sir, and I think in my statement, or my dissent, I said if the Congress believes we must legislate, let's go no further than notice.


BRYAN: Notice. Let me ask an aspect of enforcement -- Mr. Chairman, this is my last question. You've been patient, but I don't think I've belabored the point. We had a situation, those of us that served in the Banking Committee where we had one of the major banks in America, Chase Manhattan, and their privacy policy indicated a course of action in terms of how they would deal with consumer information, with private information. In point of fact, they violated their own consumer policy and sold to third party telemarketers, if you will, and they received a 24-percent commission for each sale that was ultimately consummated as a result of that third party, the telemarketer, negotiating with the customer.


Now, clearly -- ultimately, what occurred, as you know, is the attorney general in New York brought suit, but that deals with an enforcement issue. I mean I don't know the law of every state in the country, and I certainly don't know the particular circumstances of the New York law, but I mean clearly that's such a blatant violation of a stated policy, there's got to be some enforcement. Would you agree with that point, Mr. Swindle?


SWINDLE: Yes, sir, and we can do that under section 5 of the Federal Trade Commission Act. I made reference earlier to Geocities, which is exactly that case. We would not be involved in the banking industry, as the senator knows, but in the case of Geocities they had a privacy statement. They said we'll do A, B, and C, and we found out later -- alleged that they did A, B, C, D, and F and did a similar thing -- they sold the information to third parties -- and we have the power today to take enforcement action against them.


BRYAN: So, I take it that your response would be that to the extent it's within your jurisdiction -- and maybe we need to look at that; that's a separate issue -- that you would certainly a regulation that would clearly provide some sanction for violation of a stated privacy policy such as that.


SWINDLE: We have that authority today under existing law.


BRYAN: Mr. Chairman, thank you very much.


Appreciate your response, Mr. Swindle.


MCCAIN: Thank you. I'd like to tell the witnesses I appreciate their patience. I apologize for the break while we had a couple of votes. I thank you for helping us address these very difficult issues. We'll be in communications with you; in fact, we may ask you to come back if and when there is some proposed legislation concerning this very, very important issue.


So, thank you very much.


PITOFSKY: Thank you, Mr. Chairman.


MCCAIN: The next panel is Ms. Jill Lesser, vice president of Domestic Public Policy, America Online; Ms. Christine Varney, senior partner of Hogan and Hartson, the Online Privacy Alliance; Mr. Jason Catlett, the president of Junkbusters Corporation; Mr. Jerry Berman, executive director, Center for Democracy and Technology, and Mr. Daniel Weitzner, who is Technology and Society Domain leader of the World Wide Web Consortium.


I would ask those who are departing to expedite their departure, and those who are witnesses please come forward as quickly as possible so we can continue the hearing.


Ms. Lesser, now that you have refreshed...


LESSER: Sorry.


MCCAIN: ... I hope. I want to thank all the witnesses for their patience, and obviously your complete statement will be made part of the record.


Welcome, Ms. Lesser.


LESSER: Thank you, Chairman McCain, and I will try to be brief.


Chairman McCain...


MCCAIN: Could I emphasize...


LESSER: Yes.


MCCAIN: ... of course we want you to be brief, but it is most important that we receive the information you have to impart.



If there's any appearance of impatience on the part of the chairman and members of the committee, please disregard that.


(LAUGHTER)


The most important thing is for...


LESSER: I will take that under advisement.


The privacy report issued this week by the Federal Trade Commission shows in many ways that we have reached a crossroads in the development of the online medium. It is clear that the Internet is revolutionizing our society, dramatically changing the way we learn, communicate, and do business. People are migrating to the Internet to meet their commerce and communications needs at an extraordinary rate, because it is convenient and fast and offers unprecedented selection of information, goods, and services.


Yet, despite this enormous growth the Internet has enjoyed over the past few years, or perhaps because of it, we have seen a heightened awareness of online privacy and security issues, consumer protection, and a whole host of issues related to online safety. And even though the medium continues to grow at an enormous rate, online companies are realizing that it is their responsibility to address these issues for their consumers.


Of course, and I think this has perhaps been underemphasized today, this medium offers to users an ability unprecedented to customize and personalize their experiences. Consumers can, and do, on a regular basis communicate specific preferences that will allow them to receive information tailored to their own interests. No other commercial or educational medium has ever afforded such tremendous potential for personalization, and we are seeing consumers take advantage of these opportunities at an incredible rate.


But we know that the power of the Internet can only be fully realized if consumers feel confident that their privacy is properly protected when they take advantage of these benefits. And, therefore, we, along with many other companies, are protecting privacy. We view it as an essential aspect to earning their trust, and this trust is in turn essential to building the medium. That's why we and other companies have devoted so much time and energy to creating strong policies that provide meaningful protections.


As we've discussed much this morning, there are several important elements of those policies, and I believe many, particularly the industry leaders, have policies that address all of those elements. Our own commitment is based on the lessons we've learned and the input we've gotten from consumers, policies that clearly notify our users what information will be collected, why, how it will be used, and the opportunity to exercise choice and disclosure. And indeed we intend to fully implement those notice and choice principles across all of our brands when we hope our merger with Time Warner is finally consummated.


We also make sure that our policies are well understood with respect to our employees, and I think this is an important point as well. Implementation throughout a company of a privacy policy is critical to making sure that it is really truly within the ethos of all of our companies. And we do try to keep users informed about the steps they can take, that is don't give out your password, and certainly do not give information out to companies or anybody you don't know and you don't trust.


And, finally, with respect to children, we have worked with many of you, Senator Bryan and Senator McCain in particular, supporting the Online Privacy Act related to children in the 105th Congress and do believe it was an area where additional steps were needed.


In adopting and implementing our own policies, we are committed to fostering best practices within the industry, and you will hear from the Online Privacy Alliance and many other trade associations and others we've worked with. And we have done a lot to make sure that our business partners are also following important privacy policies.


So, after all of that background, where are we now? The FTC report concludes that despite this progress industry hasn't done enough, and that broad privacy legislation is necessary in order to ensure that consumers are protected. Does this mean, in their view, that self-regulation is a failure? And what are we, as industry, therefore, supposed to do?


As the committee and other congressional leaders begin to sift through the FTC's recommendations, I would just like to offer a few thoughts as you do that. First, it is important for all of us in industry and government to stop thinking about this issue as a zero sum game, as self-regulation versus government regulation. Instead we must remember that the crux of the issue is about consumer confidence, consumer protection, safety, and security, and since all of us have the same end goal, to ensure that consumers trust the online medium, we do not need to set ourselves up as opponents in a privacy battle.


One way to approach this joint responsibility is to allow the market to lead, as it has, in developing up-to-date and innovative initiatives for protecting privacy, but give the government its important enforcement activities. Indeed, and I think this is important to note in light of all the numbers we've heard today, the government's existing enforcement powers are greatly expanded by the proliferation of privacy policies now numbering almost 90 percent. And if you look at the examples used by Chairman McCain, by Commissioner Anthony, and others this morning about perhaps unfair or deceptive privacy policies, I would note that the FTC does have broad enforcement authority in those areas. So, if you compare 90 percent of sites having privacy policies with the enforcement authority of the FTC, I think there's an enormous amount of coverage that we are underestimating.


Second, I would say that it is critical that neither the government nor industry view this issue as simple. On the contrary, when we as businesses ask our consumers what they're most concerned about, we get a variety of different answers. For some consumers, it is really security rather than privacy -- identity theft, hacking -- and certainly this is an area where the industry has every incentive to do the right thing, but the government must make clear that bad behavior is unacceptable. For other consumers, the primary concern relates to sensitive information, an issue we have talked about a lot this morning.


Individuals want to take advantage of online health related services, for example, without worrying about embarrassing or compromising releases of their health information, and indeed Congress has addressed these issues through financial services legislation enacted last Congress and the Health Insurance Portability and Accountability Act of 1996, neither of which, I would note, have been fully implemented. So, we do need to make sure we understand what's out there. Such examples and others underscore the intricacy of the privacy issue and the difficulty in pinpointing the actual problems that need to be addressed through industry or government action.


Unfortunately, I would say the FTC's recommendation for a sweeping regulatory regime for online privacy does not take into account either the complex dimensions of this issue or the need for industry-government partnership on privacy. The commission purports to recognize the important role that industry leadership on self-regulation has played, yet it recommends broad legislation with expansive regulatory authority that could actually discourage industry-led initiatives and market-driven solutions by outlawing consumer-oriented methods of privacy protection and personalization.


We would, therefore, simply ask that members of this committee look at privacy with a high regard for the benefits of personalization and the efficacy action to date. You may find there are gaps in industry enforcement where government must step in to ensure compliance. Nevertheless, it is clear that companies are responding to increasing marketplace demand for online privacy, and the tremendous growth of e-commerce reflects a positive trend on a variety of consumer protection issues, including privacy.


The challenges that lie ahead will give us a chance to prove the industry and government can work together, but ultimately it is the consumer who will judge whether those efforts are adequate. Because no matter how extraordinary the opportunities for e-commerce may be, the marketplace will fail if we cannot meet consumers' demands for privacy protection and gain their trust. We as a company are committed to doing the right thing. We believe our colleagues in the industry are as well, and we appreciate the opportunity to discuss these important issues with you this morning.


Thanks.


MCCAIN: Ms. Varney, welcome.


VARNEY: Thank you, Chairman; a pleasure to be here. Thank you for inviting me, and mindful of your admonition, I'm just going to talk for a few minutes. I've got longer remarks that we've submitted for the record, and I'd like to address some of the issues that have been raised this morning.


First of all, you know, we can sit here all day and argue about numbers -- 88 percent, 60 percent, 40 percent, back-out access, back-out security, whatever. I think that it's fairly clear that there has been enormous progress. If you look over time, the increase in the numbers of web sites that are making some type of privacy disclosures, providing some types of choices is going up, and I think that is something that this Congress can take a lot of credit for, because they've a lot of leadership in working with the industry on it.


The complexity that we get to, that Commissioner Anthony and others have mentioned, when you read these notice policies shouldn't be underestimated. Both Yahoo and Double Click have very large, very complex businesses, and Chairman, both those companies have been working very hard in the last months to completely revamp their privacy policies and make them easier to use, easier to read. And both those companies would like to come and talk to you, perhaps next week if you have time, to show you what they're planning on doing and get your feedback and your thoughts about it.


MCCAIN: I'd be glad to do that.


VARNEY: Thank you.


If privacy policies -- if notices are misleading, I think as Ms. Lesser said, the FTC has the authority. Maybe what they need is more resources. They ought to prosecute those people. To put a statement up that says, "We protect your privacy" policy and somewhere in the statement say, "We do whatever we deem reasonable with your data, and you don't get any choice about it," I think is deceptive on its face, and it ought to be prosecuted.


Senator Kerry talked a lot...


MCCAIN: Yahoo ought to be prosecuted?


VARNEY: Well, Yahoo's is not deceptive, Senator; Yahoo's is complex. Yahoo's a very large company with an enormous web site offering a wide array of services and products. And when I read Yahoo's privacy policy what I think they tried to do was be completely comprehensive, tell you everything. And it's not easy to read; they will agree with that.


MCCAIN: Why do you have to be comprehensive? Can't you just say this information will be private? What's the comprehensiveness?


VARNEY: You may absolutely say we will never disclose this information to anyone under any circumstances, if that is what you do. When you run a web site where you have content provider partners, where you have chat rooms that you link to that are run by other companies, where you have "ask a doctor" questions where you e-mail a doctor who does not work for a company, but works for somebody else, that information is in fact going to someone else. It might be clear to you; it might not be clear to you. But to say we never give your information to anyone under any circumstances is flat out deceptive unless that is precisely what you do. And I would submit to you, Senator, unless you're dealing with a very small web site, that is not the case today. And these web sites, why are they so complex and comprehensive in their...


MCCAIN: So, we need a how many sentence policy?


VARNEY: Well, I think that what you'll see...


MCCAIN: That's not appropriate. It's not appropriate for most Americans not to be able to understand the issue of privacy.


VARNEY: I agree, I agree.


MCCAIN: Now, can you understand the Yahoo statement?


VARNEY: I don't think that's a fair test, Senator.


(LAUGHTER)


MCCAIN: Well, we just had a university professor who couldn't.


VARNEY: I'll leave that one. But I think that you're right. It is too complicated, and these companies are really working on how to make it less complex.


Why is it so complicated? Because they're big companies with lots of business units. They're publicly traded companies that face shareholder lawsuits if they are not completely accurate in every regard. That's not to say they can't do it better and that they shouldn't and that they will. I think they all will, which goes to the next -- my next point.


MCCAIN: I apologize for interrupting.


VARNEY: Not at all. Always better to have an exchange, I think, than a -- a dialogue than a monologue.


What you've identified here this morning, I think, is a real problem in making these notices easy to find, read, and understand. How do you do that? That's a problem we ought to address, and perhaps, ultimately, it may need to be addressed legislatively. Do you need to delegate what I consider to be broad, sweeping regulatory authority to the FTC to do that? No. This Congress has not delegated to any federal agency broad, regulatory authority over the Internet, and I don't think this is the time to start.


Senator Kerry mentioned the financial data, data related to health and medical information, kids' data related to sensitive data. That may need a more complex regulatory scheme. In fact, as Ms. Lesser said, you passed the Financial Services Modernization Act. Now, we can argue about whether or not the privacy protections in that are adequate, but you passed it, and it's just now going into effect. You passed the Health Insurance Portability and Accountability Act. Those regulations dealing with privacy are not even done yet. We need to look at them. We need to figure out if there's loopholes. We have to give Americans the highest level of protection for their health and medical data. The kids' law, the Children's Online Privacy Protection Act, which this committee, versed, has been wildly successful in my view, but it has had some unintended consequences; maybe not bad, but unintended. Let's take a look and see where the gaps are.


The question I think is, whether it's 80 percent or 90 percent or 60 percent, how do you get this last mile to get every web site that is collecting personal information to tell consumers in a straightforward way what they're doing and what their choices are? I don't believe the answer is delegating broad regulatory authority to the Federal Trade Commission at this time.


Thank you, Senator.


MCCAIN: Thank you very much.


Mr. Catlett. And Mr. Catlett, for the benefit of the committee, perhaps you could tell us what Junkbusters is all about.


CATLETT: I'd be pleased to, sir. Junkbusters is a web site where people go for information about how to stop junk communication, such as junk e-mail, junk telemarketing calls, junk faxes, unwanted junk mail, and so forth, and to defend...


MCCAIN: It sounds to me like you're doing the Lord's work.


(LAUGHTER)


CATLETT: Thank you, sir.



BURNS: Maybe we don't have to pass the spamming bill then?


CATLETT: I strongly recommend that you do pass something like H.R. 3113 without the provision of labeling. I think that's very much needed.


There are those who say that technological solutions for, for example, filtering out junk e-mail will suffice. But I can tell you after running this web site for four years and publishing software to help people protect their privacy, publishing information about how to remove cookies, how to stop junk phone calls, and so forth, I can tell you that technology is not going to stop the death of privacy in this country. Furthermore, self-regulation is also not, alone or with technology, going to stop the erosion of privacy. It is necessary to have laws that give individuals the right to protect their own interests.


MCCAIN: You don't believe that FTC has existing authority.


CATLETT: I don't believe they have sufficient authority to require sites to, for example, stop selling your telephone number to telemarketers when you tell them. If the site's policy is stated as they'll do that or they don't state that, there's nothing you can do. And we get e-mail with junkbusters from harassed mothers in West Virginia who say, "How can I get these telemarketers to stop calling me?" Merely notice is not enough. The doctrine that all actions can be taken as on the basis of fraud is simply mistaken, I think.


There's been a lot of discussion about online and off-line, and I'd like to relate a little experience. When I used to work at AT&T Bell Labs, I came here in 1992 to work on research on marketing and databases, and that work was governed by very strict laws about what could be done with people's phone call records. Suppose that Congress had not passed those laws to protect the privacy of people when they used the phone system? Well, we would have a situation similar to what we have today on the Internet, where we're reading headlines about the terrible things that phone companies are doing. And instead of Double Click, it would be some company -- I'll fictionally call it Orwell Long Distance -- that is spying on the phone customers.


For example, it might have speech recognition technology that listens to the keywords that you speak in your phone conversations with business and use them to target more interesting telemarketing calls to you. It might analyze the telephone numbers that you call, look them up in the Yellow Pages categories and see what kind of categories of products you're interested in, and sell that information to catalogers. Now, if they did that, people would be outraged, and it would be simply illegal. But analogous practices on the Web are prevalent from companies such as Double Click.


The Federal Trade Commission's report has been criticized by some people as understating the amount of progress that is being made, but if you look at the analysis of, say, Forrester Research, an independent industry analysis firm, they actually paint a much bleaker picture of the amount of privacy protection that has been provided by industry. Forrester called many of these policies a joke, and said that they serve to protect the interest of companies rather than consumers. The Electronic Privacy Information Center has also done a series of excellent reports that come to the same conclusion.


So, to my mind, the FTC's conclusion that legislation is necessary is absolutely unassailable. We need legislation. What kind of legislation is needed? Well, the Online Privacy Alliance's four principles are not sufficient. Merely having notice, offering choice, some sort of weak access, and some sort of security is not enough. What is needed is, in many cases, to ask the consent of the person concerned before using his or her information, and that is one of the great principles in the bill before you, the Consumer Privacy Protection Act.


It furthermore establishes -- would establish standing institutions that look to the privacy issue beyond the trade issue, and most importantly, it gives individuals a private right of action so that they can defend their own interests when their privacy is violated. My one major criticism with the bill is that it preempts state law. I think it's entirely proper to allow the states their traditional role of laboratories of legislative innovation.


Privacy is a fundamental human right, and Congress, with this bill now, has the opportunity to head off the demise of that right. It's really clear to me that looking at the U.S. as someone who wasn't born here, that the world looks to the U.S. as a nation that deeply respects human rights and individual liberties. And the citizens of this country do not have enough rights to defend their own privacy in cyberspace. So, I think that you all bear a great responsibility for determining whether the United States leadership will extend into cyberspace and whether American citizens' rights will be preserved into the 21st century.


Thank you.


MCCAIN: Thank you, Mr. Catlett.


Mr. Berman?


BERMAN: Thank you, Mr. Chairman and members of the committee. It's a privilege to be here.


My organization is a civil liberties organization but also an Internet policy organization, and we're trying to maximize the democratic potential of the Internet, to build a bill of rights in cyberspace. And we've worked with all of you on different issues affecting the Internet, whether it's objectionable content and indecency and how to protect the rights of adults versus how to protect our children, encryption, communications privacy, and here data privacy. In every one of those areas we've recognized that the Internet is a different paradigm: It's global, it's decentralized, and that we need to focus in every one of those areas on empowering users and caretakers to protect their rights. That's the thrust of every model piece of legislation.


Why I think there's absolute consensus between Senator Burns' effort with Senator Wyden a year ago, the Boucher and Goodlatte, all four chairs of the Internet Caucus who share that vision of the Internet are supporting privacy legislation. It is very important to understand that none of that legislation is saying government takes over the Internet. All the thrust of that legislation, and Senator Wyden too, is to empower users to protect their rights on the Internet. And users cannot protect their rights if they have a crazy quilt of notice and obfuscation on the net where they do not know what the information policies are of those web sites, and they cannot exercise the right to choose or opt-in or opt-out of particular practices, and there has to be flexibility in that area.


The legislation I see that has been introduced not only provides that baseline information, that information will not be provided by a 100 percent of the sites until Congress acts, because there's so -- everyone can be a publisher on the Internet. There are so many Net sites that don't know that privacy is even an issue. It is not the last mile, as Christine Varney says, because if Yahoo doesn't know what notice is required, and they may be suffering from a potential prosecution over their eight pages, what about the little web site? Isn't it important for the government to set some standards so that people on the Internet -- the web sites and consumers -- know where they are? That's the key part of this legislation.


You do not have to rely on the heavy hand of government, particularly on trying to figure out on Web what notice means. You can also rely on self-enforcement, and some of the web -- E-Trust and BBB Online -- they can become safe harbors under the legislation. But to move it from eight percent take-up by the industry to 100 percent is going to require some push that they know that's a safe harbor, and only Congress can do that.


If Congress does not act in this area, you are facing 270 bills in the states, and we've recognized in many areas that a crazy quilt of state laws is counterproductive, a burden on the Internet, a burden on commerce, a burden on speech, and not in the interest of the Internet.


I think that the companies like AOL and IBM and Microsoft and others that we've worked with on their online privacy guidelines have done a terrific job, and they've moved forward, and they should be commended for it. But they cannot bear the burden, and they do not have the resources or the time to drag the other web sites along or to subsidize them or to pick them up. That is a role for government, and it's balancing and making their practices the best practices as part of legislation, which will build legislation, which maps on to the decentralized Internet, and preserves and protects and enhances the values that we share.

Thank you.


MCCAIN: Thank you, Mr. Berman.


Mr. Weitzner? Is that the proper pronunciation?


WEITZNER: That's exactly correct.


MCCAIN: Welcome, Mr. Weitzner.


WEITZNER: Thank you, Chairman McCain. It's an honor to be here, and I'm very pleased to be part of this discussion.


My testimony, which I've submitted and I won't read all of, makes three very basic points.


First -- and I think based on the discussion we don't even have to go through this any further -- the increasing sophistication of web technology enables the collection of large volumes of personal information, both directly from users and in the background in some way or another. Some characterize it as surreptitious; others characterize it as convenient, but there is an increasing volume of information collected.


Secondly, the World Wide Web Consortium, the organization I work for, which is the group that sets technical standards for the web and includes over 420 members from industry, academia, research, consumer organizations all around the world, recognized the increasing consumer concern over privacy and we therefore launched a project called P3P, the Platform for Privacy Preferences, which will enable the marketplace to deliver software tools and services that enhance users' knowledge of web sites' information practices and give users more control over their personal information.


Finally, I hope that we can dispense with the false dichotomies, the false choices presented between law, regulation, technology, industry practices or self-regulation. I think it should be clear to us that some balance of all of those factors is needed. No one of those is going to solve the problem, not law, not self-regulation, not technology. So, we don't need to worry about any one of them as sufficient. I think we should all just stipulate that we need to find the right combination.


MCCAIN: You're saying the right combination of legislation and regulation. Is that what you're saying?


WEITZNER: Well, I suppose that's a further distinction that I would probably leave to you. I think we need some kind of legal baseline. Whether that's implemented solely in statute or through regulation is something I'd leave to you. But I think we need a legal framework in which to operate here, along with technology tools and responsible industry practices.


Let me dispense with the discussion of all the myriad ways that information, personal information can be collected online, because I think there's a general appreciation for that point.

And I want to talk directly about W3C's efforts to build technology tools that will help enhance users' privacy experiences. And particularly given all the discussion we've heard already about the complexity of privacy policies, the difficulty of finding them, the number of words that one has to get through to get to the bottom line of the policy, let me talk in a little more detail about W3C's platform for privacy preferences.


Through this project, which is really a project to develop technical standards that address privacy, we hope to enable the development of a variety of tools and services produced by the marketplace that give users greater control over personal information and thereby enhance trust between web services and individual users.


P3P enables services, whether they're in web browsers, in web servers, in other pieces of software or services that users come across, will enhance user control by putting privacy policies where users can find them, by presenting the policies in a form that users can understand, and most importantly by enabling users to act on the policies that they see more quickly.


For e-commerce services there are benefits as well. P3P can be used to make the browsing experience more seamless. Any web designer who is concerned about offering a product or a service to someone who visits their site has a difficult balancing task even if they want to provide the maximum information about their privacy policy to that user. It's not easy to present, and I think it's a fair point that it is sometimes complicated to articulate in prose, especially prose readable to the non-experts out there, exactly what information practices sites are engaged in. And I think it's quite fair to say that whether it's Yahoo or any of the other really sophisticated, exciting services, they do a lot of different things with your personal information in a lot of different places, and to try to catalog all that in one single place is bound to be complex.


So, with P3P what we've tried to do is to enable the association of particular web pages and privacy policies that apply to what's going on at that point on the web. So, that when you're asked to fill out a form, right there your browser will be able to tell you, not necessarily in prose terms, but with graphical icons or some other means exactly what's going to happen there when you submit that form data.



WEITZNER: Think, if you will, for a minute about the experience we've had with security on the web. Several have referred to the fact that there was great concern about providing credit card numbers on the web by a number of users.


And how was that concern alleviated? In some part, it was alleviated by I think a very broad education campaign. In some part, though, it was alleviated because browsers added tools that told users that their transaction was secure.


No one on this committee may know the acronym, SSL. That is the technology that secures the communication between a user and a web site. But I think vast numbers of people who use the web recognize the little lock or the little key icons, and know when that lock or that key is closed, they should feel comfortable putting their credit card number onto that page.


We're looking to do the same kind of thing for privacy, to be able to represent to users exactly what's going on at exactly the point in the web site they're at, rather than forcing them to go back and read through the web site and click through -- I was amused with the description of the number of clicks; I've never actually counted them, and the number of words -- but I think that's exactly the problem that we're trying to address with P3P.


Finally, P3P can help to assist with three of the four information practices that the FTC report has outlined. Obviously, notice. It provides a capability for presenting easier to understand notice to users. It helps users to make a choice. And, finally, it has the vocabulary to tell users exactly where they can go, what they have to do to get access to their personal information. Security is dealt with in other parts of web standards, so we haven't addressed it directly in P3P. I would say that the question of access is complex, and P3P does not pretend to provide a mechanism to enable access, but we do provide a way for users to understand how to go and get access.


I want to just close by saying that I think that this committee does face very difficult questions regarding what legal or regulatory framework, if any, are best to address privacy on the web. There are obviously a variety of options before you. And I'm not here to support or oppose any particular approach. I would urge, though, that with or without legislation, with or without regulation, web users both in the United States and around the world need more powerful technical tools to give them greater control over their online privacy relationships and greater information about what kinds of relationships they enter into.

Even with the most stringent privacy laws in place, I would submit, so much of individual users' practical privacy rights on a day-to-day basis depends on being able to make individualized choices about what they want done with their personal information in a particular interaction. And the web is getting so complex that we are going to need technology tools to help with that.


We certainly also need some way or another to encourage and in some cases most likely require web sites to offer those choices, but we're going to need the tools to make those choices effective choices and make sure that they're not buried four or five clicks and thousands of words down in some policy. So, I hope that whatever action this committee takes it will be consistent with encouraging the development of these tools and unleashing the innovative forces in the marketplace, which, whether or not they have an incentive to provide privacy protection, the innovation that we see in this marketplace can help to solve these problems, and we should make sure that it's able to do that.


Thank you very much.


MCCAIN: Thank you.


Ms. Lesser and Ms. Varney, do you have a response to Mr. Catlett's allegations?


LESSER: Well, I would say the following: Obviously, we sort of fundamentally disagree with Mr. Catlett on approach, but we fundamentally agree with Mr. Catlett on the need to protect consumers' privacy. And, so I...


MCCAIN: You disagree when he says that there is no technology that will solve this problem nor does the FTC have sufficient authority.


LESSER: Let me take the first and then the second. On the technology question, I think it is certainly not technology alone. As Mr. Weitzner has laid out, there are lots of efforts going on in terms of technological development in helping consumers and businesses have that conversation and making it easier for consumers to get notice and make choices, and that's critical. However, in order for technology to solve some of these problems, you have to rely on implementation, and in many ways you need to rely on how businesses are going to deal with their consumers.


So, I would say, in answer to some of the questions raised about whether they are large companies or small companies, having complicated, incomplete, misleading privacy policies, I would submit, based on our data with our customers, those companies will not ultimately succeed in gaining consumers' trust, and they will see a decrease in their business. So, I don't think that technology can do it alone, but we've never relied on technology to do anything alone. It needs to be coordinated with good business practices.


In terms of legislation, I think that, as I've said, it is not a zero sum game. There may be areas where we need to see standards set by this committee to guide the industry and to make sure that we are all headed in the right direction, particularly those of us who are not at this particular point. However, we need to do this in a deliberative way and make sure that we've identified what issues need to be addressed and who best to address them. I strongly believe that the FTC has an important role to play. I believe this committee has an important role to play, and that industry and consumers engaged in a dialogue have an important role to play.


I will say there is one important thing I disagree with in Mr. Catlett's remarks, and I think it's important to emphasize, and that is the issue of preemption. And whatever or however you folks begin to look at this issue, it is critical as we look at this medium, which we know is national but we also know is global, that we don't seek out a multiplicity of confusing and inconsistent standards; that whatever road we go down we make sure that companies -- every single company, be it the smallest company in any of the states represented here, go online and serve customers. They may be serving customers from all 50 states very quickly and from all over the world, and they simply, both large and small companies, cannot comply with a multiplicity of laws that are inconsistent around the globe and around this country. So, I would strongly urge you as you look at standards to think clearly about the need to respect the global and national nature of the Internet online medium.


MCCAIN: Ms. Varney?


VARNEY: Yes, Senator. As to the second question, the FTC authority, clearly the Federal Trade Commission has the authority to prosecute anybody who posts a privacy policy that is deceptive or misleading, and they should do it, and perhaps they need more resources to do it. Do they have the authority to compel web sites that don't post privacy policies to do so? Probably not. Do they have the authority to compel web sites to post privacy policies using certain language or in a certain way? Probably not.


The chairman of the Federal Trade Commission and I, as a former Federal Trade commissioner, have had a long-standing argument, which I think you've heard before, about whether or not the FTC's unfairness authority, as opposed to their deception authority, would be a sufficient basis for them to prosecute those who collect and use personal information for purposes other than it was provided without adequate notice and consent. The chairman believes he does not have the -- that section 5, unfairness standard, does not give him that authority. I think it does. But he's a professor and a former dean of a university, and he's the chairman.


MCCAIN: All right.


Mr. Catlett?


CATLETT: Thank you, sir. On the issue of preemption, if Congress moves promptly and passes a good law that gives strong rights to individuals, then the states will not need to move in to address particular needs of their citizens.


As to the question of inconsistent legislation, companies deal globally with this problem all the time. For example, DoubleClick does not set cookies in Germany because of laws that relate to privacy. Therefore, Germans are getting better privacy protection from an American company than Americans are. So, companies do deal with these large differences, and a nation gets the level of privacy protection that it demands.


MCCAIN: Mr. Berman?


BERMAN: I think some companies can deal with the crazy quilt of regulations. One of the arguments for legislation is to get away from that and to have some uniformity. I agree with Jason that it ought to be a high standard, but if it also comes -- and a standard that protects privacy -- but it also has to protect the free flow of information over the Internet, and if our companies or small web sites have to figure out the laws and design their sales and their approaches to be consistent with every country in the world, I think that will be an enormous burden on commerce.


So, one of the reasons why I think that it's important for the United States and for us to work these things out now is to establish we are a leader in the Internet and that the regulatory regime that makes sense for the Internet makes sense also internationally. And the traditional large regulatory role over every web site, which some Europeans advocate, I think is inconsistent with the way the web is designed and will not work. So, it's part of providing leadership.


One last point: These issues are complex, and I think that in order to work them out it does require drilling down on what do we mean by notice, what do we mean by access, what do we mean by a remedy, what's fair when L.L. Bean sends your shoe size to the wrong company? Do they go to jail? Those are not easy questions. What access do you have and what is the security for those issues? And I think in order to -- and if regulatory agencies should not be given an enormous amount of discretion.


In order to limit that discretion, one of the things that Congress can do is when it writes its legislation, which is to make clear in legislative history and go and really use staff time and drill down on how its legislation is going to work, to explain to the FTC and explain to the public and to the companies what they have in mind. That is not easy legislation but is absolutely, I think, critical in this area or you will see too much discretion, and you will not have the confidence of the Internet community.


MCCAIN: So, Mr. Catlett, along those lines, I, like many others, buy books online, and now when I go on one of these web sites, they say, "Hi, John. We just got in a new biography of Napoleon we know you would like," which is true. They know what my preferences are. So, actually they're helping me by informing me of books that I would like to read. What's wrong with that?


CATLETT: It's a wonderful service, sir, and I use it myself.


MCCAIN: Then you know what I'm getting at here, OK? Where does the line stop where they're informing me and helping me, and they're invading my privacy?

CATLETT: Everybody wants the benefits of personalized technologies, and the Internet is wonderful at providing that, provided that the personal information is treated fairly. And that means several things. Only using the information for the purpose that they collected it for, in the case of, say, making book recommendations, and for not selling to or giving to journalists who want to get a psychographic profile of the individual who buys the books. Secondly, the individual should have access to that complete profile that's built up so they can be sure for themselves...


MCCAIN: Like the FOIA. Like the Freedom of Information Act.


CATLETT: Precisely, sir, and those laws should apply very broadly to all commercial entities that maintain personal information. It's the right of people to determine the information that's held about them. That information is being used by companies supposedly for their benefit, and so people have the right to see that information.


MCCAIN: Do they now?


CATLETT: No, they do not, sir. You have the right to see your credit report, but you do not have the right to see the vastly great profiles about you that marketing companies have.


MCCAIN: Is that fair, Ms. Lesser?


LESSER: I think it's a fair articulation of the current law. I don't think it's necessarily a fair articulation of all business practices. So, for example...


MCCAIN: Now, wait a minute. Is it fair for me not to know what...


LESSER: Oh, I'm sorry; I misunderstood your question.


MCCAIN: ... Amazon.com's profile of me is?


LESSER: I imagine that if Amazon.com is creating -- is giving you, for example, as we do, an opportunity to have a member profile...


MCCAIN: Is it fair for me to know what the profile is, Ms. Lesser?


LESSER: Sure, absolutely. It is fair for you to know.


MCCAIN: But right now I don't have that right.


LESSER: You will probably be given a right to know what your profile says by a lot of companies, because it's smart business practice.


MCCAIN: But if they don't choose to...


LESSER: Now, the level of -- there's a difference between understanding access, i.e. do you access directly into the database or do you have an ability to basically say...


MCCAIN: You're complicating the issue.



MCCAIN: Ms. Varney, do I have the right to know what profile is compiled on me by an Internet corporation?


VARNEY: Do I get to ask you a question back to further the...


MCCAIN: Yes.


VARNEY: OK, thank you.


MCCAIN: Tragically, yes.


(LAUGHTER)


VARNEY: Do you want to know -- a company is going to take what you've purchased on their web site to develop their profile. Do you want access to everything that you've purchased?


MCCAIN: No, what their profile of me is.


VARNEY: OK. So, you don't care about getting access to your past purchases. You want to see what they do with that information.


MCCAIN: I want to know what the profile is, because obviously they are letting other people know that profile.


VARNEY: Why are they letting other people know the profile?


MCCAIN: I don't know why.


VARNEY: What if they don't?


MCCAIN: For profit and fun.


(LAUGHTER)


VARNEY: Not yours, Senator, I can assure you.


If they're not sharing the profile, does that matter to your question? Because here's what the...


MCCAIN: Even if they're not sharing the profile. The FBI has a file on me, and I hope they're not sharing it. Yet, I have the ability -- well, I don't really care.


(LAUGHTER)

Most citizens would not want that. So, through the Freedom of Information Act then I can find out -- I can get my FBI file. Shouldn't I be able to, through some kind of Freedom of Information Act, know the profile that is kept on me?


VARNEY: Having been through the Senate confirmation process, I do have an FBI file, and I have reviewed it, and what is in my FBI file are facts and summaries of conversations.


MCCAIN: Should every American have the same right as they do with the FBI file?


VARNEY: But, Senator, that's what I'm getting at. What's in the FBI file -- if the FBI has a psychographic profile on me, I have not seen it. I cannot see it.


MCCAIN: They may and they may not. I've seen all kinds of FBI files.


VARNEY: Can you see what they have on me?


MCCAIN: You are evading my question. Should they have the right to know the profile that is -- should I have the right to know the profile that is kept on me?


VARNEY: Senator, I don't mean to be evasive. I'm trying to draw...


MCCAIN: So, you're not going to give me an answer.


(LAUGHTER)


VARNEY: I am going to give you an answer. I'm trying to draw a distinction...


MCCAIN: If you want to ask me a question, you've got to give me a yes or no answer.


VARNEY: I will, I will. You don't let me, though. I'm trying to draw a distinction between the data that is used by a company to create a profile. Obviously, you have a right to all of the data, the transactional data. What some of the companies will say back to you, whether or not you accept this argument, is we spend a lot of time and a lot of money and hire a lot of people and do algorithms and all kinds of things to come up with what we think is the profile. It's our proprietary property. Is it good business sense to share it with you? Sure. Do you want to legislate it? Talk to the companies that do it; I don't know.


MCCAIN: So, your answer is I don't know. Now, what's your question for me?


VARNEY: I asked the question, whether you wanted access to the underlying data or to the profile that the data was used to generate.


WEITZNER: Well, my question is I want to see your profile.

MCCAIN: I think I should have access -- very frankly, I think I should have access to any information that is collected about me and conclusions that are drawn about me. I think that's the right of citizens, and I don't understand how it could be -- go ahead.


WEITZNER: Could I suggest we just take one step back? I don't have a clear answer to this question, but the right of access...


MCCAIN: By law, I can have my credit profile.


WEITZNER: That's right. And the reason that you can have your credit profile is because important decisions are made affecting your life based on that credit profile, so you have a right to see it, really, in order to correct it if there are mistakes.


MCCAIN: Suppose that this company that makes a profile of me that portrays me as an ex-murderer is then sold and distributed all over the Internet. Is that good?


WEITZNER: I think that what you certainly have a right to know is what they are disseminating to others. I'm not sure that I'm comfortable with the notion that any single web site that has any kind of commercial activity has to have a mechanism for disclosing all of the information that it compiles that is in some way personally identifiable. That really goes pretty far, and I think, as the FTC Advisory Committee recently pointed out, you get into a whole other set of privacy problems. How does Amazon know that you're you when you're coming to look at your profile? A lot of people are going to be trying to...


MCCAIN: Because they get my credit card.


WEITZNER: ... figure out every senator's password.


MCCAIN: They get my credit card when I make a purchase, so they're pretty darn sure that it's me.


WEITZNER: Well, they ensure against the risk that it actually isn't you, and they protect themselves, and the credit card companies charge you whatever interest they charge you.


MCCAIN: They don't know that I like history books just because of one purchase.


Go ahead, Mr. Berman.


BERMAN: I think the answer -- I raised it before. This is not an easy question. There's been a committee now on access, which has drilled down and made distinctions between proprietary information, information which you should have, which might be exempt. So, it depends. That's one of the critical factors in writing legislation like this. In order to decide...


MCCAIN: If you're making an argument, we better be very careful about writing legislation.

BERMAN: You better be very careful and go through the hypotheticals about what you mean by access and who has access, and you might also raise the question which we raised is if you have total commitment from the private sector to both only give you that profile and keep it for themselves and never use it for anyone else, because they're the only ones that want to sell you Napoleon books, what is the right of the FBI to get access to that information, that profile? And what we've done is we're making an enormous transfer of third-party information, personal, sensitive information to the net without also examining what the government access standards to that information.


I mentioned the Monica Lewinsky example. A colleague of mine at CET is trying to find...


MCCAIN: Try not to mention that.


BERMAN: ... over in another committee dealing with government access. And I would urge that at some point the committee try and look at them together, because they are of a piece.


MCCAIN: Well, this is a fascinating issue. I mean it is really a remarkable issue, and I would argue that five years ago if we'd have said we would be having this kind of discussion, that that simply was not on screen. And I believe that Mr. Catlett is right, though. I think is a very rapidly growing issue rather than one that is diminishing. I apologize to my friend and colleague for the length of time I took, but it's a fascinating dialogue.


I thank the witnesses.


HOLLINGS: I have never missed a meal, and I don't plan to.


(LAUGHTER)


(UNKNOWN): You've never missed a meal while I've been up here.


HOLLINGS: In light of the conversation and the dialogue with the chairman, give me your assessment -- and I'd ask you, Jerry -- give your assessment of the Safe Harbor approach.


BERMAN: Well, I think that the Safe Harbor approach offers a real opportunity in dealing with the Internet. One of the things that FTC has built up is a considerable amount of experience in dealing with -- that there are a whole myriad of -- it's not one-size-fits-all on the Internet. And we want to encourage a lot of different experiments in enforcement and trying to get companies to do audits and so on. If the safe harbors encourage that experimentation so that good practices can find their way into that safe harbor, then after developing a database and factual basis of how those work, you can make decisions about whether you need to go further and deal with criminal penalties and all the other paraphernalia. I would start at -- but I wouldn't start at that end, which is with big penalties and high standards for what is a safe harbor, because there's so much experimentation and so many new people on the Internet.

But I think that that is -- that what is the problem with the self-regulatory regime now is not that people aren't trying these experiments, they don't know what a safe harbor is. So, they don't know what to spend, whether it's worth it, whether if they join E-Trust or BBB Online, whether they're going to be safe from prosecution or safe from legislation. So, I think that that uncertainty is something that your legislation begins to address. I mean we need to work on it, and Senator Hollings...


HOLLINGS: In other words, we don't want to abandon the Safe Harbor approach.


BERMAN: I do not think so.


HOLLINGS: Now, let's go one step further then. Does the simple posting of privacy policy amount to actual privacy to the end user?


BERMAN: It does not amount to privacy if the statement is not complete or it says, In some circumstances we do this, in some circumstances -- and it's conflicting, and we have examples in our testimony. It has to be a complete statement in those four categories, and it has to give you adequate information so that you know what the scope of collection and use is.


HOLLINGS: That's all I have today. I've listened to the testimony and the questions, and I don't know what happened to the chairman, but I will tell you this, that we thank you for coming today. There will be other senators with questions. If you could respond to the individuals and to the committee, that would be helpful, and right now this hearing is closed. The record will remain open for two weeks.


END


NOTES:
Unknown - Indicates speaker unknown.
Inaudible - Could not make out what was being said. 
off mike - Indicates could not make out what was being said.

PERSON:  JOHN MCCAIN (94%); TED STEVENS (72%); CONRAD BURNS (57%); SLADE GORTON (57%); KAY BAILEY HUTCHISON (56%); OLYMPIA J SNOWE (56%); TRENT LOTT (56%); ERNEST F HOLLINGS (56%); JOHN DAVID ASHCROFT (55%); JOHN F KERRY (53%); DANIEL K INOUYE (53%); RICHARD H BRYAN (52%); RON WYDEN (51%); 

LOAD-DATE: June 1, 2000



