UNITED STATES OF AMERICA
DEPARTMENT OF COMMERCE
AND
FEDERAL TRADE COMMISSION

- - -

PUBLIC WORKSHOP ON ONLINE PROFILING

- - -

Auditorium
Department of Commerce Building
1401 Constitution Ave., N.W.
Washington, D.C.

Monday, November 8, 1999

AFTERNOON SESSION
(2:45 p.m.)

SESSION III: THE ROLE OF SELF-REGULATION

MS. BURR: We're going to get started with our afternoon panel. We've heard a lot this morning and we're now going to turn to the question of what the role of self-regulation is. We're going to have two presentations before we call the panel up this morning. To start with, we're going to have Austin Hill from Zero-Knowledge Systems give us a presentation. Is Austin here? Great.

(Applause.)

REMARKS OF AUSTIN HILL, PRESIDENT, ZERO-KNOWLEDGE SYSTEMS, INC.

MR. HILL: Thank you. As mentioned, my name is Austin Hill. I think most everyone was at the last panel. Zero-Knowledge Systems is about consumer privacy online, giving consumers a choice to understand how their data is being used. The idea is not that we don't know anything, just very little, about our customers. That's the goal behind the company.

I want to talk about a couple of different things very briefly and do a demo of our upcoming software that's being released in December called "Freedom."

When we were designing Freedom, the idea was to come up with a couple different solutions to the problem of privacy on the Internet. One of the big things with Internet privacy is the idea that the actual infrastructure, the underlying TCP/IP protocol, this is something that was designed 25 years ago and kind of got out of the lab. It wasn't something that people said, we're going to put medical records online, we're going to do commerce and shopping. Everything after that has just been layered on top.

We employ a bunch of really bright cryptographers who look at how do we design networks so that the network privacy is built into the infrastructure, so it's not something that afterwards you try and layer on top of, but you can actually build it into the protocols.

So one of the key parts of this is something we call the Freedom Network. Now, the Freedom Network builds on the idea of separating out information about a user from where they're going online. Just because you're using a public network doesn't mean you want everyone in the public to know what you're doing.

So one of the things we do is, a consumer goes to browse the Net, if they have our Freedom software installed we relay all their packets with different layers of encryption through a series of servers around the world. What this ends up doing is making sure that no one, not even Zero-Knowledge, knows the identity of the customer as they go online.

That's the start. That's the infrastructure. So this is an example of how a packet would transfer or be formatted. There are multiple layers of encryption, and as the packet leaves the computer we have wrapped it with a different layer of encryption for each one of the servers.

So it leaves the client's PC and it goes to one of the first servers. That first server only knows the identity of the client PC. It then sends it on to another server. That server then passes it on to the final server, which would connect to the end web site.

So now the client is browsing and he appears to be coming from the final server. So there's no linkage to the client's actual IP.
This becomes real important as we look at things like static IP addresses, IP Version 6 that has unique identifiers, because it allows the user to separate out the identity at an infrastructure and a technical layer so that the network itself doesn't reveal or compromise our identity, the same way walking around on the street does not compromise our identity. We may choose when we walk into an establishment to identify ourselves with a loyalty card or a credit card if we want to pay that way, but simply by walking down the street we're not giving up any privacy.

So the goal of the Freedom Network is to establish that first basis. Then on top of that we talk about separating out identity and building an identity management system. Now, the goal behind our identity management system is something we refer to as "Nyms," "Pseudonyms." Now, the goal behind Pseudonyms is to be able to establish online personas that are separate and unique from your real identity.

The idea that we're going to establish in the future a single identity system that acts as a national passport is very against privacy. But at the same time, for transactions like commerce, applying for health information online, insurance applications, we need better forms of identity. We need a way that we can certify who we're talking to.

A lot of those situations, it's a true identity certification. For instance, we're not going to ask our doctor for X-ray information under our handle "Looking for a Date at Hoffman's." You want a true identity if you're going to be asking for health care information. But a lot of uses, let's say for instance talking about health care concerns or you're taking part in a support group online, you don't want it associated with an insurance application. You don't want it associated with all your activities.

So Zero-Knowledge promotes the idea of being able to separate out your identity so that you have a unique identity for each one of your online activities. Now, Zero-Knowledge does that by establishing these Pseudonyms, and I'll give you a quick example of how these Pseudonyms work.

(Screen.)

I just have a web page. I think that's Richard Smith's work.

(Pause.)

We're waiting for the demo. There we go. Okay, so this is Freedom. You'll see that it's sitting in a toolbar just beside my browser. I have the ability with a pulldown menu to select one of my identities. Each of my identities is completely unique. It has its own e-mail address, its own cookie file. It is completely separated from any of my other identities, the goal being I can create an ID, "Cancer Support at Freedom.net," and that's separate from anything I do with e-commerce, and I know that my activities cannot be profiled across ID's.

Part of how we do that is we maintain and separate out information. This is an identity called "Half-Finger," so you have an icon representing it. So there is the e-mail address. You can define your security settings for how much encryption you want, so you can trade off speed versus performance.

We can also look in the cookie folder, and if you look into the cookie folders with this Pseudonym you can see all the cookies and you can selectively block per site or you can block all cookies. So under one of my identities where I have a higher concern for privacy, let's say health care activities, I might choose to block all cookies, where under another one of my identities I might choose to only block cookies from ad-serving networks, but accept a cookie from Yahoo.

So it allows the user to selectively choose which cookie they want to receive.
At the same time, if we go into another one, another identity, and we look at the cookies, the cookies are completely separate for that different identity. So what we're allowing users to do is gain the benefits of technologies like cookies, digital certificates -- each identity has a digital certificate and can authenticate itself -- but not have to compromise their true identity, which is a really important innovation, because the idea on the Internet is not for everyone to be anonymous.

Total anonymity fights back against community. We want to establish relationships. We want people to know who we are. We want to maintain loyalty with a brand. If we're buying or frequenting the same establishment over a long period of time, that organization might want to give us discounts, loyalty reward programs. But by using a pseudonym-based relationship that is separate from your true identity, it stops the abuse of that site exchanging your data with another, because every partner and every person you interact with you can manage your identity set, so you don't have to compromise more than you are planning to.

MR. MEDINE: Thanks very much, Austin, for an example of how the technology can address some of the concerns that we've heard about throughout the day.

I want to turn now to Jerry Cerasale from the Direct Marketing Association. Jerry's certainly a veteran of the FTC and Commerce Department workshops. He's the Senior Vice President for Government Affairs of the Direct Marketing Association, which seeks to raise the bar for privacy practices by assuring that its members adhere to certain privacy practices. Jerry.

REMARKS OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION

MR. CERASALE: Thank you very much, David.

I'm in the process here of just setting up my computer.
Let me talk to you very briefly before I show you this very simple, this very simple demonstration. One, why DMA has placed this? As you can see, I'm not technologically literate here, so this is going to be a very non-technical operation.

What's coming up is a panel on self-regulation and the DMA is very much a proponent of self-regulation. In July we required a privacy promise to be a member of the DMA and any member of DMA in any form, any medium that collects information, personally identifiable information, and transfers it to third parties must let the consumer know and must give them opportunity to opt out.

I think that's the situation as we look at what we're talking about here today, is ad servers, and we don't think it's very different for them, either, in a situation where you go to a web site and then turn onto, click onto a banner ad. You're really in a situation where there are three parties at play. There is the web site that you're visiting, probably the publisher.

I don't know if this is going to work here.

(Screen.)

Yes, it does.

The web site that you're on is the publisher and you have the advertisement, the advertiser whose ad you click on, and then you have an ad server that's between that. Clearly, you know the web site you're on and they would have a privacy policy. You know the advertiser you clicked to and hopefully they have a privacy policy.

But it's likely that you don't have the foggiest idea who the ad server is. So we took a look at that and said, how do we get notice and choice, which is the key to the DMA's privacy promise? We believe the place to give notice in the first instance falls on the publisher, the web site that you originally go to.
They already have the obligation, if they're DMA members, or they should have the obligation if they collect personally identifiable information themselves and give it to third parties, including the ad server; they must disclose it and give you an opportunity to opt out.

We think that they should also disclose to you whether or not they have any relationship with a third party ad server and to let you know that the third party ad server may be independently collecting information on them, and to give you a hot link to the privacy policy of their contractual third party ad server.

From the ad server's point of view, we think that they have the obligations that any DMA member would have, that they provide notice to the types of information they collect, what they do with the information, and if their navigational data is to be used in an identifiable manner by the ad server that should be disclosed. And there should be an opportunity of choice for the consumer.

It's that simple: Let the consumers know and give them a choice. The point of view here is what's different with this situation is when do you give them notice and who should give them notice, because you don't have a relationship between the consumer and the third party ad server. So that's the real important thing that we're trying to push here.

The DMA in 1997, in trying to help people put privacy policies on their own web site, created a privacy policy generator at our web site. You just answer a few questions and it will print out what your privacy policy is. Well, 1997 is a long time back in Internet time, so we've decided it needed to be updated, and ad servers is clearly one of the areas where we want to update.

So we've added a few things to it: whether or not you use cookies and things on ad servers; if you decide to change your policy on how you're going to use information; access and correction; and security and some form of reinforcement -- of enforcement, excuse me.

What I'd like to do is take you, if this thing will move me there, to the DMA privacy policy generator that is on our web site.

(Screen.)

This is it. These actual forms will not be up. The web site is up, but item number 4 -- excuse me -- item number 5 will not be up until later this week, whether or not you collect cookies. We didn't have anything on it before in 1997. We think it is important to let people know whether or not you place a cookie, not collect cookies, excuse me; and if you do place a cookie, what use you put it to.

So you can see the checklist. I don't know if you can read it. You just click on "Yes, I collect cookies" -- "I set cookies," or "No, I don't," and then what uses you put it to. Then there's an "Other" policy there where you can add it in. So we would hope everyone would answer that.

Then we go down to these other privacy policy statements here, like name, address, e-mail addresses, phone numbers, etcetera. Those were all on our 1997 web site. We've added this other one, "Ad servers," whether or not you partner with someone, and if you do to make a statement that in fact you do partner and that they may collect information on you.

I've typed in, not to dump on any company, "www.jerry.com" in order to show you in a later slide what the privacy policy said. But that would be there, and we'll try and make a hot link with that.

We also added item number 12, which has to do with dual uses.
I think that was something that came up in the panel this morning, that we suddenly have a privacy policy, I've seen it and I've given some information out, and you decide to change that privacy policy. You decide to change the uses, how you're going to let people know, etcetera, and this is a series of questions telling you what you will do and how to notify the web site.

Another question that constantly comes up is access, whether or not you allow access, what information you can see. You can see down at the bottom the last click there is "No information that we have collected and that we maintain about them," so that you do have the negative option, you do not allow access. But these are things that you can check off, and it's not one or the other; it's all that apply, in the hope that we can make it easy for not just larger companies, but all companies who have a web site, to go someplace, answer a few questions, get a privacy policy that's fairly comprehensive about what they do, and give it to their attorneys to switch things around, but then can quickly get it up on their web site so that we can get information to customers and consumers so they know what's happening and have some choices, because we want e-commerce to continually grow, and the only way it's going to grow is if there's consumer confidence and consumer confidence comes from knowing what the web site is doing with information.

Besides, if you sell something you've got to deliver the product and it has to have good quality. But really, the idea is we want people to go searching on the web and taking a look at our privacy policies.

Finally, we put out what kind of security we have on the web site. We have some additional questions in there about financial and medical information that you can see, and you'll be able to go to that web site and take a look at it if you'd like.

Then on enforcement, if you have a complaint where do you go. We put the DMA on there. We added the FTC. I didn't put David Medine's phone number on there, just a general phone number. I was tempted to put David's on there, but we didn't do that. You're quite welcome.

So that's pretty much where it is. As you can see, way down at the bottom you can generate this web page in HTML, you can e-mail it, you can make it in hard copy, and so forth. We do ask people to e-mail a copy to the DMA so we know how many people use it. I'm not sure how many people do that for us, but we do get a few of those and know people have done it.

That's pretty much what we have done to try and make it so that customers have an opportunity to know if information is being collected, to have an opportunity to say, no, don't do it. And hopefully, with this understanding we can make the web experience rewarding, that people will not be afraid to go surfing on the web, that they will not be afraid of data that's not personally identifiable, that helps them enjoy and get to places without re-registering, don't see repeat ads, etcetera, and not be afraid of it.

Thank you very much for your time and thank you, David, for having me.

(Applause.)

MR. MEDINE: Thank you, Jerry. These were all helpful pieces of how companies and trade associations are responding to some of the concerns we've heard throughout the day.

We'd like to now invite up the panelists for the third panel.

MS. BURR: Just to keep you on your toes and so that you don't get used to the usual format here we're actually going to ask the panelists to introduce themselves, and we'll start way over on the end with Dan and just go around.

MR. JAYE: Yes, I'm Daniel Jaye, Chief Technology Officer and co-founder, Engage Technologies.

MS. WANG: I'm Elizabeth Wang. I'm General Counsel of DoubleClick.

MS. OAKES: I'm Lynn Chitow Oakes, Chief Operating Officer for Flycast.

MR. ZINMAN: I'm Dave Zinman, VP of Marketing and founder of AdKnowledge.

MR. HILL: I am Austin Hill. I still have Zero-Knowledge.

MS. BRUENING: I'm Paula Bruening. I'm the Director of Compliance and Policy for TRUSTe.

MR. CERASALE: Jerry Cerasale, Senior Vice President, Government Affairs, with Direct Marketing Association.

MR. ROBERT SMITH: Robert Ellis Smith, Publisher of Privacy Journal.

MR. CATE: Fred Cate. Because I was confused, they invited me back.

MR. HENDRICKS: Evan Hendricks, Editor and Publisher of Privacy Times.

MR. KAMP: John Kamp, Senior Vice President, the American Association of Advertising Agencies.

MR. LUCAS: Steve Lucas, Senior Vice President from Industry and Government Relations, PrivaSeek.

MR. LORDAN: Tim Lordan with the Online Privacy Alliance.

MR. SHEN: Andrew Shen, Policy Analyst, Electronic Privacy Information Center.

MS. BURR: I don't know if it's intentional or not, but we seem to have segregated the tables here. So I'm going to turn to the table on my right.

We've heard a lot of very interesting things today about this technology, about its benefits, about the concerns that it raises with Internet users. The topic of our panel this afternoon is how self-regulation can help in this area.

So I'd like to talk to the companies and ask, what do you think?

MR. JAYE: Thank you. On behalf of my colleagues in the Internet network advertising business, I'd like to thank the Federal Trade Commission and the Department of Commerce for the opportunity to participate in today's workshop.

(Slide.)

Earlier this year, a group of companies in the Internet advertising business began talking with government officials about issues surrounding advertising on the Internet.
They included 24/7 Media, AdKnowledge, AdSmart, AdForce, DoubleClick, Engage, Flycast, MatchLogic, NetGravity, and RealMedia.

The first thing to know about our companies is that they are not mysterious entities taking profiling technologies to dizzying levels which threaten consumer privacy, nor are they gathering data in a deliberately secretive way. Our companies are among the leading providers of advertising solutions to web publishers and advertisers, and the services we offer have substantial economic benefits for both consumers and companies.

According to Dr. Westin's most recent survey, we are providing services that most consumers want to receive using technology adapted to the Internet. For example, most smaller and medium sized web sites use our services or similar services, and it's very important to preserve the ability to deliver effective services via third party ad servers to allow these medium and smaller sites a chance against the larger portals and the larger, more established sites.

The goal of the group was to explore ways in which we could collectively address the types of consumer concerns and perceptions about profiling that we have heard this morning. Although our companies do not deal directly with consumers on the Internet, we believe we can play an important role in increasing consumer confidence and contributing to the growth of electronic commerce.

To that end, we in the industry are announcing the launch of the Network Advertising Initiative, NAI. Our goal is to develop a framework for self-regulation of our industry. We believe our industry is distinctive because we have no easy way to communicate directly with consumers. Our business is not to make our own web sites known to consumers. Our business is to make our customers' web sites more useful to consumers.

To do that, we provide a wide range of advertising solutions to consumer-oriented web sites, to support their development and growth.

Elizabeth Wang will talk in more detail about what we have been working on.

MS. WANG: Thank you, Dan.

As many of the commenters today have pointed out, there are significant benefits to Internet advertising for consumers and the industry. For consumers and web sites, it is the reason why content on the web is available for free or for nominal cost. For advertisers, Internet advertising takes advantage of a medium uniquely suited to delivering the right message to the right consumer at the right time.

Our companies use technology to help advertisers deliver tailored messages to consumers. In fact, every consumer who uses the Internet has likely seen the banners and other advertising our companies deliver.

As Dan Jaye and Martin Smith discussed this morning, the NAI companies collect information in order to make decisions on which ads to send to whom. Some NAI companies create profiles about consumers in order to tailor that message. As Dr. Westin's survey demonstrates, most consumers want a more relevant message and are willing to accept profiling, but they also want to be given notice about the information that is collected and used and a choice not to participate in some uses of the collected information.

Our companies understand consumer concerns. As Lynn and David will explain, our companies are fully committed to the principles of notice and choice for consumers.

Today we are announcing the key tenets of the Network Advertising Initiative:

First, each NAI company will continue to provide consumers with a clear explanation of the information it collects, how that information is used, and the benefit to consumers of such use.

Second, for consumers who choose not to receive tailored messages, each NAI company either currently provides or will soon provide an easy to use method to opt out from such tailoring.

Third, our companies are committed to consumer outreach and education to let consumers know about our companies and the role we play in delivery of tailored messages over the Internet. In other words, we have heard consumers' concerns and we are committed to addressing them.

Now I'll turn the microphone over to Lynn Chitow Oakes from Flycast, who will explain more about our commitment to notice and choice.

MS. OAKES: Thanks, Elizabeth.

NAI companies are committed to providing consumers with notice and choice about Internet advertising. We believe that adherence to fair information practices and data management that we are going to describe today are in accordance with the consumer expectations and desires as outlined in Dr. Westin's survey and in our own business experiences.

We believe that education is the key to developing consumer confidence on the Internet, and for that reason our companies are committed to educating our business customers about the data collection and use issues associated with Internet advertising. This includes the benefits of both the responsible flow of information and fair information practices.

We are also committed to educating consumers about data collection and use issues associated with Internet advertising. As Dr. Westin's survey clearly indicated, most consumers are willing to share information, even personal information, with companies like ours if they are provided with notice and choice.

As a first step toward meeting consumer expectations, NAI companies will be establishing an informational web site located at www.networkadvertising.work, as pictured on the screen behind me.
This web site has been developed to provide consumer awareness about our industry and provide an easily accessible and convenient place for consumers to exercise choice regarding the use of their data.

Our companies also adhere to the fair information practices developed by the Online Privacy Alliance and other organizations interested in privacy. To that end, all the Internet advertising sites owned or controlled by one of our companies will disclose their data collection and use practices on their web sites in a clear, concise, and conspicuous manner and in language that consumers can understand.

These disclosures will include the following: what data are collected and what data are not collected; how the data are used, including whether they will be combined with personally identifiable data from any other source; what other data are collected and how they are used, including the use of data for ad management; and lastly, what opt-out procedures are available for consumers who decline to have data used to create a profile.

In addition, our companies will at a minimum request that their customers, whether they are publishers, e-commerce sites, or networks, disclose their own data collection and use practices, including posting a link to either the NAI companies' web sites or the NAI gateway educational web site. We will also ask them to post a privacy policy that is consistent with fair information practices.

I'd like now to turn this over to David Zinman at AdKnowledge, who will talk to you about data collection and use.

MR. ZINMAN: Thanks, Lynn. It's definitely a pleasure to be here. I appreciate the time.

First actually, I'm going to address the commitments our companies are making with personally identifiable information that's collected. I want to be clear that not all of our companies currently collect personally identifiable information.
However, all of us have agreed to abide by these principles.

Second, I'm going to discuss the commitments NAI companies are making regarding the collection and use of ad management and reporting data which is non-personally identifiable. This is important because the ability to collect information about consumers in a non-personally identifiable way is unique to the Internet.

Here's the commitment NAI companies are making for personally identifiable data:

First, our companies that collect this data will notify consumers about the collection and use of their data. At a minimum, we will let consumers opt out of unrelated or secondary uses at the time this data is collected.

Second, if that data is linked to other personally identifiable information, our companies will give consumers the opportunity to opt out.

Third, in accordance with fair information practices, NAI companies that collect personally identifiable information will make reasonable efforts to provide timely and appropriate access to that information under policies that each of us will post on our web sites.

As has been discussed, our companies are able to collect information from browsers that's not personally identifiable. We call this data ad management and reporting data. It can include type of browser, type of operating system, IP address, date and time of visit, and ad viewed. This kind of data is used by our companies to transmit, to sequence, and to report on ads shown to customers.

Let me emphasize again, this data is associated with a browser which is not personally identifiable. The commitment our companies are making today is to provide consumers with the ability to opt out of the use of this data for profiling and thus opt out of the services associated with profiling.

However, consumers will not be able to opt out of the transmission of this data for basic ad management and statistical reporting purposes. These data are necessary to deliver the ads and provide advertisers with information about how many users saw the campaign. So for example, today it would be almost impossible to sell advertising space without being able to tell the advertiser how many users will see their ads.

Our companies will post notice to consumers about our data collection and use practices on our web sites. We will also give consumers an opportunity to opt out of the use of this data for profiling purposes. Consumers can opt out by going to a designated location on each of our companies' web sites or through a gateway educational site we described earlier, and it's displayed here.

As a way of informing consumers about their choices, we will ask all of our customers and participating web sites to link to our individual sites or the gateway educational site.

So with that description, I'd like to turn it back over to Dan to sum up.

MR. JAYE: Thank you.

We believe that the principles we are developing will ensure the continued growth of consumer confidence in the marketplace. However, there is one more element necessary. Although we know that we will follow these industry principles, we want consumers to be assured as well.

For this reason, our companies are committed to not only complying with these principles, but also to join or retain a third party organization that provides periodic audits of compliance with our privacy policy. This includes organizations such as TRUSTe, BBBOnline, WebTrust, as well as nationally recognized accounting firms that provide such services.

Watch our web site in the coming months. You will see information about our companies, what we do, how we do it, and how consumers can exercise choice.
We will pursue activities to promote consumer confidence and trust.

We believe the measures we are implementing are the foundation of a self-regulatory framework for our industry that will protect privacy while allowing the effective advertising that makes the web free. We look forward to working with our colleagues across the industry to fulfil the commitments we have made today.

Thank you.

MS. BURR: Thank you very much. I'd like to turn to the rest of the panel to solicit questions about what we have just heard. And let me remind the audience that we do have question forms and that people will be going, picking them up and delivering them up to us.

Andrew.

MR. SHEN: I think it's fair to say everyone in this auditorium believes that consumers should have the right to control their information. However, I think there is really a distinction to be seen between what the companies are providing in terms of control and what consumers want.

Fair information practices have four different --

VOICE: A little louder, please. Speak into the mike.

MR. SHEN: Sorry. Is this loud enough?

MS. BURR: It's working. Just bring it closer.

MR. SHEN: Fair information practices consist of four different elements: notice, which is providing information to the consumer about how the information is being collected and how it's going to be used; consent, which means that the person gives affirmative permission for the companies to use that information; access, so the consumer has access to the information that's being collected on them, what is contained in the profile; and security, so that information is not distributed to other third parties.

The self-regulatory proposal done by the NAI does not meet all those requirements.
Online advertising is something that happens without the knowledge of most consumers, so the opt-out option is not really a good way to approach the problem because most consumers don't know that this is occurring at all.

MR. JAYE: We believe that it's very important for us to address those consumer confidence issues. That's one of the reasons why we have stepped forward and said that we would like to provide choice to consumers even for non-personally identifiable information. Fair information practices literally to this date have generally been interpreted to apply to personal data, personally identifiable information.

We have taken a step forward and understood the sensitivity of the information and said that we are committed to providing an opt-out for the innocuous information that we use for non-personally identifiable profiling.

MR. MEDINE: I think it might be helpful to clarify what your intentions are with regard to the opt-out for non-personally identifiable information. I don't think it's immediately clear how it could be used for some forms of ad management but not for profiling. Could you maybe explain in a little more detail exactly what information is going to be captured through the use of the cookies and how it will or won't be used?

MR. JAYE: Certainly. One example that we talk about in terms of profiling is the use of a cookie to manage an identifier that then could be used to build a profile for that web site visitor. That type of information, we can provide an opt-out and some companies around the table have already done that by allowing that cookie to be set to an arbitrary value like opt-out that would be a signal to a web site to remember that this browser is one of a number of browsers that are not to be tracked.
However, it is also possible to have other cookies on the computer that are being used for application management or other purposes. The most prototypical example would be for counting unique visitors, being able to correlate an ad click with the ad that was displayed, being able to try to avoid duplication of ad displays. In other words, avoiding repetition of the same ad over and over again.

These uses are not targeting per se, but they are important to the operation of the ad industry. And once again, this is an industry that is extremely important to nascent and entrepreneurial web sites, as well as many medium and in fact very large web sites that don't have the infrastructure or manpower to staff these services internally.

MR. ZINMAN: I just want to follow up and say that one of the reasons that we're taking this significant step is because fundamentally we have a different relationship with the consumer than a web site, where a person sees it. Most consumers don't know we exist, so we need to go the extra mile to allow the consumer to have complete choice, even if it's only of information that isn't personally identifiable.

So related to your question, your question related to personally identifiable information, which there's no question that you have to be -- every company needs to adhere to fair information practices, but on information that's not even personally identifiable we're willing to go the step to give the consumers the choice as to whether we retain that information.

MR. MEDINE: So I understand, the limits are that you would know which ad I have seen so it's not delivered to me again, but you wouldn't know anything about me in order to decide which ad I should receive if I have opted out?

MS. OAKES: Absolutely.

MR. JAYE: That is what is provided in our initial step of the principles.

MR. MEDINE: Another question in assessing any self-regulatory system, one issue is how broad is it, how much of the industry does it cover? I know you're all fierce competitors, but I suspect not all the competitors are in the room today. Give me a sense of what percentage of the industry the people who are part of the NAI constitute?

MS. OAKES: The majority of folks that are in the third party ad surveying are at the table. There are ten companies involved that represent, an estimate that we put together today, actually about 85 percent of ads served on the Internet today.

MR. ZINMAN: It is very difficult to determine that, but if you look at just the companies that are involved with doing just the infrastructure work of delivering advertising, the vast majority of those ads that are served are served by companies that are part of this group. And I'd suspect that if there are a few remaining companies that contribute significantly to this, that they're going to be interested in joining this as well.

MR. HILL: First of all, I want to commend the Network Advertising Initiative. I certainly think that any attempt to make the process more transparent to users and get users involved should be commended. I don't think that there is one solution that fits all. Technology can't solve the problem in and of itself. I don't think regulation can solve the problem in and of itself. At the same time, industry efforts like this I think do a lot of good.

I have a couple of specific questions. I'm just going to lay them out, let you guys individually take it. You talked about how fair information practices, the difference between this and traditional fair information practices that Andrew touched on, is because it is not personally identifiable information, where there is opt-out versus opt-in.
The question I would have is, for the cases where members of your group do adopt personally identifiable information, would the group be requiring them to adopt an opt-in for that purpose that go the extra step?

The next question I would have is, being that I think this group represents the good players in the industry, the players who are trying to make an initiative to protect consumers, how would this group feel about some sort of legal framework for redress and accountability for bad players, so that in situations where people aren't adhering there is a legal framework to hold that person accountable?

MS. WANG: Actually, in addressing your question, Austin, I want to characterize something, the way you characterized fair information practices. The principles are notice, choice, security, and access. Choice is not opt-in. Choice is really, it can include opt-out, and in the United States it's always been opt-out, hardly ever opt-in, except in very sensitive situations like medical, financial, kids.

So that's actually -- so in fact there's a very key thing in our principles today and that is we are following the fair information practices principles. We're not expanding them. We're not extending them. We're not saying that opt-in is the right answer for personally identifiable information. In fact, we believe opt-out with clear notice and an effective opt-out cookie and an easy method to opt out actually more than satisfies that requirement of the fair information practices.

There is something that our companies, the fact that we deliver ads and we're not apparent to some consumers, although I think we are quite apparent because certainly people, consumers, know who we are even though they're not in advertising or they're not web publishers.
I think we're more apparent than most people give us credit for, and sometimes many of them are our investors as well.

But getting back to your point, the reason why in our situation the opt-out included some information that was acquired for ad targeting really went to the fact that it's a relationship issue. We don't have a direct relationship with the consumer. So it's an easier issue for web sites, web publishers, that deliver their own advertising on behalf of advertisers, because the consumer knows whom they're dealing with.

In our situation, we went the extra mile, as Dave put it, and allowed for the opt-out of non-personally identifiable information collected in the routine course of delivering an ad or even delivering content to a consumer because of the situation that we find ourselves in, that we are business to business companies and not direct to consumer companies. So I just wanted to clarify that one point, that we are in fact not saying that -- we're not at all expanding on anything that the OPA has put forth in the few years.

To your second point, on legal framework for accountability, the very critical part of our principles and one that Dan Jaye mentioned is that we are all going to agree to join third party auditing organizations to make sure that other people agree that we do what we say we do, because certainly we have every intention of following our own principles.

In terms of the accountability, consistent with other self-regulatory regimes, it is this third party auditing that will provide for the accountability.

MR. HILL: Just to follow up on that question, so in a situation like we have seen this week with RealAudio, where they had a TRUSTe privacy seal, there were activities, and TRUSTe hasn't come down with their result, but that some people would feel weren't disclosed or honest, so the enforcement level that you're talking about would be the withdrawal of some sort of seal?

MS. WANG: Well, I don't know any of the details of that RealJukebox situation other than what I read in the paper. But wouldn't you agree that it was very effective, the self-regulatory mechanism there? The market came down very hard and RealNetwork did the right thing right away. I think to me that's just evidence that it works extremely well, and that's just one of many instances.

MR. HILL: I'm not commenting on the benefits, the strengths and the weaknesses. I'm just asking for this organization if that's the desired enforcement mechanism, is the withdrawal of outside audit seals if someone is a bad player? So a bad player in the network would find themselves without an audit seal? There would be no accountability or redress?

MR. HILL: But could a consumer go and hold that company accountable, sue them? Do you guys advocate some sort of framework? If someone says, I don't want to be in NAI, I don't care, I'm going to profile, should there be a framework?

MR. ZINMAN: I think there's another method of control that we need to get out here, which came out in the second panel, and I'm not going to articulate it as well as Dan Jaffe, but I'm going to try, which is that the advertisers do not want to be associated with companies that abuse the trust of consumers, and all the companies in our industry, our lifeblood is the respect and responsibility that we hold with our consumers, the advertisers.
So every company that represents any significant advertising dollars is going to feel a lot of pressure to make sure that they are responsible to consumers. So I think companies are going to naturally be pushed into a self-regulatory environment with or without regulation.

MR. MEDINE: I just want to add, of course, the Federal Trade Commission's deception authority to bring cases against companies that don't honor their privacy promises, both to consumers and business partners. I also thought it might be useful at this point just to hear from Paula Bruening from TRUSTe.

MS. BRUENING: Thank you. I'd like to make two points, one that would speak directly to the RealNetwork issue and one that probably speaks more to the general issue of relationship that everyone's been talking about.

First of all, without going into tremendous detail, RealNetworks is a TRUSTe licensee and I think the people in this room and definitely on this panel are aware of issues that were raised earlier last week about the collection and transmission of user data via the RealJukebox consumer software. As it turned out, after we made an initial inquiry it turned out that, as our license agreement and program is set up right, we were not able to act on that because our program governs information that is collected through a web site and that was not the kind of information that was being transmitted. It was not at issue in the RealNetworks instance.

However, we have taken this as an opportunity to look very closely at the issue of information that's collected in this manner, and this is our opportunity to expand the program to include that kind of data collection and transmission.

We do believe that RealNetworks has done the right thing. They have taken a lot of steps on their own and with TRUSTe to address the issue, and we have worked closely with them over the last week.
We're going to be looking at some very specific things that we can work on with RealNetworks to assure that our relationship with them is good and we can continue to be sure that they're doing the right thing and that our program is acting optimally.

I think for the future what we will be looking at is a program that deals with this kind of consumer software transmitted data, and that's going to be our project in the coming months. So I just want to get some clarity on that as we're going forward.

The other point that I wanted to make I think speaks to what everyone's been talking about, relationships with consumers and how that pertains to seal programs in general. I think one of the things that we work on on a daily basis and requires some of the hardest thinking that goes on at TRUSTe is looking at these relationships that are increasingly growing between companies on the Net and are becoming increasingly complex.

I think that our job is to as much as possible clarify what those relationships are and what their implications are for consumers as it pertains to collection and sharing of information. We know that companies want to have as much as possible seamless and hassle-free experiences for their consumers on the web, but at the same time we have to assure that there is consistent notice that is going on as a consumer is traveling through their web experience. And we know that they may be going to different URL's that may be governed by different privacy policies.

So what we're challenged with is making sure that the consumer is clear as they're taking these travels on the web as to when they're in safe space, when they're not, and when their privacy policy has changed. So to the extent that that mirrors what we're seeing in online profiling and to the extent that Dr.
Westin's findings are an indication of what the consumer is looking for is notice and choice, I think it's our challenge as we move forward -- and maybe this is the topic for the next workshop -- to figure out what is effective notice.

It's good to have principles. It's very important to have principles and it's a wonderful first step, but how do you go about implementing those in a very complex kind of environment where real estate is very valuable, a seamless experience is very valuable?

So we have to really decide, whose responsibility is this? Is it the advertiser's? Is it the online business? Is it both? What's adequate and effective notice and how do you provide for opt-in and opt-out as you're making your way on the web?

MS. BURR: We're going to go to John Kamp, then Evan Hendricks.

MR. KAMP: I don't have anything to say.

MS. BURR: Thank you. Evan Hendricks.

MR. HENDRICKS: Thank you, John. As a matter of clarification, is it my understanding we're only here to ask questions?

MS. BURR: I wanted to see if there were any questions about how the program worked.

MR. HENDRICKS: Yes, I have one, because somebody sitting in this seat at a Department of Commerce meeting on ratings, when he was giving ratings one to ten, how good is the privacy policy, I'd say this one might be up to about a 2.5.

One of the issues of fair information practices that everyone agrees on is access to your own information, and I don't see that listed here. So I wanted you to address the access to information.

Second of all -- and I have a series of questions, so you might want to jot them down and I'll get them all out of the way so we can move on. Second of all, DoubleClick right now, clearly you're in the business of collecting personally identifiable information. If you're
not, it certainly appears that you are, considering that you've acquired Abacus. So the question in all of our minds -- let me finish the question.

It looks like you're in the business of acquiring personally identifiable information. So I wonder, what is your projection? How many files on how many individuals do you expect to gather information? The credit reporting agencies are willing to disclose they have records on 180 million Americans. So considering that your opinion poll that you paid for shows that you got a response that 52 percent of the people support using personally identifiable information for online and offline behavior to tailor ads, so what are your projections on how many individuals you expect to collect information on?

MS. WANG: You want to answer the first question?

MR. HENDRICKS: The last question is on access to information.

MR. JAYE: I would prefer to address the specific question about NAI principles and then I'll hand the mike over.

In terms of access, right now we have left it, because there are lots of different business models and not all the companies in NAI gather personally identifiable information. We have not explicitly addressed access at the NAI level. It's something that we're looking at.

With regard to non-personally identifiable information, once again, it is not strictly true that access needs to be provided to non-personally identifiable information. That being said, let me comment on why many of the companies do not provide access to non-personally identifiable information-based profiles. The problem is authentication, because we don't know who the consumer is. We have no way of authenticating that a person who's asking for access to a non-personally identifiable profile is in fact the person associated with that profile.
Because we've made a commitment to in many cases keep that information secure and not to share it with other people, because we can't authenticate the consumer, we can't display that information. We are very interested, however, in looking at new technologies and new techniques to solve this problem, because we would like to provide it if we can find a way to solve the Catch 22 between not knowing who the consumer is and being able to prove that they are who they say they are.

MR. MEDINE: Why not just use the consumer's own cookie to give them access to their information?

MR. JAYE: The concern is that, once again, cookies are not a strong identification technique. We don't provide typically the profiles out to any third party who has a cookie. So the issue is, if we allow somebody just to enter a cookie and say, show me this profile, there are situations, for example in an office environment, where a co-worker might have easy access to the cookie file of another co-worker.

So once again, it's an area that we keep thinking about. We would like to provide it if we can solve the security issues.

MS. WANG: To your second question, which has to do with DoubleClick's impending merger of Abacus -- and it's impending because it hasn't happened yet -- we don't own the Abacus database. And it's something that seems to be -- we don't own the company, we don't have any new products.

But I will answer your question in good faith, which is you want to know, you want to know how many profiles we think we'll get after the merger and whether or not we currently collect personally identifiable information. The answer is we do collect personally identifiable information through our Netdeals site, where we sponsor a million dollar sweepstakes.

Do we link that information to anything? No. Will we link it after we acquire Abacus?
The answer is yes, and that's clearly in the consent and notice, very easy to understand. So I don't really think that there's anything -- there's no question or no confusion there.

As to your question of how many people, how many profiles, do we think we'll get that are linked, well, it's always subject to clear notice. It's always subject to their not having opted out after they received the notice. I don't know what the projections are. I don't think we can project right now.

But I sure hope it's a lot because, as Dr. Westin's survey and as you pointed out, we did sponsor their survey, but that doesn't make it -- you seem to suggest that that's improper somehow. But really what it demonstrates is DoubleClick's commitment to understanding in an academic and a precise way what consumer concerns are.

What the survey does demonstrate is that, given notice and consent, consumers are not averse to, not averse to linking, the linkage of personally identifiable information with other information, or the delivery of additional marketing material online, and for those who are adverse to it we provide a very easy to use, very easy to understand opt-out. So really that's the answer to your question.

MR. HENDRICKS: Thank you. I don't think that's improper at all for you to pay for a survey. That's clearly a constitutionally protected activity. I think if you're going to make a survey like that, paid for by the industry to support its business practice, then in the public policy forum I think it's appropriate to fund a study to provide some balance, so a survey could be -- with differently structured questions, I think that you might actually find -- you wouldn't have to do that. I think it's the role of the FTC or the Commerce Department.

MS. WANG: So when is your survey going to come out?

MR. HENDRICKS: How many files does Abacus have?
I mean, you're going to merge this company. Can you give me a ballpark figure on how many people they have files on?

VOICE: 99 million.

MR. HENDRICKS: How much?

VOICE: 99 million.

MR. KAMP: Thank you. I wanted to respond to something, Austin's question -- I can't tell if the microphone is on. Is it?

VOICES: No.

MR. KAMP: I want to respond first to a bit of Austin's question about, what about the law in this area, and I wanted to really sort of clear the decks and come back to this discussion. This whole section is labeled "The Role of Self-Regulation" because it reminded me of 1992, when the Commerce Department first was working with the White House on the National Information Infrastructure Advisory Committee to the President. There was a thought in this building and elsewhere that advertising would have no place in this medium at all. It just wouldn't be useful there.

There were several of us who came to this building and made the argument that we had difficulty. They were nice to us, but they were very skeptical that advertising does have a place and in fact advertising may very well be the way in which this medium would be available to all people.

Their concern about communication have's and have-not's and ensuring that all people in our society had this medium available to them, advertising was one of the responses to that. It was long after that that there was a group called CAIE created, Coalition for Advertising and Information and Entertainment, where we came and developed a set of self-regulatory guidelines and policies which, interestingly enough, have all of the elements that Andrew suggested there, and we continue to stand by them.
With that, we applaud the ad-serving group coming forward this morning, this afternoon, and working on this and coming forward and saying we understand what we're up to, we plan and we intend to do right. And I suggest that we not worry about creating laws in this area until we have allowed this self-regulation to play itself out.

I being a former regulator at the Federal Communications Commission, can tell you that when in 1997 the Federal Trade Commission did its first sweep on privacy policy on sites none of us were particularly surprised to find that under 15 percent of the sites that they visited had privacy policies.

But I think more of us were even sort of taken back by how one year later, when there was a similar sweep done after self-regulation had been in place, fully in place for some time, that nearly 80 percent of the sites had privacy policies on them of some type. As a former regulator, I must say that that is something that could not have been achieved by the government. Government regulation mandates could not have sped, gotten the industry there any faster than that. In fact, I don't think it would have gone that fast.

So those who are very interested in developing laws should recognize that the Federal Trade Commission has taken the right stance in the past by encouraging us to continue to do the kinds of things that the people coming forward with this program have today.

MR. MEDINE: Andrew is next. I want to just make it clear to the panel that we're now open to the broad topic of self-regulation. People are free to direct questions, but they can also discuss unrelated issues to the NAI proposal. Andrew.

MR. SHEN: I'll go ahead and apologize. I'm going to ask another question about the self-regulatory proposal.

VOICE: Move the mike closer.

MR. SHEN: I'm sorry. Can everyone hear me?

VOICE: No.

MR. SHEN: No?

MS. BURR: Just talk louder.

MR. SHEN: Anyway, a couple people, David and Elizabeth, have said you guys have gone the extra mile to include some partial implementation of fair information practices, even though this information is not necessarily personally identifiable. But you can't really deny that this information has a very high potential to be potentially identifiable.

People have debated back and forth over the course of the day that it may be difficult, maybe, to find the person that this information correlates to, but it can be done.

MR. JAYE: It can be done?

MR. SHEN: Right.

MR. JAYE: If you assume a set of circumstances, at which point we would no longer consider it non-personally identifiable information. In other words, talking about what might happen and what might not happen, there are lots of different possibilities. However, with regard to the information we gather, when we say we gather information and use it in a non-personally identifiable way, that is accurate, that that is how we are going to use it.

Now, if our privacy policies change, if we should start to have different practices, there are different ways of interpreting that. But at Engage, at least, the way we would interpret it is the information we gathered under past privacy practices we would need to go out and get proactive consent from a consumer before we started to treat data that we gathered under an assumption that it was non-personally identifiable as personally identifiable.
So I take issue with a position that says that there is no such thing as non-personally identifiable, because I think that it holds out the possibility that consumers will not be able to get the advantages out of the Internet, the free services that are advertiser-supported, if we draw a broad brush and say, now anything could be personally identifiable in some circumstances, so let's not create that category for non-personally identifiable information at all.

MR. HILL: Just a clarification, Daniel. So are you saying that, does the NAI as a group have a policy on fundamental change of notice? So if you collect data under one practice and then change at a later date, you had mentioned that Engage believes you require consent and an opt-in for that change of practice. Otherwise you have to stay under the previously advertised policy.

Does the NAI as a group have a policy on how they approach change of practices, so if they have a merger or an acquisition and it's now in someone's business interest to make it identifiable how would your group suggest dealing with that?

MR. JAYE: Well, as David Medine pointed out, when we make a public policy statement his organization certainly has enforcement capabilities if we violate that privacy principle. Now, with regard to changes --

MR. HILL: Yes, I'm talking about revision.

MR. JAYE: Yes. In terms of revision with regard to prior data collection, that's an area that we have not explicitly called out at this time. What I will say is that this is a process we have gone through over the last, I'd say, about eight or nine months since the initial meetings with the government.
There are a number of areas that we will in the coming months as we look to expand the group to include other industry members, we will need to tackle certain issues and we welcome input about particular issues that people think might make a better self-regulatory framework.

MR. HILL: Thank you.

MS. WANG: I just want to -- you were talking, you say that if notice has been given or choice has been offered and the consumer had done one thing and provided the information, if later on the practice had changed, the answer is -- and it's not an answer that's particular to NAI, it's really an answer particular to fair information collection practices generally -- you need to look at the original notice and see whether or not the new use was contemplated in the original notice, because you had asked the consumer for permission to do a certain thing and if you change that thing or you add to it, then, depending on what that thing is, it could be that you need to go back and provide additional notice.

MR. HILL: Just to follow up on that, do most of your guys' privacy policies have the right to change the policy practices without consent or permission currently?

MS. WANG: I don't understand the question.

MR. HILL: Well, a lot of privacy policies I've seen include -- and I assume it's legal speak that gets put in there by a lot of lawyers, but it's: we reserve the right to change this policy at any time without consent or permission from the user. By agreeing to this policy, you're agreeing to all future privacy policies that this company may issue.

That's generally a clause that's in most privacy policies. So I'm asking, is that currently this group's practice, to include it?

MS. WANG: I think those members of our group that are members of TRUSTe and other organizations probably have restrictions on what they can say along those lines.
Again, I go back to my initial answer, which is that everybody has to comply with general fair information collection practices in how they would view that, and that's really the answer. I think I can't without specifics --

MR. MEDINE: Tim has been waiting patiently over here.

MS. BURR: And Steve seems to have been pulling the microphone closer.

MR. LORDAN: On behalf of the Online Privacy Alliance, I want to applaud the advertising industry for this self-regulatory initiative. It's particularly important and we applaud you. In response to Dan's comment that we look forward to working with you as well, to follow up on what John said with regard to the speed at which self-regulation can work, I think it's remarkable the time it took for this group of companies to come together and put forward this initiative.

Lastly, I'd like to ask you, can you comment a little bit further on how you plan to work with your business partners and share your practices with them and how that's going to work as far as notice goes?

MS. OAKES: Yes, I'll be happy to answer that question. As an organization, as a group of companies, we individually have participated in solutions that address your question. But as an organization we intend to work with our business partners to put information specifically about the third party ad-serving relationships that they have in their current privacy policy with a link directly either to our individual web sites if there's a one on one relationship or to the NAI web site, so consumers will understand there is a third party relationship involved and access to our privacy policies as individual companies and as a group.

MS. BURR: We're going to do Steve, Jerry, Evan, then Fred. David told me that was the right order.

MR. LUCAS: Thank you.
I think that no one on this panel would deny that today the practice of profiling has occurred without any real notice, any of the major factors -- notice, choice, access, or consent, or the knowledge of consumers for the most part. And I think that we too applaud the work of this organization.

But I have some concerns over the whole notion of not requiring an opt-in. To me an opt-out, if you start with an opt-out and information is collected and then later on a person decides they don't want that information used any more, especially when your privacy policy says that we share information with third parties, at that point I would argue that an opt-out, while it doesn't allow the company to use that data any further, you still have a proliferation of data.

MR. JAYE: Steve, could you just clarify. Are you talking about PII information?

MR. LUCAS: Yes.

MR. JAYE: Okay, but not non-personally identifiable information?

MR. LUCAS: Right. We can get into that in a second. But I think that not having the consumer opt in first -- I don't see why, if we're going to take a positive step, that we don't take the whole step and say, let's go to an affirmative opt-in at that point as opposed to an opt-out. If you take a look at what's happening in Europe, that's required as opposed to -- an affirmative action as opposed to an opt-out.

The other thing is, we do, we support a self-regulatory model. We believe that a self-regulatory model has the potential to be the way to go. We think that if the industry doesn't step up there may be a need for some legislative mandates to establish a framework which we can all work on.

Having said that, we also have decided that it's important both to provide consumer education as well as the opportunity for consumers to be able to go to a site and opt out of targeted advertising as well as profiling.
Today we actually announced the launch of a site called Myprivacy.org. The purpose of that site is again to provide consumer education, but also to provide an opportunity for consumers to specifically request not to be targeted, both through the use of personally identifiable information as well as to be tracked through the use of cookies.

Having said that, we think that all these efforts -- we applaud any effort that brings the industry closer to a fully permissioned model, because we hear all the time that the goal of the industry -- in fact, someone on the panel said it -- the goal is to send the right ad to the right person at the right time with the right offer. I think it's time that the term "right" is the right of the consumer to determine when, where, and how any information that's being used, being collected and used -- they have the ability to control that.

Having said that, I do have a couple of questions. That is, we're seeing a lot more of companies out there on the web either acquiring companies that have an offline presence or we know that there are practices out there that sites collect data -- use data that's been collected offline. Does your organization plan on any disclosure that would require, outside of COPPA, which I believe does require some disclosure when data is being used from offline data sources -- do you plan on disclosing the fact that you're using data that's been collected from offline sources and that data has been added to that profile?

Without providing the consumer access, the consumer has no way of knowing that you've created a profile with data that has not been collected from the consumer online and data that hasn't been permissioned.

MS. WANG: I guess that's my question. Your first question, which had to do with consumer choice, and this would be DoubleClick specifically.

MS.
BURR: Elizabeth, can you pull the mike up.

MS. WANG: Oh, yes. Thanks, Becky.

The NAI principle provides for consumers to have choice at the time of data collection, personally identifiable data collection, and the opportunity to opt out, and you're asking why we would not offer to opt in. Actually, I want to clarify our opt-out, because if at some point a consumer gave me an address in connection with the sweepstakes with the full notice that, oh, we're going to connect offline data to you -- and by the way, in answer to your second question, the answer is yes, DoubleClick would do that, would specify at the point of data collection that that information would be connected, linked with offline data, more data from other sources. So that's the answer to your second question.

But in answer to your first question, if later, if I'm the consumer and I signed up, I did not opt out at that point, and then two weeks later it occurs to me, hey, I really didn't want that to happen, you can always come to the DoubleClick site or go back to the site where you originally opted, where you originally provided the information, the sweepstakes site, and get linked to the DoubleClick site and opt out then, and that opt-out would be effective for as long as you have that browser or until you delete your cookie file.

MR. MEDINE: Can I just ask a clarifying question on that. It wasn't clear at the beginning that the opt-out that applies to personally identifiable information is as broad as the opt-out for non-personally identifiable information, because as I understand it for non-personally identifiable information it's for use, whereas, just to clarify, for personally identifiable information, I thought you could only have a choice over third party transfers but not any control over internal use by your companies.
Could you describe if that's the correct interpretation?

MR. JAYE: No, that's not correct. The opt-out on PII data, personally identifiable information, is over all use. On non-personally identifiable information there are two categories. There's a category that's effectively the infrastructure of the web. The infrastructure of the web requires us to be able to, for example, be able to report on reach, frequency numbers, etcetera. So we cannot provide an opt-out to that.

In that category or the second sub-category of non-personally identifiable information is the ad delivery data, and that's the data that's used for profiling and targeting, and that we're providing an opt-out for across the network.

MR. MEDINE: So, using Elizabeth's example, if I changed my mind and I want to go back, I can opt out of any future use whatsoever of personally identifiable information?

MS. WANG: That's correct, yes.

MS. BURR: Jerry.

MR. CERASALE: Thank you.

I wanted to commend NAI for their efforts here. And Lynn, I really was pleased with your statement and I want to make sure I understand it, because I think it agrees with where the DMA is: that the best place for notice is right away and it's really at the initial web site where you go. I guess it's, using a term that's been used here, the publisher.

And do I take it that you're going to make efforts, you the NAI are going to make efforts, to ensure that your -- the web sites with whom you work are going to have in their privacy policies a statement that would say: I have an agreement with XYZ company that can collect information and have a hot link to your privacy policy, so that the consumer would then know what the web site's policy is and then what your policy is, so you can then establish the relationship there with the consumer to do the opt-out?

MS.
OAKES: Couldn't have said it better myself, absolutely correct, and we look forward to working with your organization to make that happen.

MR. CERASALE: And then a comment on Austin's question. It's my view if you get a change, at least it's the view I think of the DMA -- and I'll get a pink slip tomorrow if that's not true -- the view of the DMA is if you change your privacy policy, information that you collected under the old privacy policy, and then try and use that old information in your new privacy policy, which has a very material difference, I think that subjects you, that company, to FTC review, because you collected information under one pretense and then start to use it under another pretense, and you have to somehow give notice back to change that.

So I think that there is already a law that is out there that covers that right now.

MR. HILL: Most of the practices in this area right now under the original collection of that data, it usually comes with the right to change and revise the policy later. I'm not sure if the FTC would consider that in their mandate if the original data collected had the clause attached to it that as part of giving us this data we have the right to revise our policy.

That was my question. If the FTC does have oversight that would be very useful to know.

MS. BRUENING: TRUSTe's name came up in the context of this discussion and I just wanted to say that our license agreement provides that if you do change your privacy policy you must inform consumers that you're doing it and then give them the opportunity to opt out.

We're also moving toward setting up a situation that was precisely as was just mentioned here, where if you have collected information under a certain pretense of a certain policy you have to continue to treat that information in that manner even if you've ended your relationship with TRUSTe.
MR. MEDINE: I'm not sure this is the forum for us to give FTC advice, but clearly there are deception implications if there are misrepresentations about use, and obviously we'd have to examine on a case by case basis changes in use and what representations were made initially and then what steps were made to obtain consumers' consent for subsequent use.

MR. CERASALE: I just want to respond to what Austin said. My view on that, and I'm not going to put words in David's mouth here or any of the Commissioners' mouths, is that I can change price any time I want to change price, but once you sign up, you click on the web that you've purchased something for 10 dollars, and before I fulfil I change the price to 12, I can't charge you 12 dollars. That's deception.

So I think that it doesn't -- the fact that I have the ability to change doesn't change the matter of a material fact, that you got information from. That would be my view. That's my view on that.

MS. BURR: We're in radical agreement on this: Evan and then Fred.

MR. HENDRICKS: Further, I agree with Jerry's analysis of the law in that situation. The one thing that's missing from the law is the right of the individual to enforce his own rights or have control over his own data, and that can only be -- that's one of the main reasons legislation is necessary, because a major part of fair information principles is a remedy when something goes wrong. Protecting privacy is at its zenith when something goes wrong.

Now, in Europe where they are protected by law, they actually marvel at the progress we've made in this country at getting notices on web sites and at the self-regulatory progress. So you can definitely pat yourselves on the back because they look in admiration at us.
So privacy will only be protected when you have it covered by law and by self-regulation, if you define self-regulation by implementation. That's why I really congratulate the FTC on this workshop, because I think it shows the true determination to find a way to protect privacy, because this scenario that we have so far with this self-regulatory program will never work. It is too far removed from people. It puts too much of a burden. It doesn't include enough fair information principles.

If the FTC wasn't interested in protecting privacy, they wouldn't focus on this sector, which contradicts its policy that there should only be self-regulation for the Internet. So I congratulate the FTC for asking the hard questions.

This has been a familiar pattern. We've had FTC workshops. Different industries have come up with self-regulatory programs. Sometimes it's been like pulling a rabbit out of the hat. I don't know if anyone remembers the early years when Firefly was described as a way of protecting privacy and a reason self-regulation would work. Well, that's one program or one example of something that's vanished once we've moved on.

I think a real problem here is the threat to e-commerce and the shaky confidence that's being engendered here. You know, DoubleClick, you mentioned that you thought the RealAudio situation worked really good because there was a public outcry and TRUSTe kicked in and said they were going to look at it. But the problem is information on millions of people was transferred in violation of a policy without people's knowledge and consent, and virtually nothing's going to be done about it. That is not any way to guarantee confidence in the Internet.
If you look at the Jupiter study and the Forrester study saying that we are lowering our projections for how much e-commerce will generate if privacy is not taken care of, I think those are very real things to look at and I am very concerned that the existence of -- the way you're operating, if you're going to collect personally identifiable information and use it in the kind of schematic that you've described, you're going to just do nothing more except produce distrust about the Internet.

The final thing is the enforcement program here is flawed because you're hanging your hat on the Alan Westin survey, which I think we can talk an hour about why that should be challenged, but also on the issue of TRUSTe. TRUSTe, when the first Microsoft example came up, TRUSTe said they couldn't do anything about the information being transferred because it wasn't transferred from the web site. Well, consumers don't care if the information's not transferred from the web site. They just want to know that privacy's protected in relation to that company.

The question I have for Paula is, this latest thing with Hotmail where I think the information on the e-mail of, what, 40 million people was at risk because of the technical glitch in Hotmail. You did an audit by a third party auditor. Yet you had to keep the name of the auditing company secret.

One of the things in privacy is you have to have a certain amount of openness and transparency so you can breed trust. Yet in this situation you could not reveal the name of the auditing company. I don't see how that squares with engendering trust or fair information practices.

MS. BURR: I'm going to let Paula answer that question.
We have two questions from the audience directed to TRUSTe, so I'll just read them to you: As a third party auditor for NAI, how will companies like TRUSTe redress and-or enforce violations of these NAI practices? Similarly, if a TRUSTe web site initially told consumers that they only used non-identifiable information, but later wanted to change that policy to one that tied information collected to specific individuals, what would TRUSTe require them to do?

MS. BRUENING: Let me start with Evan. And what time are we finished?

Let's see. First of all, the Hotmail situation involved a security breach that we understood potentially placed the privacy of that information at risk. We asked our auditors to go in and to take a look at it.

We were not at liberty to announce who the auditors were. There were particular -- I believe it was we were by law required not to do that, and I don't know what you can do. I'm not certain about that. We were not in a position where we could do that.

MR. HENDRICKS: But we have to know why, because you're in the trust business and it's hard to trust if you don't know who's doing the oversight.

MS. BRUENING: The important thing is that we did have a third party auditor come in and look at that and gave Microsoft a clean bill of health. We can only operate under the rules as they exist. If there was a situation where that isn't enough, if we need to look further to see if there's another way we should do that, we'll look at that.

MR. HENDRICKS: Could you say which rules? Are they the TRUSTe's rules or the auditing company's rules?

MS. BRUENING: The auditing rules. If there's a special provision and we decide at some point it's got to be done in a different way, we'll have to look at that. But under the rules as they exist now, we did what we could do to resolve that. We haven't gotten any more complaints on that.
I think it's a situation that has been resolved satisfactorily.

Okay, the other two, do you have those? The first question, about how would companies like TRUSTe redress or enforce violations of the NAI practices. First of all I have to say, just because I'm sitting on this side of the table, I have not had any prior knowledge of this announcement. I heard it when everybody else heard it, so I'm operating with the information that I heard in the last half an hour.

I think that, first of all, TRUSTe requires compliance with fair information practices and we would welcome working with these companies to the extent that we think these companies are willing to work toward fair information practices. I haven't looked closely at the provisions that you've announced, but that would be very important.

I think that, to the extent we could work with them, at this point, unless we look at your program and decide something else would be necessary, that this would be such a special case, I think that NAI would probably fall under the same rules that the rest of the licensees fall under where we have a dispute resolution process, that there are inquiries that we can make with companies when there are questions raised by consumers, that we can raise the level of that inquiry if things aren't resolved, that we can require audits. We have the ability to refer to the FTC and we do ultimately have the possibility to revoke a seal if that's necessary.

I have to reinforce, and I think that the incidents of the last week have made clear, that we're living and we're working in an environment that's evolving and we have to keep evolving this program. So I think that this may well just present another challenge where that's what we have to do.

MR. ZINMAN: Can I respond to just one of those comments.
Just one of Evan's comments about after the RealJukebox thing I think happened. I think we weren't in the offices of RealNetwork, so we can't imagine the scurry and fury that went around there when they found out this was happening, but I do know, being another company in the industry, when you see something like that happen you respond immediately by taking a look at your own practices.

So I'd say that there was a lot of response that happened within the industry, people making sure that they weren't making any similar mistakes. This is part of the dynamic of a very fast-growing industry. So the challenge is, do we want to criminalize all this behavior or what we need to do is we need to work in a self-regulatory environment where all the companies who are involved in the fast pace of change can kind of work at doing their best to meet fair information practices and setting up standards for future activities with new technologies.

MR. HENDRICKS: I don't want to criminalize it. I just want to create a civil right of action so that if their wishes aren't respected they can do something about it.

MR. CATE: Well, I at this late moment would just like to briefly return to the broader set of issues, although it's difficult to do that without some reference to the discussion that's already been had. So let me be very brief.

First, self-regulation seems like -- it's fairly unremarkable to say that it's a good thing. That is, without regard to whether a specific piece of self-regulation is, that it's a good thing because it can deliver, backed up by effective enforcement, it can deliver very effective privacy protection. It can be far more specific. It can be far more easily changed in response to changing conditions than, for example, the 60 years it takes Congress to enact a bill or even the time it takes the FTC to act on a matter.
So the self-regulatory approach has a tremendous amount to recommend it.

The second point, of course, goes back really in some ways to the last panel and to the issues more specifically dealing with profiling, which is this issue of treating non-personally identifiable information as having this privacy interest.

The complexity or the oddity of this is highlighted by the very problem of how do you opt out of its use. I want to tell you not to use information that's not about me or that you don't know if it's about me, and you said, well, we'll put a cookie on your computer. Well, again we're back to where I was in the last panel, which is now my computer has a privacy interest and it's opting out, but if I use my laptop that opt-out is no good.

This at least raises one potential problem and it's not a novel problem in self-regulation, and that is it's important that it not create confusion. In other words, the goal of self-regulation presumably is to be clear and direct and let people know what they are opting in or opting out of or what have you.

This is one of the specific points I would raise with this, to be very clear that if we're letting people -- if we're giving the impression that you can opt out of non-personal information, in fact we don't know realistically what that means.

The point was mentioned earlier, opt-in versus opt-out, whether -- I think it was you -- whether this should be an opt-in situation. I just can't let the sort of reference pass without at least noting it's not just six of one or half a dozen of the other. The ramifications of one versus the other are very significant, and even places like the EU, which you mentioned, which have clear opt-in laws on the books, we see increasingly using opt-out as the de facto enforcement mechanisms, the way in which they work.

This is particularly true, say, for HR data in Europe.
We have not seen data protection commissioners saying you have to go to every employee and get them to opt in; they can continue working there but not opt into this system. What we have seen is a requirement that you give notice and then give them a chance to opt out. Even though the law says the opposite, in practice opt-in just doesn't work in those situations. That's one of the reasons, of course, why we use opt-out almost exclusively, with the exception for example of dealing with children.

Finally, though, and very much on point with the panel, one has to wonder to some extent if technology isn't about to put a lot of these concerns to rest. You know, we saw the presentation earlier. We all know about other types of technologies. We see new technologies debuted all the time which make it increasingly easy and affordable to browse the Internet wholly anonymous, anonymous in every sense of the word.

I think as we think about self-regulation one of the components that necessarily has to be thrown in here is thinking about the availability of these technological solutions as well.

Thank you.

MS. BURR: Andrew.

MR. SHEN: I just have a comment about regulation in general and about fair information practices. I think it's important to look at fair information practices not as a goal, not as something we should aspire to reach, but as something that consumers should have now. We're talking about information collected from individuals and, whether companies believe it or not, this is information that they may want control over.

I'm not going to refer to Dr. Westin's survey. I'm actually going to refer to a different survey done by Georgia Tech. I have the results from 1997. Sorry I don't have the more current ones, but this is based on more than 14,000 respondents, which I believe Dr. Westin's survey was based on about 400.
It said that 87 percent of the users believe they should have complete control over the demographic data. Now, I can attest that complete control follows notice, consent, access, and security, not the sort of stripped-down measures that we often see, like notice and opt-out. So I think it's important to keep that in mind, that consumers want more and the government has the ability to provide it to them and that we shouldn't rely on self-regulation as the only model out there.

MR. JAYE: Could I make just one comment? If we're going to bandy surveys about, there's a very interesting result that Professor Westin presented in Cambridge at the U.K. Privacy Laws in Business Conference this summer. He referred to it briefly this afternoon. But one of the interesting results that came out in his presentation was the fact that consumers in the U.K., even though they have regulation, felt that consumers in the United States had better privacy protection than they did.

So the interesting anecdote there is that regulation alone isn't a solution, either. I think that self-regulatory frameworks are absolutely essential. We believe at NAI that this industry is so fast-paced, so moving, the things we're talking about now almost no one understood three or four years ago.

I think it would be very difficult for regulations to be able to be enacted that wouldn't necessarily hamper the growth of electronic commerce and advertising on the Internet.

MR. SHEN: Can I respond to that very quickly. I hear that argument a lot, that the Internet is moving very fast. We hear the phrase "Internet time" all the time, that it's impossible for the government to regulate on specific issues, like online profiling and the collection of information. But the fact is that fair information practices are never going to change.
These are the cornerstones for the ability of the consumer to control their information -- notice, access, security, consent.

I mean, these are never going to be changed, and these can be enshrined into law. The FTC recently did a very good job on the Children's Online Privacy Protection Act. It was a very complex issue. They're dealing with how parents should be involved in the process of giving up the information on their children, but the FTC did a very good job and it did it within one year. So it is possible to do that and do it effectively.

MS. BURR: Steve and then Jerry.

MR. LUCAS: Just two quick comments. We haven't talked much about the economics of what we're doing from the perspective that we all know that click-throughs are dropping through the floor. But yet we see example after example of, when permission is asked, the acquisition rates dramatically increase. People like Seth Godin in his book talk about the fact that when he asked permission from his consumers his acquisition rate went from less than 2 percent to over 20 and his cost of acquiring an individual name, if you want to call it that, went, in the case of one of the Wall Street firms, from $300 to $25.

So again, I just want to stress the notion that there is clear evidence that permissioning works from our industry perspective.

Now, we talk about that cookies are an essential fabric for the web, but they're an essential fabric for maybe certain things and in certain people's views. I would argue that cookies are an essential fabric for advertisers. They are not required for the web to function as the web. That's first of all.
Second of all, I would also argue that, even though we're looking at, say, hardware negotiations with the EU and if those go through, if the fair information practices agreed on don't include the idea of an affirmative opt-in and don't include the notion of specific and unambiguous consent and don't include the notion of access, we still have countries outside of the EU that have very strict data privacy laws.

While I'm not suggesting that we fold up the tent and agree with every data protection law that's out there, most of the other countries have similar types of fair information practices. There's over $500 billion worth of e-commerce that's at stake here between ourselves and Europe, and at some point in time -- we can put it off for as long as we want to and we can put all the hope we want into safe harbor, and I have all the confidence in the world that we'll be able to solve this issue.

But if we don't, at some point we're going to have to step up to these issues. They're not going to go away.

MR. MEDINE: We have time for just a few more comments, but I know you wanted to respond on information-based marketing.

MR. ZINMAN: That's right. Just quickly, I have no doubt that advertisers will do whatever is necessary to improve the returns they get from advertising. So I don't think we should be debating the effectiveness of one method of advertising versus another, because advertisers are going to direct their money at the one that's most effective.

So if you're right and if we have another panel, next time everyone will be doing permission-based marketing.

MS. BURR: Jerry.

MR. CERASALE: The only thing, don't force a specific business model. I think that the real key here is to give American consumers the knowledge and they're going to make a smart choice.
They're going to vote with their feet, or in this case they're going to vote with their mouse clicks.

That's the real key here, is to have some faith in the American public when you give them knowledge and you give them choice that they're going to make, they're going to make their decision. They're going to vote and companies are going to fail that don't provide what they need.

I think that's really the important thing here, is to try and make sure that we give them notice. The problem we had here today is that people didn't know what was there. It wasn't transparent. It wasn't a relationship. So create it and let the marketplace go and put the faith back in the American consumer.

MR. KAMP: Jerry just made about half of my points just there. I agree with him, but I also think that one of the things that's going on here is this is an awfully complicated system. Computers for most of us are very fragile devices that crash on us and make us crazy, and one of the ways in which we get to where Jerry is is we make these things a lot simpler than they are today.

I think the fact that our law professor was confused this morning doesn't surprise me, and we have to get to that simplicity in this area so that consumers can understand the choices that they're able to make.

MS. BURR: The last word.

MR. HILL: Just in response to Jerry's comments, I think one of the things we've heard come out of this is this idea that a lot of the privacy initiatives are anti-marketing. I think that nothing could be further from the truth. I know my company's going to spend $20 million this year on advertising. Most of that or a large percentage of that will be online.

For us, we're looking for partners in our advertising initiatives that can meet the same standard of customer relationship that we have for ourselves.
And it's proving somewhat difficult, but there is a growth. This group does not represent all the advertising initiatives. There are groups like Yesmail, Yoyodyne, Alladvantage -- different initiatives that have consent, permission-based.

One of the problems with the sole economic "let's let it work itself out" is what we saw with Firefly. Firefly came in and said: We're going to build consent tools, permission tools. And at the end of the day, whether through execution or bad timing, Firefly went almost bankrupt. That technology was acquired by Microsoft and has been turned into the number one profiling tool on the Net.

So that's the danger, is if we set up these profiles and there's no redress for consumers, when the companies that do fail because profiling wasn't in the best interest of customers, you've now got 80 million profiles on the auction block ready to be sold to someone. And if customers don't have a way to say, you know what, I never agreed to engage in business with this company, then I think we have a problem with our framework.

So I think there are other options.

MR. MEDINE: Our apologies to Cookie No. 247. We weren't able to get to your question.

MS. BURR: That's emblematic of the day. This has been a very interesting panel and a very interesting day. Clearly, our work in this area is beginning and the companies here have told us that they are continuing to work and want input from the people around the table, and I imagine around the room as well, on the work that they are doing.

So thank you for coming forward, and we look forward to working with you on that.

We are going to go to some wrap-up comments, but before we do, since everybody likes to scoot out at the end, I'm going to give a few well-deserved thank-you's before we do that.
This truly has been a team effort of the Federal Trade Commission and the Department of Commerce. Whoever said federal agencies don't work together well was wrong.

So I'd like to thank -- and this is for both David and myself -- people that we've worked with who have been instrumental and but for their hard work this event would not have happened: Martha Landesberg at the FTC, Laura Mozzarella at the FTC; Wendy Later, Sandra Leonsis, and Christina Speck at NTIA; Don Friedkin and Mary Street at the Office of the General Counsel here at the Department of Commerce. And we've seen a lot of AV guys running around. The only one I recognized was Hershel Gelman, but whoever all the rest of you are, you deserve our thanks. Thank you very much to all those people.

We spent a lot of time getting up to speed on this technology and getting all of the various viewpoints that we heard around the table. So to all those people who worked on it, thank you very much.

(Applause.)

MR. MEDINE: We'd like to ask the panelists to keep their seats, and we'd like to invite up to the podium Jodie Bernstein, who is the Director of the Bureau of Protection of the Federal Trade Commission, and Andy Pincus, who is the General Counsel of the Commerce Department, to make their closing remarks.

As they're walking up, I will briefly introduce Andy. He's the General Counsel, again, at the U.S. Department of Commerce, and as General Counsel he is the chief legal adviser for the Department. Beyond his legal responsibilities, he also serves as the senior policy adviser for the Secretary and the Department on a broad range of domestic and international issues, including electronic commerce, international trade, banging the microphone, and telecommunications, intellectual property rights, environmental issues, export controls, and technology.

REMARKS OF ANDREW J. PINCUS, GENERAL COUNSEL, U.S. DEPARTMENT OF COMMERCE

MR. PINCUS: Thank you, David.

First of all, I want to reinforce my thanks, not just to the people in the two agencies, but all the people who participated on panels today and the people who came and listened and participated in the audience. I think this workshop did just what we hoped it would do, which is to focus attention on an issue, a privacy issue that we feel has gotten less attention than it should, to put out there the business community's views, the privacy community's views, some of the technology that's out there, and really to begin a conversation about what to do about it that was helpfully kicked off by some of the initiatives that were announced here by the business community.

But that's not the end of it, that's the beginning; and we obviously hope that this dialogue will continue and will result, as other dialogues have that started in workshops such as this, with an approach to protecting privacy that will work for the growth of the Internet and that will also work to provide real and concrete protection to the privacy of consumers.

I guess Becky kiddingly said federal agencies don't often cooperate, but we have a very good cooperative relationship with the FTC. I think the reason for that is that both of us realize that addressing this issue in a real and concrete way is critical to both of our missions.

For the Department of Commerce, we obviously care a lot about the growth of electronic commerce. It's a driver of our economy and the President has asked us to look over that issue. But we recognize that that won't happen if consumers don't feel that this is a safe environment in which to do business. So protecting privacy in all its manifestations is critical to that.
Just as important, the FTC realizes that in its role as the chief consumer protector of the government, protecting privacy is a critical element of that mission. So it's really an instance where both of our missions point us in the same direction and have really caused us, not just in this endeavor but in the whole privacy issues, to really be working together in lockstep, and it's something that we're very proud of.

I don't want to rehash everything that's happened today. It seems to me, as I said, a lot got put on the table and there's a lot for everyone to digest. I think it's also important to remember, as with anything in the world of e-commerce, we're dealing not just with our own domestic situation, we're dealing with a medium that's international. So to the extent we can devise solutions that work in the cross-border world, we're going to devise solutions that have a much better opportunity of effectively protecting consumers' privacy.

That's one of the reasons that we have concluded that self-regulation is an important and effective way to go, because it provides consumers with an ability to protect themselves, not just domestically with respect to laws that may or may not apply to any particular web site, since there's no way to be sure exactly what laws govern any particular web site, but through seal programs and other mechanisms, visual cues, give consumers a way to protect themselves. So we think that's an important methodology to pursue, with the caveat that that protection has to be real.

So we look forward to participating with all of you in the continuing discussions both of this issue and the other issues relating to privacy.

Now I introduce Jodie Bernstein, who is, as David said, our colleague in this endeavor. Jodie is a true path-breaker in public service.
She's served in a number of roles in the government, everything from Health and Human Services to Environmental Protection to the FTC. I'm proud to say she was a client of mine when I was in private practice and we had a wonderful working relationship then and we have a wonderful working relationship now. She really puts herself on the line every day to protect America's consumers.

Jodie Bernstein.

(Applause.)

REMARKS OF JODIE BERNSTEIN, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

MS. BERNSTEIN: Thank you very much, Andy, for a very nice introduction. If I may say also, as others have, what a pleasure it has been to work with you and others at the Department of Commerce on this very, very significant issue. I do thank all of you participants, both on the panels and in the audience as well, because I think, once again, what we set out to do here today we may have achieved. That is to open up a process so that all of us could better understand a very complex issue.

Now, I really never dreamed that I would stand here before any audience and say, you know, I agree with Jerry Cerasale about these one or two things. I never agree with Jerry Cerasale at these things, so there has to be a certain uniqueness about any given one of these sessions that we hold.

But when Jerry said, and others have said it as well, that the real problem here I think that we were addressing today is no one knew that this was going on, nobody knew -- I mean, us ordinary people didn't know what was happening. And at least from our experience, whenever Americans find out that something is affecting them that they know absolutely nothing about, whether they had any ability to control it or not, they get very upset and they want to know what's going to be done about it and do they have a way of controlling it.
I noted that in connection with the children's statute and the rulemaking that, happily, someone did point out that we did it in one year because it needed to be done, and as soon as parents understood that the theory behind the law and the way we were going to implement the law was to put parents in charge of protecting their own children, they were immediately comfortable with what was happening to them. I think the same thing is probably at issue in this instance.

A lot was accomplished today, I think. A lot of sort of consensus issues were addressed that will serve us all well. We were, I think, to be encouraged by DMA and NAI in connection with an effort to achieve what's been achieved in other areas, and that is a self-regulatory program that addresses what the problems were today.

I'm looking over at Evan because I never agree with him, either, and he always has -- luckily, they always give me a chance after Evan has attacked the FTC to at least be on the platform. In that context, I would just add to Evan and others that, while the FTC has been very supportive of self-regulatory programs, it is not without the FTC's commitment to law enforcement. Those things are coupled together in this area and in other areas, and I think that is in my judgment and I think in others why self-regulation has achieved the amount of credibility, particularly in the online environment, that it has.

I would make one other point that I don't think had sufficient stress today, and that is that your program also included an education component. We also believe that that's an essential element of achieving an overall comprehensive program that can -- and we've all not seen all the details of everything -- can be a successful one.
I think the key word is "transparency," and if we all keep that in mind -- and I think everyone has spoken for that concept -- that we will have moved a long way.

We look forward to watching as this program develops as you get more experience with it, as we all get more experience with it. In the end, I think that this forum which the Department and the FTC sponsored will have achieved at least an initial beginning of achieving what has been a very complex, very complex set of issues.

I would only add one more thing, and that is that when we talk about notice and opportunity to opt out, among the words that I heard today was don't make it confusing, keep it simple, don't have it be so confusing that people say, oh yes, it's out there, but how do I use it. That's for all of us who would like to have a very simple program so that we can tell others what's happening.

Thank you very much. Again, thank everybody for coming.

(Applause.)

(Whereupon, at 4:38 p.m., the workshop was concluded.)