THE FORUM ON TECHNOLOGY & INNOVATION
+ + + + +
PRIVACY IN THE INFORMATION AGE,
PART 1:
INTERNET PRIVACY
+ + + + +
WEDNESDAY,
APRIL 26, 2000
+ + + + +
This transcript was produced from tape provided by the Forum on Technology & Innovation.
P-R-O-C-E-E-D-I-N-G-S
(12:28 p.m.)
MR. ROONEY: My name is Peter Rooney and I direct the forum for Senator Rockefeller, Senator Frist, and the Council on Competitiveness and we're all delighted that you're here today. I have a few housekeeping matters to take care of and then Senator Rockefeller will really get the show rocking and rolling.
First, I want to acknowledge the only reason that we're able to do this is with the generous support of three terrific organizations: The W.K. Kellogg Foundation, The Alfred P. Sloan Foundation, and The David and Lucile Packard Foundation.
They have been terrific in helping us keep this going at a very high level. I would like to point your attention to what's in your briefing packets today. On the backside of the first piece in your packet is today's agenda. We're going to follow the usual format, which most of you are used to by now.
Senator Rockefeller and Senator Frist will briefly introduce the topic, introduce the speakers all at once, then the speakers will speak for a maximum of ten minutes each and give you their overview of the privacy issue, and then the Senators will open the floor to your questions and moderate the ensuing roundtable discussion.
We have microphones on the floor. I know that it's a very tight room, but we prefer if you come to the microphone, live questions are always more exciting. Again, please give priority to congressional staff at the microphones, they are the main reason that the Senators are here doing this.
But if you are shy, or can't get to a microphone, the second item in your briefing packets are green question cards. If you fill out these cards, early on when the questioning starts, hold them up, we'll collect them from you and we'll pass them up to Senator Frist and Senator Rockefeller and they'll ask questions on your behalf National Press Club style.
Finally, I want to draw your attention to the third item, which is an evaluation card, a blue card. Please take a few minutes at the end of the session to fill this out and drop it off on your way out of the room. We do pay attention to what you say and they help us shape these briefings.
Thank you very much.
SENATOR ROCKEFELLER: Thank you, Peter. I want to say at the beginning that -- really to our speakers as well as to all of you, we had another 50 to 100 people who wanted to be here, but we are having problems, which Bill Frist and I are working on, in getting the kinds of rooms like Hart 216, that we need. And that we used to get on a regular basis.
And what's happening is that we're getting either committee rooms or other rooms and then we're being bumped. And that means that we have a very crowded room with a whole lot more people who wanted to be here, and who can't be here.
I think Bill and I both feel very badly about that. And we're both working very hard to try and make it so that you have maximum comfort and we get the most number of congressional staff to be able to be here, which is obviously the point of the whole thing.
So having said that, what we try to do is to -- and I'm also starting this right on time, looking at Elizabeth, because it's so unusual for me to get here before Bill Frist, but I'm taking advantage of the opportunity.
We've got a three part series on privacy, because it's that kind of fundamental, important issue. And it's a hot issue and, you know, that makes it interesting and controversial and therefore more fun. So today we are going to the internet privacy issue. And then for the next session we'll cover financial records privacy. That will be one session and then the next will be medical and genetic records privacy and that will be the third session.
So those three in a row, I don't have the dates for you right now, probably because they are not established.
Anyway, it's that kind of an issue and it needs to get this kind of exposure. You know, basically, my very quick overview of it and that's Americans are very concerned. They're more concerned about this than virtually anything and a San Francisco firm and it's an interesting quote, 92 percent of online households say, "Don't trust companies to keep personal information confidential, no matter what they promise."
And 82 percent believe that, "Government needs to step in and regulate how companies use personal information," and then I think you all probably seen that really rather amazing Business Week cover story on internet privacy in which they flat-out called for a four part federal regulation. Which is not what you would start out expecting from Business Week.
On the other hand, the free flow of data is the blood stream of the IT community, the new economy and everything that's going on. In other words, if you start where do you stop?
We have to be very careful about what we enact, particularly we in Congress who are more behind the curve than a lot of other folks, which is why we do this Tech Forum and why you are also important and why we need a bigger room.
And the whole concept of regulating and interfering with data flow is something that has a consequence. And do we understand the consequences of it? And have we discussed not just the ethics, but the economics and all the rest of it? Well, that's what our panelists are going to do.
Some people say that consumers are well informed on these things and they can make choices as to -- what will be the consequence if they do something and then there are others that say no they don't. You know, they think they do, but they don't or they can't read it or don't read it. Or they are in a hurry so the opting in and opting out, and all of the rest of it just becomes kind of an academic thing which they bypass and thus, are "Being used without knowing it."
And targeted advertising and personalized commerce are two of the things that are there. So the up and down of it, is it's not simple. The Senate Commerce Committee typically, when we were faced with internet taxation three years ago, we made the absolutely brilliant decision to do nothing for three years.
And everybody thought, "Hmm, that's a sound policy decision." And it was really because we had absolutely no idea what to do, because that was the first year that the Senate even had the internet.
So, you know, Congress acting is of consequence and Elizabeth if he's not in sight, then I get to introduce these three panelists. I'm so happy I can't tell you. Okay.
Kevin Ryan is President and Chief Operating Officer, and he is right here, of DoubleClick, Inc., which is the largest and my introduction has, purveyor which I consider to be a pejorative word, so I'm going to change that word or you fill it in, but I don't like the word purveyor -- of banner advertising on the web and we all see it. DoubleClick has enjoyed incredible growth under his leadership and it's sort of the big star in New York's Silicon Alley.
Kevin is on the front lines of the privacy debate, as he faces a very unique challenge of gathering accurate information on consumer tastes and buying habits, while at the same time trying to ensure protection of their personal data.
The second speaker, Fred Cate, who is right here, is one of America's foremost authorities on privacy in the electronic domain. He is Professor of Law at Indiana University, he's Director of the Information Law and Commerce Institute, and the author of a lot of articles and books on privacy including one called, Privacy in the Information Age.
The third one over there, Jason Catlett, is President and CEO of Junkbusters.com, which is a unique for-profit web site that gives consumers tools and information to control advertising. So you can see we've got a little set up here for a little interesting conversation. And also direct marketing on their desktops to control that. He's a computer scientist by training, with expertise in data mining, web-based marketing.
So each of our speakers will speak no more than ten minutes. And then we will open it up and I will encourage them to argue with each other, but I will also -- I told them beforehand, that you're the point of all this, so that your questions and your concerns, those of you who are congressional staffers in particular, are what we are most interested in.
So Kevin you are up.
MR. RYAN: Thank you Senator. We definitely appreciate the opportunity to come down here, because the Internet is an incredible development that has happened, really from a business point of view, over the last four, maybe five years.
And that exciting development as you probably are seeing, or impacting you on a personal level, it's impacting potential policy. In fact, hardly any issue right now can be tackled that doesn't involve the Internet in some way. It's growing so quickly that it's hard to put a line in the sand right now because things will change in three months, but that's what makes it intellectually interesting, that's what makes the tremendous job growth that it's creating. That's what makes it fun for all of us.
In this, what the Internet is doing is becoming pervasive in our lives. Whether it's in a commerce form, in an advertising form, in an information form, in just about everything that happens. As part of that, and because it's so fundamental the privacy element is crucial and so I think the scrutiny and analysis that has happened recently is very beneficial long term for developments on the internet and sessions like this are very important, too.
Because within the discussion of privacy what falls under privacy when you do a consumer focus study, is actually multiple topics. It could be credit card, it can be Social Security number, it can be hackers, it can be marketing information, there are all kinds of things that fall under that.
And so we want to distinguish those and understand who does what in this value chain, and therefore what is the impact and what should we do?
At DoubleClick, what we have always felt is that if consumers are not comfortable, if they don't feel good about being on the Internet, whether it's for a commerce point of view or an advertising point of view, then the Internet cannot be successful. So it is absolutely fundamental to these businesses, to the consumers, to the government, to everyone, that we can get to the point that consumers do feel comfortable.
And I think, right now the reality shows that not everyone is comfortable exchanging personal information on the Internet. They are nervous about what's going to happen. So there is a real issue that we need to solve if we want to continue the growth.
Let me talk about what DoubleClick does, I'll give you three minutes on that, and then we'll talk about how that fits into the privacy debate and what should go with going forward.
DoubleClick was founded just over four years ago, with two people and today has 2,000 employees. We will end this year at about just under 3,000 employees. We are all over the world, we are the leading provider of third party ad sales and ad serving for just about all of the major countries in Europe, the United States, and throughout Asia.
In doing so, we've created a business model that relies at the foundation on what the Internet can do differently and that is through the technology, what can happen is that you can make sure that the right person gets the right ad.
We've all seen a Super Bowl ad and maybe some people were interested in that product and some people weren't. What's more effective, if we could do it, and everyone has always wanted to do it, is say that maybe only half of the people see that one Super Bowl ad and half see the other Super Bowl ad, but it has never been possible.
The Internet is only effective if we can make sure that this advertising works and therefore, can push to keep this Internet free. What DoubleClick does then is -- has created the technology that allows -- if you come in to see the Wall Street Journal web site, which is one of the couple thousand clients that we have, they use our technology.
And so the technology will be that they sell their own ads on their web site and you will come in -- we can recognize that the person is coming from Washington, DC, and therefore you'll get an ad from a car dealer in Washington, DC. I'll never see that ad, because I live in New York. That makes it much more effective and creates an advertising opportunity for a car dealer that would have never existed before.
By doing that hundreds of times, in fact, we have a hundred thousand different types of ads running, it means that over time that advertising can be sold effectively. Which is better for the web site and better for the consumer.
It's better for the consumer in two different ways. One if you offer people a choice and say, "You can see random advertising," we'll use TV as an example, that for you can see just random ads that have nothing to do with your interests or you can see ads that are linked to your interest, but it will be the same number of ads.
Remember there is nothing that we do that impacts the number of ads that you see, it's just putting in a more relevant one, instead of a less relevant one. If you give people that choice they'll say, "Yeah, I'd rather see the relevant advertising."
The second thing is that people love having TV for free. And they do that because advertising is effective, now TV has the advantage of thirty second commercials, which are very powerful.
On the Internet you are getting a much smaller commercial. You are getting an ad, in some form, it can be a banner, it could be a text link. And that to make it effective, to be competitive at all, is going to have to be targeted so that it's reaching the right people that are interested in buying a Volvo or interested in cars or interested in travel or something like that.
So in order to make these things free, and to make these web sites work, we have to make sure commerce and advertising have a chance to survive. But we can only do if the privacy is being protected and people feel comfortable. That's the balance that conceptually and graphically we need to strike.
Let me give you a great example, which is that if you look back five years ago at the business model, in fact, at DoubleClick business model we looked at whether or not subscription models was going to be the future of the internet. So everyone would pay money, just like your cellular telephone and if you paid money you would get to have web access and site-by-site you would have subscription fees. And what worked out was much better than that.
We, in launching the business, decided that, you know, I think it can be advertising supported, it will be free for people. So, that has been the model of the Internet and you have seen even people like The New York Times, that had a subscription model have really gone to an advertising supported model.
The fact that the Encyclopedia Britannica, which when I was growing up cost 2,000 dollars, so we couldn't get Encyclopedia Britannica, because we just couldn't afford it. Now, that is available for free on the Internet, because it is advertising supported and that is an incredible development.
Multiply that out, the Senator and I were just talking about DSL access. He's very excited because he's getting DSL at home, faster Internet access. That's -- there are people now, just last week, we issued a press release we are working with someone that's going to offer DSL access, which is fast, high-speed internet access for free. Advertising supported. I think that's a great development for everyone, especially when we get onto digital divide questions.
So in this trade-off there, what we need to do at the same time is balance off the privacy concerns, which are very real, with the need of businesses to have effective marketing. How do we do that?
One, we need to provide notice and choice. So what people need to know is their name is being out at all, if their name is being used, what we've always recommended that if a name is going to be involved, it should absolutely there that says this, if you're giving your name and it's going to be linked to other information then you should have the ability to opt out right there.
You don't have that ability right now in most of the offline world. Buy a shirt from the Gap, buy a shirt from the Gap catalogue, you don't have the ability to opt out there, but on the internet we've been holding it to a higher standard and that's fine, we should offer that opt out. And we do if it's -- if it can have your name linked to it.
Even on the anonymous part, which is to date, just a reminder everything that we've done has been anonymous. We'd like to introduce products that have the ability to link a name, but we have not done so yet.
On the anonymous part we also offer the ability to take that even a step further. We want, currently, the way that our anonymous targeting works, is that you go to a web site, you are in a sport site, so you see a sports ad. There is a record, that some user, using a cookie and a number, has seen an ad.
What advertising and consumers would like to be able to do is make sure, right now that you don't see the ad too many times. So at the end of three times we stop showing you the ad, but if you felt uncomfortable with the ad in any way, what DoubleClick did at the very beginning, years ago was create technology that allowed you to opt out. So you go to our web site, you don't have to know anything more than that.
It takes ten seconds and the ad will be completely turned off, you'll be anonymous every single time. It's a hundred times easier than anything I've ever seen for direct marketing, for all of the catalogues that I get, for the phone lists I'm on, things like that. This is a whole new step and the technology is an advantage there. That opt out is a very important part.
The second part is there are two types of information. Generally, there is information that is sensitive and information that is not sensitive. We have always committed from the very beginning that we are not using any of the sensitive information, so that if you went to a health site we wouldn't want to use that information in any way, even anonymously on another site. That's another commitment.
Other things that we've done is that we've run the largest public service campaign in the history of the internet. It's going to be a hundred million ads, reaching fifty million people that we have paid for, that have ads that link back to a privacy choices web site that then has links to privacy groups, Jason's company, all kinds of companies out there, to try and get more information out there, because more information makes people feel better.
We named the Chief Privacy Officer, the former Commissioner of Consumer Affairs in New York City and we established -- we are in the process of establishing a privacy board. We have the chairman, who is the former State Attorney General from New York, Bob Abrams.
We're taking a lot of steps here, to make sure that people feel comfortable, but as an industry I don't think we are all of the way there yet. I think what we want to look at over the next year or two, for the time being, I think it's a difficult issue to legislate right now. Most of the bills that have been introduced whether it's the Markey Bill or the Schumer-Hatch Bill, everything that they have recommended in the pro-privacy bills are things that -- ways that we live under that right now.
But I think it's a moving target and a tricky one to do right now, as people are learning through forums like this, but I think over time, we have to do the right thing and make sure that there are no bad actors out there. What I have seen in the past, I use as an example is the credit card fraud. Three years ago hardly anyone would use a credit card on the Internet because they were concerned about credit card fraud.
What happened in the last three years that allowed e-commerce to explode? No legislation, really no security protection, basically people got used to it and people felt more comfortable and realized that fundamentally, there wasn't that big of a risk in the beginning.
So the final key, is that when we look through and talk to consumers about what they were most concerned about. It had to do with their credit card numbers, their Social Security numbers. Which is information that DoubleClick doesn't have, but a lot of these issues usually get rolled together. Hackers, which is information again, which is really separate from us, that people were the most comfortable with marketing information if they were getting a benefit. And I think over time, if we can continue to allow web sites to be successful, by selling advertising, by getting products to people that want them, it will provide a tremendous, tremendous benefit to consumers.
The concern I have overall, the challenge to the Internet is less -- actually to DoubleClick's model, because we'll be over a billion dollars in revenue next year. We'll be profitable starting next quarter. The model is less concerned with us, than it is our clients who are web sites, some of whom are struggling. Many of whom, in fact, most of whom are not profitable yet.
Long term we only have -- there are only three alternatives. Either they become subscription based, or they have to merge together or go out of business in some way and reduce the number, or three we have to have advertising and commerce be more successful than it is right now.
The trend is good, I think we just need to continue that and it's going in the right path. So fundamentally, I think we have seen the most exciting developments in the industry that I have seen in my lifetime, over the last four years and I think if we can all focus enough time and energy on this and keep working with consumers, keep working with consumer groups, keep working with industry. We can strike a middle ground there and make sure that people feel comfortable about privacy on the Internet. It's a very important issue.
Thank you.
(Applause.)
MR. CATE: If you gained weight while sitting up here you would have trouble getting to the podium. Thank you very much. I am delighted to be here. Let me say Senator Rockefeller was saying before we started, that he was commenting about the importance of the Senate's staff and I think that this is something that many of us have come to appreciate that the opportunity to talk to Senate staff, who typically when we testify before Congress, are seated behind us. The chance to talk to you face-to-face is in fact very attractive and on this issue particularly important.
I have only four points. That should be two and a half minutes a point, but it probably won't average out exactly like that. And here they are.
First, right, I think we all agree, I hope we all agree, privacy is enormously important. It's critical to our participation as a society and a democracy. It's critical to the economy, particularly the Internet economy where we know people will not go if they do not have confidence that their privacy is protected. And it's a topic of enormous concern.
Frankly, probably a topic that polls reflect greater concern than you could even rationally justify, but we understand it's enormously important to voters today. Second -- that was easy that only took thirty seconds.
Second, restricting information flows, in order to protect privacy always inevitably imposes costs. It imposes costs on consumers, it imposes costs on businesses, it imposes costs on the economy as a whole.
Now what I want to spend a moment focusing on is that often these costs are often quite significant and seldom are they readily perceived or fully anticipated. Now this should come as no surprise, right you've all heard information -- the lifeblood of the 21st Century economy, especially on the Internet. Right. The Federal Reserve Board governor, Edward Gramlich, testified just last summer before Congress and I quote, "Information about individuals needs and preferences is the cornerstone of any system that allocates goods and services within an economy."
These are not simply hollow words. You have tremendous examples of benefits, information sharing allowing businesses to ascertain their customers needs and to meet them rapidly and efficiently. Expanding consumer access to a wide variety of services and products. Improving customer convenience, enhancing efficiency, allowing consumers to be informed rapidly and at low-cost, in other words, target marketing of opportunities most likely to interest that consumer. Preventing and detecting fraud and other crimes.
Finally, promoting competition, particularly if we think on the side of innovation and the entrance of new businesses, the ability to acquire information in the market from somebody else, rather than have to wait 'til every customer comes to your door, one after the other, so that you can compile information, is a tremendous incentive to new entrance into the market.
You have, I think, many other more specific examples of these types of benefits in the red or as they like to say the paprika covered report in your packets that deals with just one segment, and that's public records. But those benefits are multiplied many times when we look across the volumes of information available in the market.
So what we are presented with is really what I always call a "privacy conundrum." On the one hand privacy is important, on the other hand so is the open flow of information. Interfering with the latter to protect the former, imposes costs, okay.
Now, the last two points. To protect as far as possible, the value of information, to avoid as far as possible the unintended consequences of regulation my research, not to mention more than 200 years of Constitutional jurisprudence suggests tremendous caution, before the government undertakes to restrict information flows in order to serve any purpose, including protecting privacy.
Now, let me be clear. This does not mean that privacy goes unprotected. It means instead that we look at first to market responses and individual actions, right, for a number of reasons.
One, is that market responses and individual actions, for example, employing a technology, opting out, using something to protect your own privacy, more sensitively measures privacy interests.
Therefore, it allows consumers to value their own privacy against the cost and inconvenience of not allowing data about us to not be used. I'll give you a very specific example. I fly a lot and every time I call the airlines I have to give them my credit card again. Even though they are looking at my credit card on their screen, right there, from the 18 previous flights I took this month, because they have adopted a policy that says for privacy reasons they won't volunteer my credit card number, I have to give it to them. Right.
Allowing me to tailor that, to say "No, you know, I opt out of that level of privacy protection, just use the credit card on file, I'll run the risk." It allows me to then value the inconvenience or the cost that goes along with using or not using that information.
Now this is especially true in the Internet environment, where there are readily available, easy to use, and either low or no-cost technologies and services that allow us to browse anonymously, shop anonymously, even download or ship anonymously.
Moreover, the very technologies of the Internet that make this type if you will, market driven, or self generated privacy protection possible. The very technologies also make it possible for consumers to search out and compare privacy policies. So I can say in a competitive market when comparing life insurance policies or credit card offers or what have you, I can look right across the spectrum of privacy policies and see who is most sensitive to the types of issues that concern me.
Now, to be perfectly frank, these types of privacy protection are not merely more sensitive, they are not only more tailored, they are often more effective than government regulation.
Right, think about this in the context of the Internet. A technology that blocks my identity, gives me real privacy, it gives me real control over my information. Compared with that, a law that gives me the right to sue if you disclose my information in a way that I didn't agree to or go to a regulator, is a far second. It's a distant second. It's not the same type of privacy, it is a legal right, but it is not privacy in the same sense.
Yet, ironically, enacting laws that create a disincentive for the development and use of private sector privacy protections -- enacting laws that set the standard that say this is privacy protection, we are defining it for you as a matter of law, it will act as a disincentive for the development of these market mechanisms. Right.
Why should anyone do it? Why should Jason Catlett, who you'll hear from in a moment, develop Junkbusters if the law already sets a floor so that the tailoring of privacy that I'm talking about is no longer practical, it's no longer affordable.
Again this is especially true in the context of the Internet. Remember it's not only the fastest growing medium in human history, but it's also the most global medium. Technologies and other methods that allow me to actually protect my privacy are more valuable to me than a national law someplace that I can try to enforce if all of the conditions are right.
Finally, the last point. When government intervention is necessary, and I do believe there are occasions when government intervention is necessary. For example, where sensitive information is disclosed in a noncompetitive market, so there is no option, there's no other alternative. When that intervention is necessary it should respond effectively to a specific harm.
If I leave with nothing else today in your minds, it should be those words. The government's action should respond effectively to a specific harm. It should interfere with individual rights as little as possible. It should interfere with competitive markets as little as possible. It should impose the least cost consistent with effective protection and it should be easy or even intuitive to use.
Well, with much of the privacy legislation that is currently being debated it's frankly difficult to discern this first principle -- it should effectively respond to a specific harm.
Frankly, it's sometimes difficult to discern even what privacy harm is intended to be redressed at all. Let me give you just one example, and with this I will end. For example, in an effort to protect privacy enacted a statute prohibiting the use of arrestee addresses, obtained from law enforcement agencies for marketing products or services.
But explicitly in the same statute permitting such information to be published for journalistic purposes.
Now, it's difficult to take seriously the state's claim that sending a letter to an arrestee, offering the services of an attorney or a private investigator would invade her privacy while publishing her address in the local newspaper would not invade her privacy.
This as Justice Stevens called it, "Overall irrationality eviscerates any rational basis for believing that this amendment will truly protect the privacy of these persons."
The goal of all of the government's privacy efforts, whether legislative, judicial, regulatory, what have you, should be to help empower consumers, us, to obtain real privacy protection without broadly regulating or taxing information flows or promising more than any law can deliver.
I look forward to this discussion and now I'll hand it over to Jason.
(Applause.)
MR. CATLETT: Thank you very much and thank you for inviting me today, Senators. When I came to this country from Australia, eight years ago, to join the research staff at AT&T Bell Laboratories, I never imagined that I'd have the opportunity and the honor to address a group of Washington's leading policy makers on a question of such importance to the economy, to technology, and to human rights. So I'm really grateful for the opportunity to discuss it with you today.
As a technologist who has spent an enormous amount of time trying to develop technology and distribute it for protecting privacy, I can assure you that technology alone is not going to protect the privacy of Americans.
What Americans need are legally guaranteed rights to stop information about them being used without their consent. Now, technology has the habit of making it much easier to grab data and to distribute that data, so Congress has often responded to new technologies in specific ways to prevent invasions of privacy.
For example, in 1991 Congress passed the Telephone Consumer Protection Act, which simply banned junk faxes where no prior business relationship existed. Another example is the Video Privacy Protection Act of 1988, which essentially requires the consent of an individual who rents a video cassette, before the renter discloses the title of that video to another party.
Unfortunately, this law doesn't apply to movies delivered over broadband Internet connections for example. In 1998 the Congress responded to the Internet with at least two laws. The Digital Millennium Copyright Act and the Children's Online Privacy Protection Act, which took effect on Friday.
Experience shows that it's important to either frame legislation in non-technology-specific terms or to update it as new technologies supersede the particular language of the old statutes. Now because the United States has few technology independent privacy laws, many Internet businesses have rushed into the opportunity to adopt information practices that are so intrusive to privacy that they would be illegal if conducted in other, older media.
And to illustrate this with an analogy, with the telephone network, imagine for a minute that you have on this panel with you today a representative from a fictional phone company, called Orwell Long Distance. Let's call this representative George.
Now George tells you that the drop in profits in phone companies in recent years have been placing huge stresses on the telephone industry, but George fervently believes in keeping toll-free calls free for all telephone subscribers. So Orwell Long Distance is introducing a wonderful new service for personalizing phone calls.
First OLD will use speech recognition systems to spot key words in your telephone conversations and over time OLD's computers will build up a profile of the kinds of goods and services that you're interested in based on what you say on the phone. It combines this information with Yellow Pages information about the kind of businesses that you call; clubs, bars, pizza parlors, et cetera.
So that it can provide you with more personalized telemarketing calls. Calls that you find more interesting, less repetitive, and more according to your individual speaking and dialing habits.
Now, some privacy extremists have objected to this kind of surveillance as they put it. Particularly the people who haven't heard of OLD before, let alone signed up with them. They hadn't realized that simply by dialing an 800 number or receiving a call from a consumer who uses OLD, that that would start a record for them in OLD's databases.
Now, George is quick to assure you that OLD doesn't currently sell transcripts of your conversations or even provide any keyword data to unaffiliated companies, but to go the extra mile Orwell Long Distance has appointed a Chief Privacy Officer and George now outlines to you a six point package to persuade you policy makers not to pass any law that might materially impede OLD's information practices.
First, OLD does not use any sensitive information, such as when you call the offices of your doctor or attorney or if you call phone sex 900 numbers, or if you have any conversation involving children. So we've cut out sensitive information completely and second it's appointed a firm of chartered accountants to ensure that it rigorously adheres to its policy of only recording keywords from your conversations with nonsensitive companies and other consumers.
Third, it's embraced the four privacy principles of the Online Privacy Alliance, namely, notice. OLD publishes a privacy policy giving full disclosure of its practices and it's even promoted its existence to consumers through its own privacy options web site and an extensive ad campaign.
Second, choice. Consumers can call an 800 number to opt out of the targeting. Of course, this only opts out of OLD's personalization service and not any of its 600 competitors.
Third, access. OLD guarantees each consumer the inalienable right to see the phone number and street address that OLD has on record for them and to fill out their own change of address forms if they wish.
Fourth, security. When personal data is transmitted to OLD telemarketing call centers, it is always fully encrypted. And if OLD ever decides to sell transcripts of profiles from your phone conversations they will be delivered by armored car.
So George claims all this is evidence that OLD is deeply committed to protecting your privacy, but I wonder how many of you would be convinced. And let me just ask, Kevin are you happy with OLD's practices?
(Laughter.)
MR. RYAN: Well, I'll give a full response to that in a second. Thanks.
MR. CATLETT: No answer, Senator? No comments yet, Senator are you happy with OLD's practices?
SENATOR ROCKEFELLER: I would not be happy.
MR. CATLETT: And Fred Cate?
MR. CATE: No, I wouldn't.
MR. CATLETT: And could I have a vote? How many people are happy with OLD's practices? How many people are unhappy with OLD's practices? I think we have a clear majority here. Okay.
The point of my allegory here is that OLD's fictional practices in telephone, which would be illegal under present law, are closely analogous to the practices of several web-based advertising companies.
These companies monitor the key words that you type into search engines and other forms, and they monitor the specific pages on web sites that you go to that carry their ads.
Some of these companies have your name and address attached to a cookie, but most people have never heard of their name. Now that raises two important questions.
First, why aren't these practices illegal on the Internet? And secondly, how can it be that they can part with the four privacy protection principles of the Online Privacy Alliance and trustee, civil industry groups and, indeed, the Federal Trade Commission?
When anyone who has used a telephone can see that they are plainly unacceptable violations of privacy.
Well, the answer to that question is that Congress is being served a dull and boring lie about what is necessary to protect privacy. Many members of Congress have already dismissed the idea that self-regulation will protect privacy. That was an obvious nonstarter. But the Online Privacy Alliance and other groups of internet companies that hope to prevent the passage of legal privacy protections, have formalized this industry-wide fiction that they hope you will fall for when you draft privacy legislation.
The key piece of sleight of hand is the word choice. What choice means to them is any token opportunity to opt out of some uses of personal data, no matter how burdensome or ineffective the procedure may be. An effective law would use the word consent, instead. Called in the jargon, opt in, and this corresponds to the desires of 90 percent or more of Americans in any survey when they are asked about whether companies should be able to use information about them without consent.
And on the Internet consent can be obtained very easily with just a mouse click. Indeed opt in e-mail is a multibillion dollar business, while opt out junk mail is reviled and spurned by most marketing companies and is illegal in some states.
An effective law would also limit the use of personal information to the purpose for which it was obtained. These are the real principles of fair information practices, formulated by the Organization for Economic Cooperation and Development in 1980 and since adopted into the law of most developed countries, including most recently, Canada.
That is what is necessary to protect privacy. We take it for granted on the phone. Why don't we have it on the Internet?
Recent surveys that Senator Rockefeller showed -- told us indicate that the support for privacy legislation is running between 57 and 82 percent. And surveys also show that the number one reason for nonparticipation in e-commerce is fear for privacy. So why don't we have it in this democracy of ours?
This summer the Federal Trade Commission will present you with another report on Internet privacy. Last year's report, which the Electronic Privacy Information Center's Mark Rotenberg described in testimony before the Senate as, "One of the oddest reports on privacy ever produced by a government agency," recommended that Congress not pass any law on internet privacy, with only one commissioner dissenting.
The FTC may tell you to do nothing again this summer, but there is really little point in waiting for their deliberations, because the FTC's model legislation essentially follows the OPA's fake protections based on opt out. That will not fix the problem as the allegory of Orwell Long Distance shows. What you plainly see, unfolding before you is the Orwell Internet Service. Big Brother has been superseded by big browsers and the big browsers don't want to be required to ask permission before grabbing all of that personal information. The solution is plain and it's what people want, to be asked for their consent before personal information is used.
The question is whether Congress will give them the legal rights necessary to protect their privacy.
Thank you.
SENATOR ROCKEFELLER: Thank you.
SENATOR FRIST: We're going to allow Mr. Ryan to comment.
(Laughter.)
SENATOR FRIST: Do keep your comments fairly short and the question and answer will be able to come right -- again and again back.
Again green cards, we'll be walking around. Don't hesitate to come to the microphones, the live interactions are always a little bit better. I've already got a number of questions here that pick up on the statements that have been thus far.
Mr. Ryan.
MR. RYAN: I think Jason brings up a great question there and a great metaphor in a different industry and so the question is how do these things apply across industries. And it's a good example to focus on, because it highlights a couple things.
Obviously, I wouldn't -- no one would want anyone to have access to my private conversations and so if you do the same thing for e-mail, I think it would be a terrible example. I think it would be a terrible thing in phone calls to have -- to pull out words that you are doing.
The question is then, let's look at faxes, e-mail, and advertising and just explain why they are a little bit different. Sort of -- spam faxes was something that legislation was passed -- I'm totally supportive on that to get rid of that. I think spam e-mails are in a different category than advertising supported web sites and should be treated differently. We have an e-mail business that we are just starting, and an advertising business. E-mail because it's intrusive, so that if I send you a thousand e-mails tomorrow, that is intrusive on your life and so you should have some protection on that. The question, though, is if you go to -- if you come to my web site, which I have spent millions of dollars to support, to put together, to provide information, and all I'm asking in the trade-off that you have chosen to come mine -- there are a hundred thousand web sites out there.
The question is the inalienable right to come to my web site and control everything on there and so what our clients are telling us is, "Look, that trade-off there, is that you should come to the web site if you want to. You don't have to, but if you choose to come to the web site then I need to show you an ad to pay for it."
And in that exchange it's a different exchange than the e-mail, which is why that most people in consumer groups will say that there is a different standard there. Which is why at the fundamental level, if you have an Internet business -- if you're the Gap and you have a catalogue, a web site, and a store.
Should you disadvantage the Gap in one type of business versus the others if you are buying exactly the sweater and the same transaction is occurring?
That's why it's an important question to answer. I wouldn't at all, like a hundred percent of the people in this room support what he talked about, but that's why it's fundamentally different and those differences are important to highlight.
SENATOR FRIST: Good. Thank you. I think both the allegory, as well as the statements, as well as the policies that we have to go -- and ultimately, either legislate on or not, does show this big difference between online/offline.
And the difficulty we actually have in drawing the line between the two, the ease of access, the storage, the dissemination, easy collection of data. So this discussion actually is very helpful to us as well.
AUDIENCE MEMBER: -- arena, is the idea that there is information being collected about them that creates a profile of them, that is sort of somewhere out there on the web and that people can tell -- maybe not personal information, but characteristic information about them from an aggregated set of information.
Yet, I think that's what happens a lot of time in the offline world, in terms of marketing and other things that go on. And so, you know, I think there is a goal to try and translate the protections that people think have in the offline world, onto the online world. Some might say that we are entitled to additional protections online.
I was wondering how Kevin, Fred, and Jason might be able to respond to the analogy, is what DoubleClick is doing, collecting information like what is already happening in marketing? Or how is it different? We got a little bit into that, but that's my question.
SENATOR FRIST: Let's ask each to respond if they like.
MR. RYAN: It's a great question and I think that right now the levels, the standards that we're using in the online world are much stiffer than the offline world.
If I asked you how to get off a list, any type of list right now in the offline world I think you would have a lot of trouble doing it. And I don't even think you remember seeing an opt out button anywhere in the offline world, for just about any data.
So I think already we are already we're offering a lot more protection, but technology can do that and I think it's very helpful.
SENATOR FRIST: Other comments?
MR. CATE: I think the question actually, really highlights this very important point, which is certainly what's being done online is different to the extent that it is far more effective, there is a lot more data generated, that data is able to be collected and used more easily.
The question is, does that difference make some legal difference? Does that difference matter? And here I think you sort of come back to this question, I warned you these are the words that I was going to keep focusing on.
What is the harm that you are trying to prevent? Is the harm that you are going to get an offer you might be interested in? In which case, I'm not sure that's an interesting issue for the law makers to take up.
Is the harm that you are going to be manipulated into doing something? Then that would come under, sort of, some of the traditional law we've used on subliminal advertising, things like this. Where in fact, there is a level of manipulation. It doesn't focus on the data collection, it focuses on using it in a certain way that violates a law.
So that's what I think you keep coming back to is, what is it that we are worried about here? Maybe there is a place for law there.
MR. CATLETT: Thanks. There is an absolutely key difference between the offline catalogue world and the world of online advertising, which is that profiles can be built using a pseudonym, using a cookie, that may not be attached to any name, but a name can subsequently be attached and that very large profile can then be personally identified and come back to haunt you.
So that's the main difference --
SENATOR FRIST: Let me go to a question here, which really has to do with the harm that Fred mentioned, and the question is, DoubleClick sees privacy protection as being in its business interest because it is such a well known, and publicly -- or maybe probably, accountable company. But shouldn't privacy legislate the bad actors? Those companies with less public accountability? Those that collect information in less obvious ways? And then the whole question of whether or not market forces are sufficient.
Fred.
MR. CATE: Well, I mean, I guess the answer to that is yes. Virtually all law is directed at the bad actors, we don't typically think of sort of trying to regulate just for the people who aren't going to do something that troubles us to start with. More specifically, I think the question is how do you regulate for the bad actors without necessarily imposing the costs on everybody else?
In other words, how do you target what it is that you want stopped without targeting all of the things that were valuable and we want to continue?
And you keep coming back to this, I think you have to be more specific. What is the harm that you're after? If it is just data collection, it's just hard to define that as a harm. It's hard to make that case. What is the actual use of that data that is harmful?
Clearly, there are harmful uses, identity theft is a perfect example. Using data in a way to impersonate another person is a problem and is against the law. I mean it was against the law, and now it has, again, been made against the law by Congress.
So you come back to that, how is it being used? Absolutely, that could be criminalized, it might be useful just to consider real world analogy. Which is, we target all sorts of criminal activity that we don't approve of -- you know, murder or assault. We don't make using public roads against the law because some people may use them to then get some place to commit a murder or an assault. We target the end behavior we want to put an end to.
SENATOR FRIST: Let me just turn as a follow-up to that to Mr. Catlett, another question, again that comes from the audience.
Are you currently working with legislators to craft legislation that adequately addresses the privacy issue?
MR. CATLETT: I'm not. I'm not based in Washington. I would be very happy to help individuals here who would like some advice. My e-mail is Jason@Junkbusters.com.
I highly recommend the Electronic Privacy Information Center who do terrific work in this town on information practices. The kind of information practices legislation that I would recommend to anyone, the Fair Information Practices of the Organization for Economic Cooperation and Development in 1980 and if you want a copy of them just go to Junkbusters.com/fip.html.
SENATOR ROCKEFELLER: At the microphones.
AUDIENCE MEMBER: Mr. Cate, I noticed that in your discussion of Brandeis’ discussion about privacy, you quoted him for the right to be let alone, which is the right of an individual to be let alone. And then I thought you mixed apples and oranges, because then you spoke about how he thought the sunlight was a disinfectant, but that's really on the acts of public men in public office.
The question you just raised a moment ago, I thought, which you were talking about privacy as a right only insofar as that it doesn't harm me. And I think the basic question is, who owns the property or the information that I yield, implicitly, perhaps for a narrow purpose?
And it sounds to me like you're saying that someone who goes onto the Internet who only thinks they are giving it for one narrow purpose, unless he, she or it suffers harm, then it's available for whatever purpose that you want.
And I don't think most people agree with that, I think they only believe that they're only giving information that belongs to them, for a limited purpose and you're suggesting unless they experience some harm, it could be used for whatever purpose you want when you collect it.
Am I correct in my understanding of my position?
MR. CATE: Yeah. Yes. I think you're exactly correct. What I'm stating is more or less exactly what has been, today been the end, the last forty years of the constitutionalization of information law.
That is nobody owns information outright. You can own expression, you can own the way it's put together, but you cannot own the content, our laws do not extend to that. And under the First Amendment you can communicate that in many different ways, including to an unwilling audience, you can distribute it, you can access it, there are all sorts of things that you can do with it. And that we have never historically said, one person can own a fact about themselves.
I'll give, you know, again a real world example. If you walk down the street, you don't get to preserve that as private. You don't get to say that the fact that I walked down the street into this adult bookstore, that's private. If you took my picture you can't do anything with it, but what the Court has consistently said is, no it's not. That is not where the right of privacy resides --
AUDIENCE MEMBER: We are talking about how business is going to handle the information and whether or not people are going to feel comfortable in an economic setting. And I think if they understand it's a Wild West setting, which you suggest as opposed to walking down a public street, that they are giving personal information about their habits. That is something they may not be prepared to compromise.
SENATOR FRIST: Jason.
MR. CATLETT: I would actually like to ask a further question. You said you weren't happy with Orwell Long Distance's scheme, why where is the harm?
MR. CATE: I'll tell you where the harm is, which is one of the things that we know, and you know better than I do. Is if we do not allow any private space for the communication between two parties of private information, we dramatically increase the cost of being citizens in this economy. That means if I want to communicate with my Senator, I can't do it on the phone if I want it to be private. The difference, of course, in the Orwell setting -- you're talking about communication between two parties. The parallel, of course, is e-mail and not web sites, so the question then is can you listen in on e-mail?
The second thing is when Congress enacted the laws that make those conversations private, and I'm glad they did, we had a monopoly phone provider. So you had no market, you couldn't say, as people do today, you know, for free DSL service and a free computer, I'm willing to -- listen in on my e-mail. I don't care.
You know, for two thousand dollars worth of value, I'll trade you that information. I'd be willing to bet you'd get the same thing if you had in a competitive phone market, if you said, "Look, you can have free phone service and we can listen in for certain code words, subject to the limits that you gave."
I bet you there would be people who would take advantage of that.
SENATOR FRIST: Let me go quickly to a question, that is a fundamental question and I guess everybody can answer.
Do any of you believe that the average consumer understands what information is being collected about them today?
MR. CATLETT: Thank you. It's very difficult to tell. We don't know how much information the average marketing has about you. There have been a couple of cases where it has come out. For example, a woman in Ohio got a shocking letter from an incarcerated prisoner or rapist and he seemed to know all about her. He knew about her because of information that he had typed in from surveys that she had responded to, while he was in prison.
During the discovery process it came out just how much information this company had about her. According to The New York Times it was 25 closely-typed printout pages, including 900 pieces of information, down to the kind of hemorrhoid remedy that she used. So that's just from one company and this company has many competitors that have more extensive databases. So the answer is we don't know.
And that's why right of access to the information held about you is very important, both from the individual autonomy point of view and also as a public incentive to companies to avoid excessive data collection.
SENATOR FRIST: Let me just ask in the room, because before -- I'll get too educated on this, the same question. You have to vote yes or no.
The question is do any of you believe that the average consumer understands what information is being collected about them? So do you believe -- raise your hand, do you believe that the average consumer understands what information is being collected about you?
Say yes? All right.
Say no?
(Laughter.)
Okay. I guess we can go on and on about that.
MR. RYAN: But I do think that if you separate online and offline and we work in online and offline, that there is far more information actually offline, that is being collected and being put together than there is online.
MR. CATLETT: Kevin can I follow-up on that?
SENATOR FRIST: Go real quick and we'll go to the microphones, we've got two questions out there.
MR. CATLETT: Your company recently purchased Abacus Direct, which I believe has approximately two billion pieces of transactions, about approximately 88 million individuals, is that approximately correct?
And you have approximately, maybe a hundred million cookies now and about how many pieces of information are associated with each cookie would you have?
MR. RYAN: In anonymous cookies, we deliver billions of ads every day. Some people have opted out, so some people are --
MR. CATLETT: Look at figures about your disk drive supplier, I would guess there is about one megabyte associated with each individual cookie. Would that be approximately correct?
MR. RYAN: I have no idea per person, but there is a tremendous amount of -- number of ads, and for our accounting purposes we track where each ad goes to make sure we can bill someone for it.
Absolutely, there is a tremendous amount of data, but it's not linked to a person's name.
SENATOR FRIST: I get banners, do I have cookies in my computer?
MR. RYAN: Yes. A cookie is used in -- literally, almost every single web site, for content. A cookie is part of your browser.
SENATOR FRIST: Yeah.
MR. RYAN: So it has nothing to do with the sites, but yeah, content, commerce, and advertising all use the cookie.
SENATOR FRIST: And do I, in my computer at home and my computer at the office, do I have your cookies in my computer?
MR. RYAN: Absolutely.
(Laughter.)
SENATOR FRIST: Absolutely.
MR. RYAN: I'm sure you have -- you have a cookie and probably a thousand sites, if you use it a lot, that have access to your cookie file. Unless you've turned it off, which you can.
SENATOR FRIST: Okay. Sorry we've taken so long to get back to the microphones. To the microphones.
AUDIENCE MEMBER: Apparently, Mr. Ryan and Mr. Cate --
SENATOR FRIST: Can I ask one more question? How do I turn it off?
(Laughter.)
SENATOR FRIST: They -- do I have to go to DoubleClick and spend thirty seconds there.
MR. RYAN: No. It's a valid question. There are two different things, one is you can turn your cookie off overall, for everything and that is part of your browser and you just have to go there and look at the instructions and do that.
SENATOR FRIST: How long would it take me to do that?
MR. RYAN: I mean, if you know where you are going it takes about thirty seconds, but it probably will take you a couple minutes to figure out.
SENATOR FRIST: All right.
(Laughter.)
MR. RYAN: No, but anyone. Anyone. It took me a couple of minutes.
SENATOR FRIST: And that turns off anybody who sends me cookies?
MR. RYAN: Yes, you can have it notify you if anyone wants to send you a cookie. And then what we offer, which very few sites offer, is the ability -- let's say you wanted to keep getting cookies, but you didn't want to have a DoubleClick cookie.
What we offer is the ability to just be able to turn off the DoubleClick cookie, which goes across the whole -- any site that we deal with.
And we've encouraged other companies to do the same thing, not everyone has taken us up on this, but I think it's a great thing for anyone who feels uncomfortable. And frankly the people who don't want to get targeted advertising, I think they should turn it off and not get it.
And that takes -- you go to our web site, I guarantee you it will take you ten seconds.
AUDIENCE MEMBER: I have kind of a group dynamic question, going here. Mr. Cate and Mr. Ryan recommend that we veer away from legislation and let the market provide a solution for this privacy issue. And the theory being that opportunities will be created for companies to come in and profit by protecting our privacy if we just allow the market to do it.
And there is -- the other gentleman on the panel, he has a company that does just that, yet, he recommends that we use legislation. So that seems significant. So I'm wondering if you could explain why that is.
MR. RYAN: Well, I'll take a shot at that --
AUDIENCE MEMBER: Well, I would like Mr. Catlett to also, because I'm sure he has a strong opinion on the matter.
MR. CATLETT: You go first Kevin.
SENATOR FRIST: Anybody start.
MR. RYAN: Two things. Fred is actually a hundred percent convinced, in some ways, that there should be no legislation almost ever. I am not quite in that category. I think right now, I don't think for the following reason and it all boils down to there is 150 internet users in this room, and if we asked you what is the harm that has occurred to you specifically in banner advertising, to date, and what would you cite as something that has hurt you in banner advertising?
Not e-mail, banner advertising. And what are we trying to solve there. And I have a feeling, because I have done this many times that -- and in a hundred people, not one person would come up to me and say. "Actually, I've had a problem." I can't find anyone who has had a problem yet.
If there is a problem though, if we are sitting here a year from now and twenty people stand up and say, "You know what this is a big problem." Then I think we should legislate it.
To answer why Jason is more supportive, he has a for-profit company that is positioned in this market, as Fred said, at an opt-in standard and so legislation would raise everything to benefit his company.
SENATOR FRIST: Okay.
MR. CATE: I think in keeping with the panel I should tell you what Jason thinks about this.
(Laughter.)
MR. CATLETT: I came to this question as a technologist with no experience in public policy and I tried -- I've written software to do cookie management, to block banner ads, I've built a web site that tells people how to protect their privacy from telemarketers and all sorts of intrusions and spoken to or e-mailed with thousands of consumers around the country about their practical experiences.
And really, I've come to the conclusion, empirically that laws are essential to protect privacy here. It's nothing doctored in -- I would however like to get back to Kevin and ask him what is your problem with Orwell Long Distance's model.
MR. RYAN: As I've said before, the part of private conversations is just like e-mail and I think common sense is the issue.
MR. CATLETT: Suppose we eliminate the conversations between individual consumers. So we only monitor conversations between bars, pizza parlors, and so forth.
MR. RYAN: You know, what people say in private conversations, I think, when I've talked to people about this, the common sense answer is that that is a private conversation as opposed to a commercial transaction when free information is given to one player and then in return I will see an ad for that information being shared.
So I think it's fundamentally different in that way.
MR. CATLETT: Well, when I call a bar and ask them what time they are closing this evening. There is nothing terribly private under your standards there. Why shouldn't U.S. West be able to sell the information that I go to bars that are open late and use that to target telemarketing calls to me?
MR. RYAN: Well, I think if we narrowly defined it and said that under Fred's case that if you sign up for one service that offers one product, just the DSL or net offers. That when you sign up for that product and understand what that difference is, that maybe people should make it available and they can decide what's more effective.
But I think the personal conversations are a different level and I think they should be treated differently. Just as e-mail protection I think there is just a bigger First Amendment right without me being a scholar on this.
SENATOR FRIST: Let's go to the two microphones and a question.
AUDIENCE MEMBER: Yes, Drew Clark with National Journal’s Tech Daily. I've got a question about my right to opt out for Mr. Ryan and my right to opt in to privacy invasion for Mr. Catlett.
First, for Mr. Ryan. Tell me how -- you spoke about opt out and that's your preferred model, but how does that address the consumer who never hears of or doesn't know of DoubleClick? How on earth can I conceivably opt out of something that I don't know is on my computer?
And for Mr. Catlett. Well, you've asked two follow-ups on why they object to Orwell Long Distance. What do you have to say about what Fred Cate said to you, "Do I have the right to opt in to privacy invasion by subscribing to Orwell Long Distance if I choose to do so?"
MR. CATLETT: Yeah, if I may jump in. I think you should have the right to subscribe to Orwell Long Distance subject to a number of protections.
First, you should have access to the profile that Orwell Long Distance builds up about you. And the deal should be completely specified that the uses that Orwell Long Distance is going to put this to should be spelled out and if they want to change that, then they should have to get your permission again.
So, you know, just a privacy policy subject to change is not acceptable. I'm basically a libertarian. I tend to think if people want to sell both of their kidneys, they should be able to just as long as they know what the deal is.
(Laughter.)
MR. RYAN: On the first question -- on terms of opt out, again two levels based on the level of the information. I think that the extent that a name is involved, the opt out -- in our product idea, what we had required our sites to do, who were going to participate in this -- there has to be an opt out, right as you put in your name.
So it has to be a privacy policy and an opt out right there on the screen. And then it's up to people to read that, and most people do. It's right there. In terms of anonymous behavior that is going to a web site from another, the standard is different, because it's a different level of information.
We have no idea who you are, we don't know your name, we don't know your e-mail address. It's a question of delivering banner advertising and so there at the bottom of every screen you can see that the ad comes from DoubleClick. I would love to have it be DoubleClick right above the ad, but the reality is that the content providers want to put their name up there instead of us.
But I think what we've seen over the last couple of months is that not everybody does know, but a remarkable number of people do know and the reality is that they choose even not to opt out at all.
AUDIENCE MEMBER: If you are going to put the opt out right there, why not just make it opt in? If it's going to be clear --
MR. RYAN: Because the general standard in most direct marketing has been an opt out. And I think we don't want to be in a position to disadvantage the Internet development versus the offline development.
If you look at taxation, the government has chosen to proactively advantage the Internet. Here all I'm saying is that I think it should be at a similar standard that people are comfortable with offline. The reality is that because of the placement and the effectiveness and the time period, it's a hundred times more effective and present for the consumer than it is offline.
So I think that is a major advantage, but still strikes the balance with the web site and its desire to get advertising.
MR. CATLETT: Kevin, could I just quickly dispute that? The standard for e-mail --
MR. RYAN: That would be a first.
(Laughter.)
MR. CATLETT: But the standard for e-mail marketing is opt in and it is not opt out and it's the appropriate one, so I think harking back to the direct mail example doesn't really -- isn't really valid. You can hark back to the phone example.
MR. RYAN: I think we covered the difference before, but the difference was that if I send you a thousand e-mails tomorrow, that is far more intrusive and has a different standard than if you were going to come to my web site and see an ad, and see my free content on that site.
So that's why I think the two are different. One is a thousand things you didn't ask for, the other one is -- I think every consumer understands that they are going to see an ad, it's just a question of which ad. So I think it's more logical --
SENATOR ROCKEFELLER: We're going to go to the microphone, to the table, and then to the other microphone.
AUDIENCE MEMBER: I want to get away from advertising and cookies into another technology that hasn't gotten much attention yet, which I think might start getting a lot of attention.
This so-called DRM, Digital Rights Management technologies. There has been, of course, tremendous concern about piracy of copyright intellectual property, starting with music, gone into video, and now about books, which they are being digitized and being put online.
And the people who want to make sure that the piracy is limited and that content creators and owners are going to companies which provide these technologies, which basically limit use. That you might buy a song and it says you've purchased this song under license.
You can listen to it for six months, if you want to listen to it longer you have to pay again. You can burn one CD-ROM, but you can't make any more copies. You can pass it on to a friend. They can listen to it once and then if they want it they have to pay for it.
And all of these are, of course, tied to compensation which usually involves some identification through the payment system.
So my question particularly to our panelists on this end, have you looked at these and do you think the ability to track what content you're accessing and how many times you're accessing it, is no big deal? Or that it is of significant concern and is something that should be looked at?
MR. CATLETT: Yeah, I'm always delighted when people bring up copyright and rights management in the privacy context, because say the question of use limitation -- limiting the free flow of information are very parallel between copyright and privacy. And it's astonishing how Congress passes the Digital Millennium Copyright Act in 1998 that has the most Draconian penalties.
Million dollar fines, imprisonment against individuals who misuse information and don't respect the restriction on the flow of information set by other parties and who have interest to protect. Whereas, in privacy the poor consumer has got zip and legislation passes.
So when companies tell you that they are deeply concerned with the free flow of information on the Internet, think copyright, there are two standards there. But to return to the question, it is really a tremendously important area that if we have pay-per-use, that gives an opportunity for the copyright holder to monitor the actual use of the data each time it's done.
And they have two legitimate interests there. One is copyright -- extracting the appropriate royalties, preventing fraud and so forth. And another is gaining marketing information from that which can be very valuable and very beneficial; however, the information must be handled fairly.
It must not be a surveillance device in the way that it became for other instances such as, Real Networks for example.
MR. CATE: But it might just be worth a small comment to say that the Digital Millennium Copyright Act did, in fact, contain a privacy provision relating to that information. So, in terms of the specific example, Congress has already legislated the privacy of that information.
SENATOR ROCKEFELLER: Okay. You and then I have a question.
AUDIENCE MEMBER: I'm a little bothered by the Orwellian example just because, two parts. The first part is, doesn't the Electronic Communications Privacy Act already govern and cover the privacy of e-mail communications to a certain extent? So your example of someone trying to listen into an e-mail conversation and use information from it is already illegal, number one.
Number two --
MR. CATLETT: My example was not e-mail. When you type in information through a form to a web site --
AUDIENCE MEMBER: Oh, okay. I -- but the other part was even a communication to a commercial entity. Say you are sending an e-mail to a commercial web site or a commercial company, but I see what you are saying. It is the typing it in.
The second thing is, your example seems more analogous to me to DoubleClick following someone around on a retail street and seeing which store that they walk into.
MR. CATLETT: Well, they do.
AUDIENCE MEMBER: Right, but that's something in the offline world that I could do legally, today. I could go and follow them around, see what store they walk into, copy that information down. Again, I think there is a dichotomy between communications which is covered at least to a certain extent under the law and following someone around which is what DoubleClick could do.
MR. CATLETT: Well, if you want to follow the street shopping analogy you would actually have to have a bar code placed on the shopper's shoulders and you'd have to have bar code readers in every shop and not just one in every shop, at the entrance, but at every shelf. So that if you pick up a can of beans, then that -- the fact that you looked at something there was recorded and then you would have to have that tallied across many, many shops. So the physical analogy to that is truly Orwellian, so I think that's a good analogy.
SENATOR ROCKEFELLER: Let me just ask a question of my own, if that's okay? Sort of philosophical for the panel, because the whole world of the Internet, e-commerce, etc. has come up so relatively suddenly. It's like it's a world unto itself, and therefore we treat it like a world unto itself.
Now if you go back and look at industry, let's just say the manufacturing industry which evolved over a couple hundred years. And we gradually began to become aware that there were some of those industries who were doing some major polluting and then President Nixon in 1972, I think started the EPA. Now, if there -- the analogy that I want to draw is what is the difference between something which is new, dramatic, exciting. Clean by nature, in terms that it doesn't pollute streams, but can there be other consequences from it, but because it's so new and dramatic and exciting and has its own stock market so to speak.
It gets a kind of awesome treatment, which says all right there are a lot of really good players in that industry, but there may be some bad players, but on the other hand if you get around to doing rules and regulations or federal legislation.
You know, let's concentrate on what good it might do for society and the fact that it's world-wide anyway, so what difference will it make. But the fact of the matter is, if people pollute streams that's what you have to have regulations for. Because there are bad actors out there and we understand that in manufacturing.
In the world of start up commerce, which is not of -- in the new economy sense. Eight out of ten businesses that start, particularly small businesses, fail. In the world of the Silicon Valley, nine out of ten that start up fail. So while they are in the process of failing, they are probably trying to find niches and do things, which can be stunningly aggressive -- in this case, for the purpose of this discussion, privacy. And then they may fail or they may not. They may do very well.
So philosophically, what -- why shouldn't the Congress or the government be paying attention to the bad actors on the assumption that if you have eight out of ten people are good actors, but two out of ten are bad? They could do a lot of damage over a period of a few years you can pollute an awful lot of rivers with a relatively few number of bad manufacturers.
Anybody?
MR. CATE: Well, you should. I wouldn't argue against that at all and point of fact, I would say generally we don't think of that in being the first instances of being the responsibility of Congress, but it being first of regulatory agencies. But if you today, make a promise on the web regarding a privacy policy and you do something different, the next thing you find is a letter from the FTC, telling you they'll see you in court.
You know, we've got banks settling for multi-million dollar settlements with state attorney generals. We've got laws, including those recently passed, and those longstanding against identity theft and other forms of fraud. There are all sorts of tremendously bad activities that take place on the Internet that are against the law, should be against the law, those laws should be vigorously enforced. It may be that there is room for more laws. That there may be more types of bad activity than what we've currently got law to deal with. I think that's the place where, again, I'm not arguing against regulation. I'm saying to take a regulation and say, "No data will move," it will be opt in across the board, which is what a number of states have looked at legislation that says this.
The Senate currently has some that would do a similar thing to say that because you want to get at the bad actor, is too broad brush of an approach to get at something that should be gotten at.
MR. RYAN: Again, I think it gets back to just establishing the harm and being clear on the problem we are trying to solve. Again, you know, your credit card number is one issue, your Social Security number is another issue. Advertising services is a third issue and I think if we are hearing pervasive problems from this group here or multiplied by a thousand, based on banner advertising. Then it is something that we should correct, I'm just not hearing it out there.
But I will tell you that my fear is actually your point, I'm not concerned about DoubleClick, but I am concerned from an industry point of view that there could be bad actors out there. But even with that, I would ask you out there -- forget DoubleClick. You've obviously seen banner ads and text links from probably hundreds of players, from all kinds of countries.
And what are the issues that have really hurt individually and where is the harm that we need to correct? That's what -- even there I don't see it yet. If it comes we should correct it.
MR. CATLETT: Could I -- thank you. When we talk about bad actors, I don't think most legitimate businesses should be considered bad actors, you should consider whether the standards of their information practices are acceptable. And as you pointed out, Senator, the Internet causes a tremendous amount of innovation.
Everyone is looking for a niche, everyone is looking for a new edge. And people try out business models that may not seem acceptable to most people.
And I think if you have the kind of nonconsensual surveillance of people through looking at the keywords that they type into search engines, looking at the web sites that they visit, building up this profile over a period of years, running several megabytes. I think most people regard that as unacceptable.
And it's not really a matter of saying these people are bad, it's a matter of setting down a level of acceptable behavior for everyone. And I think your environmental analogy is a very good one. You might consider, say, junk faxes or telemarketing calls at ten p.m., it's not strictly an environment, but it's sort of the personal environment.
It's a kind of pollution. It's a noise pollution, it's an intrusion and so forth. And similarly these very large profiles that are being built up and stockpiled, I think that has an analogy with environmental waste.
SENATOR ROCKEFELLER: Okay. Then one question from the audience and I thank you all for that.
And it was mentioned by our previous speaker, at that microphone, the discussion has so far focused on business to consumer commerce, are there any differences to any respect to b-to-b commerce and then specifically such, should trade secrets and proprietary information be protected as much as personal privacy?
He referred to intellectual property, but he didn't ask that question directly. Should it be protected as much as privacy?
Anybody?
MR. CATE: Let me say, I mean, trade secrets are protected and by far, I think, we would agree than most forms of personal information. But you might remember though, to be a trade secret you have to have something that has been kept secret. That there has been a deliberate effort to keep secret.
This is another issue we come back to with privacy, which is if we say all information about people -- we're going to start with the assumption as private. You have to have opt in consent, that's suddenly picked up everything. Right.
Trade secrets are only those things where you have -- there has been some, it comes almost back to the Fourth Amendment jurisprudence. There is some subjective expectation of privacy and an objective expectation of privacy. You know, this comes back to this harm principle.
That if we simply talk about all information, across the board --
MR. CATLETT: All personal information.
MR. CATE: All personal information across the board, we have got such a broad brush, that where -- if you stop the flow of that. The basis on which all credit is granted in the country, the basis on which all marketing is done. The basis on which the fabric of the economy operates, without being clear about what it is you were trying to get at, you know, what are we using this sledge hammer to get at?
What is the fly we are trying to kill with this? I think that is the crux of the issue.
SENATOR ROCKEFELLER: Okay.
AUDIENCE MEMBER: Thank you. I have a question in terms of the potential political uses of the information. If there is a company that keeps data profiles and so forth and the principals dislike a political candidate that is going to run, or -- and wanted the public to know about their credit card purchases, financial affairs, buying habits, medical history, whatever.
Does the law permit that information to be published into the newspaper or disseminated over other media, and is that appropriate in terms of the free dissemination of information, or does that cause a problem?
I was wondering if you could comment on what the law would provide. Can that information be given out? And what you feel the law to be.
MR. RYAN: Without being a lawyer, in our case, I can refer to us. Information, since we don't have our own web sites, we work with other partners that we've legally, contractually committed that any information that we have, individually cannot be shared.
So as to an individual web site, you would have to ask them as to what their understanding is of their data collection policies. But we absolutely cannot.
MR. CATE: I think we've discussed this issue before and you would think by now I would have an answer to it. What I would say is that absolutely the law should prohibit that type of use. In other words, if you can show the demonstrable harm there focused on the individual, the specific person, that would be an entirely appropriate place.
But, then we back up and remember that for forty years our elected public officials, appointed public officials that the law provides them virtually no protection whatsoever, because the Court has interpreted the First Amendment to say, effectively, that you are fair game for anything.
Now if we are willing to say, you know, that was okay in the newspaper context, but no longer. You know, we're going to write different rules in this context that's a choice that the Congress might make. And whether the Court would uphold is anybody's guess, but let's be clear. It would be a big divergence from what went before. It would be a big change from what was in before.
When we're talking about the political figure, if we're talking about the wholly private person, though, and now suddenly you want to use that to focus on that specific person, that strikes me as very likely to show a demonstrable harm and the sort of thing that Congress should regulate.
AUDIENCE MEMBER: And how would you suggest Congress address that?
MR. CATLETT: I would just like to remind everyone about the Video Privacy Protection Act of 1988, which was prompted by Judge Bork's having his video rental titles pored over by a journalist. And Congress acted with startling speed to a very perceptible harm there.
Unfortunately, it does not apply to movies, I would think to movies watched over streaming video through some sort of broadband internet connection and I think it's an example how Congress really needs to revisit and other statutes in response to new technologies.
AUDIENCE MEMBER: A comment and then a question. The comment is, fuzzy TV is free. Good TV from a cable is not at all free, and I can show you my bill -- let me put it in a scenario, and it's mostly for you Kevin, any react --
If a person were -- let's not. I was going to say if a person -- say if they opt out of all of the ads or you've tracked their habits and they click off ads and they never buy anything from those ads, is there a possibility in the future if you are tracking all of that information, that advertisers will start denying those kinds of people certain services. Total web sites, or music, or other ads.
MR. RYAN: You know, I don't think so. I'm not sure how you do it or why you do it. I think you would be showing -- part of the value when you show ads is you're showing a Coca Cola banner and who knows if those people drink Coke or not. But it's worth some value there and if you take it out and don't show an ad or something, there's just a blank spot there.
So I think that's a small percentage of the audience that doesn't buy anything, and the purpose of advertising is to get recall numbers in there. So you just think of Coke instead of Pepsi, or something like -- so I don't think so.
MR. CATLETT: Could I refer the question to Business Week, about two weeks ago with the cover story on web lining, which is basically the practice of red lining or selective targeting. And I think it does raise interesting questions of individual autonomy and equity in consumers.
MR. RYAN: Although those questions are by no means limited to the web, I mean that is the current case. I mean if you go down to your retailer and you buy a lot of activities the early announcements, the coupons that you get in the mail will be different than if you don't go down or if you don't allow them to collect your information when you do.
Frequent traveler programs, I mean you think of a hundred examples where we make opportunities available to people on a differential basis, based on how much they take advantage of those opportunities.
SENATOR ROCKEFELLER: Okay, we've got two more questions, your one and then I have one more here.
AUDIENCE MEMBER: Okay. One quick before my question. It may be legal for marketing specialists to walk behind any given consumer with a note pad and take notes as to what they buy and where they go, but if we started getting thousands of constituent letters complaining about people walking behind them all of the time with notepads, I'm sure it would be illegal in a hurry.
And my question has to do with the disclosure when we passed the banking bill, that was seen to be the privacy panacea, that while disclosure isn't necessarily everything that we would want it to be or isn't a perfect solution for privacy, it seemed that everyone agreed as a minimum for privacy that there be disclosure. And in this case what if there was a disclosure for anytime that information was being gathered, aka this cookie is brought to you by DoubleClick.
Something along those lines, I guess my question for Mr. Ryan is, would that be possible -- I mean would that, and then for Mr. Catlett, is it technologically possible to do that and would this provide us any level of benefits for privacy protection?
MR. RYAN: And you absolutely, right now, have that ability you could just go to your browser and ask to be alerted whenever every cookie comes. What is most interesting about that, is that if -- for people who do that and are alerted to every single one, almost everyone turns it off, because at the end of the day -- we did a focus group of consumers and we found that people who are knowledgeable web users were far less concerned about privacy, because they understood the implications very well.
People who are most concerned are the ones who are just starting to use the internet and don't know how it works yet, and are worried about it. People who get to know it are feeling much better about it.
AUDIENCE MEMBER: Actually, if I could clarify, I probably wasn't clear, I meant more of the people who put the cookies on your computer, if they were required to disclose when they are putting the cookie on, and who they are, so you can backtrack and be able to opt out, because if you don't know who's putting the cookie on there is no way for you to opt out.
MR. RYAN: That is more of a browser question, but that actually does notify you when -- if you go to a web site and there's going to be a cookie, if you go to Yahoo, it will notify you that Yahoo is trying to provide a cookie, or DoubleClick or anyone. So that absolutely -- you can do that right now.
MR. CATLETT: First, I'd just like to refer Kevin's statement that privacy concerns diminish over time with Internet experience. Forrester Research, Jay could you raise your hand. Jay is from Forrester and they produced an excellent survey that showed that concerns about privacy do not diminish significantly over time.
Secondly, to come back to the basic question, does disclosure solve the problem?
Plainly not. Orwell Long Distance is being extremely up front about what their monitoring of your telephone calls, there's full notice there, but it's not going to solve the problem.
SENATOR ROCKEFELLER: Now, before this last question remember that you have evaluation forms and those are incredibly important to us. You think that we don't mean it but we do. It affects what we do, it affects -- you know, we want you to come back and all of your friends to come back.
The last question is this, and it refers to what Jason just referred to, and that is the Business Week article on internet privacy policy. And it says that they argue in that magazine that an opt in system is the best, overall -- in the best overall interest of the Internet industry. And I would welcome comments from the panel.
MR. CATE: Well, first of all, that is not what Business Week argued. Business Week argued that opt out was the preferred solution and that opt in should be used in specific situations. The other thing that you might note about the Business Week story, is that if you turn about forty pages on, you get to another article, in the same issue talking about too little information in the market. It's hurting consumers when they --
(End of Tape 1, Side B.)
(Beginning of Tape 2, Side A.)
MR. CATLETT: -- limits the use to the specified purpose and when the industry was presented with the possibility of such legislation, in the late '60s, early '70s, they recoiled with horror and claimed that this would destroy their business, in fact, the credit card business has gone on to flourish, I think in large part because of the protections provided by the Fair Credit Reporting Act.
MR. RYAN: I think we'll see over time how this balance weighs out. As you can tell, I think that over time if people are not comfortable -- if we are here a year from now, or two years from now, and we're not seeing the progress that we have seen on credit card transactions on the Internet. Then I think we should revisit it.
Or if in fact we see consistent bad actors and everyone in this room feels uncomfortable, then I think we should revisit it. And it could at that point, improve the industry. I just would be nervous doing it now in such a fast growing industry without the clear indication of harm, but I think it is something to absolutely watch and that's why you're holding these sessions and it's very helpful.
SENATOR ROCKEFELLER: Which takes us back to the opening statement that 92 percent expressed dissatisfaction, but are evidently still using the service, so we shall see.
Thank you. You have been terrific and thank the panelists.
(Whereupon, the Forum concluded.)