Joint Hearing Of The Subcommittee On Communications, Technology And The Internet And The Subcommittee On Commerce, Trade, And Consumer Protection Of The House Committee On Energy And Commerce - Behavioral Advertising: Industry Practices And Consumers' Expectations

Chaired By: Representative Bobby L. Rush; Co-Chaired By: Rick Boucher

Witnesses: Jeffrey Chester, Executive Director, Center For Digital Democracy; Scott Cleland, President, Precursor LLC; Charles D. Curran, Executive Director, Network Advertising Initiative; Christopher M. Kelly, Chief Privacy Officer, Facebook; Edward W. Felten, Professor Of Computer Science And Public Affairs, Princeton University; Anne Toth, Vice President Of Policy, Head Of Privacy, Yahoo Inc.; Nicole Wong, Deputy General Counsel, Google Inc.

Copyright ©2009 by Federal News Service, Inc., Ste. 500, 1000 Vermont Ave, Washington, DC 20005 USA. Federal News Service is a private firm not affiliated with the federal government. No portion of this transcript may be copied, sold or retransmitted without the written authority of Federal News Service, Inc. Copyright is not claimed as to any part of the original work prepared by a United States government officer or employee as a part of that person's official duties.

REP. RUSH: Today is a joint hearing on the -- of the Subcommittees on Commerce, Trade, and Consumer Protection and Communications Technology and the Internet. And I want to welcome all of you to this hearing. And I want to just give you some advance notice that in about 20 minutes we will be called to the floor for a series of votes.

Some have estimated it to be -- was scheduled for about 27 votes on the floor, which is certainly going to extend the hearing. So we ask that you be patient with us. We'll try to conduct this hearing and try to be very mindful of your time, and -- but we will be -- our actions will be dictated by the House schedule, by the votes on the floor.

Now, I want to recognize myself for five minutes of opening statements. As I indicated, today the subcommittees on -- the two subcommittees, Commerce, Trade and Consumer Protection and Government, Technology and the Internet are combining our commitment to privacy, and our resources to conduct an extremely important hearing on behavioral advertising, industry practices, and consumer protections.

And I want to just take a moment to thank Chairman Boucher for not only his cooperation in our working together, our teaming up on this particular issue, but I want to thank him also for his past champion -- and championship and dedication to this very, very, important issue.

This is but one hearing along a continuum of legislative activity examining the domains of online and offline consumer privacy, and how companies handle and treat consumers' personal information. Most recently, the subcommittee on Commerce, Trade and Consumer Protection, which I chair, marked up H.R. 2221, the Data Accountability and Trust Act, a bi-partisan bill, which addresses security of personal information, breaches of that security, and corrects some of the resulting harms to consumers. I am hopeful that there will be more hearings.

There are currently no federal laws specifically governing behavioral advertising, nor do we have a comprehensive general policy -- general privacy law. As members of Congress, we have anticipated for some time that this hearing would be highly informative and very valuable in helping us answer the question that everyone seems to ask, is federal privacy legislation necessary or should companies be trusted to discipline and regulate themselves?

At this hearing I look forward to hearing from our very distinguished panel of witnesses about this growing trend on -- of online behavioral advertising. Market research firms have estimated that behaviorally targeted ad spending will reach $4.4 billion by the end of 2012. That number is eye-opening as it translates into almost 25 percent of all online display ad spending that is projected to be spent by year 2012.

As prevalent as these ads are becoming so too are the buzz words, which are purportedly needed to flesh out the appropriate contents of fair information principles and practices. Words and phrases, such as transparency, choice, notice, consent, consumer expectations, opt-in and opt-out seemingly mean different things to different speakers depending on an array of variables.

Such variables may include the identity of the user, whether he or she has registered with the visited website, whether the ads are being served by first or third-party sites, the sufficiency and conspicuousness of pre-existing privacy policies and disclosures, the robustness of user-enabled settings for managing user privacy, and the list can go on and on and on and on.

All of these variables are important to consider, but they can muddle the issue of whether legislation is needed. And I will be listening intently to your accounts of how upfront companies have been about the types of personal information that they are collecting from consumers, what they are doing with the information, and what choices and controls that consumers have over the subsequent use of that information.

And I want to thank all the witnesses for coming in this morning for sharing with us, taking away from your business schedule, to provide input -- much needed input into these matters that we have before -- that's before us today. And I want to thank all of the subcommittee members, and their staff, for so diligently preparing us, this subcommittee, for this hearing.

And now I want to recognize for five minutes, for the purposes of opening statements, the ranking member, Mr. Radanovich. Mr. Radanovich is recognized for five minutes for opening statements.

REP. GEORGE RADANOVICH (R-CA): Thank you, Mr. Chairman. And I want to thank you and Chairman Boucher and my fellow ranking member, Mr. Upton, on these hearings today. I think it's a good issue that we need to be talking about.

Privacy continues to be an issue of increasing concern to consumers. And I'm pleased that we look at -- looking at all the relevant issues to determine what the problems are, and what possible solutions exist. What was once thought to be an issue limited to business, with whom consumers had a customer relationship has been forever altered by the Internet.

Progression and innovation in computer and digital technology over the last 20 years has transformed many aspects of our lives. By the same token that progress has opened the possibility to potential abuses and invasions into our lives.

In the connected world of the Internet where data is instantaneously accessible to anybody in the world, we have learned how vast amounts of sensitive consumer data can be inadvertently disclosed or subject to more malicious and intentional theft.

We also know the main reason consumers should be concerned about the amount of personal information out there on the World Wide Web is that sensitive personal information can be used for harmful purposes, particularly identity theft.

Thankfully, we are addressing some of those concerns with the data security and data breach notification legislation moving through the committee right now. Our oversight into the data security issue opened our eyes to the types of sensitive personal information many institutions, ranging from businesses to government, maintain about us.

And while information is kept about us maybe for legitimate reasons that mandate data retention, for instance, for law enforcement purposes, most consumers do not fully understand how information gathered about us will be used or with whom it will be shared.

These concerns are legitimate. What is more, these concerns over keeping personal information private are exacerbated by digital technology and the capabilities of Internet technology.

Information that filled rooms of file cabinets in a paper-based business can now be stored on devices that attach to a key ring, and can be sent over the Internet in seconds, making information theft easy and often untraceable.

The ability to instantaneously collect, analyze and store consumers' online behavior for marketing purposes stretches this dynamic even further. The Internet quickly evolved beyond its original purpose as a communication tool to become a means of commerce, education, and social interaction.

A generation has been raised on the Internet with the ability to find information relevant to their interest, and communicate in ways that we could not imagine only 10 years ago. And most expect these services to be customized for their preferences. But many of these technologies and practices that deliver high levels of customization, present new challenges and concerns for consumers, primarily understanding what the tradeoff is for these services.

Do we need to relinquish personal information about ourselves and our Internet for the purposes of generating more user-specific advertisements in exchange for access to the information we seek on the Internet? And if so who has our access to this information?

The Internet has been a successful tool for commerce and has benefited consumers with convenience, choice, and savings. Relevant advertisements based upon user interest will be more beneficial to the consumer and business, which in concept is no different than the manner in which marketing research determines which advertisements are selected to be placed in magazines, newspapers, or on television based on the intended audience.

However, in practice, the Internet is different because of its ability to track preferences on a minute-by-minute basis. The question is how advertisers engage in the process of identifying their potential target-audience, specifically what information is used to generate targeted advertisements.

I have a son, who I would do anything to protect. And although I cannot monitor him every waking moment, and prohibit his ability to access the Internet, nor would I want to -- like any parent, I want to trust that he will be safe to surf online and interact with his friends without being unknowingly monitored or profiled.

While my son is in a vulnerable demographic, millions of Americans of all ages spend time surfing, posting, and shopping on the Internet. How their information is used, and what control the individual has over the collection of their information is at the center of the debate of whether we need a federal privacy law. And if so, how it should be structured and what activities it will address.

In the case of my son, I am concerned with the information being gathered and how it is used. I'm less concerned with who is conducting the behavioral profiling or what technology they are using.

I thank the witnesses today. And I look forward to your testimony, particularly hearing more about what the industry is doing to address many of these concerns in and of itself.

Mr. Chairman, I'm ready to work with you and the stakeholders to address identified problems, and ensure whatever solutions developed will equally apply to the behavior, regardless of who engages in it. Thank you, Mr. Chairman.

REP. RUSH: Thank you. The chair thanks the gentleman.

It is now my privilege and honor to recognize for five minutes for the purposes of opening statement, the chairman of the Subcommittee on Communications, Technology and the Internet, the gentleman from West Virginia, Chairman Boucher, for five minutes.

REP. BOUCHER: Well, thank you very much, Chairman Rush.

And I want to begin this morning by saying thank you to you and your very fine staff, and to Mr. Radanovich from California, your ranking member, as well as to Mr. Stearns and his staff for the excellent cooperation we've had among ourselves as the plans for this joint hearing of our two subcommittees have progressed. I very much look forward to our continued collaboration as we consider the need for legislation, and discuss the principles that privacy protection legislation should embody.

Broadband networks are a primary driver of the national economy, and it's fundamentally in the nation's interest to encourage their expanded use. One clear way Congress can promote greater use of the Internet for access to information, for electronic commerce, and for entertainment is to assure that Internet users have a high degree of privacy protection, including transparency about information collection practices and uses, and control over the use of the information that is collected from those who use the Internet.

I've previously announced my desire to work with Chairman Waxman, Chairman Rush, and ranking members, Barton, Stearns, and Radanovich, in order to develop legislation this year, extending to Internet users the assurance that their online experience will be more secure. Such a measure would be a driver of greater levels of Internet uses such as electronic commerce, not a hindrance to them.

Today's discussion will examine behavioral advertising and ways to enhance consumer protection in association with it. I'm a supporter and a beneficiary of targeted advertising. I would much prefer to receive Internet advertisements that are truly relevant to my particular interest.

In fact, I have bought a significant number of items based upon targeted advertising delivered to me from websites that I frequently visit. And so I have a deep appreciation of the value of targeted advertising from the consumer perspective.

It's important to note also that online advertising supports much of the commercial content, applications, and services that are available to Internet users without charge. And I have no intention of doing anything that would disrupt that very successful, in fact essential, business model for Internet-based companies.

At the same time, I think consumers are entitled to some baseline protections in the online space. Consumers should be given clear concise information in an easy defined privacy policy about what information a website collects about them, how that information is used, how long it is stored, how it's stored, what happens to it when it's no longer stored, and whether it's ever given or sold to third parties.

Consumers should be able to opt-out of first party use of the information and for its use by third parties or subsidiaries who are a part of the company's normal first party transactions, or without whom the company could not provide its service, all of that would fall within the ambit of opt-out.

Consumers should be able to opt-in to use of their information by third parties for those parties' own marketing purposes. This arrangement should not prove to be burdensome. In fact it's very much in line with the practices of many, if not most, of the reputable service providers today.

I look forward to hearing from our witnesses about their reactions to this arrangement, and how it can best balance Internet business models that depend on online advertising with adequate protection for consumers' privacy.

For examples -- for example, have I suggested a workable online opt-in and opt-out consent arrangement or are there additional situations in which opt-out consent might sometimes be appropriate? What safeguards should be in place in order to ensure that consumers are giving meaningful consent to the sharing of their information, both on and off the Internet? What role could self-regulatory organizations play in a statutory arrangement that ensures that all entities that collect information about Internet users abide by a basic set of consumer privacy standards?

I also look forward to learning about emerging approaches to enhancing consumer choice, and control over the use of information through efforts like the Network Advertising Initiative and persistent opt-out cookies. What benefits could these services offer to consumers? What is the best way to inform consumers about the availability of these services? And again, how should the consumer's meaningful consent be procured?

I'm also interested in hearing a preview of what the future of behavioral advertising may hold, and what services it might enable, and how to accommodate privacy concerns associated with those future services.

I want to thank our witnesses for taking the time to join us here today. They represent a broad and diverse range of interests, and are all deeply knowledgeable about these subjects. We very much look forward to hearing your testimony.

Thank you, Mr. Chairman.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes the ranking member of the Subcommittee on Communications, the ranking member, Mr. Stearns, from Florida. He is recognized for five minutes for the purposes of opening statements.

REP. CLIFF STEARNS (R-FL): Good morning and thank you, Mr. Chairman. I also want to echo Mr. Boucher's comment that we look forward to working together in a bipartisan fashion on a very important bill. And I want to thank the witnesses for coming this morning.

I think for the most part you are going to educate us. You are the experts here, and we respect your opinions. We want to do no harm here.

So I think when we look at this possibility of federal legislation dealing with privacy, we want to make sure that it's consumer-centric. Consumers don't care if you are a search engine or a broadband provider. I just want to ensure that the privacy -- their -- assurance that their privacy is protected.

We must empower them to make these privacy decisions themselves. They feel, they know, how much -- what to be collected and what should not be collected. Congress cannot and should not make that decision for them. But it can play a role in making sure consumers have had the information simply to make their own choices.

That means companies should be as transparent as possible about what information they collect, and of course, how they are using it. That way consumers will be better able to make informed privacy decisions. This transparency should include robust disclosure and notice outside the privacy policy. Notice and disclosure needs to be clear and conspicuous so that consumers know that.

First, some information is being collected. Second, what is the information that is being collected, how is it being used. And third, how to prevent this information being collected, if they so desire. By giving the consumer more robust and transparent information, we can strike the proper balance between privacy protection and strong Internet commerce.

Furthermore, my colleagues, I want to emphasize two principles that should play a prominent role in our examination of this issue. First, we should apply the same privacy standard to companies that are engaged in similar conduct with similar information. But we should avoid applying those same standards to entities that do not use the same types of information for the same purposes, and do not have anywhere near the same volume of information about the prospective consumer.

For example, search engines and Internet advertising networks may use a consumer's visit to a particular website to create profiles for purposes not directly related to the reason for the visit. Other entities, like web publishers, collect information only to provide the very service the consumer has come for, our approach should recognize that.

Second, any legislation in this area should hold various parties accountable only for that which they know and control. We should be wary of efforts to make any one party responsible for the actions of others.

Consumers' online activities provide advertisers with valuable information upon which to market their products and their services. Collecting this type of information for targeted advertising is very important because it simply allows many of these products and services to remain free to consumers.

Without this information websites would either have to cut back on their free information and services or would have to start charging a fee. Neither result is good for the consumers.

Overreaching privacy regulation could have a significant negative economic impact at a time when many businesses in our economy are struggling. So let's be very careful on these issues before we leap to legislative regulatory proposals.

When I was chairman of the Commerce, Consumer Protection, and Trade, I held a number of hearings on privacies. I worked with Chairman Boucher, and we developed a Consumer Privacy Protection Act, which we dropped as a bill. This bill would have required data collectors to provide consumers with information on the entity collecting the information, and the purposes for which the information was being collected. I believe it was and still is a good base bill to use as we make -- as we move forward to develop a new privacy bill.

Also, I'd like to bring up an issue, perhaps many of us have thought about, and I don't want to bog down our discussion about it. Which agency will regulate and enforce privacy standards? Will it be the FCC or the Federal Trade Commission, a combination, or possibly a new agency?

I know this issue won't be solved this morning, but it's something we're going to have to work out and work through, and I look forward to doing this on a bipartisan fashion. And I'd be interested, if possible, if some of the witnesses could give us their feelings about how the jurisdiction of this privacy bill would be best supervised with.

So, Mr. Chairman, I would conclude by pointing out -- we've talked a little bit in previous hearings about deep (pocket ?) inspection. The point is that whether a company uses deep (pocket ?) inspection, or reads your e-mail directly, this should be part of the privacy rules in some way. So I think our witnesses can also help us on that particular aspect. So I look forward to hearing. And thank you for the opportunity to speak.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes the gentleman from Ohio, Mr. Space, for two minutes for the purposes of opening statements.

REP. ZACHARY T. SPACE (D-OH): Thank you, Chairman Rush and Chairman Boucher, Ranking Member Radanovich and Ranking Member Stearns, for convening us today on the topic of behavioral advertising.

I was struck when reviewing Professor Felten's testimony by a comment that he makes, quote, "Responsible ad services typically collect less information, and track users less intensively, than the technology would allow," end quote. To me, this means that just because we can doesn't mean that we should.

I certainly understand the need for companies to advertise on their sites. Doing so is what enables our constituents to access free content, products, and services online.

They also understand the desire of ad companies to supply consumers with ads that are more -- of more relevance to them. This is a better business model for the companies and potentially a service to consumers.

However, I want to make clear that one bad apple could spoil the whole bunch here. The moment online consumers believe their personal information is at risk of corruption, misuse, or theft would be the moment this approach we're discussing today will cease to work.

I strongly believe it is in the interest of all parties to disclose to consumers their advertising practices and intent, and to ensure the consumer's personal information is strictly guarded against security breaches and exploitation. I look forward to these conversations today, and to working with my colleagues on this issue as we move forward. I yield back my time.

REP. RUSH: The chair thanks the gentleman.

It's now my pleasure and honor to recognize for five minutes, for the purposes of opening statements, the ranking member of the full committee on Energy and Commerce. Mr. Barton is recognized for five minutes.

REP. JOE BARTON (R-TX): Thank you, Mr. Chairman.

As I look on the other side of the aisle I'm gladdened to see that none of the Democrats who played on the democratic baseball team are actually in the room. So I can congratulate them in their absence. And I won't have to do it face to face when I see them on the floor.

But last night, Mike Doyle, who is the manager of the team, and Bart Stupak, who is on this committee, played an amazing game. It wasn't their usual democratic bumbling error game. They actually played very well and as a team. And as a result they beat the stalwart Republicans 15 to 10.

John Shimkus, who is our starting pitcher, played an excellent game. And we had a number of Energy and Commerce Republicans, Mr. Gingrey -- Dr. Gingrey who's here, walked at a key time and later scored. Mr. Scalise, who is here, played second base some, and also did some base running and scored.

Mr. Pitts, who -- he came out and watched the game, and luckily didn't try to play, although we could have used his bombing skills from the Vietnam War. So in any way we raised quite a bit of money for charity and had a good time. And when you all see Mike Doyle, and you see that he's grinning from ear to ear, just congratulate him and tell him to take pity on the downtrodden Republicans who didn't quite have the stuff last night.

On this hearing, Mr. Chairman, I do want to thank you, thank Mr. Boucher, Mr. Stearns, and Mr. Radanovich for working in a bipartisan fashion to protect the privacy and security of every American's personal information. I'm glad that we are working on this in a bipartisan way.

I specially appreciate Chairman Rush's agreement to act on the Republicans' data security bill. That bill has implications for the broader privacy discussion. And I hope that that bill will move forward in the full committee.

Along with Congressman Markey, I chair -- co-chair the Congressional Privacy Caucus, so I'm glad that we're working on these issues in a bipartisan way.

I myself every few days hit the delete button and clean out all the various cookies on the computers that are in my office and at my home. It's amazing to me how many of those accumulate, and most of the time without absolutely any knowledge of myself or anybody else for that matter, that they're being put on our computer.

I think it's a big deal if somebody tracks where you go and what you look at without your personal approval. We wouldn't like that in the non-Internet world. And I personally don't like it in the Internet world.

The information about myself is mine. Unless I choose to share it I would just assume that it stay my information only. I think that I have the right to know what information people are gathering about me and the right to know what they're doing with it. And it's obvious that the public agrees with the statement that I just made, because poll after poll shows that they think that their information and their right to privacy is just as important on the Internet as it is in the non-Internet world.

When I open an e-mail for the new Dallas Cowboys stadium that is in my congressional district, I don't expect to begin receiving unsolicited ads for airline tickets to the Dallas-Fort Worth area or hotels also in my district in Arlington, Texas. It's obvious that people track what I do, and where I go, and try to take advantage of that.

Fortunately, technology has come quite a ways in protecting the individuals. We started looking at the spyware problem back in the 107th Congress, and thanks to the work of, among others, Congresswoman Mary Bono Mack, Ed Towns, Chairman Dingell, those spyware infections are not near the problem that they used to be.

However, today, companies continue to gather, maintain, and use data through a variety of technological methods. Some of those companies such as Verizon and Comcast are large companies. They're regulated in some parts of their business model. And I think they are trying to act appropriately.

There are other companies, so-called ISP locators that we don't even -- I personally don't even know their name. Then you have the in between companies the so-called edge companies like Yahoo and Google.

Put together it still is a little bit of a wild west out there. And I think it's time that Congress begin to look at that and try to bring some law and order to that particular wild west area.

I see that my time has expired, Mr. Chairman, so I'll submit the rest of the statement for the record; suffice it to say that I'm glad that you and Congressman Boucher are working with the Republicans and taking a serious look at this.

I also want to commend the private sector that's here today. It's my understanding that you're working together to come up with some voluntarily -- some voluntary rules. And it is always preferable, in my opinion, to do it through a voluntary market-based approach as opposed to a mandatory regulatory approach.

So in any event, again, thank you Mr. Chairman. And once again congratulations to the Democrats for winning the baseball game last night. I yield back.

REP. RUSH: The chair thanks the ranking member.

It's now my honor to recognize the gentle lady from California for two minutes for the purposes of opening statement, Ms. Matsui.

REP. DORIS O. MATSUI (D-CA): Thank you. Mr. Chairman, I want to thank you and Chairman Rush for calling today's joint hearing, and applaud both your leadership in addressing this important issue. I'd also like to thank our panelists for being here with us this morning.

Today we're here to examine the practices and consumer protections from a growing online advertisement practice known as behavioral advertising. As broadband access continues to expand across this country, more and more Americans will rely on the Internet for news information, online videos, and to purchase goods and services.

Yet Americans need to have trust and confidence that their personal information will be properly protected. Privacy policies and disclosures should be clear and transparent so consumers can choose what information they want to view and receive on the Internet, instead of inappropriate collection, and misuse of their information.

Consumers should also understand the scope of the information that's being collected, what it's being used for, the length of time it's being retained, and its security. The more information that consumers have, the better.

Moving forward, we must ensure that Americans are comfortable with using the Internet and know with confidence that meaningful privacy safeguards are in place or ensuring that we don't stifle innovation.

I thank you -- both of you, Mr. Chairmen, for holding this important hearing today.

And I yield back the balance of my time.

REP. RUSH: The chair thanks the gentle lady.

Now, the chair recognizes the gentleman from Kentucky, Mr. Whitfield, for five minutes, for the purposes of -- let me correct that -- the chair recognizes the gentleman --

REP. FRED UPTON (R-MI): It's okay. I will not --

REP. RUSH: No, my -- the chair recognizes the gentleman from Michigan.

REP. UPTON: I think my friend -- and I'll not take my two minutes -- that we have great attendance. We'll see what the attendance is after lunch, when we return after these votes.

I would like to associate myself with Mr. Barton's remarks. The information is yours. When you make a phone call, no matter who it is, you don't expect AT&T or Verizon to share the information with somebody else. You can imagine if you ordered a pizza on the phone and all of a sudden you get different pizza companies then coming in knowing that you're going to be subscribing to that.

That information is personal. It shouldn't be shared unless that individual allows and knows that it's going to be shared. It needs to be protected. It's nobody's business.

You don't expect to have someone follow you in your car when you go make an errand whether it be to a drycleaner or wherever you might go, and expect some competitor then to perhaps get the information to trace you back. So this is a great hearing. I look forward to it, and I yield back the balance of my time.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes the gentleman from Georgia, Mr. Barrow, for two minutes, for the purposes of opening statements.

REP. JOHN BARROW (D-GA): I thank the chairman. I'm going to waive an opening. But I'm going to thank the ranking member for his kind words of congratulation to the Democrats. And in solidarity with Mr. Pitts, I want to remind the ranking member that those of us who sit in the stands and cheer also serve.

(Laughter.)

Thank you very much.

REP. RUSH: The chair now recognizes the gentleman from Kentucky, Mr. Whitfield, for five minutes.

REP. ED WHITFIELD (R-KY): Thank you, Mr. Chairman.

We certainly appreciate all these witnesses being here today as we explore this very important subject. As the online companies use an array of sophisticated and ever-evolving data collection and profiling applications, it is important that we focus on protecting privacy.

Today, I think we'll be hearing about privacy policies of various companies, the data retention that they do, and as we proceed and think about legislation, it's imperative that we use a balanced approach and proceed with caution.

And I think if we do have any legislation, it certainly should apply equally to all entities throughout the Internet ecosystem. And I yield back the balance of my time.

REP. RUSH: The chair now recognizes the gentleman from Ohio, Mr. Pitts -- from Pennsylvania, Mr. Pitts, recognized for two minutes.

REP. JOSEPH R. PITTS (R-PA): Thank you, Mr. Chairman. I worked real hard on opening statement, but I -- I think I'll submit it for the record. Just let me say I believe that consumer privacy rights should be carefully guarded. I'm also encouraged by private industries' recent steps to further protect consumers.

It's my hope that if legislative action is taken that we'll do so in a careful manner, striking a delicate balance between the necessary steps we must take to protect consumers, and the ability for industry to continue to be successful. So with that I'll submit the rest for the record and yield back.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes the gentleman from Georgia Dr. Gingrey for two minutes for the purposes of opening statement.

REP. PHIL GINGREY (R-GA): Chairman Rush and Chairman Boucher, Ranking Member Radanovich and Stearns, I want to thank you for calling this hearing today on the emerging use of behavioral or interest-based advertising online.

While this type of advertising only represents a small portion of all online ads, by 2012 this type of advertising is estimated to reach $4.4 billion in revenue. Therefore, it is important for these subcommittees to take a further look at this industry in order that we ensure the online privacy of consumers.

When hearing testimony from this panel today, I believe that it will be important that we focus on three components of any potential regulation that these subcommittees propose. First, it's important to distinguish what it is that we're going to be regulating.

Currently, most interest-based advertising is conducted through the use of web browser cookies. These encoded text files help indicate a user's online activity, thereby enabling advertisers to customize ads based on a series of preferences. However, as we have seen in the IT industry, particularly, over this last decade, technology moves very quickly, and if we are to propose regulations for this industry, then we must make the determination of exactly how and what we are going to regulate.

Mr. Chairman, we must also examine which federal agency would be best suited to coordinate any potential regulation. Both the Federal Communications Commission, FCC, and the Federal Trade Commission have jurisdiction over elements of behavioral advertising. Therefore, for the sake of consumers, if regulations are necessary, we must coordinate the efforts and responsibilities of these two governmental entities thereby allowing for industry growth while at the same time safeguarding an individual's private information.

Lastly, Mr. Chairman, we would also have to determine whom we would be regulating. Would it be the Internet Service Provider or the advertisers, or the web interfacing companies represented here today?

Accordingly, I think, we will -- it will be important that as we move forward we diligently take the time to hear from ISP companies and advertisers as a way to give us different perspective on this important issue that will continue to be crucial to the further development of online activity.

Mr. Chairman, the heart of this hearing is the American consumer, so our focus must be their overall protection. I look forward to hearing from the panel and I yield back the balance of my time.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes the gentleman from Louisiana, Mr. Scalise, for two minutes, for the purposes of opening statements.

REP. STEVE SCALISE (R-LA): Thank you, Mr. Chairman. I want to thank you and the ranking members of the subcommittees for having this hearing on behavioral advertising.

I'm pleased that both subcommittees are examining this issue, as well as the greater issue of data privacy. I know that Congress and this committee have held hearings on data privacy in the past, but as we all know technology continues to advance and develop in ways that provide tremendous benefits to consumers. But these advancements and benefits can expose consumers to certain risks; therefore we must continue to examine ways to ensure consumers don't have their personal information compromised.

The technology industry is one of the most advanced and competitive industries in our country.

It is also one of the most beneficial, both for consumers and for our economy. We are able to share information, exchange ideas, and conduct commerce in ways that were never imagined just a few decades ago.

The industry also provides millions of good high-paying jobs for people all across this country. One thing that I think we must -- that must be pointed out is that the industry has evolved and grown on its own with little regulation from the federal government.

Some would say that the government's failure to regulate this industry is one of the reasons it has grown and provided so many good jobs. Yes, there have been bad actors in the industry, and there are issues we must address in protecting consumers' personal information.

But I hope that we would proceed with caution when stepping in or when drafting legislation in this area. I hope the focus of today's hearing is how we can protect consumers and their personal information and what steps the industry will take to do that.

I hope today's hearing does not focus on how the government can improve the industry. As we continue to delve into this industry, in this issue today, and future hearings, we should focus on the consumer and what will offer consumers the greatest transparency into the online practices and give them meaningful control over their personal information.

For this reason, I believe that self-regulation is sufficient, and if privacy regulatory requirements are needed, they should be consistent across the industry and not be greater for one technology compared to another. Everyone involved in online advertising, ISPs, search engines, advertising networks, website publishers, and others should all be subject to the same requirements, and Congress should not try to pick winners and losers.

After all, consumers are not always aware that their Internet activities are being tracked. They care about what information is collected, and what it's used for. They want to know if this is going on, and if so they should be able to opt-out if they so choose and be assured that a breach of their personal information will not occur.

I look forward to the hearing and the comments from our panelists today, particularly on self-regulation and what changes they will make to ensure that protection of personal information, and what changes they plan on making, moving forward. It is important that these committees and subcommittees understand their positions and activities as well as all the implications of these new advertising practices. Thank you. And I yield back.

REP. RUSH: The chair thanks the gentleman.

As I indicated earlier, there is a vote appearing on the House floor. It's a series of votes. And so we will recess the committee until the completion of those votes, and we will reconvene 15 minutes after the completion of those votes. The committee now stands in recess. (Sounds gavel.)

(Recess.)

REP. RUSH: The committee will reconvene. I certainly want to thank each and every one of you for your patience. I want to also apologize for the time that you have been forced to spend here. This has been an abnormal day with a lot of abnormal activities.

And I might add it has been a record-breaking day, we've -- according to some note, we've had at least 54 consecutive votes one after another, and this never happened before as -- that we know. So -- it's not something we are proud of, but the fact is that it's been that kind of a day.

And we're going to proceed, move right to our witnesses. I want to start on my left to the right. We will proceed with introducing our witnesses.

Mr. Jeffrey Chester is the executive director for the Center for Digital -- okay, well, let me -- all right, let me -- okay. This is the correct. Let me start over again.

Mr. Edward W. Felten is professor of computer science at Princeton University. Next to Mr. Felten is Ms. Anne Toth. She is the vice president of Policy and head of Privacy for Yahoo. Ms. Nicole Wong is the deputy general counsel responsible for Privacy for Google. Mr. Christopher R. Kelly is the chief privacy officer at Facebook.

Mr. Jeffrey Chester now is executive director of the Center for Digital Democracy. Mr. Charles D. Curran -- is that how you pronounce that? Curran -- is the executive director of the Network Advertising Initiative. And Mr. Scott Cleland is the president of Precursor LLC.

Well, again we want to thank the witnesses for their patience and for their appearance before the subcommittee this morning. It is the practice of this subcommittee now that we will swear in all the witnesses. So would you please stand and raise your right hand?

(The witnesses were sworn.)

REP. RUSH: Let the record reflect that all the witnesses have responded in the affirmative. And now we will ask the witnesses to enter into opening statements.

And Mr. Felten, you are recognized for five minutes or thereabouts. Okay, so please pull the mike in front -- yes. Turn it on, and let it rip. Thank you.

MR. FELTEN: Thank you, Chairman Rush, Chairman Boucher, for the opportunity to testify today.

My name is Edward Felten. I am a professor of computer science and public affairs at Princeton University. I am here as a technologist in my -- I'm a computer science professor, and I'd like to explain some of the technology behind behavioral advertising.

The most serious privacy concerns are raised, not by the presence of advertising, but by the gathering of information about users that can be used either to target ads or for other purposes. I'd like to describe what technology makes possible. Responsible ad services do not do everything that's possible. And I don't mean to imply otherwise. Others on the panel can describe what their own systems do.

To explain what this technology allows, I'd like to walk through a scenario illustrated by the diagram on the last page of my written testimony. And if I could have the display please, of the PowerPoint. We're trying to bring that up, sir.

What I'd like to describe, Mr. Chairman, is a scenario involving behavioral advertising. Thank you. And this -- in this beginning of the scenario I go to a weather site, and I look up Thursday's forecast for Washington. The weather site sends me a page with the forecast information, and a hole where the ad should be. And along with that page it sends my computer a command, telling it how to find the ad.

Following these instructions, my web browser connects to an ad service -- shown here at the bottom -- and asks for an ad. Along with this request, information is sent to the ad service about me, the fact that I'm looking up Thursday's forecast for Washington, and the fact that I normally look up the forecast in Princeton, New Jersey. The ad service remembers this information.

The ad service sends an ad which is inserted into the page. The service also sends an ad, in this case, related to travel to Washington, because I looked up the Washington, D.C. forecast. The service also sends along a so-called cookie, which contains a small unique code, which in this example in the diagram is 7592, and my computer stores this cookie.

Later I visit a social network page, which also contains an ad. Again, the page has a blank space for the ad, and my computer contacts the ad service to get an ad. My computer automatically sends along the cookie that the service provided earlier.

This request for an ad carries more information about me. It says that I'm interested in baseball and jazz, which the social network site knows, and that my name is Edward Felten. The ad service recognizes that the cookie is the same as before, so it knows that I'm the same person who looked up D.C. weather earlier.

And it adds the new information to its profile of me.

The service sends back an ad. This time it's an ad for Washington Nationals' tickets, because I looked up Washington weather earlier, and I'm interested in baseball. Notice that the ad is connecting -- the ad service is connecting the dots between things that I did on different sites between something I did on the weather site and something I did on the social network site. This allows it to better target ads, and also to build up a more extensive profile about me.

Next, I go to a bookstore and look up books about travel in Hawaii. The bookstore site sends this information to the ad service along with another ad request. Again, the cookie allows the ad service to link together my bookstore activities with my earlier activities on other sites. The ad service sends back an ad for jazz CDs, because it knows I like jazz, because the social network site told it.

By this point the ad service knows enough to identify me. It knows I live in Princeton, and it knows that my name is Edward Felten. The ad service buys access to a third-party commercial database using its -- using what it knows about my identity to get more information about me. In this example, the ad service gets my credit card -- my credit report, and my insurance history, which it adds to my profile, along with the other information it had.

And finally, I go to a news site that uses the same ad service. My computer again requests an ad. The ad service in this case sends an ad for budget Hawaiian vacations. It knows that I'm interested in visiting Hawaii, because I looked at Hawaii book at the bookstore. And it knows I'm interested in a low-cost trip because it has my credit report.

The news site sends information about what I was reading. In this example I was reading about cancer treatments. This information is added to my profile as well.

In this scenario the ad service got information in three ways. First, content providers sent along information about what I was doing on their sites, and what I had done in the past. Second, the ad service connected the dots to link my activities across different sites at different times. And third, the ad service accessed third-party commercial databases. All of this information ended up in my profile.

The result was well-targeted ads. But also the creation of an electronic profile of me, containing sensitive information, which could, in principle, be re-sold or re-used for other purposes.

Now, ad services are not the only parties who can assemble such profiles. But large ad services do have a prime opportunity to build profiles due to their relationships with many content providers who can pass along information about users, and due to the ad service's ability to connect the dots by linking together a user's activities across different websites.

All of this is possible as a technical matter, which is not to say that responsible ad services do all of it, or even most of it. Ad services may be restrained by law, by self-regulation, or by market pressures. What is clear is that technology by itself cannot protect users from broad gathering and use of information.

REP. RUSH: Mr. Felten, I'm embarrassed to say this, but would you please bring your statement to a close. You extended your time.

MR. FELTEN: Thank you, Mr. Chairman. I was just wrapping up.

I just wanted to thank the committee for holding this hearing, and for giving me the opportunity to testify. Thank you.

REP. RUSH: Thank you so very much.

Ms. Toth. Is it Toth or Toth?

MS. TOTH: It's Toth.

REP. RUSH: Toth. Ms. Toth, you are recognized for five minutes for the purposes of opening statements.

MS. TOTH: Chairman Boucher and Rush, Ranking Member Stearns and Radanovich, members of the subcommittee, I appreciate the opportunity to appear before you today at this important hearing.

My name is Anne Toth, and I'm Yahoo's vice president of Policy and head of Privacy. I joined the company over 11 years ago, and became one of the very first dedicated privacy professionals at an online company. Quite simply, my job is about making sure Yahoo earns and maintains its users' trust each and every day.

Yahoo was founded by Jerry Yang and David Filo, who were trying to help people find information that was useful and relevant to them among the clutter of the early World Wide Web. What began as a directory of popular websites quickly grew into a globally-recognized brand that provides a wide range of innovative and useful products and services to 500 million users worldwide.

The Internet has changed a great deal, and this hearing recognizes its importance in our global economy. Gone are the days of one-size-fits-all Internet content. Our consumers expect not only that Yahoo will meet their needs, but that we will anticipate those needs as well. The same is true for advertising. Consumers are more likely to click on advertising that speaks directly to them and their interests.

For example, Yahoo might deliver ads featuring hybrid cars if a user has spent a great deal of time on Yahoo Green or has recently browsed car reviews on Yahoo Autos. Put simply, customized advertising helps consumers save time and energy. As you may know, Yahoo offers our industry-leading products and services largely for free.

Our business also depends almost entirely on the trust of our users. It has been paramount to our growth, and it's critical for our future success. Our approach to privacy couples front-end transparency, meaningful choice, and user education with backend protections for data that limit how much information and how long personal identifiers are maintained.

Let's start by talking about transparency. Our leading edge Privacy Center, which you can see in the slide that's been projected, provides easy navigation, information on special topics, and gives prominence to our opt-out page -- and actually if we could move to the next slide -- making it simple for users to find and exercise their privacy choices. We have also experimented with a number of ways to provide notice and transparency outside of standard privacy policies, giving users multiple privacy touch points.

We must also put control in the hands of our users. We have an opt-out that now applies to interest-based advertising, both on and off the Yahoo network of websites. Whether a user touches us as a first party publisher, or as a third party ad network, we want them to have a choice.

We also didn't want users to have to redo their opt-outs again and again, and took the further step of making our opt-out persistent for users who've registered for a Yahoo account. This means that these users who clear their cookies will not inadvertently clear their privacy choices at the time.

The final aspect of the front end of privacy protection is user education. For over a year Yahoo has displayed on average 200 million ads per month that explain our approach to privacy. All of these front-end steps are complemented by backend protections. We focus on security and data retention as core aspects of protecting backend privacy.

We recently announced the industry's leading data retention policy. Under this policy we will retain the vast majority of our web log data in identifiable form for only 90 days. This dramatically reduces the period of time we will hold log file data in identifiable form, and vastly increases the scope of data covered by the policy. The limited exceptions to this policy are explained more fully in my written testimony.

We believe that our front-end backend approach to privacy builds a circle of trust with users, providing transparency, meaningful choice, and extensive education coupled with strong security and minimum data retention.

Much attention has been recently paid to the question of whether an opt-out or an opt-in approach to user control in the area of interest-based advertising is best. The answer is both.

The decision about whether to ask for opt-in consent or give users the opportunity to opt-out depends on the individual services being provided and the information being collected. Most advances in online privacy protection have come as a result of industry initiative and self-regulation. Market forces drive companies like Yahoo to bring privacy innovations to customers quickly. As one company leads, many others follow or leapfrog by innovating in new ways.

So as Congress considers its role in helping protect consumer privacy online, Yahoo hopes that legislators will consider an approach that enables providers to keep pace, not only with technological advances, but with consumer demands and expectations as well. I am very proud of Yahoo's record of trust and commitment to privacy, and the industry's history of self -- responsible self-regulation.

I look forward to sharing our experience with you in more depth, and I'm happy to answer your questions. Thank you.

REP. RUSH: Thank you, Ms. Toth.

Now, the chair recognizes Ms. Wong. Ms. Wong, you have five minutes or thereabouts.

MS. WONG: Thank you.

Chairman Rush and Boucher, ranking members Radanovich and Stearns, and members of the committee, I'm pleased to appear before you this evening to discuss online advertising and the ways that Google protects our users' privacy.

Online advertising is critically important to our economy. It promotes freer, more robust, and more diverse speech. It enables many thousands of small businesses to connect with consumers across the nation and around the world. It helps support the hundreds of thousands of blogs, online newspapers, and other web publications that we read every day.

Over the last decade the industry has struggled with the challenges of providing behavioral advertising. On the one hand well-tailored ads benefit consumers, advertisers, and publishers alike. On the other hand we recognize the need to deliver relevant ads while respecting user's privacy.

In March, Google entered this space and announced our release of interest-based advertising for our AdSense partner sites and for YouTube. Interest-based advertising uses information about the webpages people visit to make the online ads they see more relevant. And relevant advertising has fuelled much of the content, products, and services available on the Internet today.

As Google prepared to roll out interest-based advertising, we talked to many users, privacy and consumer advocates, and government experts. Those conversations led us to realize that we needed to solve three important issues in order to provide consumers with greater transparency and choice, which are core design principles at Google.

First, who served the ad. Second, what information is being collected, and how is it being used. And finally, how can consumers be given more control over how their information is used.

This evening I'd like to show you how we answered each of those questions with the launch of interest-based advertising, which includes innovative consumer-friendly features to provide meaningful transparency and choice for our users. When you see an online ad today you generally don't know much about that ad. It's difficult to tell who provided the ad, and how your information is being collected and used.

Google is trying to solve this problem by providing a link to more information right in the ad, as you can see where it's labeled, "Ads by Google." This is very different from current industry practices, but we believe that it is important to provide users with more information about the ad right at the point of interaction. We believe that this is significant innovation that empowers consumers. And we think that this is the direction that many in the industry are going.

If you're curious about getting information about the ad, you can click on the Google link and navigate to an information page about Google ads, which you can see here. On this page you're invited to visit our Ads Preference Manager, which helps explain in plain -- in a plain language user-friendly format what information is being collected, how it's being used, and how you can exercise choice and get more information about this advertising product works.

Here is the Ads Preference Manager. This innovative tool allows you to see what interests are associated with an advertising cookie -- the DoubleClick cookie -- that is set in the browser you're using. In this case Google has inferred from my -- that my cookie should be associated with hybrid cars, movie rentals and sales, and real estate. This is because I've visited sites using the browser, about hybrids, movies, and real estate.

Before Google introduced the Ads Preference Manager, most users had no idea what interests were being associated with their cookies online by advertising companies. We're the first major company to introduce this kind of transparency.

Now, you can see those interests. And if you don't agree with those interests, maybe you're not a movie fan, or you simply don't want to see ads about movies, you can delete any one of them, or as -- or few or as many as you want. So for example, if you want to delete movie rentals and sales, you can do that with one click, and I've just done that. Likewise, you can add any interest you like.

Note that Google does not use sensitive categories. So there is nothing in here about sexual orientation, religious affiliation, health status or the like. But there are many, many other options. For example, if you are a sports fan you can associate your cookie with sports. And with a click I've decided that I'd like to receive ads personalized for sports fans.

If you prefer not to see interest-based ads from Google you can opt-out at any time with one click. After you opt-out, Google won't collect information for interest-based advertising, and you won't receive interest based ads from us. You will still see ads, but they may not be as relevant.

The opt-out is achieved by attaching an opt-out cookie to your browser. Opt-out cookies in the industry, however, have traditionally not been persistent, that is, they are often inadvertently deleted from the browser when a user deletes her cookies. So our engineers have developed a tool that it was not only -- that was not previously available, that makes Google's opt-out cookie permanent, even when users clear other cookies from their browsers. After you opt-out just click the download button, and follow the instructions to install a browser plug-in that saves your opt-out settings even when you clear cookies.

I hope this gives you a better idea of how Google shows interest-based ads, and how we provide users with transparency in the right place at the right time, as well as meaningful granular and user-friendly choices for setting ad preferences or opting out. Thank you very much for your time.

REP. RUSH: Next we welcome Mr. Kelly. Mr. Kelly, you're recognized for five minutes.

MR. KELLY: Thank you very much.

Chairman Rush and Boucher, and ranking members Radanovich and Stearns, and members of the subcommittee, thank you for this opportunity to address important privacy matters on the Internet.

We agree with you that protecting privacy is critical to the future growth of the interest economy. Facebook now serves more than 200 million active users worldwide, roughly 70 million of whom are in the United States. We are a technology company that gives people the power to share their lives and experiences in an authentic and trusted environment making the world more open and connected.

Facebook's privacy settings gives user -- give users control over how they share their information, allowing them to choose the friends they accept, the affiliations they choose, and how their information is shared with their friends, and if they desire, the world at large.

Today, I would like to make four key points. First, Facebook's user-centric approach to privacy is unique, innovative, and empowers consumers. Our privacy-centric principles are at the core of our advertising model. Second, in offering its free service to users, Facebook is dedicated to developing advertising that is relevant and personal without invading users' privacy, and to giving users more control over how their personal information is used in the online advertising environment.

Third, we primarily achieve these objectives by giving users control over how they share their personal information that model real-world information sharing and providing them transparency about how we use their information in advertising. And fourth, the Federal Trade Commission's behavioral advertising principles recognize the important distinctions made by Facebook in its ad targeting between the use of aggregate, non-personally identifiable information that is not shared or sold to third parties, versus other sites' and companies' surreptitious harvesting, sharing, and sale of personally identifiable information to third-party companies.

Facebook understands that few of us want to be hermits, sharing no information with anyone. Nor do many of us want to share everything with everyone, though some do want that. Most people seek to share information with friends, families, and -- their family and others that they share a social context with on a regular basis, seeking to control who gets our information and how they have access to it.

People come to Facebook to share information. We give them the technological tools to manage that sharing.

Contrary to some popular misconceptions, full information on Facebook users isn't even available to most users on Facebook, let alone all users of the Internet. If someone is searching for new friends on Facebook, all that she might see about other users who are not yet her friends would be the limited information that those users have decided to make available.

Most of our users choose to limit what profile information is available to non-friends. They have extensive and precise controls available to choose to who sees what among their networks and friends, as well as tools that give them the choice to make a limited information -- set of information available to search engines and other outside entities.

We are constantly refining these tools to allow users to make informed choices. Everyday use of the site educates users as to the power they have over how they share their information, and user feedback informs everything that we do. Facebook is transparent with our users about the fact that we are an advertising-based business, and we explain to them fully the uses of their personal data that they are authorizing by interacting with Facebook, either on Facebook.com, or on the over 10,000 Facebook Connect sites throughout the web.

Ads targeted to user preferences and demographics have always been part of the advertising industry. The critical distinction that we embrace in our advertising policies and practices, that we want this committee to understand is between the use of personal information for advertisements in personally-identifiable form, and the use, dissemination, or sharing of information with advertisers in non-personally identifiable form. Users should choose what information they share with advertisers.

This is a distinction that few companies make, and Facebook does it because we believe it protects user privacy. Ad targeting that shares or sells personal information to advertisers -- name, e-mail, or other contact information -- without user control is materially different from targeting that only gives advertisers the ability to present their ads based on aggregate data.

So to take in Dr. Felten's example, if you were to navigate to the social networking site in his example, if it were Facebook, that -- we would not be sharing with the ad provider that he was Edward Felten, or that he likes jazz. So on Facebook, a feedback loop is established where people know what they are uploading, and receive timely reactions from their friends.

The privacy policy and the users' experience inform them about how advertising on the service works. Advertising that enables us to provide the service for free to users is targeted to the expressed attributes of a profile and presented in the page -- the space on the page allocated for advertising, without granting an advertiser access to any individual user's profile.

Unless a user decides otherwise by directly and voluntarily sharing information with an advertiser, advertisers can only target Facebook advertisements against non-personally identifiable attributes of a user derived from profile data. Facebook builds and supports products founded on the principles of transparency and user control. And we thank you very much for the opportunity to present our philosophy in the approach to online advertising before this committee.

REP. RUSH: The chair thanks the gentleman.

The chair now recognizes Mr. Chester for five minutes.

MR. CHESTER: I want to thank the chairs, and ranking members, and the members of the committee for their interest in privacy, for holding this hearing, and to support their efforts to, I think, help Americans get a fair digital data deal. And that's what they deserve.

Just very quickly, before I make four points, I submitted my testimony in writing. It tries to lay out for the committee the broad parameters of the interactive advertising system, as we know it in the United States, all the various elements that now are shaping this very powerful system. So you can look at that if you want more information.

I've been working on these issues for 15 years, looking at online advertising, online marketing, digital communications. I last worked closely with the Commerce Committee, back in 1998, when we led the campaign that established with your legislation the Children's Online Privacy Protection Act. Right now that's the only online privacy law. You -- it was a bipartisan effort. And what we did for kids, we now need to do for teens and adults.

Imagine a world -- and this is the world that we've created, and you've already spoken about it, both -- the chair spoke about it, Mr. Barton spoke about it, others have spoke about it. Imagine a world where every move, you are being watched. Whatever contents you read, what you buy, how much you're willing to spend and how much you're not willing to spend, where you go, what you like, what you don't like, all that being compiled.

Outside databases being used to even build up this even larger profile of who you are, even includes your race, whether you are a low income, or middle class. They call it in the online ad industry digital fingerprints or user DNA.

But this very powerful system that's invisible and unaccountable to the average American is constantly collecting, and refining, and storing all this information and making claims and assumptions about you, your reputation, without any accountability to you as the consumer, let alone as the citizen. That is the online advertising system today, as we know it.

It's different from traditional advertising, because as you yourself described, right, it's able to track you minute by minute, minute by second. And your information is being sold in online ad auctions in milliseconds. They know who you are, and they are selling access to us. So it's an incredible system that we've created.

And it's now enmeshed in almost everything we do online, watching online videos, even e-mail, doing searches, playing games. This broad data collection system, there is a digital data collection arms race going on as they build this incredibly sophisticated system.

And -- but I want to make it clear for my second point that our call for privacy and consumer protection rules isn't about undermining the role of online advertising and marketing. That has an important role to play. It's the underpinning, the foundation of our modern publishing system. Our -- really our new way of life in the digital age. We need to have online advertising and marketing.

But we need to do it.

And it's not about any particular company here, or sets of companies. It's about the overall practices that the industry has created to collect all this information and to use all this information with these very powerful multimedia, in their own words, immersive online advertising services that are not understandable and controllable, and definable by consumers.

I think to me it's very clear if you look at the issue of what's called sensitive data, which I'm hoping you're going to work on, and in particular, financial data. When you look at what happened during the recent financial crisis, online advertising played a major role in encouraging people to take out those subprime mortgages. Online advertisers and mortgage companies were some of the biggest advertisers on the Internet during the boom period that led to the current crisis.

People had no idea when they were taking out a mortgage or taking out a loan what exactly they were getting, because this system was defining them in certain ways and making them various offers, once again, non-transparent to them. And as a result, they -- and I think we -- have had to face the consequences. That's why just as with the financial system we need some regulation here that puts the system into balance.

Yes, they can thrive and build this business, and we can be innovators, but yes, consumers get to ensure what data is being used and how it's used. And they have a chance to change it if it's incorrect. So consumer groups around the country are calling on you to enact legislation as soon as possible, to bring fair information principles up to the digital era.

Self-regulation has failed. They've been working -- with all due respect to my friends here, they've been working on self-regulation for 15 years, and all you have is more and more data collected every minute. Americans shouldn't have to trade away their rights to control their information and have some autonomy in their affairs, whether it's buying a mortgage, looking up a prescription drug, or buying a car, doing anything else, without having to give their data up.

There is a balance. I hope you will help us restore it. There is a win-win possible here. Thank you.

REP. RUSH: Thank you, Mr. Chester.

Now, the chair recognizes Mr. Curran for five minutes.

MR. CURRAN: Thank you, Chairman Rush, Chairman Boucher, and members of the subcommittee. I'd like to thank you on behalf of the Network Advertising Initiative for the opportunity to discuss both the economic benefits and the privacy implications of online behavioral advertising.

The NAI is a coalition of advertising networks and other online marketing companies dedicated to responsible business practices and effective self-regulation. Originally founded nine years ago, the NAI has grown to include more than 30 online leading -- leading online advertising companies, including all 10 of the largest advertising networks. Today, through the NAI's website, consumers can learn more about or opt-out of online behavioral advertising by any or all of the NAI's member companies across the many thousands of websites on which such advertising is served.

Today's hearing focuses on both industry practice and consumer expectations. The NAI and its members are committed to online advertising practices that strike the right balance between consumers' economic and privacy expectations. We believe that consumers enjoy the diverse range of websites and services that they get for free, thanks to relevant advertising. But we must also provide consumers with meaningful notice and choice.

Tens of millions of Americans benefit everyday from free web content and services made available on the web because of banner advertising served by NAI members. These ad-supported services include news, blogs, video, photo sharing, and social networking services. NAI members support these websites by connecting them with advertisers, and by using web browser cookies to serve their visitors with more relevant and compelling advertisements.

NAI members provide websites with a broad variety of services. They help smaller websites combine their audiences so they can attract larger advertisers. They help advertisers gauge the success of their campaigns across multiple sites. And they also make online advertising more interesting and useful to consumers by using non-personally identifiable information about users' activity within an ad network to try to predict their likely interests.

In the early days of online behavioral advertising, more than 10 years ago, advocates and regulators challenged industry to provide appropriate privacy protections around browser cookies. The NAI's self-regulatory code was established to meet that challenge, and continues today to apply the same core principles for our members.

First, users should receive clear and conspicuous notice on the websites that they visit where data is collected and used. Second, users should have the ability to opt-out of behavioral advertising. Third, sensitive data should not be used for online behavioral advertising without a user's affirmative consent. Fourth, a user's affirmative consent should also be obtained if personally identifiable information is merged with information previously gathered about the user's web browsing within an ad network.

As these technologies have matured and the online marketplace has diversified, the Federal Trade Commission has called on industry to broaden and enhance its approach to self-regulation. The NAI and its member companies believe that self-regulatory approaches should be as dynamic as the online marketplace that they serve. And we are moving quickly to respond.

The NAI member companies are working to develop technologies that would support enhanced consumer notice in or around behaviorally based banner ads. This would allow users to learn more about behavioral advertising, and to make choices directly from the ad itself. Additionally, to help protect user's choices, the NAI is implementing technology to improve the durability of user opt-out preferences stored in browser cookies.

The NAI believes that its current opt-out approach strikes the right balance in consumers' expectations for today's cookie-based advertising. The model combines an opt-out for the use of non-sensitive, non-personally identifiable information to deliver ads, with an opt-in requirement for uses of sensitive or personally identifiable data. This preserves a default experience in which websites provide users with more, rather than less relevant advertising.

Users have multiple options to control behavioral advertising, either by using opt-outs offered by the NAI's members or their own easily accessible web browser tools. Any significant changes to this model, such as requiring a user's opt-in, even to non-personally identifiable uses of cookies to improve ad relevance, could pose a profound risk to both the user experience and the economic model for ad-supported web services. As they navigate from site to site, consumers could be inundated with recurring opt-in prompts, asking their permission to serve relevant ads.

Consumer rejection of this approach could uproot the revenue model that supports many websites today. It's vital to the continued growth of web services that the right balance is struck between the economic, technological, and consumer protection considerations relating to online advertising. The NAI looks forward to working with the subcommittees as they consider these important online privacy issues. Thank you.

REP. RUSH: The chair thanks the gentleman.

Now the chair recognizes Mr. Cleland for five minutes.

MR. CLELAND: Thank you Mr. Chairman, both you and ranking member.

As a leading Internet expert and consultant I obviously have Internet companies as clients, I -- which include wireless, cable, and telecom broadband companies in the communications sector, and Microsoft in the tech sector. However, I want to emphasize my views today are my personal views, and not those of any of my clients. What I want to do is talk about the Internet problem and then the Internet solution.

So what's the Internet privacy problem? Well, technology has turned privacy upside down. Before the Internet it was inefficient, it was costly, and it was difficult to collect private information. Now it's hyper-efficient, cheap, and easy to invade privacy. So through inertia what we have is a default "finders keepers, losers weepers" privacy policy.

Now, second, most Americans incorrectly assume that the privacy they enjoyed offline in the past is the privacy they have online. And that's not true. Third, all the technology mega trends out there, social networking, cloud computing, Internet mobility, Internet of Things, all of them will dramatically increase privacy risks online.

Fourth, there is a significant faction in the technology community that really take -- views privacy negatively, as in some parts antithetical to the behavioral advertising and the Web 2.0 model.

Now, fifth, a problem is that increasingly the underground currency of the Internet is private data. Now, private information is very valuable. But in the absence of a system where consumers can assert ownership and control over their private information, privacy can be taken away from them for free, and profited from, with no obligation to, or compensation due, to the affected consumer.

Fifth part of the -- sixth part of the problem, and that is, we now have a technology-driven Swiss cheese privacy framework, which may be the worst of all possible worlds. Simply, the haphazard framework we have gives a user no meaningful informed choice to either protect themselves or benefit themselves in the marketplace arena of their private information.

So what's the solution? I think it's very simple. You have a consumer oriented consumer-centric approach that's technology and competition neutral. Think about it. It's consumer's private information that's being taken and exploited, without their consent. Since it's consumers that are most at risk of having their information misused or used -- or stolen, wouldn't it be logical for our privacy framework to be organized around the consumer?

Now, clearly, businesses should be free to fairly represent and engage consumers in a fair market transaction for their private information. Now, it's fair market transaction where consumers are able to effectively understand and negotiate the risk and reward involved with sharing their private information. Moreover, since the consumer is the only one that knows which information about their personal situation or their views or their intentions or their interests, which ones they are comfortable with sharing, shouldn't it be the consumer that is in power to make those decisions?

So if Congress decides that it's going to legislate in this area, I think one thing is obvious, and that thing is that you should have consumer framework that would be superior to the current technology-driven framework. That's because it would emphasize protecting people, not technologies.

It would empower consumers with both the control and the freedom to choose to either protect or to exploit their privacy. It would prevent competitive arbitrage by creating a level playing field, and it would allow you to stay current with the constant changing innovation because you're not technology-oriented, you're consumer oriented. And lastly, you're going to be able to accommodate both sides, the people who care very much to protect their privacy, but also those who care less and would like to exploit their private information.

So in closing, I think we can do better than the current "finders keepers, losers weepers" privacy policy that's the de facto policy of the United States. I thank you, Mr. Chairman and Ranking Member for the opportunity to testify.

REP. RUSH: The chair thanks the gentleman. Now, we will engage -- the committee will engage the witnesses in a series of questions, and the chair recognizes himself for five minutes for the purposes of questioning the witnesses.

Ms. Toth, in your testimony you discussed meaningful choice for consumers. And this is a principle that everyone agrees is a good one. However, it appears that the only choice for consumers using Yahoo is to opt-out of receiving quote, "interest-based advertising" end of quote.

It seems that they can't opt-out of Yahoo's collection of information and tracking. Can you clarify exactly what the consumer's choice is with Yahoo's opt-out? If consumers ask to opt-out of behavioral advertising, does your company continue to collect data on their browsing habits?

And then I have another question. Does the opt-out only stop the displaying of targeted advertising or lowers, does it stop the collection of data? Does your firm offer consumers any way to opt-out of tracking and data collection? Will you answer those three questions for me, please?

MS. TOTH: Sure. So our opt-out -- you're correct, it's not an opt-out of collection of data, it's an opt-out of use of data. So there are a number of reasons why we collect data. And primarily, that relates to the display of advertising. So advertisers pay us to show advertisements, and so we have to know if those ads were delivered and shown.

So we collect information in order to report that information back to the advertisers who are paying for those ads. But another reason why, it has a lot to do with the way we operate our websites. So if we were to stop collecting data when a user opts out, then there are a number of users we suspect would opt-out and engage in behaviors on the site that may not be legitimate behaviors; that may be abusive or fraudulent behaviors.

So we're continuing to collect information, but when the user opts out, we are no longer showing them behavioral advertisements. We are opting them out of that use of their data.

So we are a website that offers a number of different services. Ad serving is one of our many businesses. So we have other uses of the data as I described. So I think I'm not sure if I understand the other questions specifically as being different from that one, is -- and maybe I misheard, but there -- so to the extent that data is no longer used for advertising, that's what the opt-out applies to.

But the opt-out that we offer is actually a very -- it's very clearly provided to users, and it is actually very easy to find. So we think that that actually matters a great deal. The other thing actually that I'll mention is that what we offer on the back-end is anonymization of that data within 90 days.

So if users have a concern that there's a great deal of data being collected, we hope to be addressing that on the back end by anonymizing the vast majority of our data within 90 days. What's really notable about that is that our policy doesn't just apply to search log records or to a specific type of log files, but really all of our log systems, including the log systems that inform our advertising capabilities.

REP. RUSH: So a consumer cannot opt-out of data collection at all?

MS. TOTH: The consumer can't opt-out through the data collection --

REP. RUSH: Cannot opt-out. They cannot opt-out of data collection.

MS. TOTH: No, there are other tools at the browser level that would address that. For us, our systems don't work that way.

REP. RUSH: Sure, right.

Ms. Wong, can you answer the same question for me?

MS. WONG: Sure. Let me start by sort of describing our approach to privacy and data collection on our sites generally because I don't know if you're a regular Google user. Google actually has a design philosophy of always trying to minimize the amount of data we collect about a user in the first instance. So almost all of our services actually don't require a user to provide any personal information at all.

When you go to Google search, you don't have to register. You simply type in your search. If you type in a search and you're not signed in or registered with us, what that means is the only thing we get back is what all of us here, what our all websites get, which is sort of a standard what we call log line that records -- a computer is asking you a question, and that question comes with two things that can be identifying a user. One is an IP address, which your ISP assigns to you and other is a cookie, which is what Anne referenced.

Neither of those things for Google are tied to an individual. You can't know it's Nicole or Chris or Anne based solely on the IP address and the cookie. It's just to be clear about the type of data we collect. We do provide an opt-out, as I was demonstrating in our presentation, for the use of that cookie and IP address data to target ads.

In other words, when you click on the opt-out, what it does is instead of getting a unique cookie, which is a series of numbers and letters, what you get is what we call the opt-out cookie. And that opt-out cookie literally says in it "opt-out," so that the data that we collect goes into a huge pool of all users who have the data opt-out cookie. It's completely aggregated, which means we can't see an individual user in that pool of data that's been identified as opt-out.

REP. RUSH: The chair's time is up. The chair now recognizes the Ranking Member Mr. Radanovich for five minutes. And at the conclusion of his question and answer, the chair will relinquish the chair to the chairman of the Communications Subcommittee at the point then.

REP. RADANOVICH: Thanks. Thank you, Mr. Chairman, and welcome members of the panel. Your testimony was very interesting.

My first question goes to Mr. Curran, is it? From your testimony I understand that you're involved in a broad industry-wide effort to create self-regulating principles and that these principles, you're going to be releasing these principles pretty soon I understand, within about 30 days.

Can you expand a little bit on what we can expect you to address on those? And I'm particularly interested about the enforcement areas of these principles.

You need to point your -- there you go.

MR. CURRAN: Thank you. Actually, I think there are two different answers to your question because there are two different things going on. And in my long-form testimony I detailed some of the work going on with the NAI in terms of our member companies, which are primarily advertising networks and other online marketing companies, to essentially further the development of technology that will allow, as Ms. Wong showed you with her presentation of notice inside the banner ad, really to get together to advance an infrastructure that would allow any entity serving a behaviorally targeted ad, or any party responsible for a behaviorally targeted ad, to deliver that kind of notice in connection with an ad. So that's the work that the NAI has been pursuing from a technology perspective.

REP. RADANOVICH: Right.

MR. CURRAN: Separately, I think your question relates to a far broader industry dialogue that's been not led by the NAI, but instead by the IAB, the DMA, the AAAAs, the ANA and also the BBB. That's a lot of acronyms.

REP. RADANOVICH: That's much clearer now.

(Laughter.)

MR. CURRAN: But I think the key takeaway here is that certainly the FTC has indicated that broader self-regulatory approach is what's needed for industry. And that is very much an effort in that direction of actually establishing principles similar in spirit to those of the NAI to apply on an ecosystem-wide basis.

And my understanding is that the rollout of those principles is in weeks. And we're so much supportive of those efforts. And I think they are very much part of a trend of really a momentum towards exactly what the FTC call for in terms of really a very vigorous engagement by --

REP. RADANOVICH: Thank you very much.

Ms. Wong, I'd love to ask you a question regarding your comments or support of establishing a uniform online and offline framework for privacy. Now, I'd love to have you clarify what uniform means and does it mean that it should apply to all entities and engage in collecting or using and sharing online information, whether they are ISPs or application providers? Should it be straight across the board or are there different applications?

MS. WONG: Yes. And I think I have two answers to that. As an initial matter, Google and a number of the folks at the table here have been really working hard to think about federal comprehensive privacy legislation. And if I were to encourage the committee to do anything, I think it is backing something like that because our history on privacy legislation has really been about sectorally trying to regulate privacy with children, with health, with financial, so that for a user on the Internet, their Internet experience is seamless.

They go from their bank to their doctor to their web service seamlessly and don't realize that different privacy laws apply. The importance in showing that users continue to trust the use of their data on the Internet is to have baseline privacy law across industries. And to get to your second question about --

REP. RADANOVICH: Yeah, well let me ask this. I'm going to clarify it a little bit. When you say uniform, does that apply to, say, content providers that provide content over Google? Would they be subject to the same private -- is that what you call uniform online privacy?

MS. WONG: Right.

REP. RADANOVICH: Yeah.

MS. WONG: So, yes, there would be baseline standards for all companies in terms of notice to users, access and control for users, and security for that data.

REP. RADANOVICH: Okay, thank you.

Ms. Toth, in Yahoo, recently you announced that there will be -- that you will completely erase IP addresses at the end of its data retention period rather than just deleting a few numbers of its practice -- as is the practice of a number of your competitors. If you don't need the IP addresses for fraud prevention or anything else, what's the utility in keeping the IP address at all, and why the fractional numbers and why don't you just dump it right away?

MS. TOTH: So, actually -- I think we actually have slides in there of our data retention policy and the process steps that we take. So for the vast majority of our data, at 90 days we de-identify the data, we apply our four-step process to remove identifiers.

REP. RADANOVICH: Okay.

MS. TOTH: The IP address is one of those identifiers that's stored in the logs. And that, for us, we completely delete that identifier at 90 days with the exception of the fraud and abuse systems, which hold it for up to six months, and then it's deleted. So we store that data only for as long as we need it for the purposes of providing our services and then we de-identify the records and that gets to the IP address.

The IP address is typically, in the context of use, have more to do with customizing a user's experience along the lines of geography, those sorts of things, but it is de-identified and it is removed in 90 days. So does that answer your question?

REP. RADANOVICH: Good enough.

MS. TOTH: Okay.

REP. RADANOVICH: Thank you very much.

REP. BOUCHER: Well, I again want to express apologies to our witnesses for the lengthy delay. We were on the House floor a bit longer than we had anticipated and you were very patient. We want to express the committee's appreciation to you for your willingness to stay with us and provide what has been some truly excellent testimony.

I'm going to propound a series of questions and then recognize other members who are here. Some of them have made the point in written testimony, and I've heard it made otherwise apart from this hearing, that there can be a meaningless opt-in and a meaningful opt-out.

And I would assume that the difference with regard to meaningfulness depends to some extent on the degree of disclosure that is made to the user. So what I would like is to get your statement of what you think the elements of a meaningful opt-out would be. Who would like to answer?

Mr. Chester?

MR. CHESTER: Thanks. I think we need an opt-in. And my rule of thumb is that, you know, this has to be done in a durable way to make --

REP. BOUCHER: Well, Mr. Chester, before you alter the question and answer the question you wish I had asked, let me see if we can get you or someone to answer the question I actually did ask.

MR. CHESTER: All right.

REP. BOUCHER: Ms. Wong?

MS. WONG: I'll give it a try. And I agree with you, with the concept of, like, there are good opt-outs and there are bad opt-ins. I think a bad opt-in is, you know, an opt-in slipped in, in a long provision at the beginning of a contract relationship with your user that they forget over time.

And so there could be continued data collection in the life of your relationship with that user that the user has completely forgotten about. A good opt-out is an opt-out that's presented again and again to the user as a meaningful choice to them.

So in our interest-based advertising, for example, one of the things that we're trying to do is to put ourselves in front of the user so that we encourage them to engage with their own data. That's the purpose of that ads by Google link in the ad because we want them to know when you're looking at this page, it's not just the New York Times that you're looking at, the ad is from Google and you should engage with that data. The purpose of our ads preference manager is, again, to give the users a sense of control so that they change their behavior and start to engage and take control of their own data. And I think that --

REP. BOUCHER: So you would make full disclosure to the user of what information is collected about the user, you would describe how that information is used once you have collected it, and then you would provide the opt-out opportunity?

MS. WONG: That's right.

REP. BOUCHER: And would those be the meaningful elements of opt-out as far as you're concerned?

MS. WONG: I think that's right. The continued engagement with the user --

REP. BOUCHER: All right. Now, let me ask Mr. Chester who I know is very interested in taking part in this discussion what his response to that be.

MR. CHESTER: Well, my rule of thumb is this, that it has to be done workably. The companies should be telling the consumer what they tell prospective clients because when you see what -- and I've included some of that in my testimony, when you see what they are telling their clients and their prospective clients or when they're reporting on the results of the data collection, a system they have created with the advertising, they are talking about massive collection of data that's far beyond the ken of what might be presented in a simple opt-out.

So they need to be honest and tell people exactly what's about to happen. It can be a scale here, but if you read what they are doing, and including, frankly, the companies here, if you read what they are saying, and also have the applications, the interactive applications, when you read the literature, the interactive applications have been designed, the online video to get people to give up more data. So they have to be honest and --

REP. BOUCHER: All right, thank you very much. If we were to draw a regulatory line of some sort that is focused on the collection and use of personally identifiable information, should we include within the definition of what is personally identifiable information, the IP address?

Mr. Chester is saying yes. Let me see if any have any different views. Everyone agrees that.

Well, okay, Ms. Wong?

MS. WONG: I will give it a try again. I think our position is that the IP address can be personally identifying depending on your relationship with the user. So, for example, if you are the ISP that assigned that IP address, what it means is that you are actually billing that user every month and you're having credit card or billing information from them, which means you can in fact associate the IP address -- you as the ISP assigned -- with a real person.

If you're in a position like Google where -- with an unauthenticated user where you don't know who is attached to that IP address, it's not personally identifiable.

REP. BOUCHER: So you're saying it would be personally identifiable if it is associated with other kinds of information about the user.

MS. WONG: That's right.

REP. BOUCHER: Some of which might be quite sensitive, even personal?

MS. WONG: That's right.

REP. BOUCHER: Would you -- you would probably say it is not personally identifiable if you have that in isolation perhaps with an opt-out cookie?

MS. WONG: Right.

REP. BOUCHER: All right. I think I understand your position. In the time I have remaining, let me ask about the possible role that self-regulatory organizations might play in a statutory scheme that would extend privacy rights to Internet users.

Several questions about that. I know we have well-regarded SROs in existence today. Many of the major Internet companies are affiliated with one or more SROs. And I'm concerned if we add a statutory scheme on top of that in order to assure that every Internet user has the understanding that his online experience is secure because all websites will have to comply with a certain set of fundamental privacy assurances; how we do that in association with continued viability and usability for the SROs.

So just a couple of key questions. How would a user who feels aggrieved because the SRO, for example, may not have complied with the principles it signed up to comply with get recourse? Should there, at some point, be access to a federal agency to seek that recourse? And how could we make sure that every website actually complies with a minimum set of guarantees? So who would like to try answering that?

Mr. Cleland?

MR. CLELAND: Well, I think you're trying to get to something that actually works, and I think you're trying to get to an accountable system. One idea I would offer that whether it's self-regulatory or governmental is that there needs to be some audit that's occurring on a regular basis.

Those can be automated audits or they can be personalized. They need to be random because what you're talking about is meaningful, we're talking about accountable, and if you care about those two words and those two concepts and principles, there needs to be some verification.

REP. BOUCHER: All right. Other comments, Mr. Chester?

MR. CHESTER: I just, you know, there's a role for self-regulation but I just have to underscore that self-regulation has failed. The only reason the NAI is upgrading its principles was because of the controversy that occurred over the Google DoubleClick merger.

When all these consumer and privacy groups made so much trouble, that then the FTC said, okay, we got to do something about privacy principles.

And then the NAI, after many years of being asleep, you know, decided, okay, we're going to revamp them.

The only reason the companies have reduced their retention time is because the European Union has been pressing them. So it's the forces of regulation that's actually bolstered the failing self-regulatory system.

REP. BOUCHER: So you would agree, would you not, Mr. Chester, that if the statute imposed certain fundamental guarantees and they meet your definition of what those fundamental guarantees of privacy should be, for example, that an SRO that then enforces those fundamental guarantees or has those as its core principles that are a condition to membership, such an SRO could be effective, could it not?

MR. CHESTER: I think the history of self-regulation certainly in media and telecommunications, like in the kid's area, has been that the self-regulatory structure is only as good as the law that has in fact been the foundation.

REP. BOUCHER: Thanks. On that note, my time has expired. And I'll recognize the gentleman from Florida, Mr. Stearns for five minutes.

REP. STEARNS: Thank you, Mr. Chairman, and let me also reiterate your comments. This is the first time I think in the history of Congress that we had this kind of procedure on the floor. We had over almost 55 votes and they were over almost eight hours. And so you have hit sort of a perfect storm, so your patience is appreciated, and we appreciate your staying.

Ms. Toth and Ms. Wong, any given day people come to your sites, let's call that X, they all come to your site. How many of those -- what percent of those people actually go to your privacy? Ms. Toth?

MS. TOTH: We don't calculate it as a percentage. Overall, the number of page use that -- of users who come to our privacy policy remains a fairly low number overall.

REP. STEARNS: So let's say just take a 1,000 people, just to make it easier, 1,000 people, you couldn't even tell me if it's 10 percent or 1 percent or 1/2 percent?

MS. TOTH: It's certainly far lower than 1 percent.

REP. STEARNS: Yeah, so it's very, very small.

MS. TOTH: Uh-huh.

REP. STEARNS: And Ms. Wong, how about you?

MS. WONG: You know what, I don't know, and I can try and get back to you with a number, but off the top of my head I don't know the number of users --

REP. STEARNS: No one on your staff can just even give a ballpark? I mean, it's not 10 percent.

MS. WONG: I'm sure it's lower than the number of overall visits we get. Here's what I do know, which is that a year ago or so we started uploading videos to explain our privacy practices. And what we're seeing there is that users are engaging with us in this --

REP. STEARNS: Yeah, because it's a video, okay.

MS. WONG: Because it's a video, and they are rating them and telling us what works for them and what doesn't. And I know that -- notice is a really important thing for this committee. We have to find better ways than a pure privacy policy to engage with our users to make them --

REP. STEARNS: And videos might be a good way.

MS. WONG: And videos might be a good way.

REP. STEARNS: Now, each of you mentioned that you were willing to give to the consumer the information that you have collected and give it in sort of in categories. And is this information that you're going to give -- this has been sensitized, or you have put together a summary and given it to the customer. Will you let the user actually see your raw data or at least actually see what you collect? Will you ever allow him to get to the point they can actually see what you collect?

MS. TOTH: I would actually love it if we could. I'd like you to see some of the data that we actually do collect because I think it's --

REP. STEARNS: So I could actually see it if I wanted to?

MS. TOTH: Right.

REP. STEARNS: And not just get your categories --

MS. TOTH: We have a slide that shows our log files or a sample of what we collect in the log files. We -- I don't think actually a consumer would engage with that in a way that would be meaningful for the consumer because it's a very technical expression of a user's interaction with us on the site.

So what we do in our behavioral -- in our interest-based advertising and the behavioral targeting systems that we use is to take those visits and categorize them based on the types of interactions.

So if a user visits sports, they will have a score that indicates they visit sports. The actual log files themselves would probably not be useful for a consumer to engage with. It's a series of -- it's actually quite difficult to explain in plain English what is in a log file for --

REP. STEARNS: Okay, but the customer would have access to is what you're saying if they wish to?

MS. TOTH: Well, the customer -- we don't actually make it available because there are no tools that actually generate log files in a way that would be easily accessible for consumers. What we give consumers is ready access to our privacy policy, educational links, opt-out opportunities that are abundant across the site.

REP. STEARNS: Okay.

MS. WONG: So -- I mean like the demo that we did for you about our ads preference manager is an attempt to make that interface real, right, which is demonstrating the interest categories that are assigned to a cookie in order to target advertising because I think Anne is correct that if the user won't read our privacy policy, they are surely not going to read code.

REP. STEARNS: No, okay.

Mr. Chester, before you can answer that question also, what do you do with the bad actors? I mean, we sit here and we pass the bill and we set up opt-in and opt-out procedures, and we've got Yahoo and Google, but what are you going to do with the bad actors and how -- I mean is it possible that in addition to developing this legislation so that all 50 states have one set because each state now is developing a different and so there might be a need for us in the federal level to develop it so that you don't have 50 states with 50 different policies.

So I guess my question is two-fold. What do we do with the bad actors, and is it a possibility that you could set up good housekeeping seals that everybody would say, ah, I'm safe with this site, bingo, I can go into it and feel comfortable. And the bad actors wouldn't get it. And then you can differentiate it and say, I'm not going to fool with those?

MR. CHESTER: I think if you passed the legislative standards, right, that would be the baseline; everybody would know basically they are protected. You now have a changed FTC potentially. And hopefully, you're going to reauthorize it soon.

I mean, the FTC has been hampered in going after the bad actors. It's been constrained from really looking as closely at this market as it should be. It hasn't had the resources and it's also been in conflict.

There's now a new chairman there, there's a new director of consumer protection.

They really want to move on this issue, and they could in fact be empowered to go after the bad actors in a much more vigorous way. Of course, we don't want to see state preemption consumer advocacy --

REP. STEARNS: Yeah, I understand. Now, and when I've had hearings on this, Mr. Chairman, one of the problems we found is that there's no reciprocity between countries, and you had the bad actors outside the United States. And so, part and parcel of this is to develop a legislation with other countries where you have reciprocity so that you can go after corruption and fraud, and there is that ability to do what otherwise -- no one is going to comply with the federal bill when they'll be in another country.

MR. CHESTER: Well, I do think we are falling behind the Europeans and it's something ironic. They are going to have a better privacy policy and build a whole new online commerce business that's privacy friendly when we're lagging because they are moving. Look, a lot of the -- the market is really being shaped, and this is something positive about the industry. We are creating this global interactive market.

REP. STEARNS: Right.

MR. CHESTER: Yes, there are European companies, yes, there are Asian companies, but they in fact have created the standard, and that is terrific. What happens here can shape the rest of the world. As for profiles, you can see company after company says I've all this information about an individual consumer, I would hope that under your legislation that consumer could see all the detailed information that's being collected about them.

REP. BOUCHER: Mr. Cleland?

MR. CLELAND: Yeah, I think if Congress is serious about this, you need to focus on the concept of deterrence. I mean, if privacy violations or repeated violations are important, there needs to be a significant penalty of whatever is appropriate. But if legislation is passed and there's no deterrent and there's also no significant way of getting caught, meaning independent audits of some type, it will not have teeth, it won't be meaningful, and it won't be accountable.

So I really -- if you're serious about this, you really need to be thinking about how do you take unaccountability, which is a problem across the Internet, not just with privacy, and try and address that and create more accountability. It's never going to be perfect, but it's a key.

REP. STEARNS: Mr. Chairman, if you'd give me a little slack here, I just want to bring this last question, which really is also we, as legislators, are grappling with, and that's the regulatory side versus the enforcement. Mr. Cleland talked about the enforcement. And we have two jurisdictions here. We have the FCC and the Federal Trade Commission.

So I'd like to just start to my left and just go down and perhaps you could give us a feeling of how you think this should -- bill should come together in terms of jurisdiction with the FCC and the Federal Trade Commission. I mean, some people think, well, the FCC could be the enforcer, and the FTC could be the regulator. But I would be curious, each one of you. If you don't mind, take a few moments, Mr. Chairman.

MR. FELTEN: I would see this as closer to an FTC issue. I think it's fundamentally a consumer protection issue.

REP. STEARNS: So both for regulatory and enforcement?

MR. FELTEN: Yes.

REP. STEARNS: Okay.

MS. TOTH: I would agree with Mr. Felten. We've worked for a very long time with the Federal Trade Commission on issues of consumer privacy online. We feel very comfortable and believe that they are well-versed to address this issue.

REP. STEARNS: Ms. Wong?

MS. WONG: I have to say I feel a little bit out of my depth in terms of understanding the jurisdiction between federal agencies, but like Anne and -- we've worked for quite a while with the FTC. In my experience in watching them over the last 10 years is they have brought very effective enforcement actions.

MR. KELLY: I would say as well that we've worked extensively with the FTC so far along this. And they also have a great deal of expertise in the competition area, which is one of the things that's driving better technology throughout the industry in terms of providing users more transparency and more control over their data. So the FTC has developed a great deal of expertise in this area.

MR. CHESTER: I'd like to see a joint taskforce because in fact the FCC will have expertise at the network level and particularly with cases with DPI, Deep Packet Inspection. There's a real here for the FCC, but when it comes to the ad itself and the consumer experience itself, it's the FTC.

REP. STEARNS: Yeah, I mean, because this is going to envelop -- once you get broadband war, you're going to see voice over Internet, you're going to see everything over the Internet. And so all communication is going to be through that media. And so, you know, I think the FCC has a part and parcel role.

Mr. Curran?

MR. CURRAN: I think I'd echo the nod to the FTC. Certainly in terms of our business model for cookie related activity, the FTC for over a decade with its workshops on the technology has been instrumental in raising awareness of the policy and technical issues and very much determined in setting the direction for self-regulation. As for other business models and other regulatory schemes, I wouldn't be able to speak to that.

REP. STEARNS: Okay, Mr. Cleland?

MR. CLELAND: FTC as the lead in close coordination with the FCC. The only problem would be is if jurisdiction got in the way of passing -- if you want to pass legislation. That would be the only tragedy.

REP. STEARNS: Thank you, Mr. Chairman.

REP. BOUCHER: Thank you very much, Mr. Stearns.

The gentleman from New York, Mr. Weiner is recognized for five minutes.

REP. ANTHONY WEINER (D-NY): Thank you. Could I ask perhaps for the -- for Ms. Wong to talk a little bit about your experience developing Chrome, which is your search -- your what's it called?

MS. WONG: Browser.

REP. WEINER: Your browser. Wouldn't it be possible through that vehicle that when you download it that your first page is tell us what information you'd like to know about the pages you're visiting and what information that you'd like to share, and maybe a collection of boxes you can check or not check?

It's similar to kind of what Facebook tries to do. Although they don't do it right in your face, they kind of have, you can share this, not that. That seems to be even more -- even a better place to think about the true gateway to the experience.

If I wanted to do that through Chrome, would I be able to do that in some way? I mean, I know I can go in and erase the cookie and I can erase my browser history, but can I do something like that?

MS. WONG: Right. Thank you for that question.

REP. WEINER: You're welcome.

MS. WONG: And I'm a little bit at a disadvantage because I'm not an engineer, just a lawyer, and our engineers do amazing things.

I think that -- so I don't know if there's any limitation on what they can do. I know they're working very hard to build privacy controls and to --

REP. WEINER: Well, perhaps, if I can interrupt you, maybe Mr. Felten can tell me about the technology possible here.

MR. FELTEN: Sure. The information flows that users might be concerned about mostly happen not at the browser, but after the user has interacted with a website or a content provider. So what that means is that technical controls would exist mostly not in the browser but in the websites themselves. Now --

REP. WEINER: But let me interrupt on that point. But if you have a fairly finite number of browsers that most people use, let's say for the purpose of this conversation it's five, you know, I don't know, I mean, that basically probably account for most of what people do, and the browsers are themselves competitive with one another, you can argue that the browser industry grew out of people's dissatisfaction with Explorer.

So why couldn't you say that if you want your website to come up when you're traveling through Firefox, you have to have certain of your own information that you're giving us about what we can tell our users? Isn't that kind of a technical solution -- not solution, but a technical way to kind of serve as a gatekeeper for a lot of websites?

MR. FELTEN: Yes, and certainly there are things you could do along those lines to -- so that the browser could help the user express their preferences and the browser could in a technical way query a site and see what promises the site makes about uses of data.

There have been efforts to do this in the past. There was a standardization effort called P3P, the Platform for Privacy Preferences, which defines such a standard. And for reasons that are a subject to debate, the standard didn't stick; it wasn't popular.

Nonetheless, I think this is a fruitful approach. And I for one would be happy if the companies got together and had a discussion again about how to do this.

REP. WEINER: Mr. Kelly, tell us a little bit, if you could, about your experiences in stepping on the toes of people's privacy concern. I mean, it seems to me that we, to some degree, have three companies that have succeeded because consumers with a lot of different choices have chosen to use Google, chosen to use Yahoo, chosen in large numbers to go to Facebook.

Could it be that the reason they are choosing your three services in particular is that you are the -- you're being self-selected by an active consumer marketplace that thinks that privacy works on your sites?

Now, you just had an experience, it's an ongoing one, where you have had kind of a conversation with your members about privacy. How does it work differently on yours than say -- what search engine do you use when you're searching the Internet personally?

MR. KELLY: I mean, it's usually Google.

REP. WEINER: Okay. How is your privacy experience as a consumer of Google different than as a member of Facebook? Is it at all?

MR. KELLY: Well, I think that all three of these sites have succeeded because they are providing great user experiences overall. And in some cases, those are privacy. And because we've based a business on identity and personal information and the effect of sharing with that with people who share a social context with you, we knew going in that privacy was going to be a critical issue for us. And our goal has been to build technologies that allow people to make choices.

So one of the things that's gotten lost in lot of the mix in the discussions of social networking is that friending, whether you friend somebody or not and how you connect to them, is in and of itself a privacy setting. It determines what information that you see on Facebook. And that's been a great experience for us.

When you look at Google or Yahoo as a search engine, they are looking to deliver a different experience there. They are looking for you to type in a word or two and get back something that they think is the most relevant experience for you to get you to the page that you need to go next. If you use other services on those sites, they are providing different experiences there.

Our goal has been to build technology that empowers users and lets them make their own choices about how they share information. We've aimed to extend that into the advertising realm as well.

REP. WEINER: Mr. Chester, I know you want to answer this question, but let me build on it and you can go ahead and, for my last few seconds, you can answer. But take me back to 1986, or even 1996, I don't even know when this phenomena at all began. You could buy someone's credit report from three different companies.

You could probably find aggregators of information that help car dealers figure out who to send their information to. You could probably scrub public records to find out what kind of a home that they own and how much taxes that they pay.

It seems to me that there have always been resources that allowed someone to do 75 percent of what you described in your testimony as the thing we're protecting against. And we've acted here in Congress to try to limit access to that information.

But to some degree wouldn't you agree that consumers have pretty much now have a lot of tools that inform their experience? I would argue without even knowing and I bet you there are places I can go on the Internet to even find little software plug-ins I can probably download to let me know who's doing what with -- and what websites are good or bad at protecting information.

So it's a two-part question. One, isn't a lot of the stuff that you're most concerned about going to be out there whether you don't plug into the Internet at all? And secondly, isn't to some degree the marketplace allowing -- aren't consumers allowing the winners to be the good privacy company? So why don't you take both those --

MR. CHESTER: Polls after polls after survey, including the one that UC Berkeley just released about a week ago, 10 days ago, say that the most users, most consumers have no idea about what's being collected, how it's being used, how it really works. I honestly believe -- and I think this is going to come out as part of this debate, and frankly, that's why we need good privacy legislation because it's going to undermine public confidence -- people don't really know what's going on inside Facebook, and the third-party developers, and all the data flowing out.

They don't know what Google is collecting across its various interests. If they knew, they would, in fact, I think, be more concerned. So consumers don't know the polls show that. This is a whole different world here, right, than it was back in 1996 or '98 when we did the Children's Act.

You are talking about the instantaneous merging of a vast number of offline databases with online behavior minute by minute that is adapted to an individual's actions and reactions with various online environments, including all the personal information they put on their social networks. This is a completely different system that's been created.

And finally, you know, I mean, I have a 16-year-old. I look at this as the world that will be here very soon. We will be buying our mortgages on this mobile phone not -- in a not too distant future. This is the dominant way we're going to be doing business, through the PC and the mobile phone. It's a whole different world that has been created. On the one hand, we should be proud of it; they created it for us. We just have to make sure that consumers are protected.

REP. WEINER: Thank you, Mr. Chairman.

REP. BOUCHER: Thank you very much, Mr. Weiner.

The gentleman from Louisiana Mr. Scalise is recognized for five minutes.

REP. SCALISE: Thank you, Mr. Chairman.

When we talk about opt-in versus opt-out and I would imagine for business model purposes opt-out is the preference because if you force somebody to opt-in, I would think it would probably limit the number of people that would want their data to be collected on the front end. But if they do go through the process of opting out, are they actually stopping their personal data from being collected or they just -- not getting the targeted advertising?

And then if Ms. Toth could start.

MS. TOTH: When a user is opting out, for us that is an opt-out of not collection, but of use of the information. But I also want to be careful about the use of the term "personal information" because very often what's being conveyed to us is information that's specific only to a browser that's used to customize advertising. But even that level is what the user is able to opt-out of in terms of that data being used.

REP. SCALISE: Right. And there are different levels, of course, if you're just going on to a browser, and I think Ms. Wong talked about that. If I just go on to Google and do a search, there's different information, maybe, just my IP address. But then if I actually use Yahoo for an e-mail account, then clearly I'm going to be giving you a whole lot more information and then you'll have access to that. And if I choose to opt-out of that, what am I opting out of there? Am I -- are you not going to be collecting that data any more or you just not going to be getting the targeted advertising?

MS. TOTH: So the way that we do it at Yahoo is that when a user opts out we are no longer showing them targeted advertising and we are not using their information in that particular way. Yahoo offers a wide array of products and services as you mentioned e-mail, search, a wide array of different --

REP. SCALISE: Maybe social network services.

MS. TOTH: Correct. Some social networking, exactly. So when a user opts out, we opt them out of the delivery of targeted advertising. But we also recognize that users may not want us to have that much information about them. So we take great pains to de-identify the data as soon as we can. We spent over a year looking at every single product, every single data system at Yahoo to really try to minimize the amount of time that we hold data about users.

REP. SCALISE: Right. And then -- I know we got limited time, so Ms. Wong, and then Mr. Kelly.

MS. WONG: Sure. I think it's roughly the same answer that I gave earlier which is, we really collect very little data from users when they are searching the IP address and the cookie. And the opt-out for our interest-based advertising is an opt-out for those targeted ads. And what it means that -- is that the cookie you're getting is not uniquely identified. It just drops the query that you sent us or the data that we've got into a bucket of all opt-out cookies.

MR. KELLY: So -- and because our service is based on sharing personal information with others, we inevitably end up collecting a great deal of personal information so that we can effectively share it with others. And actually use it for people to retain their -- retain people's photo albums for them which they usually expect to be retained indefinitely. In certain circumstances, in particularly in our advertising products where we are innovating and where people may not be used to a presentation in a particular way, we've allowed for opt-outs in those instances because we think it empowers users. It allows them to say, I'm not comfortable with this at this point. But they can reconsider that at a later time.

Our goal overall, and I think the goal of this committee, and any legislation it considers, and any enhancement of regulatory authority should be to make sure that consumers have real power to make those choices. We've tried to embody that in technology as much as we can and you are here trying to embody it in law and trying to encourage the regulatory agencies to continue to meet their burdens and their obligations under existing law.

REP. SCALISE: And I apologize to interrupt. I've only got a minute left. There is something else I want to ask, especially as it relates to the e-mail services if -- in both for Yahoo and Google if you can answer this. If a user of Yahoo, or Google, or any other e-mail service decides that they want to opt-in or they don't want to opt-out to all of those agreements and you can collect whatever information you want from them.

But let's say they then send me, and I don't have that service, and they send me an e-mail. I didn't agree to any of those issues. Do you read e-mails from people that are -- a Yahoo or a Google e-mail subscriber, do you read through those e-mails to gather information in any way?

MS. TOTH: Yahoo does not scan the content of e-mail communications in order to show targeted advertising.

REP. SCALISE: Or for any other purposes?

MS. TOTH: We don't -- well, there are at least some purposes for -- there is a process that actually removes viruses from e-mail that's an automated process. But we don't use the content of communication --

REP. SCALISE: For advertising?

MS. TOTH: -- for advertising.

REP. SCALISE: Ms. Wong?

MS. WONG: Yeah. So we're using that same technology that scans for viruses and also scans for spam. It's basically technology that looks for patterns in text. And we use that not only for the spam blocking and the viruses, but also to serve ads within the Gmail users' experience. So importantly like the --

REP. SCALISE: So if two people are exchanging an e-mail about a sporting event and they are talking about going to the game and then, maybe, they are going to want to go out for a drink afterwards, could they maybe then expect to get an advertisement about which different bars are offering specials after the game?

MS. WONG: So they won't get an e-mail with an advertisement, but for --

REP. SCALISE: But they may --

MS. WONG: -- a Gmail, only the Gmail user will be able to see ads that show up just like they show up on the side of our search results that are keyed to specific words, they are key words, just as if you typed them into our browser that are calling from our repository of millions of ads to deliver an ad that's targeted to the content that you're reading.

REP. SCALISE: So if that was a two-way conversation, one was the Gmail subscriber who agreed to or didn't opt-out of the privacy, but the other person in that conversation was not a Gmail user, clearly not someone who opted in or opted out, would any part -- because in an e-mail thread they could have had maybe four, five replies and you've got a long thread built up. And it's not just going to the Gmail's information that's going to be there. The person who is a non Gmail user is also going to be included in that thread. Would any of that information be read?

MS. WONG: That non Gmail user will not have any ads targeted to them at all.

REP. SCALISE: Is any other data collected from that conversation?

MS. WONG: Their data sits in their -- the recipient's, the Gmail recipient's e-mail archive or --

REP. SCALISE: So if you've got algorithms that went through that Gmail e-mail, then when you were reading things in that e-mail some of the things that you were reading would have been --

MS. WONG: Were scanned.

REP. SCALISE: -- part of the thread of a non Gmail subscriber.

MS. WONG: That's right.

REP. SCALISE: How does your privacy policy handle that? Because that person clearly has absolutely no knowledge of you reading their e-mail, they surely didn't agree to it, and they didn't have the ability to opt-out. So how is that handled?

MS. WONG: Yeah. Just to be really clear, this isn't -- there are no humans reading e-mail at our company.

REP. SCALISE: But even if it's a -- if it's a software algorithm that's --

MS. WONG: It's a software algorithm.

REP. SCALISE: -- trained to go through and look for keywords or key information, their e-mail address, of course, is going to be in there. So you would be able to know who that person is, at least from their e-mail address, but also you would be able to have access to the information.

Do you have anything in those algorithms that prevents that information that's not Gmail related to be read from a person who didn't agree to or have the ability to opt-out of the privacy?

MS. WONG: It would have to be that the user decided they did not want to receive that e-mail from the person who sent it to them. So this is fully in control of the Gmail account holder. And they can refuse to receive e-mails from certain people.

REP. SCALISE: So you would be putting the burden now of privacy collection --

MS. WONG: Our --

REP. SCALISE: -- on a user of Gmail --

MS. WONG: Our --

REP. SCALISE: -- or someone who actually has a Gmail account?

MS. WONG: So our user and --

REP. SCALISE: But your user actually knew what your policy was.

MS. WONG: Yes.

REP. SCALISE: And could today, right now, go online. As you showed, you've got many opportunities for your users to opt-out.

MS. WONG: That's right.

REP. SCALISE: The person who is the third party, who is the non-Gmail subscriber, who is part of the thread, does not have that same access. So how can you put the burden on the person who sent the e-mail?

MS. WONG: No, no, no. The person who sent the e-mail has -- they had sent their e-mail to their friend. That user is not going to get any ad targeted at them. We're not going to have any information about that user at all.

REP. SCALISE: Or was any of their information read?

MS. WONG: But for the fact that we hold their e-mail because we are the e-mail service provider for the Gmail account holder which is the same as any other webmail service.

REP. SCALISE: And I guess the real question is how is that person -- the Gmail subscriber clearly has the ability to protect their privacy, to opt-out if they so choose. Maybe some of their data were collected --

MS. WONG: By not using the service.

REP. SCALISE: -- but they could opt-out. But the third party that they sent the e-mail to, who then replied back to them, who is contained in that thread doesn't have that same ability, but yet their data is subject to being searched in the same way.

MS. WONG: As --

REP. SCALISE: And so how -- I guess that's a --

MS. WONG: That's true. But that occurs with every webmail service because every web --

REP. SCALISE: No, but I think Yahoo just said that they don't do the same thing.

MS. WONG: Every webmail service scans their e-mail.

REP. SCALISE: I'll ask Ms. Toth if that's -- is that --

MS. WONG: Every webmail service scans their e-mail for spam, scans it for viruses. It is the same process.

REP. SCALISE: But also for targeted advertising, I think, you said you all do scan it for targeted advertisements. Ms. Toth said they do not.

MS. TOTH: We do not target -- we don't target --

REP. SCALISE: And I guess in the case where they are scanning it for other services that would be, maybe, sold to a third party, how does the person protect their privacy when they never had the same opportunity to opt-out that the original Gmail subscriber who sent the e-mail was able to have the same access?

MS. WONG: Right. To be very clear, no user's information is sold to any third party. No information about the sender of an e-mail to a Gmail account is kept or --

REP. SCALISE: No, but if it is double clicked and --

REP. BOUCHER: Mr. Scalise, you are now past 10 minutes of time and we're going to wrap up and move on --

REP. SCALISE: Yeah, if I could get that in writing, maybe, the answer to that. Thank you.

REP. BOUCHER: That's fine.

If any of the witnesses would like to respond to that last question in writing that would be highly appropriate.

The gentleman from Vermont is recognized next, Mr. Welch, for five minutes.

REP. PETER WELCH (D-VT): Thank you.

I want to join my colleagues in apologizing for our delay and appreciation for your patience although I think I might have -- rather have your job today than ours.

(Laughter.)

Ms. Wong, in your written testimony you noted that the committee should continue our efforts to explore the privacy issues. I mean this is, obviously, an incredibly difficult issue both because of the complexity of making this work and assuring confidence to users and because of basic questions about what should be private and what isn't.

I'm asking that you expand on that and what ongoing efforts are -- is Google making about the merging of online and offline data and the issues that are created as a result of that. So I'll start by asking you, if you would comment on that and probably ask a few others as well?

MS. WONG: Sure. And I actually think there's -- this is a multidimensional question. I think, absolutely, there's an obligation on industry to do the right thing because the trust of our users is incredibly important.

REP. WELCH: Right.

MS. WONG: I also think that there is a role for groups like Mr. Curran's group, the self-regulatory groups, which continue having us innovate on best practices. I think that the best thing that has happened in the last few years is that all of the major Internet companies are competing to create better privacy technologies. And that is really phenomenal.

There is also a role for government because, to be very clear, there are bad actors. And so, there is an -- a role for oversight into the range of players on the ecosystem and the conduct that they engage in. And thing that I think is most important and the reason it should apply to both online and offline is that there -- the companies that you have here all face our users, are all invested in deepening the relationship with our users. There are companies that do not face the public, that are behind it, and that need more oversight because nobody knows what they do with their data.

REP. WELCH: Mr. Curran, you want to comment? Do you have anything else to add and it's a kudo to you for the role that you play.

MR. CURRAN: Very kind. I'd simply say, I think, we have an obligation to tell you about our successes and our areas of improvement as self-regulatory organizations as it relates to -- and also to, I think, to work with you to explain the somewhat complicated technologies that go around the different business models.

I don't believe that I have a diverse membership so that we're not at a position of having a legislative view at this time. But we are very much committed to educating the committee on the technologies. And I think today's hearing has been very helpful in that in terms of, in effect, helping you discern the exact technical infrastructure that goes into all of this online advertising.

REP. WELCH: Well, let me come back to Mr. Kelly. You know it's -- the Congress is never going to be able obviously to address technical issues. It's not our competence, it's not our job, it's not what we should do.

What specific things in terms of policies, I ask you, Mr. Kelly, would it be -- would you be recommending that Congress do in order to protect privacy which is our proper concern, but do it in a way that doesn't strangle innovation?

MR. KELLY: And that is a critical role that you do have is to protect the innovation in American technology and how we've been able to lead the world in this area. But obviously, protecting the privacy of American consumers is -- it's critical to us and to other companies in the technology industry, but not everyone.

And so there are many actors out there who are tasked and see their role as gathering data and building personal profiles of people with no notice, no consent, no control. I think that the Congress' regulatory action should be largely directed there. We have a set of existing -- extensive regulations that we've talked tonight about our work with the FTC as a technology industry in this area, there are the bans against deceptive practices and other activities.

But still there are many technology companies out there, whether they be spyware vendors, whether they be, sort of, just surreptitious collectors of and aggregators of personal data that deserve the attention of this committee, the Congress, and existing regulators.

REP. WELCH: Okay. Thank you. My time has almost expired and I'll yield the balance of my time.

MR. CLELAND: Could I answer?

REP. WELCH: Up to the chairman. I think I'm almost at it.

REP. BOUCHER: Yeah, that's fine, go ahead, Mr. Cleland.

MR. CLELAND: Yes. I think the key concept of what you're looking for that the FTC and others should build on is longstanding fair representation law. We obviously have a huge gap. Jeff mentioned a lot of the polls out there. Consumers don't have a clue about all the stuff that's being collected on them, not a clue. And so if you believe in fair representation and you take the facts of all the people that have been dealt with in the Internet and they don't know what's going on, there is a serious breakdown in fair representation.

REP. BOUCHER: Mr. Chester, please.

MR. CHESTER: Bear with me. All the companies here including the members of NII, as far as I can see, are increasing the amount of data they are collecting on consumers, right? It's not that there's a question of best practices they are building and expanding their data collection. That's the nature of the business, that's the nature of the online advertising system to build out these very sophisticated approaches.

Therefore you need to have rules, you need to have -- you need to bring PII up to date. So you know -- because you don't need to know your name anymore to know who you are, you need to protect sensitive data and you have to have the FTC be a better watchdog.

REP. BOUCHER: With that Mr. Welch, your time has expired and let me say thank you once again to our witnesses for what truly has been an informative session, long delayed but well worth our time talking to you. And we thank you very much for taking your time all day, in fact, to talk to us.

And I have clearance for unanimous consent from the minority to place on the record a letter to the subcommittee, the joint subcommittees actually, from the Federal Trade Commission concerning the subject of today's hearings; a letter from Data Foundry, a data company based in Austin, Texas. Without objection, those will be made a part of the record and without objection the record of this proceeding will be kept open for a period of three weeks so that other members of the subcommittee can submit to our witnesses questions in writing.

And as you receive those questions from the members if you could respond to them promptly, that would be much appreciated. Well, thanks again to you for an excellent hearing. This hearing stands adjourned.

