[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
 NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND 
                   THE IMPLICATIONS FOR PUBLIC POLICY

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INTELLECTUAL PROPERTY,
                     COMPETITION, AND THE INTERNET

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 19, 2012

                               __________

                           Serial No. 112-116

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
74-641                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.


                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. ``BOBBY'' SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             JARED POLIS, Colorado
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
MARK AMODEI, Nevada

           Richard Hertling, Staff Director and Chief Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

  Subcommittee on Intellectual Property, Competition, and the Internet

                   BOB GOODLATTE, Virginia, Chairman

                   BEN QUAYLE, Arizona, Vice-Chairman

F. JAMES SENSENBRENNER, Jr.,         MELVIN L. WATT, North Carolina
Wisconsin                            JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
STEVE CHABOT, Ohio                   JUDY CHU, California
DARRELL E. ISSA, California          TED DEUTCH, Florida
MIKE PENCE, Indiana                  LINDA T. SANCHEZ, California
JIM JORDAN, Ohio                     JERROLD NADLER, New York
TED POE, Texas                       ZOE LOFGREN, California
JASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas
TIM GRIFFIN, Arkansas                MAXINE WATERS, California
TOM MARINO, Pennsylvania             HENRY C. ``HANK'' JOHNSON, Jr.,
SANDY ADAMS, Florida                   Georgia
MARK AMODEI, Nevada

                     Blaine Merritt, Chief Counsel

                   Stephanie Moore, Minority Counsel


                            C O N T E N T S

                              ----------                              

                             JUNE 19, 2012

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Subcommittee on 
  Intellectual Property, Competition, and the Internet

The Honorable Melvin L. Watt, a Representative in Congress from 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Intellectual Property, Competition, and the Internet

The Honorable Lamar Smith, a Representative in Congress from the 
  State of Texas, and Chairman, Committee on the Judiciary

The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary, and Member, Subcommittee on Intellectual 
  Property, Competition, and the Internet

                               WITNESSES

Scott R. Shipman, Associate General Counsel, Global Privacy 
  Leader, eBay Inc.
  Oral Testimony
  Prepared Statement

Morgan Reed, Executive Director, Association for Competitive 
  Technology
  Oral Testimony
  Prepared Statement

Chris Babel, Chief Executive Officer, TRUSTe
  Oral Testimony
  Prepared Statement

James Grimmelmann, Associate Professor of Law, New York Law 
  School
  Oral Testimony
  Prepared Statement

                                APPENDIX
               Material Submitted for the Hearing Record

Response to Post-Hearing Questions from Scott R. Shipman, 
  Associate General Counsel, Global Privacy Leader, eBay Inc.

Response to Post-Hearing Questions from Chris Babel, Chief 
  Executive Officer, TRUSTe

Response to Post-Hearing Questions from James Grimmelmann, 
  Associate Professor of Law, New York Law School

Prepared Statement of the Consumer Electronics Association (CEA)
                        OFFICIAL HEARING RECORD
      Material Submitted for the Hearing Record but not Reprinted

February 2012 White House green paper entitled Consumer Data Privacy in 
    a Networked World: A Framework for Protecting Privacy and Promoting 
    Innovation in the Global Digital Economy. This paper is on file at 
    the Subcommittee and can be accessed at: 
    http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

March 2012 FTC report entitled Protecting Consumer Privacy in an Era of 
    Rapid Change, Recommendations for Businesses and Policymakers. This 
    report is on file at the Subcommittee and can be accessed at: 
    http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

March 2012 report, a project of the Pew Research Center, entitled 
    Search Engine Use 2012. This report is on file at the Subcommittee 
    and can be accessed at: 
    http://pewinternet.org//media//Files/Reports/2012/PIP_Search_Engine_Use_2012.pdf


 NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND 
                   THE IMPLICATIONS FOR PUBLIC POLICY

                              ----------                              


                         TUESDAY, JUNE 19, 2012

              House of Representatives,    
         Subcommittee on Intellectual Property,    
                     Competition, and the Internet,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:07 a.m., in 
room 2141, Rayburn House Office Building, the Honorable Bob 
Goodlatte (Chairman of the Subcommittee) presiding.
    Present: Representatives Goodlatte, Smith, Chabot, Poe, 
Chaffetz, Marino, Watt, Conyers, Chu, Deutch, Lofgren, Jackson 
Lee, and Johnson.
    Staff Present: (Majority) Vishal Amin, Counsel; Olivia Lee, 
Clerk; and (Minority) Stephanie Moore, Subcommittee Chief 
Counsel.
    Mr. Goodlatte. Good morning. This hearing of the 
Subcommittee on Intellectual Property, Competition, and the 
Internet will come to order, and I will recognize myself for an 
opening statement.
    Today we are holding a hearing to examine the public policy 
issues raised by new technologies in the mobile and online 
spaces. It is clear that some of the central policy issues for 
both consumers and companies are the issues of privacy and data 
collection. Privacy continues to take on greater importance as 
more Americans not only use the Internet and mobile devices, 
but also share their personal information with companies on the 
Web. Privacy policies and the technological safeguards that 
companies implement will help guide consumers on what they 
should expect from those who handle their personal information 
and set expectations for companies that use personal data.
    As Congress continues to look at privacy issues online, it 
is important to have a firm understanding of what the industry 
practices are. Today's hearing will explore what mechanisms the 
private sector is currently employing to protect Internet and 
mobile users. It will also highlight the technological 
innovation and development that has occurred in this space.
    There have been astonishing advancements in the delivery of 
products and services online, and as a result there are privacy 
implications for a variety of new technologies, some of which 
were not even in existence a few years ago. Many in the private 
sector already have policies and procedures in place to police 
themselves to ensure they are following best practices. Groups 
like TRUSTe, the Association for Competitive Technology, the 
Application Developers Alliance, the advertising industry 
through its AdChoices program and others already help to 
provide best practices, independent analyses of privacy 
policies, and recommendations for enhancements. We will learn 
more about how some of these groups work in the field today.
    As Congress begins to look into these issues, we need to 
realize that the technologies that we are discussing did not 
even exist a few years ago, and some have only come to the 
forefront in the past few months. And with any new technology, 
it is important that as we think about how best to protect the 
interests of consumers and the Internet user community, we 
continue to encourage and not stifle innovation.
    One of the most important things private-sector companies 
can do to self-regulate and innovate when it comes to privacy 
is to make their notices and privacy policies easy to 
understand. If the consumer understands the trade-off he makes 
when he accepts an app program or service, then the consumer 
will make an informed decision.
    The easier it is for consumers to understand all privacy 
notices and policies, the easier it is for companies to compete 
on the basis of their privacy policies, and the easier it is 
for consumers to vote with their wallets.
    I look forward to hearing from all of our witnesses on the 
efforts that they have taken to help build in privacy 
protections as they develop their products to safeguard 
consumer information, about what more can be done to increase 
transparency and ensure that as American companies seek to 
operate abroad in markets like Europe and Asia, innovation is 
not impeded by undue regulatory burdens or barriers to market 
access.
    And with that it is my pleasure to recognize the Ranking 
Member of the Subcommittee, the gentleman from North Carolina, 
Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman. I appreciate you holding 
this hearing.
    I believe that privacy is one of the most fundamental 
values of the American tradition, yet today even a majority of 
the Justices of the Supreme Court posit that as a society we 
are faced with novel challenges in determining the, quote, 
``new normal,'' close quote, for privacy expectations in the 
digital age.
    There is little doubt that the digital environment has 
created opportunities for society that often come at little or 
no financial cost to the user, but I believe it is 
inappropriate to classify these opportunities and services as 
free. Information is currency, and users are, without 
exception, required to surrender incredible amounts of personal 
information in exchange for the services they enjoy.
    While Internet users have some responsibility to self-
censor and restrict the intimate information they share on 
various platforms, the reality is that many online users have a 
false sense of privacy because they don't understand the 
lengthy and complex privacy policies they are compelled to 
agree to in order to use the service. As a result, online users 
often share lots of personal information unknowingly and to 
unintended audiences.
    Their personal information has been marshaled, analyzed and 
monetized in ways consumers have come to resent. A March 2012 
study by the Pew Research Center found that two-thirds of 
Internet users have negative views about search engines 
collecting information about them to produce personalized 
search results. Two-thirds of Internet users also report that 
they, quote, ``are not okay with targeted advertising because 
they do not like having their online behavior tracked and 
analyzed.''
    I am further concerned that this type of consumer profiling 
may limit, rather than enhance, the experience and the horizons 
of distinct groups based on race, ethnicity, religion and other 
factors that we are probably not even aware of yet. If users 
are constantly fed products and facts in areas in which they or 
someone like them have already expressed an interest, their 
intellectual curiosity and development may be stunted.
    Earlier this year both the Department of Commerce and the 
Federal Trade Commission completed reports following 
stakeholder participation to address mounting concern about 
consumer privacy. The White House Green Paper enumerated seven 
broad principles that it urges be enacted into law as flexible 
baseline standards governing consumer privacy.
    The Green Paper recommends that industry leaders develop 
specific codes of conduct to implement for consumer privacy 
principles. The FTC's report takes the additional step of 
identifying best practices that could, and I believe should, 
serve as a guide for industry in developing the codes of 
conduct.
    The Administration has determined that the first round of 
stakeholder meetings will center on mobile applications which 
raise serious questions about the security of data concerning 
children and geolocation information concerning all users. 
Parents must be able to feel secure that the apps they download 
to educate or entertain their children aren't secretly 
collecting or sharing private data or location information from 
the host device.
    Although some industry actors have been giving lip service 
to and others have been really working to establish privacy 
standards and to provide users with a better understanding of 
the ways in which their information is used, it seems clear to 
me that consumers remain in a vulnerable position in which they 
are required to place an enormous amount of blind trust in 
online companies and app developers.
    Just last week the FTC announced an $800,000 settlement 
with Spokeo, a data broker that compiles vast amounts of 
information on consumers from both online and offline sources. 
In the first FTC case to address the sale of data from the 
Internet and social media sites in the employment context, the 
FTC charged that Spokeo violated the Fair Credit Reporting Act 
by marketing consumer profiles to recruiters and human resource 
professionals without regard to the accuracy of information and 
without advising the users how their information would be used. 
The FTC was empowered to act because of the protections 
contained in the Fair Credit Reporting Act.
    The FTC settlement was announced just as President Obama 
signed an Executive Order to let the morass of Federal policies 
and practices that impede broadband deployment on Federal 
lands. The Executive Order will not only lower the cost of 
broadband Internet access, it will also speed the delivery of 
connectivity to communities, businesses and schools. President 
Obama said in his statement, quote, ``By connecting every 
corner of our country to the digital age, we can help our 
businesses become more competitive, and our students become 
more informed, and our citizens become more engaged,'' close 
quote.
    With greater access comes the responsibility to ensure that 
our citizens enjoy an online experience that is safe, reliable 
and respectful of personal information. So I support the 
direction the Administration is taking us, and continue to 
believe that Congress should enact baseline privacy legislation 
that will provide certainty to both consumers and companies, 
and promote a healthy online economy.
    Justice Thurgood Marshall wrote years ago that, quote, 
``Privacy is not a discrete commodity possessed absolutely or 
not at all,'' close quote. The devil is always in the details, 
but I hope that the witnesses will be able to address some of 
the best practices recommended by the FTC.
    Finally, I am also concerned that without a baseline set of 
principles with the force of law, privacy policies may be used 
by larger players in an anticompetitive manner to drive smaller 
players and start-ups from the market to the detriment of 
online consumers. I look forward to hearing from our witnesses 
about how we can embrace new technologies without discarding or 
abandoning the right to privacy.
    And I yield back, Mr. Chairman.
    Mr. Goodlatte. The Chair thanks the gentleman and is 
pleased to recognize the Chairman of the Judiciary Committee, 
the gentleman from Texas, Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman.
    America's economic success has been built on innovation. 
Ten years ago there was no such thing as Facebook or Twitter. 
Just 5 years ago there was no such thing as an iPhone or an app 
store. Today, mobile apps number in the hundreds of thousands 
and are largely developed by individual innovators and small 
businesses.
    As new technologies have emerged, like mobile apps, social 
media, online advertising and data analytics, the costs for new 
business entry have come down. But as new Web sites and apps 
are developed, companies must work to ensure that they maintain 
the trust of their customers.
    Trust is the essential element for consumers to adopt new 
apps or technologies. When we hear about privacy breaches, like 
what happened when Google collected large amounts of private 
data over Wi-Fi networks, we have to be concerned. With every 
overcollection of privacy data, the first excuse is that the 
engineers or programmers went beyond what they were told to do. 
That excuse may fly once, but ultimately it is neither the 
engineers' fault nor the programmers' fault, it is the 
company's.
    In the Internet economy, online services are generally 
provided to consumers at little or no cost, and behind these 
online services are hundreds or thousands of employees and 
millions of dollars in hardware and equipment. The Internet 
economy runs on data. There is an implicit bargain between an 
Internet service and the consumer that includes an exchange of 
information or data instead of cash. When a consumer receives a 
free email account or a cloud storage space, or uses a search 
engine, social media Web site or app, there is a collection of 
data that allows a company to construct their service and 
provide targeted advertising or related data-analytic services 
to the consumer.
    As Internet companies have developed new technologies, 
their privacy policies have had to evolve. Many companies now 
institute privacy by design, where privacy protections are 
built directly into their software and hardware products from 
the beginning.
    Incorporation of the best practices for privacy is 
essential as new products are developed online. For example, I 
read that Google and Apple are building even more detailed maps 
that rival defense satellite imagery. Though this ensures that 
we will never get lost if we drive or walk through a new city, 
we also need to ensure that when images are taken in 
residential areas or in people's backyards, that their privacy 
is protected. This is another place where privacy concerns 
should not have to be raised by Congress or the media. They 
should be addressed before the products are even announced.
    The growth in smartphone use and mobile apps has created an 
entirely new business sector, from Instagram to new mobile apps 
for established online Web sites and companies. This new 
business sector is composed mostly of small businesses and 
individual programmers. As we will hear from our witnesses 
today, many of these small businesses are just a couple of 
software programmers, not two programmers and a lawyer, and so 
they often need assistance from more established players as 
they work to incorporate privacy protections into their 
software.
    The mobile and Internet playing field is broad, and the 
specific technological protections may be unique to particular 
technologies, but as companies incorporate privacy protections 
into their services, it is important for them to provide 
privacy policies that are understandable and reasonable. This 
way it is clear to the consumer what the bargain is that they 
enter into when they use a Web site or mobile app.
    I look forward to hearing from all of our witnesses today, 
and I hope their testimony allows the Subcommittee to learn how 
the technology industry works to incorporate balanced privacy 
protections that will inform and protect consumers.
    Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    I am now pleased to recognize the gentleman from Michigan, 
the Ranking Member of the Judiciary Committee, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Goodlatte and Ranking 
Member Watt.
    This is a very important hearing, and there are new 
services being offered online and through smartphones and other 
devices that largely depend on the continued gathering and use 
of personal information which is ultimately turned into a 
product for sale. And this hearing is going to devolve, I 
think, into an issue of whether we get the self-regulation 
theory advanced, we will all be good and trust this Committee, 
or whether we are going to go along and develop the Consumer 
Privacy Bill of Rights. And that is where we are going to end 
up, because there is an explosion of the collection, 
dissemination of personal information, and therefore these 
organizations have an incentive to collect as much data as 
possible about Internet users.
    And what I think should come out of this hearing is the 
notion that consumers deserve to know how their data and 
privacy are being impacted by mobile and online platforms. 
Today we don't know that. And that is why this hearing by this 
Subcommittee is extremely important.
    The size and power of online companies allow them to obtain 
and aggregate many types of personal information. Otherwise why 
would Facebook be valued at a worth of over $100 billion? Well, 
the answer in large part is because of the treasure trove of 
personal information that they collect, much of which, like 
other companies, we don't know much about.
    Now, we have been dealing with the size and power of online 
companies that allows them to obtain and aggregate all this 
personal information about users. Google recently has had to 
change its privacy policies, and there is concern about its 
ability to obtain information through an individual's use of 
various products the company offers. There are so many 
different ways to get this information out there, that when 
they get it together, they have far more information than is 
generally recognized.
    And so I, for one, am interested in learning how we can 
increase the authority and the power of the Federal Trade 
Commission to take action against privacy violations. The FTC, 
in my view, needs direct enforcement authority so that it may 
take action against those who violate consumer privacy even if 
a company doesn't violate its own published private policy.
    And while companies should develop online guidelines, we 
must remember that enforcement is critical to consumer 
protection. The FTC has the responsibility to ensure that 
competitors are not allowed to play by different rules.
    And so, Mr. Chairman, thank you for allowing me to add my 
comment before the witnesses begin.
    Mr. Goodlatte. I thank the gentleman for his comments.
    Without objection, other Members' opening statements will 
be made a part of the record.
    We have a very distinguished panel of witnesses today. Each 
of the witnesses' written statements will be entered into the 
record in its entirety, and I ask that each witness summarize 
his testimony in 5 minutes or less.
    To help you stay within that time, there is a timing light 
on your table. When the light switches from green to yellow, 
you have 1 minute to conclude your testimony; and when the 
light turns red, well, that is it. It signals the witness' time 
has expired.
    Before I introduce our witnesses, I would like them to 
stand and be sworn, as is the custom of this Committee.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you very much, and please be seated.
    Our first witness is from the district of the gentlewoman 
from California, Ms. Lofgren. And so it is my pleasure to yield 
to her for the purpose of introducing Mr. Shipman.
    Ms. Lofgren. Well, I thank you, Mr. Chairman, for your 
courtesy in allowing me to introduce the Associate General 
Counsel of eBay that is, in fact, located in the 16th 
Congressional District. Scott Shipman has been with eBay from 
the beginning. In fact, he started at eBay when he was a law 
student. And the one lawyer there was absolutely overwhelmed, 
and so he was there at the beginning to deal with the privacy 
policies of eBay, and he is here to tell us about those 
successful policies. As he said at our collective law school, 
he had done the right things without even knowing it back as a 
law student.
    He now has firsthand experience with the privacy compliance 
and risk assessments at eBay; the cross-border data transfers, 
including the EU; the personal information transfers through 
corporate mergers and acquisitions; and all the other privacy-
related issues that this major corporation faces.
    He teaches international data protection at Santa Clara 
University School of Law as a lecturer, and he serves along 
with me on the high-tech law advisory board at our mutual alma 
mater Santa Clara Law School. He coordinates the legal high-
technology internship program at eBay in connection with Santa 
Clara Law School, and he is a board member of the Consumer 
Privacy Law Forum. He is a member of the International 
Association of Privacy Professionals, a member of the Chief 
Privacy Officers Council, on Conference Board, as well as, of 
course, being admitted to the California State Bar. I am so 
glad he is here to share his expertise with us.
    And it is good to welcome you here, Scott, from the Valley 
and to D.C.
    Thank you, Mr. Chairman, for allowing me to introduce 
Scott.
    Mr. Goodlatte. Thank you, Ms. Lofgren.
    And I have had the pleasure of speaking at the State of the 
Net West Conference, which has been hosted at the Santa Clara 
University School of Law on a number of occasions.
    So, Mr. Shipman, welcome.
    Our second witness is Mr. Morgan Reed, Executive Director 
of the Association for Competitive Technology. Mr. Reed 
specializes in technology issues and has been working closely 
with mobile app developers and companies on privacy issues for 
years.
    Mr. Reed previously worked for a Taiwan-based trading 
company handling North American sales operations. He received 
his B.A. in Political Science from Arizona State University, 
and did graduate research in Chinese at the University of Utah 
and the Shi Ta University in Taiwan. I hope I have that 
pronounced correctly.
    Mr. Reed. Close enough.
    Mr. Goodlatte. Our third witness, Mr. Chris Babel, is the 
CEO of TRUSTe, a leading company and authority on Internet 
trust and privacy. Previously Mr. Babel served as Senior Vice 
President and General Manager of VeriSign's worldwide 
authentication services business, where he was responsible for 
strategy, sales, marketing, product and support. He also 
managed VeriSign's SSL and Managed Security Services business. 
Earlier in his career he worked at Morgan Stanley in their M&A 
and Corporate Finance group. Mr. Babel received his B.A. in 
Mathematical Methods in Social Sciences and Economics from 
Northwestern University.
    And our fourth witness is Mr. James Grimmelmann, professor 
of law at New York Law School. Professor Grimmelmann studies 
technology issues relating to IP, virtual worlds, search 
engines, online privacy and other topics. Prior to law school 
he worked as a programmer for Microsoft. He received his J.D. 
from Yale Law School and his A.B. in Computer Science from 
Harvard College.
    Welcome to you all. And we will begin with Mr. Shipman.

   TESTIMONY OF SCOTT R. SHIPMAN, ASSOCIATE GENERAL COUNSEL, 
                GLOBAL PRIVACY LEADER, eBAY INC.

    Mr. Shipman. Chairman Goodlatte, Ranking Member Watt and 
Members of the Subcommittee, thank you for the opportunity to 
testify today about eBay Inc., and what we are doing to enable 
commerce and engender trust through the use of innovative 
consumer privacy protections. My name is Scott Shipman, and I 
am the associate general counsel and global privacy leader for 
eBay Inc.
    eBay empowers and connects millions of buyers and sellers 
throughout the globe through eBay marketplaces, PayPal, GSI and 
other mobile technology-based businesses; therefore, many 
people associate eBay and PayPal with enabling e-commerce. 
However, it is important to note that eBay is not just about e-
commerce. We are about commerce.
    The traditional boundaries of offline and online retail are 
blurring. We recognize that retailers and sellers of all sizes 
need a partner who will help them succeed in this rapidly 
changing, consumer-driven environment. We want them to succeed, 
and we are that partner.
    Over the years we have learned one of the keys to success 
is engendering consumer trust and confidence. A critical 
component of that trust is privacy. It is hard to build 
consumer trust when you are not respectful of their personal 
information. To foster that trust we have had to meet customer 
privacy expectations with every product we offer. I would like 
to take the next few minutes to highlight some of the 
successful privacy-related programs and products that have led 
to eBay being rated one of the most trusted companies for 
consumer privacy.
    Since eBay's inception our core privacy commitment is eBay 
will not sell the personal information of our customers to 
third parties for marketing purposes. However, we also 
recognize consumers need more meaningful choices on how their 
data was used for behavioral-targeted advertising; therefore, 
eBay developed and implemented a program called AdChoice.
    The AdChoice program works as follows. Third-party 
advertisements on and off eBay have an AdChoice link. When eBay 
users click on the link, they see a pop-up window that gives 
them the ability to specify their advertising preferences. eBay 
users can also opt out of receiving third-party behaviorally 
targeted ads and read our privacy policy through that link.
    eBay's AdChoice program offers a server-based mechanism, 
not their traditional cookie-based mechanism. This means 
choices and preferences are permanently stored and not erased 
when a user clears their cookies.
    Paypal and its ``shop without sharing'' design is another 
perfect example of innovative technology that encourages 
consumer privacy and consumer control. The beauty of Paypal is 
it allows consumers to pay for a good or service without ever 
having to expose their credit card or bank account information 
to merchants. Not only does this privacy-enhancing technology 
allow consumers to fully enjoy the convenience of online and 
mobile commerce, but it also allows merchants to receive 
payments without the cost and potential liability associated 
with processing and securing financial information. It is a 
win-win for both consumers and merchants.
    Looking now at the exciting mobile space, mobile 
applications and technology continue to grow in popularity and 
importance. Through the launch of several new and exciting 
mobile applications, eBay has experienced rapid growth in the 
mobile arena. However, being a leader in mobile and geolocation 
technology is more than just offering cool new services; it is 
also about balancing the needs and wants of the consumer 
against the creep factor that is sometimes associated with the 
collection and use of geolocation and mobile data.
    eBay is building mobile applications that offer the same 
transparency, choice and level of privacy protection as our 
traditional Internet services. eBay has made it a policy that 
all consumers must opt in to turn on geolocation for all eBay 
Inc., mobile applications, and we give consumers the ability to 
decide what communications and notifications they want to 
receive and how.
    A perfect example of an eBay mobile application that 
encapsulates the privacy by design philosophy is WHERE. WHERE 
provides personalized hyperlocal recommendations, offers and 
deals to millions of mobile consumers. WHERE does not associate 
personally identifiable information with location data without 
explicit consent. Finally, WHERE does not collect, maintain or 
track a consumer's location history.
    I have talked a lot about technology, but my last example 
focuses on best practices and compliance. In addition to eBay's 
privacy principles and the practices described in our privacy 
policies, eBay has established a set of corporate rules 
approved by the Luxembourg National Data Commission. These 
corporate rules are a commitment by eBay to protect our users' 
personal information regardless of where the data resides.
    Our corporate rules do not just protect the personally 
identifiable information of our European users, but of all eBay 
Inc. customers and employees globally. eBay was actually the 
first e-commerce company to receive this approval and the first 
company to receive approval for employee and customer rules.
    To conclude, we recognize that privacy is a key component 
of our customers' experience and the trust they place with us. 
As technology changes, as the world changes, expectations will 
continue to change. eBay's role is not to guarantee absolute 
privacy in a vacuum, but to build a relationship based on 
trust. It is our hope that in the years to come, the trust 
within that relationship will only grow stronger, and our 
customers will know and trust that we will get it done right.
    I sincerely appreciate the opportunity to testify before 
the Committee today, and I look forward to your questions.
    Mr. Goodlatte. Thank you, Mr. Shipman.
    [The prepared statement of Mr. Shipman follows:]

                               __________
    Mr. Goodlatte. Mr. Reed, welcome.

 TESTIMONY OF MORGAN REED, EXECUTIVE DIRECTOR, ASSOCIATION FOR 
                     COMPETITIVE TECHNOLOGY

    Mr. Reed. Thank you.
    Chairman Goodlatte, Ranking Member Watt, Members of the 
Committee, my name is Morgan Reed, and I want to thank you for 
having today's hearing on New Technologies and Innovations in 
the Mobile and Online space and the Implications for Public 
Policy.
    My organization, the Association for Competitive 
Technology, is an international trade association representing 
more than 5,000 app developers. We make the cool apps that run 
on your smartphone, and your iPads, and, hopefully, the new 
Microsoft tablet and the next device after that. I am a 
licensed developer, too, having worked on network protocols and 
debugging games, so I have actually dug into the nitty-gritty 
of how you build software programs.
    Here is the great news: Our industry is showing amazing 
growth. We have hit more than $20 billion today on an expected 
path to $100 billion by 2015. Apps are expanding into new 
markets, including enterprise and mobile health, which will 
help make Americans more efficient at work and healthier at 
home. And while Americans own more than 350 million mobile 
devices, developers are seeing real potential in foreign 
markets. China's largest telecommunications company has more 
than 800 million subscribers; the number 2, 200 million; the 
number 3, 100 million. With adequate intellectual property 
protection, those subscribers could become customers for our 
American developers.
    Now, I understand this Committee would like to spend some 
time today talking about consumer data privacy and how we make 
it work in this new, more mobile world. What we have learned in 
working through several multi-stakeholder efforts is that we 
need to address privacy in a comprehensive way, not one that 
creates siloed solutions for each technology, especially since 
those silos are disappearing every day.
    The biggest revolution in our industry is happening right 
now, and it is called responsive design. Technology is giving 
us the tools to make one app that will look good on a mobile 
device and will also look good on a television, and it will do 
so seamlessly.
    Everyone in the technology industry has to take part and be 
responsible for improving the state of privacy security and 
transparency across all of these industries and devices. Our 
app developers are no different, and we are committed to 
working this out with government, industry, civil society and, 
most importantly, our customers.
    During the past year ACT has reached out to our membership 
and other developer organizations throughout America to discuss 
the importance of data privacy. We have gone coast to coast and 
have reached hundreds of thousands of developers. Our message 
has been simple: know what data you are collecting, know who 
you are sharing that data with, and be transparent with your 
customers.
    We have also been participating in multi-stakeholder 
efforts, including the California AG's work on mobile platforms 
and the White House's NTIA multi-stakeholder effort.
    But throughout all this talk about stakeholders, I realize 
that this can easily be seen to imply large, faceless 
corporations. I wanted you to remember today that the 
incredible innovation happening is being driven by thousands of 
small businesses working to build applications that educate, 
motivate and enrich people's lives. Therefore, I thought I 
would take a minute to introduce you to some of the 
stakeholders whose voices we are working to have heard 
throughout these efforts.
    Chairman Goodlatte, in your district Vision Studios 
produced TextGauge. It is an app for parents to prevent teens 
from texting while driving.
    Congressman Watt, in your district we have got Monster 
Physics. It is a great app that makes physics fun and is 
available for adults as well as kids.
    Congressman Conyers, in your district JacAPPS is building 
the app for the Detroit International Jazz Festival. It is an 
amazing application.
    Congressman Smith, in your district My Patient Solutions 
helps patients navigate the health care system by giving them 
tools to better understand diagnosis and treatment options.
    Congressman Marino, we have social meetup apps done by 
MeetMe! in your district.
    Congressman Quayle, in your district we have a brand new 
entrant. ABN just won the contract for the 2012 PGA Phoenix 
Open, and that will have location-based technology to allow you 
to go on-the-ground navigation with the spectators.
    Congressman Deutch, in your district one of our members, 
Dave Noderer, built an app for Big Brothers and Big Sisters 
that allows Bigs to know activities that they should be looking 
at doing with their Littles.
    Congressman Griffin has OrderPath. It allows medical 
personnel to display in-patient and observation data to help 
streamline patient care, and it is aimed at rural districts.
    Congresswoman Chu, in your district Awesome App; it is for 
electricians and engineers that helps them do their job more 
efficiently and, importantly, more safely.
    Congressman Chaffetz, you have got one of the biggest dogs 
in the fight. Infinity Blade II is built in your district, 
millions of downloads, and it is built by a very small company 
right in your district.
    Congresswoman Lofgren, we have got a great app in Pinger. 
It allows people to send free text messages all across the 
world without having to necessarily have a specific text plan.
    Congressman Poe has got iTaxable that provides answers to 
your tax filing questions and an extensive database of 
information.
    Congressman Jordan, you have got Ranch Rush. It is a game 
that puts a farm in your pocket, allowing users to harvest 
fresh produce, gather eggs from ostriches, collect honey from 
bees, and whip up ketchup from tomatoes.
    Congressman Nadler has got one that helps you sign your 
signature on your iPad instead of having to find a fax machine.
    So I think as we think about today's questions about 
stakeholders, you need to remember that in every single one of 
your districts, and in every district here in Congress, there 
is a small business stakeholder whose voices we need to have 
heard as part of this privacy discussion.
    Thank you for your time, and I look forward to your 
questions.
    Mr. Goodlatte. Thank you, Mr. Reed.
    [The prepared statement of Mr. Reed follows:]

                               __________
    Mr. Goodlatte. Mr. Babel, welcome.

                   TESTIMONY OF CHRIS BABEL, 
                CHIEF EXECUTIVE OFFICER, TRUSTe

    Mr. Babel. Thank you.
    Chairman Goodlatte, Ranking Member Watt and distinguished 
Members of the Subcommittee, my name is Chris Babel, and I am 
the Chief Executive Officer of TRUSTe, a leading provider of 
privacy technology and certification solutions to online 
companies. Based in San Francisco, TRUSTe offers a suite of 
privacy solutions to help businesses increase consumer trust 
and engagement across their Web sites, mobile applications, 
online advertising and cloud-based services. Over 5,000 
companies, such as Apple, AT&T, Disney, eBay and Yelp, rely on 
TRUSTe to ensure compliance with evolving and complex privacy 
requirements and to build trust with consumers.
    I would like to highlight three topics in my remarks before 
the Subcommittee today: first, the consumer privacy 
perspective; second, new privacy challenges and the 
technologies TRUSTe and others offer to address them; third, 
why we think that self-regulation has been successful in 
protecting consumers online.
    First, through consumer research we submitted in the 
written testimony, we know that consumers are concerned about 
privacy online on both their PC and mobile devices. Take 
mobile, for example, where 74 percent of consumers believe it 
is very or extremely important to understand what personal 
information a mobile application collects. Eighty-five percent 
want to be able to opt in or opt out of targeted mobile ads. 
These concerns are causing the consumer to become more engaged 
in their privacy decisions and more likely to take control of 
when and how their data is collected and used.
    Research also highlighted that 59 percent of consumers 
generally trust that Web sites are protecting their privacy 
online, showing that businesses can build trust and alleviate 
privacy concerns through investments in privacy best practice 
and privacy technologies.
    Second, there is explosive growth in privacy services 
offered to consumers. In TRUSTe's first 12 years in existence 
through 2009, we grew it from offering one to four services 
focused on Web site privacy only. In the past 2 1/2 years we 
have launched over 10 new services spanning Web sites, mobile 
applications, online advertising and cloud services.
    Taking mobile as an example, since all of you carry mobile 
devices, the challenges are that less than one-third of mobile 
applications have a privacy policy today, and when they do, 
they are difficult to read and need to handle sensitive topics 
like location information.
    TRUSTe offers application providers a free mobile privacy 
generator, as well as paid services to certify that mobile 
applications have strong privacy, as well as notice and choice 
mechanisms for consumers regarding mobile ad targeting.
    There have also been entirely new industry efforts, like 
the Digital Advertising Alliance that have been formed to 
provide consumers notice and choice around online targeted 
advertising. TRUSTe is the largest independent provider of 
services for the DAA. We have also partnered with the 
Application Developers Alliance to educate mobile developers on 
important privacy issues as part of a countrywide educational 
road show. Technology is evolving more rapidly than ever, and 
solutions for consumer privacy protection are keeping pace.
    Third, self-regulation is a critical component to online 
privacy, and TRUSTe has helped thousands of companies self-
regulate their online privacy for 15 years. Self-regulation is 
valuable in that it helps companies facilitate global best 
practices, which simplifies the management and cost of these 
programs while increasing accountability. Self-regulation can 
also evolve with technology changes to meet the ongoing needs 
of consumers. And finally, through safe harbors and due 
process, self-regulation can provide strong incentives for 
compliance.
    Looking forward, it is clear that consumers are becoming 
ever more aware of how their personal data is collected and 
used online, which is important as technology changes, like the 
decreased cost of bandwidth, computer processing and storage 
allow for the analysis and use of vast databases of 
information. Self-regulation provides a flexible privacy 
protection framework that can quickly adapt to these rapidly 
changing technologies.
    Today, industry has made great progress in self-regulating 
their privacy practices, and though there is much work to be 
done, we are confident that the goal of protecting consumers 
while continuing to innovate will be achieved.
    Thank you for the opportunity to testify today. I look 
forward to your questions.
    Mr. Goodlatte. Thank you, Mr. Babel.
    [The prepared statement of Mr. Babel follows:]

                               ATTACHMENT

                               __________

    Mr. Goodlatte. And, Professor Grimmelmann, you get the last 
word.

                TESTIMONY OF JAMES GRIMMELMANN, 
        ASSOCIATE PROFESSOR OF LAW, NEW YORK LAW SCHOOL

    Mr. Grimmelmann. I would like to thank Chairman Goodlatte, 
and Ranking Member Watt, and all the Members of the 
Subcommittee for inviting me to testify today. My name is James 
Grimmelmann, and I am a professor at New York Law School. 
Although I am happy to respond to any of the Subcommittee's 
questions on any of its topics, my testimony today will focus 
on privacy.
    The central goal for privacy policy online and on mobile 
devices must be empowered consumer choice. Good privacy 
technologies and good privacy laws enable people to choose 
whether, when and how open they want to be about their lives.
    I would like to endorse three essential principles for 
making real consumer choice a reality. The first is usability. 
A choice that consumers do not know about, cannot find, or 
cannot understand is no choice at all. The second is 
reliability. A consumer who has expressed a choice is entitled 
to expect that it will be respected. And the third is 
innovation for privacy. Users benefit from good tools to help 
them manage their privacy.
    A good example of these principles in action is social 
networks. Their value depends on controlled access. Everything 
from a private email from a mother with advice to her daughter 
in college to a confidential discussion group for recovering 
alcoholics requires sharing with some people, but not with 
others.
    The proliferation of social networks with different 
technical models of sharing represents innovation for privacy 
in action, but that privacy must also be usable and reliable. 
People have lost jobs, been stalked and been splashed across 
the tabloids because privacy settings on social networks were 
too confusing for them to understand.
    I am particularly concerned about what I have called 
privacy lurches; sudden and unexpected shifts in a social 
network's information-sharing practices. For example, Google 
mishandled the launch of its Buzz social network in 2010. 
Without clear warning Google exposed the names of users' email 
contacts to the world. This made Google Buzz, in one reporter's 
words, a danger zone for reporters, psychiatrists, lawyers, and 
everyone else for whom confidentiality is essential to their 
job.
    The Buzz rollout violated the principle of reliability. It 
changed Gmail's privacy practices in a way that users could not 
have anticipated and that was capable of causing significant 
harm to them. A Federal Trade Commission investigation resulted 
in a settlement designed to prevent similar mistakes from 
happening again. And I have also suggested that privacy lurches 
may expose companies to legal liability for distributing an 
unreasonably dangerous product.
    Another example of the principles is online behavioral 
advertising; the use of unique identifiers known as cookies to 
track users and to customize the ads they see. Some users 
appreciate receiving relevant advertising; others find the 
tracking creepy. Industry participants recognize this 
difference in opinions and offer users a choice of whether to 
be tracked.
    One of the best ways to ensure that these choices are 
usable and reliable is through innovation for privacy promoting 
the development of tools that users can use to manage their 
tracking preferences and express them clearly to Web sites and 
advertisers. The best innovation here has come from Web 
browsers, antivirus software, and plug-ins that help users 
block and delete unwanted cookies. And the current consensus 
process to develop a ``do not track'' standard is another 
encouraging step.
    All of these innovations can succeed only if they are 
respected by Web sites and advertisers. The Federal Trade 
Commission has taken important action against companies that 
circumvent users' privacy-protecting technologies, and the FTC 
and Congress should ensure that Web sites are not permitted to 
second guess users' expressed privacy preferences.
    Thank you for the opportunity to speak with you today, and 
I look forward to your questions.
    Mr. Goodlatte. Thank you, Professor Grimmelmann.
    [The prepared statement of Mr. Grimmelmann follows:]

                               __________

    Mr. Goodlatte. I will now begin the questioning of the 
witnesses.
    I believe that consumers have the relevant information 
about--if they have the relevant information about privacy 
policies, they will make informed decisions about how to allow 
their information to be used, and will choose what services to 
use in part based on their comfort level with those privacy 
policies. I would like to ask each of you what your 
organization is doing specifically to make privacy policies 
more transparent and easier for consumers to understand. And we 
will start with you, Mr. Shipman.
    Mr. Shipman. Sure. Thank you.
    The expectations in managing privacy with consumers is a 
never-ending battle. It is not something that you can simply 
come out with a particular policy and say, ``Okay, we have 
written this as clearly as possible, and we can rest on our 
laurels.'' So this is something that continues to evolve.
    From the inception of eBay's privacy program, we have 
actually created in 1998 a chart, and at the time it was fairly 
simple, because you could have a chart with three or four 
classifications or groups of entities that you share 
information with.
    Mr. Goodlatte. I am going to have to get you to get to the 
point because I have got several questions and several 
witnesses to answer. So tell us what you are doing right now 
and prospectively.
    Mr. Shipman. Absolutely. The focus right now is around 
bringing icons, bringing specific logos or vignettes, whether 
it is via video or other types of embracing new technology, to 
be able to answer questions the customers have. AdChoice is a 
perfect example where we have links there embedded into 
advertising and through other types of things like that.
    Mr. Goodlatte. Excellent.
    Mr. Reed?
    Mr. Reed. So we have an interesting situation in that we 
represent the developers. And so we have been trying to give 
developers tools. We have run a series of privacy boot camps 
where we spend the entire day focusing on getting a developer 
from walking in the door, saying, ``Okay, I need this privacy 
policy,'' to when they walk out the door not only having 
privacy, but understanding the tools they need to have to have 
a narrative with their customers.
    And very specifically, one of the ones I would like to 
highlight is our work with Moms With Apps, where we have 
created a set of icons that have been adopted by some of the 
privacy policy generators, including Privacy Choice, and in 
talks with TRUSTe as well, so the developer can select the 
icons immediately when they build their privacy policy so when 
it shows up for the user, bam, they can see it. It doesn't 
collect information, it doesn't link to the Web, or it does.
    So, one, we have to empower developers; and, two, we are 
working on building tools to inform our customers what those 
privacy policies mean.
    Mr. Goodlatte. Thank you.
    Mr. Babel.
    Mr. Babel. Sure.
    So TRUSTe helps Web sites through a privacy policy 
generator generate their first privacy policy. Big companies 
might have attorneys that do that; small companies, start-ups, 
three people in their garage need help. Particularly around 
mobile applications we find that is critical. As I mentioned in 
the testimony, about a third of mobile applications even have a 
privacy policy today, so we are really trying to help people 
start by having a privacy policy.
    The second thing we do is once people have privacy 
policies, we help make certain that they are good, of high 
quality, clear, transparent, easy to read, easy to understand, 
and that is where we help the company have a certified privacy 
policy where we say it meets a good high bar, and that the 
company is following and actually doing what their privacy 
policy states.
    Mr. Goodlatte. Thank you.
    Mr. Reed, many Internet services are free and are monetized 
through targeted ads and data collection. How much would app 
prices go up, or what would it cost to use a search engine or 
social media Web site if companies were restricted from the 
data that they could collect?
    Mr. Reed. Well, I think we have to look at two sets of 
numbers: One, what is the change in the way that we develop 
apps; and, two, when it comes to the actual impact on the 
industry. If you remove all ads altogether, I think you would 
see some enormous impacts. If you remove strictly ads that use 
information, and you just do context-based ads, the estimates 
run about 20 percent, a loss of about 20 percent of income for 
those that are ad supported.
    The reality is that the model right now, we are looking at 
trying to make sure that we get apps that we get paid directly 
and supplement through advertising. So it probably would cost 
us about 20 percent of revenue.
    Mr. Goodlatte. Mr. Babel.
    Mr. Babel. I think one of the key unique factors in mobile 
versus Web sites, just to point out quickly, is that mobile 
actually has a monetization mechanism where you can go back to 
the extent that someone were to opt out of ad targeting and go 
back and say, I am limiting the features of this mobile app and 
pushing you to a charged version. In the Web site version of 
the world in that ecosystem, 15 years ago we started giving out 
free content online, and it would be very hard to go back to 
that paywall.
    As we have read industry research, although I haven't done 
it ourselves, we have seen similar numbers to those that Morgan 
has proposed in terms of the drop-off in advertising, but it is 
not something that we have tracked and have estimated directly.
    Mr. Goodlatte. Let me ask the three of you what your 
greatest concerns are about the European Union's recent efforts 
to impose a regulatory regime in Europe.
    Mr. Shipman.
    Mr. Shipman. I think the challenge within the EU is 
certainly that we are looking for standards that create 
international operability, and so any change in one particular 
region for a global company destabilizes that operability. And 
while we certainly have received approval through the binding 
corporate rules for operations in Europe and used that as our 
global standard, changes in that and more restrictions in that 
certainly make that much more difficult for us.
    Mr. Reed. We are short on time, so I am going to echo 
Chairman Smith when he said the problem we have with it is just 
the same. We are not two developers in a garage--we are two 
developers in a garage, not two developers and a lawyer. The 
difference between us and Europe will create a lot of 
difficulties for our developers.
    Mr. Goodlatte. Mr. Babel.
    Mr. Babel. Yes. Our clients, whether they be domestic 
clients or international clients, are challenged by the fact 
that there are just different requirements by country. And when 
you are a big company and trying to manage your portfolio of 
Web sites across users from each different region, it is 
challenging to implement technologies to address that. It is a 
lot of hard work; it is a lot of hard work up front.
    And to be honest with you, most companies have not met the 
deadline for the U.K. Cookie Audit Compliance that was May 25. 
In fact, most government agencies in the U.K. have not met that 
deadline as well. So it gives you a sense for the challenges 
that are involved with this policy implementation.
    Mr. Goodlatte. Mr. Grimmelmann.
    Mr. Grimmelmann. As the others have mentioned, the lack of 
harmony across many countries is a significant problem, and it 
leads to situations in which especially the small players have 
difficulty even finding out all the laws they need to comply 
with.
    Mr. Goodlatte. Thank you.
    The gentleman from North Carolina Mr. Watt is recognized.
    Mr. Watt. Thank you, Mr. Chairman.
    The Ranking Member of the full Committee Mr. Conyers raised 
a difficult issue that I want to ask some questions in here 
relating to legislation versus self-regulation. The 
Administration's blueprint contemplates baseline legislation 
complemented by a self-regulatory model to implement the 
Consumer's Bill of Rights. So let me ask a couple of questions 
in this area.
    Do we, in fact, need a Federal Consumer Bill of Rights or 
something maybe not called that, but some Federal baseline in 
this area to deal with privacy? And if not, two questions 
arise. Wouldn't that leave it open in this Internet thing, 
which clearly is across State borders, for State by State by 
State to enact legislation? And wouldn't that leave it open for 
self-regulation, which is okay if people behave, but is not all 
that enforceable if people do not behave, I guess is the 
question?
    So Mr. Shipman, Mr. Reed, Mr. Babel, and Professor, if you 
can address those couple of questions in there, I would be 
appreciative to you.
    Mr. Shipman. Absolutely. And thank you for the question.
    I think the challenge, as you highlight, is, with self-
regulation, it leaves customers with uncertainty. eBay has long 
supported a Federal omnibus privacy bill, and the key reasons 
for that are largely to provide the small and large businesses 
that we do business with to provide that level of certainty.
    Mr. Watt. So you think there should be a Federal standard 
of some kind.
    Mr. Shipman. Yes, we do.
    Mr. Watt. Yeah. Okay.
    Go ahead.
    Mr. Reed. Yes, we have been active supporters of the NTIA 
effort. And I do think, as we get through this, we should talk 
about ways that the government can enforce bad behavior. I 
definitely think that is something where, from in particular a 
small business, it is very important to see the government step 
in and bring harsh actions against companies that do violate 
people's privacy, because nothing gets the message clearer to 
our members.
    Mr. Watt. Of course, the first step is to have a clear set 
of rules about what the standards are.
    Mr. Reed. Yes, exactly.
    Mr. Watt. Okay.
    Mr. Reed. And so, yes on that, good on enforcement.
    Mr. Watt. Okay.
    Mr. Babel. I think we have seen at TRUSTe self-regulation 
work, and work effectively. And, in particular, over the last 
few years, with the beginnings of the DAA effort around 
AdChoices, you have seen self-regulation accelerate quite 
rapidly in the last few years to reach out and touch consumers 
and give them----
    Mr. Watt. So what happens in self-regulation if you have 
self-regulation and you or your members or your customers or 
clients don't live up to what they agreed? What remedies do I 
have to enforce that, or who enforces those standards?
    Mr. Babel. Sure. So, in TRUSTe's case, where we certify 
companies for good privacy, the first thing we do if there is 
an issue with one of those clients is help them get back into 
alignment with our guidelines for----
    Mr. Watt. Got that, but----
    Mr. Babel. If----
    Mr. Watt [continuing]. My data is already out there at that 
point. So how do I get a remedy?
    Mr. Babel. The second thing we do is eliminate them from 
the program. And, in fact, last year we eliminated----
    Mr. Watt. That still doesn't give me a remedy.
    Mr. Babel. The third remedy that we have put in place to 
the extent that there is egregious behavior, is we have, in 
fact, referred people to the FTC. And the FTC has taken action 
in some----
    Mr. Watt. So there has to be a Federal standard.
    Mr. Babel. There has--yes, we have----
    Mr. Watt. Okay. All right. Okay. I am----
    Mr. Babel [continuing]. Refer to it----
    Mr. Watt. We are back there. All right.
    Go ahead, Professor.
    Mr. Grimmelmann. A Federal baseline would first bring 
important clarity to the area. And, in addition, all of the 
processes of consumer choice and bargaining, where Web sites 
offer bargains to users and explain the tradeoffs, only work if 
the consumers have an entitlement to their privacy to begin 
with. If we don't have a baseline, then they don't need to 
respect it.
    Mr. Watt. All right.
    Now, is there anybody out there in the industry that is 
advocating for no Federal baseline? Are there any voices out 
there, or do you all represent pretty much the standard belief? 
If so, it seems to me we can quit vexing about whether we need 
a baseline and start vexing about what we put in the baseline. 
Is that right? Anybody out there got a different opinion about 
this, I mean, I guess is the question.
    Mr. Reed. I guess the only nuance that I would add is that 
the good part about what NTI is doing--and it will be a lot of 
work--is that it is being built bottom-up as a multi-
stakeholder effort, where we are going through long, intense 
meetings talking about the meanings of words and the 
definitions. So it is actually working from the standpoint of 
what technology is capable of doing and gives us the option to 
change it as we become capable of doing new things.
    So I think it is important that it not be a government-
imposed, top-down pressure, but it be developed by 
technologists as a way to handle when we change our stuff.
    Mr. Watt. In the meantime, are the laws that are already 
out there--I mean, I assume there are gaps. Are there laws that 
are already out there that provide some kind of protection?
    Mr. Reed. I would say it's more than some.
    Mr. Watt. Yeah.
    Mr. Reed. I think the Federal Trade Commission has already 
shown that it has some teeth. We obviously have regulation on 
HIPAA. We have regulation Gramm-Leach-Bliley. So, depending on 
what kind of data you have, there are more than a fair number 
of regulations.
    Beyond that, this Committee knows we also have antitrust 
laws to deal with companies that are large players that 
cavalierly disregard people's privacy time and time again. So 
if you can't curb behavior through FTC, you can always go and 
look at antitrust as well.
    Mr. Watt. Mr. Chairman, my time has expired, but, as I told 
the Chairman, I am going to have to leave to go over and hear 
Jamie Dimon testify in my other Committee. So let me make a 
unanimous consent request before I leave, Mr. Chairman, to 
offer into the record the February 2012 White House green 
paper, ``Commercial Data Privacy and Innovation in the Internet 
Economy: Dynamic Policy Framework;'' number two, a March 2012 
FTC proposal, whatever, report, ``Protecting Consumer Privacy 
in an Era of Rapid Change: Recommendations for Businesses and 
Policymakers;'' and a March 2012 report, ``Search Engine Use 
2012,'' a project of the Pew Research Center.*
---------------------------------------------------------------------------
    *The submissions referred to are not reprinted in this record but 
are on file with the Subcommittee and can be accessed at:

http://www.whitehouse.gov/sites/default/files/privacy-final.pdf;

http://www.ftc.gov/os/2012/03/120326privacyreport.pdf; and

http://pewinternet.org//media//Files/Reports/2012/PIP_Search_Engine_Use_2012.pdf
---------------------------------------------------------------------------
    Mr. Goodlatte. Without objection, those will be entered 
into the record.
    And I will turn the Chair over to the Chairman of the 
Committee.
    Mr. Smith [presiding]. Mr. Babel, let me address my first 
question to you. Actually, you have already answered my initial 
question in response to a question by Mr. Watt, but I wanted to 
follow up on the idea of how enforcement worked when it came to 
individual online businesses that might violate the best 
practices. And you responded to Mr. Watt and said, ultimately, 
if there was a clear violation and there wasn't any response, 
you would refer online businesses to the Federal Trade 
Commission, I think. Have you ever had occasion to do that?
    Mr. Babel. Yes, we have.
    Mr. Smith. In how many instances?
    Mr. Babel. There has been one instance that is in my 
knowledge, one instance in 2008 of a company called Classic 
Closeouts, which----
    Mr. Smith. And what did the FTC do?
    Mr. Babel. They took action. It was settled I think late 
last year with a $2-million-plus finding.
    Mr. Smith. Okay. And how many online businesses, in your 
judgment, have violated the best practices that you have 
endorsed?
    Mr. Babel. So, last year in our written testimony we 
provided something we call the transparency report, where we 
walk through number of customers and number of certifications.
    Mr. Smith. Right.
    Mr. Babel. And each year I think there is two important 
data points. One is the number of companies that come to us for 
certification and never get certified because they don't pass 
the standard to begin with. And that is about 8 to 10 percent 
of all the clients that are approaching us for certification 
never meet the bar. The second thing is that, in last year, 11 
companies violated, kind of, what we think are best 
practices----
    Mr. Smith. Okay. And of those 11, you referred 1 to the 
FTC?
    Mr. Babel. Not last year. The referral to the FTC was in a 
prior year.
    Mr. Smith. Right. Okay. Thank you, Mr. Babel.
    Mr. Shipman, let me address a question to you and perhaps 
to Professor Grimmelmann as well. And it is this: We have 
heard, I think, from all witnesses today about the need for 
online businesses to protect consumer data. My question goes a 
little bit farther. Should consumers be able to find out what 
personal data has been gathered about them?
    Mr. Shipman. Absolutely. And, in fact, within our corporate 
standards that we have had approved through Luxembourg, that is 
a requirement that we meet.
    Mr. Smith. Okay.
    Do any of the witnesses today feel that consumers should 
not or do not have a right to know what personal information 
has been gathered about them?
    Okay.
    Next question is, should consumers be able to opt out of 
the process that gathers that personal information about them?
    Mr. Shipman, what do you think?
    Mr. Shipman. I am going to give you a multipart answer on 
that one.
    Mr. Smith. Okay.
    Mr. Shipman. There are certain components of collection 
that are required. eBay certainly has financially related 
institutions.
    Mr. Smith. Uh-huh.
    Mr. Shipman. We process financial transactions as well as 
all kinds of e-commerce transactions and commerce.
    Data that is essential for the safety, security, antifraud, 
in that area, we cannot allow consumers to opt out of. 
Certainly, for marketing purposes and other types of secondary 
uses, we can allow----
    Mr. Smith. You would allow them to opt out. Okay. Thank 
you.
    Professor Grimmelmann, do you have an opinion on that?
    Mr. Grimmelmann. In the context of first-party collection, 
where the consumer is dealing with a Web site----
    Mr. Smith. Yes.
    Mr. Grimmelmann.--Mr. Shipman expresses a very clear and 
correct view.
    Mr. Smith. And you agree with him. Okay.
    That concludes my questions. The gentleman from Michigan, 
the Ranking Member of the full Committee, is recognized for his 
questions.
    Mr. Conyers. Thank you, Chairman.
    Mr. Reed, we have heard a lot about self-regulation here--
too much, as far as I am concerned. I don't know what you think 
this Committee--what others, not you, think, that we make 
rules, we make laws, we have court decisions, and now we come 
up with a ``let's go for self-regulation.'' We have been 
hauling--all of the big tech companies have been in and out of 
court repeatedly.
    And so, can you give me a little more confidence about this 
whole notion of self-regulating?
    Mr. Reed. Well, I think the first thing we have to look at 
is, does the FTC have enough resources? We start with that. But 
I think you also have to look at continued behavior. There is 
carrot and stick, right? Industry self-reg is a carrot; do 
this, and you won't get the stick.
    I think that for small companies, we are usually dependent 
on platforms, and we are incredibly responsive to our 
customers. Why? Because we are scared of losing them. I think 
one of the things that concerns us very much that has been 
happening in the privacy space is that some of the violations 
have been actually done by big companies and one in particular. 
You know, the Chairman brought up Wi-Spy. That trickles down 
into the sentiment of the regular citizenry.
    So, yes, I think it is critical that the resources are at 
the FTC and that the DOJ is willing to step up and go after 
those who don't respond to carrot and don't respond to stick.
    Mr. Conyers. Yeah. But, Mr. Reed, a lot of this privacy--we 
don't even know what is being collected, and we don't have any 
way of getting at it. I mean, I see a huge problem still out 
here, don't you?
    Mr. Reed. Well, I think the question of what is being 
collected, I think we can actually figure out what is being 
collected. The larger question is, what happens to it after it 
is collected? What is it combined with? Does that create 
problems, and are people selling it in a way that is damaging 
or causes harm to people's privacy? Does it make it hard for 
them to get a job? Does it make it hard for them to buy a 
house?
    That is really the question. It is not what is collected; 
it is what is done with the collection of that information 
after, how it is assembled. And those are areas where I think 
that there can be questions and we should find good answers.
    Mr. Conyers. Thank you very much.
    Well, we know what is being collected. Everything. Is there 
anything that they--I mean, that is the nature of the problem. 
I----
    Mr. Reed. But I think it is worth noting that the Sears 
catalog had information on people in the 1900's. They knew what 
we were buying. And it is really about what is done to harm 
people afterwards. That is really the kicker. Because, you 
know, we all had the Sears catalog as a kid in our house, and 
you would read it. Sears knew what you bought. They kept a 
record of what you bought. That was a good thing. Do you know 
if what they did with that information prevented you from 
buying a house or prevented you from getting a job or prevented 
you from getting insurance?
    Mr. Conyers. Or hurting your credit.
    Mr. Reed. Exactly.
    Mr. Conyers. Let me turn to Professor Grimmelmann for a 
continuation of this discussion. I mean, this is a very nice 
conversation we are having here with four experts, but, I mean, 
there is a certain element here of ``let's trust everybody to 
do the right thing.'' The FTC is underfunded. Leibowitz, Jon 
Leibowitz, the Chair, comes before us every year and makes the 
case that they need more resources.
    How do you see this discussion of giving benefit of the 
doubt to these huge companies that are collecting what we don't 
even--well, from my point of view, it is everything. We go back 
to Sears in 1900. Well, guess what they are doing now, if you 
think that was something.
    Mr. Grimmelmann. I would like to say that some huge 
companies can play an important role in building tools that 
stop other huge companies from gathering lots of data. So, for 
example, Apple puts significant restrictions in the iPhone that 
limit the data that apps can collect so that the apps can't 
gather location data without the user's express permission. And 
Microsoft, in its most recent version of the Internet Explorer, 
will be turning on the ``do not track'' header by default to 
tell Web sites they should not collect data about users.
    We can find ways to exploit the competitive process in the 
industry, to have companies recognize privacy is an advantage 
and help consumers keep personal data from other companies.
    Mr. Conyers. But there are some that are disregarding the 
tracking instructions of their consumers. You know that.
    Mr. Grimmelmann. So, the advantage of that is that the 
company that disregards the tracking request has now done 
something that is explicitly deceiving the consumer and failing 
to respond to the request, rather than just taking advantage of 
their ignorance, which gives the FTC a surer basis for action.
    Mr. Conyers. Thank you, Mr. Chairman.
    Mr. Smith. Thank you, Mr. Conyers.
    The gentleman from Pennsylvania, Mr. Marino, is recognized 
for his questions.
    Mr. Marino. Thank you, Mr. Chairman.
    I am going to start with Mr. Shipman. And let's back the 
bus up here a little bit, if you would, please. And if anyone 
has anything to add to it, just chime in.
    Let's start back with the scenario, a parent is having a 
personal conversation with their son or daughter who is off to 
college; or one corporation is having a confidential exchange 
of information with another corporation concerning, let's say, 
a merger. Once I hit that send button, let's educate the people 
of where does that go and how many people or how many entities 
have access to that even when I hit the delete and the other 
side hits the delete? Do you understand my question?
    Mr. Shipman. Yeah, sure. Basically, your question, just to 
quickly summarize, is, when you hit send on an email, how many 
different entities could it possibly end up with.
    Mr. Marino. Even after I delete it.
    Mr. Shipman. Sure, sure.
    To me, the biggest challenge here--I mean, there are many 
challenges. eBay is not an ISP; we actually don't provide 
email, but I am knowledgeable enough to be able to provide a 
few comments.
    One of the toughest components here is access where you 
have other governmental agencies or law enforcement or other 
requests where the consumer may have no knowledge of that 
information being requested. Beyond the technology components, 
it had been deleted within the systems, within service 
providers, within a custodial relationship----
    Mr. Marino. Okay, I understand the law enforcement aspect 
of it. I have been a part of it for 19 years. So just give me 
your best estimate on how many entities would have that 
information.
    Mr. Shipman. Go ahead.
    Mr. Reed. I think, let's break it into two camps. Is your 
service a cloud-based, or are you just going from my company to 
your company? If you are going company to company, not too many 
entities in between will hold on to it.
    But he raises the key point, which is a part of ECPA reform 
in these questions, is that law enforcement has stepped in to 
place collection points in the process----
    Mr. Marino. Okay, let's exclude law enforcement for a 
moment.
    Mr. Reed. If you exclude law enforcement, company to 
company, not much. If it is company to cloud provider and back, 
then the cloud provider does have access to that information at 
a certain level. Most----
    Mr. Marino. Okay. Now, if several entities, even if it is 
company to company, how long does that individual or that 
entity have that information? Until they just delete it?
    Mr. Shipman. So, once an email or other piece of data is 
received, it is within that--if it is a responsible company, 
they have a data classification and data retention policy. So, 
depending on the classification of that data, it may be 7 days, 
it may be 7 years.
    Mr. Marino. All right, I am going to jump to the next one 
then. Who best can answer this: What would prevent an employee 
from obtaining that information and sharing it?
    Mr. Reed. It depends on their status in the corporation. 
Somebody who has the keys to the kingdom, so to speak, the 
network nerd in the closet, he is going to have all of it.
    Mr. Marino. So my point is----
    Mr. Reed. Right.
    Mr. Marino [continuing]. People have access to it and can 
use it nefariously, correct?
    Mr. Reed. Yes. And that is--yes.
    Mr. Shipman. There is an important consideration here, 
which is, there are tools that certain companies, certainly 
eBay being one of them, deploys which do monitor and track 
access to information within the organization. So not only are 
employees based on permission have access or don't have access 
to information, but also if there is anomalous activity, it is 
detected, reported, and prevented.
    Mr. Marino. Mr. Babel and then Professor, maybe you can 
give me a quick answer on this. I am an individual that 
questions ``do we want the Federal Government involved?'' In 
fact, I take the position that the Federal Government spends 
too much time in our lives to begin with.
    So give me, Mr. Babel, if you can, please, give me your 
opinion based on the fact that--can the industry police itself? 
I have a little problem with the fox setting rules and 
regulations for the henhouse. But give me a scenario, if you 
would, contrast them, policing itself and needing Federal 
regulations.
    So if you both could answer that, please. Mr. Babel?
    Mr. Babel. Sure. So I think that it is--you know, TRUSTe 
has self-regulatory programs. The key asset that we have is our 
band of consumers. So if we aren't living up to the standard of 
making certain that people who no longer follow the standards 
are out, like, for us, it is the whole company we are betting. 
Our credibility is the key, meaning the program and its 
credibility.
    I think when it comes to legislation, one of the things 
that I am concerned about is just, you know, what are the 
unintended consequences of legislation? If you look at 
something like CAN-SPAM, even that was a law that was well-
written, well-adopted, but at the end of the day, 90 percent of 
email is still spam. It is not the law that eliminated the spam 
in your inbox, it is technology.
    Mr. Marino. I am running out of time here.
    Professor?
    Mr. Grimmelmann. I think that the companies you are most 
going to want Federal intervention for are the ones who are not 
TRUSTe members who are engaged in shady, gray-area marketing, 
that conceal their tracks, click fraud, all kinds of shady 
deals that are trying to rip consumers off.
    Mr. Marino. Okay. Thank you.
    I yield back. Thank you.
    Mr. Goodlatte [presiding]. I thank the gentleman.
    The gentleman from Florida, Mr. Deutch, is recognized for 5 
minutes.
    Mr. Deutch. Thank you, Mr. Chairman.
    Mr. Babel, you said that 59 percent of people believe that 
their information is protected. You touted that number. Four in 
10 people are concerned that their information is not 
protected, I presume is the balance of that analysis, the 
balance of that polling.
    I just want to talk about the self-regulation piece of 
this, which a number of you had talked about. You have a 
program, a privacy program, which, if I understand what you are 
saying correctly, if a company adopts it, then they receive 
your certification. Is that right?
    Mr. Babel. Correct.
    Mr. Deutch. And has that certification been given to the 
largest companies? And what Mr. Shipman described sounds like a 
really terrific privacy policy, which I will ask about in a 
minute. But do they have your certification on their privacy 
policy?
    Mr. Babel. They are our client, yes.
    Mr. Deutch. And do all of the--I mean, do the biggest, just 
thinking about those companies with market dominance, does 
Google have a certification, does Facebook have a certification 
from you for their privacy policies?
    Mr. Babel. One of the things we look at is the top 100 Web 
sites listed by a company called Alexa that is based on 
consumer traffic. And we have about 50 percent of those top 100 
clients. So we have good penetration but certainly not all----
    Mr. Deutch. All right. So just again, thinking about the 
ones that we use most often, does Google have a certification 
and does Facebook have--for their privacy policy.
    Mr. Babel. Google is not a certified client of TRUSTe, and 
neither is Facebook. We do work with them in some different 
areas, but they are not certified clients of our program.
    Mr. Deutch. And, Mr. Reed, when you talked about the 
information to be collected, you said we should know what data 
is being collected, who we are sharing it with, and being 
transparent with customers.
    Mr. Babel, is that a part of your certification? Do you 
look at each of those?
    Mr. Babel. Yeah, if we were to think of the highest three 
levels of the certification, the business needs to first be 
transparent, meaning tell people what they are collecting, you 
know, if they are sharing it, how long they are holding onto 
it. They need to give choice; would you like to not have that 
data being collected? And they need to be accountable to that 
choice.
    So, yes, the tenets of what Morgan outlined are what----
    Mr. Deutch. And I am sorry, I don't--unfortunately, I don't 
know--I am learning a lot today, but I don't know well enough 
the relationship between TRUSTe and some of the other 
companies. What is it? I mean, when you say you have worked 
with some of these other companies but they don't have the 
certification, do you suggest to them what is missing? Or when 
it comes to those three items that we just discussed, when you 
look at a company with real market dominance, like Google, for 
example, or like Facebook, is there one of those three that 
they might be missing? Are there certain things that we ought 
to be considering?
    Mr. Babel. Think of it as, it is a totally different effort 
that we are working on with them. I will give you the example 
with Google. They have a business-to-business app marketplace, 
where a business owner using Gmail can download an application. 
We certify those applications, but it is in a partnership with 
Google. So it is not related to, kind of, the three core 
tenets. We don't work with them in our core certification 
business. It is kind of a separate, adjacent thing.
    Mr. Deutch. So I guess what I am really getting at is, when 
you talk about self-regulation and the success of self-
regulation, for a company, any company that has real market 
dominance, is that sufficient to rely on? Do the 40 percent of 
consumers who are concerned their information is not kept 
private, should they be satisfied with the privacy policies 
established in a self-regulatory environment, if not every 
company regulates themselves the same way?
    Mr. Reed, you look like you want to jump in.
    Mr. Reed. Well, I think you have to look at behavior. You 
know, eBay is sitting here. They have a pretty good track 
record so far on privacy. A lot of our developers use their 
PayPal system to enable app purchases. It has worked out pretty 
well. We haven't had those.
    So I think your question about the size of the company is 
not the first test. The first test is, what are they doing? And 
if a company with dominance has the power to take it and kind 
of thumb their noses at consumers, well, then, yes, I think 
that is the kind of time where you have to start taking a look 
and you have to start asking harder questions.
    So it is not the size as much as it is the behavior that 
really triggers this.
    Mr. Deutch. Well, Mr. Reed, I mean, you are more familiar 
with the industry than I am. Are there any companies that you 
think are thumbing their nose at these privacy issues?
    Mr. Reed. Well, I mean, I think we have heard the name 
several times; everybody has been talking about it. I think 
Google has--Google's privacy violations to date have certainly 
raised a lot of concern. I think it is the ironic; you know, it 
got so bad that the Jon Stewart show, ``The Daily Show,'' 
actually made fun of it on WiFi. So that----
    Mr. Deutch. Mr. Reed----
    Mr. Reed [continuing]. Harms all of us.
    Mr. Deutch. Mr. Reed, I am almost out of time. Of the three 
things that you point out--know the data being collected, who 
it is being shared with, and being transparent with those 
customers--which of those three do you think is most often 
being ignored by any company that might be thumbing their nose 
at these privacy issues?
    Mr. Reed. I think in the case of Google, I think the 
problem is that they haven't been transparent with what they 
were doing. I think that was very clear on Wi-Spy. It was clear 
on the Buzz settlement. They haven't been transparent. And I 
think that is an area that they need to improve or regulators 
need to step in.
    Mr. Deutch. All right. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentleman from Utah, Mr. Chaffetz, is recognized for 5 
minutes.
    Mr. Chaffetz. Thank you. Thanks, Mr. Chairman.
    And thank you for all for being here. I appreciate it.
    I wanted to highlight the idea that the Internet, the tech 
sector is actually something in our economy that is working. 
You are looking at growth in jobs and expansion of our economy, 
this is one sector that is thriving.
    One of my concerns is, while we have these deep-seated 
needs to make sure that privacy is protected, that we are 
protecting consumers, I think, Mr. Chairman, we also need to be 
ultra-careful in making sure that we don't convolute the 
process to a point where young entrepreneurs, new startups, 
aren't able to start because there is such a mass of regulation 
and uncertainty.
    I do question the notion that the FTC is the right 
organization. I wonder--we talk a lot about the teeth of the 
FTC, but we can probably count on one hand where they have 
actually taken action. And so I think that begs the question 
of, should this be done in part by statute so that we can use 
Article III Courts, as opposed to the FTC, which would be much 
more readily available to a consumer or an individual. It is 
just something, Mr. Chairman, that I think we need to continue 
to explore, because I am not convinced the FTC is the end-all, 
be-all.
    I am also concerned that if we have multiple jurisdictions 
here--the Consumer Financial Protection Board, for instance--
you are going to end up much like in the financial sector where 
you have conflicting rules and regulations.
    I think it is also important that the Congress stand up for 
itself and not allow an Administration--I don't care which 
party it is involved with--allow just simple rulemaking to push 
through the process and not allow the back and forth and the 
discussion that would happen in Congress. I think we have been 
failing on that front in general.
    There are a couple other areas that I would like you to 
address. And our time is so short here, but, Mr. Chairman, I 
think one of the things we have to further explore if we are 
going to truly look at privacy is how do we deal with minors. 
You know, my 11-year-old arguably knows more about using the 
apps and the Internet than most people three, four, five times 
her age.
    We are going to also have to deal with the national versus 
the international aspect and scope, which is obviously for the 
need and the genesis of SOPA. That issue has not gone away. We 
are still losing billions of dollars overseas, and we are going 
to have to deal with that.
    The other area that I am really trying to focus on and I 
would like you to address--I didn't come to just give a big 
speech--I would like you to actually address is, I think 
Americans have a reasonable expectation of privacy. But how do 
we define that? One of the things that I think we have to look 
at is airspace. It is reasonable that if somebody walked down 
your front yard, they could look at your front yard and see 
your mailbox and your shrubs and whatnot. As we expand out and 
start to use drones and satellites and other types of who knows 
what kind of technology, what is the reasonable expectation of 
privacy, say, in your backyard or on your private property?
    And along with that is geolocation. I have sponsored a bill 
on this. I think it is going to continue to go on.
    Would anybody care to address, what is the proper balance 
of airspace? You know, law enforcement use helicopters, right? 
We have allowed that for a long time; we think that is a good 
thing. But fuel is expensive. It is hard to get a helicopter. 
Law enforcement can only keep it up for so long. But if you 
have a drone that is up 24-7 or somebody that is going to--
where is that balance? Where is that line?
    Anybody care to take a stab at that one?
    Mr. Grimmelmann. I can say a little bit about that.
    One of the encouraging things about the Supreme Court's 
decision in United States v. Jones is that the Court endorsed 
two different kinds of rationales for protecting privacy.
    One of them, based in the majority, is rooted in the 
historic law of trespass. And there, that might signal a 
reinvigoration of the idea that the airspace closely above your 
home is actually yours and not to be invaded. We have long 
accepted that commercial airlines can fly far overhead, but 
this might signal an attitude that we should protect your 
sovereignty over your own space close to the ground.
    And the second, coming from the concurrences, is the so-
called mosaic theory that continuous observation over a long 
period of time can ultimately build such a complete portrait 
that it does invade one's expectation of privacy.
    Mr. Chaffetz. And I guess that is one of the challenges, 
Mr. Chairman, we face. Because he is right; in the Jones case, 
which is in large part what our legislation is modeled after, 
is this idea that there is a toggling between an individual's 
movements on private property and out in the public space.
    Look, technology can be great. It can be so useful and make 
people's lives better. But how do we actually craft something 
without ruining the industry? That is the fundamental question.
    I don't know if the other three care to jump in here.
    Mr. Reed. We have a phrase in the office. We say, ``nobody 
wants technology at the speed of government.'' And that is the 
problem that the question that you point out raises.
    You know, I speak as me, not as ACT. I would be totally 
creeped out having a drone fly above my house all the time, 
24/7, watching my backyard. That is me; I am not speaking on 
behalf of our members.
    But by the same token, a plane flying overhead isn't the 
problem. So we have to look at the behavior question, really. 
The plane flying overhead has an intent. It is going from point 
A to point B. It doesn't intend to be looking in my backyard. 
The drone positioned over my house watching everything that 
happened and whether or not I mowed the lawn on Sunday has the 
intent of watching what I am doing.
    So I think that part of what--part of how we need to look 
at what technology empowers is, what is the intent of the 
person who is putting that technology in place? What do they 
want out of it? And that helps us guide the question of what is 
appropriate airspace in certain aspects that allows for 
wireless transmission to happen without impeding it with a lot 
of government regulation.
    Mr. Shipman. Yeah, if I could just add, I think, you know, 
the work that eBay and a number of other organizations have 
done in really framing what should Federal omnibus privacy law 
look like really focuses--and Mr. Reed used the word 
``intent''--it is use, it is use-based obligations.
    With data, there is an intended use and there is an 
obligation that needs to come with that intended use. And you 
can look at each type of use: Is it fulfillment? Is it 
providing a service? Is it flying from point A to point B? And 
with that data collection and use comes obligation.
    Mr. Chaffetz. Mr. Chairman, with all due respect--my time 
is well past gone--I would appreciate the industry continuing 
to look at this, because I think it is an incomplete answer. It 
is not sufficient enough to say that is the intent, because 
what does a celebrity, for instance, in southern California do? 
You can see TMZ putting drones up trying to follow celebrities 
in their 10-mile zone--that is what ``TMZ'' stands for, 
right?--24-7.
    So intent is not sufficient enough. I think the industry 
has also got to catch up on how to help us define that, because 
Congress has the ability to ruin people's lives, and I would 
rather not see that happen.
    I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentlewoman from California, Ms. Lofgren, is recognized 
for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman.
    And as Mr. Chaffetz has indicated, I have some reluctance 
to see Congress weigh in on these issues in a heavy regulatory 
manner because we don't work at Internet speed, we work at a 
different speed. And, you know, that is a good thing. I mean, 
we can't make mistakes quickly. But, certainly, the technology 
will move much faster than we can. And so I have been 
interested in how industry might establish standards that 
prevent a heavy regulatory load.
    And along those lines, I am wondering how this process is 
working relative to the recent decision on Internet Explorer to 
make the default ``do not track.'' I understand that there--
and, certainly, Microsoft has the right to do that. Has that 
had an impact on the industry-wide effort to reach consensus on 
``do not track'' or not?
    Professor, could you answer that question?
    Mr. Grimmelmann. So, the decision has been discussed within 
the working group that is building the standard. Some of the 
participants in that group, including representatives from 
Google, Yahoo, and Adobe, have taken the position that Internet 
Explorer should be defined to be noncompliant such that Web 
sites could say, I think you are using Internet Explorer, 
therefore I am not going to honor your ``do not track'' 
request. And I think this is simply an attempt to sabotage the 
standard. It won't work if Web sites can second-guess the 
user's statement, I don't want to be tracked.
    Ms. Lofgren. Well, the question, I guess, is for me, what 
is the default? What kind of transparency is available to the 
user? And, also, what kind of accountability is there if the 
user's choice is, in fact, not honored by the person 
representing the choice?
    And I guess the question is, who owns this data? Maybe that 
is something that does need to be established in law, that the 
individual has an opportunity to enforce their own choices. Do 
you think that is an approach that would be helpful for 
Congress to take?
    Mr. Grimmelmann. The default right now is that Web sites 
collect but offer the user an opportunity to opt out. I think 
users should have the opportunity to choose tools that protect 
their privacy by saying, ``Do not collect,'' and if Web sites 
disagree with that choice, they can communicate with the user 
and say, ``Here are the benefits we could offer you if you 
turned tracking on.''
    Ms. Lofgren. Right. And that is--for example, I use 
Firefox. I don't know why, but I have always used it. And I 
have ``do not track'' turned on in my Firefox because that is a 
choice I want to make. But it means that there are some things 
I can't do on Firefox, which is a decision I have made.
    Isn't it just--wouldn't it solve our problem in the 
Internet world if we were just transparent to users and gave 
them enforceable choices?
    Mr. Grimmelmann. Yes.
    Ms. Lofgren. Now, let me ask about the--you know, Mr. 
Chaffetz, great minds think alike. I was also thinking about 
the drone issue. And I am told that in August the FAA is 
actually going to do some rulemaking on what drones can 
collect, which is kind of an odd regulatory role.
    Recently, the FTC had a workshop on the use of facial 
recognition technology. Because this isn't just an online 
phenomenon. I mean, you go into every store in America, 
practically, and there is a camera that is taking pictures of 
the shoppers. And with facial recognition technology, you can 
now aggregate data about individuals, who they are. And, I 
mean, that is an immense amount of data that we I don't think 
have any rules about.
    What are your thoughts on that?
    Mr. Reed. Well, the good news is that technology industries 
have actually been thinking on that. There are actually trade 
association efforts to develop best practices. And probably the 
best example I have seen to date on this is, strangely enough, 
Kinect by Microsoft. They put together an incredibly 
comprehensive program prior to putting the Kinect in your 
house. And you would say, well, why would that matter? But you 
realize, they are essentially facing a camera from the 
television at you. And so they did an entire privacy-by-design 
prior to launching Kinect strictly on the question of facial 
recognition.
    So the good news is smart people are starting the day 
saying, ``how do we deal with this?''
    Ms. Lofgren. Well, but the issue is--and we have plenty of 
Fourth Amendment rules for the government, and that is 
important, I mean, obviously. But what we are talking about 
here is not the government but the private sector----
    Mr. Reed. Right.
    Ms. Lofgren [continuing]. Which we celebrate. I mean, the 
private sector is the job creator of our country, the engine of 
economic growth. And yet, the capacity to know everything about 
individuals because of technology that has been deployed, and 
yet individuals may not even be aware that their picture is 
being taken with facial recognition technology. They may have 
absolutely no privacy.
    And I don't think we have any standards that are set for 
that use of big data. I mean, correct me if I am wrong.
    Mr. Shipman. No, actually, I think in that regard the 
online and mobile spaces are arguably doing a better job----
    Ms. Lofgren. Yes.
    Mr. Shipman [continuing]. At communicating what information 
is collected and how it is used. And I think that, as we see 
these technologies move into retail, that certainly companies 
like eBay that work with retail partners can form that 
partnership and can educate and help them with their use and 
their need to know their customer and how to balance that 
appropriately.
    Ms. Lofgren. I know my time is up, but I would just say 
that, you know, we need to have rules--individuals have to have 
the ability to enforce their understandings, either through the 
FTC or through private rights of action. But we have not really 
looked at all to the non-online issues that may be even more 
severe than what people are paying attention to. Because 
everybody who goes online knows it is an issue. Nobody knows 
that the drone is in the sky or that the corner grocery is 
collecting their data.
    Mr. Reed. No, you are exactly right. And we all saw in the 
retail space that Target knew a young lady was pregnant before 
she had been able to tell her family. And that was not the 
online data collection at all; that was strictly from the 
retail store. So you are exactly right.
    Ms. Lofgren. Thank you, Mr. Chairman. My time is up.
    Mr. Goodlatte. I thank the gentlewoman.
    The gentlewoman from Texas, Ms. Jackson Lee, is recognized 
for 5 minutes.
    Ms. Jackson Lee. I thank the Chairman very much.
    And I thank all the witnesses for their testimony.
    And I follow my colleague from California with the same 
quizzical concern about the extensiveness, the vastness of the 
issues dealing with Internet use and the concerns that we now 
have facing the American public or the world public. And so I 
want to raise some questions on that issue.
    But before I do that, Mr. Reed, do you know the apps that 
are from Houston?
    Mr. Reed. I do. We have more than a few. From your 
district, we actually have--oh, there is a great app built by 
an African-American woman in your district who actually won the 
challenge grant from challenge.gov that helps people look up 
the average pay for the jobs they are applying for and helps 
them negotiate in their favor, because it tells them the public 
data, what the average rate of pay is. And it is an app, so you 
walk into your job interview and you know----
    Ms. Jackson Lee. And you are well-informed. Do you have 
some others that you can either refer us to or print out for 
us?
    Mr. Reed. Absolutely. But that one in particular was one 
that was really remarkable.
    Ms. Jackson Lee. It is remarkable and probably gives 
shockwaves to future employers. But I appreciate that.
    Let me stay on the line of reasoning of my questions about 
privacy and use. Two examples. First, on the front page of the 
Web site CNET, there is a moving story of a paralyzed man who 
uses his eyes to tweet. This story demonstrates the enormous 
potential of the Internet.
    How can this man be secure in knowing that when he uses a 
Web browser like Internet Explorer and chooses ``do not track'' 
that his instructions will be followed and not ignored?
    Who wants to take that question? Professor?
    Mr. Grimmelmann. The important part there is that once ``do 
not track'' is standardized, I hope that Congress and the FTC 
will see fit to treat that as an enforceable practice, either 
under the principles of contract law or as a deceptive trade 
practice. A consumer's request not to be tracked should be 
honored.
    Ms. Jackson Lee. And how long--or what should we do to move 
that standardization forward in terms of the industry, to move 
forward on the standardized practice?
    Mr. Grimmelmann. Fortunately, the working group that is 
discussing it has an active and aggressive schedule. As long as 
they are aware that Washington is watching and hoping for them 
to succeed and waiting for the results, I think that is the 
most important thing you can do now.
    Ms. Jackson Lee. So you would say contract law, and what 
would be the other enforcement?
    Mr. Grimmelmann. The FTC's ability to prohibit unfair and 
deceptive trade practices.
    Ms. Jackson Lee. And my concern would be, what are we doing 
now? But I appreciate what you are saying is that we are on the 
right track.
    Let me also add this question. I appeared this morning 
discussing another topic, which is immigration reform, on 
C-SPAN, but a question was raised before I came on. In a Google 
official report by Dr. Dorothy Chou on the alarming number of 
requests for government censorship, the United States was 
number one.
    But the question is, the government has a special role and 
responsibility. What should Congress' role be in monitoring, 
permitting or opposing censorship by the government? I will go 
to the professor, but I would like some others to chip in.
    Mr. Grimmelmann. So, law enforcement requests come from a 
wide variety of sources, government both in the United States 
and abroad. And so the role of Congress there is, in part, to 
monitor the requests coming from the United States entities 
and, in part, also to work with U.S. companies over the 
pressure they are receiving from foreign governments to censor 
and to help give them the protection and reassurance of the 
United States Government that we support free expression around 
the world.
    Ms. Jackson Lee. But are you saying we make statements? I 
mean, because it is--we are asking to protect what we are 
transmitting. So the point is that the government is making 
these points that they need to, in essence, protect what they 
have.
    Mr. Grimmelmann. There was a conversation that has been 
going on for a number of years over global Internet freedom 
principles, and part of that is in a discussion about possibly 
legislating responsibilities for United States companies to be 
transparent about their degree of compliance or resistance to 
foreign censorship attempts. Google's transparency about 
requests it receives was actually quite helpful in 
understanding the pressure that governments put on our 
companies to do their dirty work.
    Ms. Jackson Lee. I think that is a very sensitive question 
that is appropriate for a congressional review.
    Let me go to Mr. Babel to talk of the challenges of privacy 
as you established your company.
    Mr. Babel. Sure. The challenges are really in helping 
companies and consumers kind of meet that best practice of 
where there is trust by consumers that the companies are doing 
the right thing. So our kind of sole role for existence is 
helping clients, customers understand what best practices 
around privacy really are and helping them prove to consumers 
that they are doing the right thing with their, you know, 
personal information. So that is what TRUSTe is really there in 
helping the ecosystem know and understand and balance that 
trust relationship between business and entities.
    Ms. Jackson Lee. Are your customers bankers or banks?
    Mr. Babel. There are a few banks, but it is really more 
focused on more online companies and technology companies. And 
we assist banks with other regulations that they have.
    Mr. Goodlatte. Thank you. The time of the gentlewoman has 
expired.
    Ms. Jackson Lee. I yield back.
    Mr. Goodlatte. The gentleman from Georgia is recognized for 
5 minutes, Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman.
    And I must admit that I was just a little disturbed, Mr. 
Reed, when you kind of left me out of the equation. I am 
sitting here right in front of you, closest to you; we could 
almost breathe on each other. And you didn't mention any apps 
from----
    Mr. Reed. I can talk about your app. It is good. I will 
give you it right now. It is a great app that allows you to pay 
for your parking spot with your mobile phone. It is actually 
one that a lot of us already use. It is called Parkmobile. It 
is a great app. Lets you pay for parking with your mobile 
phone. There you go.
    Mr. Johnson. Oh, I tell you, thank you.
    I also found one from Decatur, which is where I represent, 
Ping, a subsidiary of Ping Media Group, Incorporated. It is a 
provider of mobile coupons and promotions which enable 
retailers and vendors to communicate directly with their 
customers via mobile phones.
    And then I got another one. A young man, 17 years old, his 
name is Albert Renshaw, out of Gwinnett County, which I also 
represent. He has developed Apps4Life--A-P-P-S-4, the number, 
L-I-F-E--which offers WiFi texting without a wireless 
connection. And I thought those were pretty good.
    But I will now get into the meat of my concern. A breach in 
security protocol by a company such as eBay that exposes 
private customer information to the public could result in 
death or grievous bodily injury to a customer whose private 
information was divulged wrongfully. The consumer certainly has 
a right to recover damages for his or her injury, or their next 
of kin for their death. I am sure you all would not disagree 
with that. And they have a right to seek a recovery in a court 
of law. But one of the--and that is one of a consumer's basic 
rights.
    But that right is being chipped away at with these 
mandatory pre-dispute arbitration--mandatory arbitration 
clauses in these consumer agreements, which prohibit the 
individual, the aggrieved party, from being able to sue in 
court. Instead, they are forced into mandatory arbitration 
where the arbitrator is selected by the company. The arbitrator 
may or may not be a lawyer. The arbitrator does not operate in 
a public courtroom, but it is a private, secret proceeding, 
maybe held miles away, hundreds and thousands of miles away, 
from where the aggrieved party actually lives.
    There are no rules of Federal procedure, rules of civil 
procedure, rules of evidence, and no jury trial. You know, the 
arbitrator decides the issue, and then once the arbitrator 
does, there is no right to an appeal. This is a private system 
of adjudicating disputes which consumers sign up for a consumer 
agreement without any knowledge of the gravity of what they are 
giving up.
    Mr. Shipman, what do you think about that? Does your 
company have to sue sometimes other competitors for various 
things in a court of law? And do you think that it is important 
that consumers have the right to take their matter to court as 
well?
    Mr. Shipman. So, certainly the scenario you paint is an 
awful and terrible scenario for that family and one that I 
would hope that we never encounter.
    I think there are two important points here. The first is, 
what are the terms that the company has with a customer? 
And----
    Mr. Johnson. What does?
    Mr. Shipman. What are the terms. Is there an arbitration 
provision or not.
    Mr. Johnson. Yeah.
    Mr. Shipman. And----
    Mr. Johnson. Do you know whether or not you have that in 
eBay?
    Mr. Shipman. In the case of eBay, we actually have a number 
of choices for our customers, depending on the size of the 
claim. If it is a financial-related claim, it may be available 
to small claims action. If it is a larger claim, then certainly 
you can bring that case. We don't have that arbitration 
provision that would prevent someone from being able to be 
heard and, you know, have their day in court.
    The second theme that you talk about is information 
security and the protection of information. And, certainly, you 
know, a responsible company has thousands of people devoted to 
making sure that the information that is entrusted with us is 
taken care of appropriately. Because the last thing we want, 
certainly, is that scenario that you paint, because that is 
awful for not only our business but also for our customers.
    Mr. Johnson. Well, certainly. And it is not that the 
company would intend for any harm to come to one of its 
customers because of a breach. It could happen, though, pretty 
easily given the fact that this marketplace is in its earliest 
stage of development and growth and mistakes can be made along 
the way with various applications. Something may have a bug 
that needs to be worked out. And it is definitely possible for 
someone--let's say, a woman whose husband or boyfriend, you 
know, wants to do some damage to them and, due to a breach of 
information, is able to follow through with that, either, you 
know, character-wise or reputation-wise or either coming to the 
house and cutting her up into a million pieces. You know, it 
could happen.
    And if it does happen, then if eBay decides that, okay, 
this claim is not worth that much, then it will go through a 
certain procedure, and if it is deemed by eBay to be larger 
than that, then it goes into--then the person has a right to go 
to court. Is that what we are talking about?
    Mr. Shipman. Well, you know, again, I mean, very awful 
scenarios that you are painting. But----
    Mr. Johnson. But, I mean, it is true. Anything might 
happen.
    Mr. Shipman. Nonetheless--and, certainly, we can follow up 
with you afterwards. We would love to work with you.
    You know, our clause allows consumers to decide what the 
remedy--you know, what avenue they have available to them. We 
don't limit all claims to arbitration. So I think that is, you 
know, the salient piece.
    Mr. Johnson. Okay.
    Mr. Shipman. The second thing is, on this issue of a 
security breach, what we have seen to date--and I can't 
summarize and you don't want me to summarize all of the 
legislation and the caselaw--but what we have seen to date is, 
where there is a harm--and in the cases that you are providing, 
there are clear harms--then it is likely, I believe, that you 
would see damages be appropriate. Where we have seen no harm--
no financial identity theft, no physical harm--the cases that 
we have seen generally tend to say that there is not liability 
in that regard.
    Mr. Johnson. I understand.
    Professor Grimmelmann, your response, sir, or insight?
    Mr. Grimmelmann. I agree with him that where there is 
physical harm to the individual who has been hurt as a result 
of the breach, then, yes, the courts are available, and they 
have been willing to hear those suits.
    I am concerned somewhat that the breaches that do not 
result in immediate provable harm but nonetheless reduce the 
information security for all of us by leaking financial 
information on many consumers that can lead to acts of identity 
theft that can't specifically be tracked back to that one 
individual breach have resulted in harm not provable in a court 
of law, and so, therefore, there is no redress against it.
    This is why data-breach notification laws and other efforts 
to shine a light on this and enforce basic information security 
practices against industry participants are important.
    Mr. Johnson. Uh-huh. Class action litigation could play a 
part in deterring willful misconduct that could ensue.
    Mr. Goodlatte. The time of the gentleman has expired.
    Mr. Johnson. I noticed that red button has been on ever 
since I started talking, so I don't know how long I have gone, 
Mr. Chairman. But it doesn't seem like 5 minutes, though.
    Mr. Goodlatte. Without objection, the gentleman will be 
recognized for 1 additional minute to sum up his ideas.
    Mr. Johnson. Thank you.
    Yeah, class action litigation, where a number of people 
have suffered just a small amount of harm, but the class action 
litigation, which can result in a verdict of some importance in 
terms of the amount, could act as a deterrent and is good for 
public policy, in my opinion.
    What would be your response to that, Professor Grimmelmann? 
Because I don't want to--I don't want to personalize this with 
eBay. eBay is no different than all of the other entities out 
there that are very popular with consumers. So I will ask you, 
Professor.
    Well, I will ask Mr. Reed. What do you think?
    Mr. Grimmelmann. This is an area----
    Mr. Johnson. Go ahead. Go ahead.
    Mr. Grimmelmann. This is an area in which you are concerned 
about arbitration, which is extremely important, and this is 
also an area in which class-action litigation has been 
important for privacy. Facebook has recently settled a lawsuit 
over its marketing a commercial product using individuals' 
pictures to say, ``James just watched `WALL-E.' Don't you want 
to watch it, too?'' to their friends. And a class-action 
lawsuit resulted in a $10 million settlement.
    Mr. Johnson. Thank you.
    Mr. Goodlatte. The time of the gentleman has expired again.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Goodlatte. And having allotted him 10 1/2 minutes on 
his 5 minutes of time, I am going to take the privilege of 
asking a clarifying question for the witnesses.
    To me, self-regulation means companies publish their 
policies, and then if they engage in deceptive practices by not 
following those policies, then under existing law the Federal 
Trade Commission would have the authority to take action for 
false advertising or whatever the case might be.
    What I want to know for sure here is, does anyone here 
believe that the Federal Government should impose a 
one-size-fits-all regulatory approach or that the Federal Government 
should proscribe specific privacy policies to specific 
companies or in general?
    Mr. Shipman?
    Mr. Shipman. No, I don't think the government should draft 
specific privacy policies. I think we should leave that to 
industry and those that are innovating the services and 
technology.
    Mr. Goodlatte. Thank you.
    Mr. Reed?
    Mr. Reed. Exactly the same. I agree completely. That is not 
the position the government should be in.
    Mr. Goodlatte. Mr. Babel?
    Mr. Babel. I would agree, and also agree with your view 
that self-regulation with, kind of, a proper backdrop with the 
FTC is a good program to continue.
    Mr. Goodlatte. Mr. Grimmelmann?
    Mr. Grimmelmann. I agree that government should not 
regulate specific privacy policies. It should make sure that 
consumers have effective notice of what those policies are and 
have enforcement when those promises are broken.
    Mr. Goodlatte. Thank you very much. That definitely is 
clarifying information from all of you.
    I would like to thank all of our witnesses for their 
testimony today. This has been a very informative hearing.
    And, without objection, all Members will have 5 legislative 
days to submit to the Chair additional written questions for 
the witnesses, which we will forward and ask the witnesses to 
respond as promptly as they can so that their answers may be 
made part of the record.
    And, without objection, all Members will have 5 legislative 
days to submit any additional materials for inclusion in the 
record.
    And, with that, I again thank all of our distinguished 
witnesses.
    And the hearing is adjourned.
    [Whereupon, at 12:02 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

       Response to Post-Hearing Questions from Scott R. Shipman, 
      Associate General Counsel, Global Privacy Leader, eBay Inc.







                                

         Response to Post-Hearing Questions from Chris Babel, 
                    Chief Executive Officer, TRUSTe









                                

      Response to Post-Hearing Questions from James Grimmelmann, 
            Associate Professor of Law, New York Law School





                                

    Prepared Statement of the Consumer Electronics Association (CEA)