CONSUMER FINANCIAL PRIVACY
THURSDAY, SEPTEMBER 18, 1997
House of Representatives,
Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services,
The subcommittee met, pursuant to call, at 10 a.m., in Room 2128, Rayburn House Office Building, Hon. Marge Roukema, [chairwoman of the subcommittee] presiding.
Present: Chairwoman Roukema; Representatives Bereuter, Metcalf, Kelly, Redmond, Vento, C. Maloney of New York, Barrett, Roybal-Allard, Bentsen, Kilpatrick and Weygand.
Chairwoman ROUKEMA. If the first panel would take its seat, please, and our observers and guests here today, if you will take your seats, please, I would appreciate it. I was waiting for the House to officially go into session. It now has, although it is about 5 minutes late. We will be hopeful that we are not interrupted too frequently with roll call votes, but you understand what that is all about.
I think the best thing to do is to get started as quickly as possible. If the first panel will come forward, I would like to make an opening statement and perhaps have others from my colleagues on the subcommittee.
I should begin by thanking our colleague and Ranking Member, Mr. Vento, for bringing this issue to our attention some weeks ago, and I welcome his contribution and his recommendation. It is proving to be, of course, as timely as ever. There has been so much that has happened recently that has proven the wisdom of our scheduling this hearing this September, despite the fact that we are competing with a lot of other concerns through the appropriations process, trade issues, and so forth.
But the issue is a very important one. Privacy matters have come to our attention, whether they are health issues or other privacy issues, but currently the questions of financial privacy are moving to the top of the agenda and to the consciousness of people all over the country, consumers as well as the service providers.
The computer age, I need not tell you, has revolutionized commerce and information access. The ability for us to acquire, share and store information has never been more advanced or more central to business operations. However, as we are learning rapidly, the proliferation of readily available personal information could jeopardize personal privacy and facilitate, and this is an important part of it, facilitate fraud and deception practices that none of us could even have begun to anticipate. This hearing today will initiate our inquiry and address the risks associated with the misuse and abuse of individuals' financial information.
The genesis of this hearing, as I said, was Mr. Vento's request, but also it is the consequence of increasing concern about the privacy of consumer financial information. A poll published in August of this year in Money Magazine found that 83 percent of the respondents were concerned about the release of financial records like bank or brokerage account information. Banks and brokerage firms are certainly not the only commercial firms that have access to consumer financial information. Credit bureaus collect financial information about individuals from banks, credit card companies, mortgage lenders, finance companies, merchants and others. This information is used to prepare a so-called ''credit report'' that includes an individual's address, Social Security number, phone number, even mother's maiden name (that surprised me), salary, loans, credit cards, outstanding credit balances and repayment histories.
Such reports are available to sell to anyone with a ''legitimate business need.'' Is it any wonder that 83 percent of the people polled had anxiety and concerns about this?
By the way, this may come up later in our questioning. I don't know to what extent our panelists have hard information about what percentage of people feel as though they have been violated against the law, but we will bring that up in the questioning later, or in the testimony later.
But, such reports are available for sale to anyone who has a ''legitimate business need,'' as they define it. Each time a consumer uses a credit card or debit card, the company that issued the card and the merchant collect information such as the credit card number, the individual's name, and so forth, and the product purchased. Information about a consumer's finances and purchasing preferences are also collected from warranty cards and surveys. The same information can be collected from transactions over the Internet. Data on consumer finances and buying habits is used to develop consumer profiles that contain a variety of information that are used by the direct marketers.
And this, I think, is very important, and I stress it: the sale and distribution of personal identifying information by businesses is not new, but the information age has increased the great complexity not only concerning consumer awareness of the practice, but it throws a new light on the implications, not only for business but for the consumer.
Today's consumers can download mortgage application forms, fill out forms on a computer and then submit the loan application electronically. Now, in the face of it, that is all to the good, but it raises the questions that we are going to be looking at today, pro and con.
The move from traditional banking services into such other areas as database marketing, however, presents new privacy concerns for the industry. In the information age, inadequate protection of privileged financial information among banks, credit bureaus and software manufacturers, especially combined with other types of information such as those I outlined, such as demographic profiles, could have, and I think will inevitably have, implications on the individual's privacy. As banks merge and become more electronically oriented, the potential for privacy problems will increase dramatically.
In recognition of this, many participants, and I must state this and stress as a positive, many of the participants in the financial services industry have already taken voluntary steps to address privacy concerns, whether it be the American Bankers Association, Consumer Bankers Association and the Bankers Roundtable. They have taken some action, and we will hear their testimony here today, and we will be able to objectively determine whether or not they are adequate.
In addition to voluntary privacy standards that some of these industries have adopted, there are two Federal laws which govern, under present circumstances, financial privacy issues: the Fair Credit Reporting Act and the Right to Financial Privacy Act.
In addition to Federal laws, many States have laws that relate to the privacy of an individual's financial information, but again, State action in this field is extremely limited because this is, indeed, national and international communication.
Today's hearing is going to focus on who collects and disseminates consumer financial information and what type of information is actually collected, and who has access to the information. In other words, we are going to look at, hopefully, every perspective of it, and it is only going to be an initial action on our part, initial information gathering.
I feel free to confess to all of you publicly, as I have to those that are on the panel, you are going to educate me today and educate all of us today. We have to have sound information before we can draw any conclusions.
But I guess I have to make the obvious connection to a ''Brave New World.'' If you remember, in George Orwell's book, ''1984'', he predicted, and it was quite a shock to many people because it seemed like he was hitting a very raw nerve, even at the time that he wrote his book. He predicted a day when the Government would be monitoring every aspect of life. But literally George Orwell didn't get it right. ''Big Brother'' could turn out to be private industry and the computerized network for gathering information; it may or may not be the Federal Government. But there are other aspects of this that even George Orwell didn't anticipate.
I don't know whether ''Big Brother'' is already here, but that is one of our jobs today, through this series of hearings, to determine how we can keep ''Big Brother'' under control.
Thank you very much. With that, I would yield to my colleague, Mr. Vento, the Ranking Member here.
Mr. VENTO. Thank you, Madam Chairwoman. As the second oldest of eight in a family, I am a ''big brother'' in a lot of ways.
Chairwoman ROUKEMA. All right.
Mr. VENTO. In any case
Chairwoman ROUKEMA. I won't make any political observations at this point.
Mr. VENTO. All right. I want to begin by first thanking you for the hearing and your thoughtful statement this morning, which I concur with. I have long held an interest in protecting the privacy of Americans, and in recent years have introduced legislation in this and in the previous Congress regarding privacy on the Internet, which is just place-marker legislation. But more detailed proposals have been introduced, and we plan on continuing to work in that endeavor.
I would also like to note, Madam Chairwoman, the excellent panels that you have assembled this morning, in which I concur, but there are a number of witnesses we would like to have heard from today, many in the consumer privacy advocacy organizations, who already had plans to attend an important conference and session in Brussels. And I am hopeful that we will be able to reconcile that.
In particular, I hope we can hear from the Center for Democracy and Technology, EPIC and others who are experts in the field. So even though we have a long list of panelists today, we still need to hear from consumer privacy advocates.
Privacy, of course, is a familiar word in the financial realm. However, it is often at the low end of the totem pole, topped by security in and of financial transactions. Institutions are, understandably, first interested in security and such security assurance may well come at the expense of individual consumer privacy.
The financial sector has a model in the Fair Credit Reporting Act. It is certainly not a perfect model. Privacy protection, in fact, has been a sector-by-sector initiative by law and by industries. That, in and of itself, raises problems. Yet in the end, it is the same person, the same personal privacy and the same basic information about a person that is affected by the various sectors and privacy protection laws. Because of the computer, the Internet and the electronic age, the single separate threads of consumer protection governing personal information have really become woven into a bridge. This bridge, of course, conveys all of our personal and financial information. It opens up our privacy and security to the information superhighway.
The threads of that bridge have become blurred by continued technological advances. The advent of the Internet has brought the privacy abuser basically into the comfort of our own homes. The collection of information on or about a person has become so pervasive and so inexpensive as to become the fodder for major industries based on cereal preferences or credit card shopping patterns. People's financial security and their actual identity are at risk to abusive utilization and improper actions by those who manipulate the medium and circumvent the complex laws governing personal privacy concerns and, admittedly, most of those are geared to a different era.
Congress has a duty, as do the regulators and Federal agencies that have begun the process, to explore the policy implications and proper safeguards to be accorded to American citizens encountering, as you had mentioned, Madam Chair, the brave new Internet world: electronic commerce, data collection, data sales and privacy. I know there will be a mantra repeated today by the industries, and even the Federal Trade Commission, that the Government should give the technology time to evolve and that abuses are self-correcting with market innovation and new developments. This may well result, I fear, in a loss of a public voice. Congress must assume a role in establishing benchmarks. Proposed protections for consumer privacy should not take a back seat, however, to market innovation.
Yet, I fear that under a well-intentioned self-regulatory approach, which today's testimony, with predictable certainty, speaks in favor of, is a regime that can work against consumer privacy interests. We have not achieved a critical mass where the profits for greater consumer privacy protections reward and outweigh the losses from the company not being able to use the information. As a result, there is a monetary premium for information that is collected for one purpose to be employed for another purpose.
An overwhelming majority of consumers understand that their privacy is at risk in the Information Age. Consumers want affirmative choices, not necessarily the negative options currently offered by the information industries, but rather affirmative choices to exercise control over the collection, distribution and use of their personal information. I will be listening closely for solutions in today's testimony in order to determine what precise actions can be taken to strike a more appropriate balance between consumer demands to control personal information and business demand to, in essence, harvest this personal information.
This hearing should be very helpful in deciding how to refine my legislation, the Consumer Internet Privacy Protection Act. A new and improved version of it will hopefully be aggregated or be put forth in the next weeks.
Why is the Banking Committee interested in this? Much of the deep data mining taking place, whether on the individual or in the aggregate, takes place in conjunction with a financial transaction. Whether it is tracking credit card purchases or catalog sales, the purchase of items creates profiles and preferences that some company, somewhere, may pay money to access and use. Although basically anonymous, even cash transactions in some stores are done in conjunction with a zip code request of the consumer.
I would note that the testimony and most of the work fails to explore the basic social behavior and dynamics that take place at the point of transaction. When we make a credit card purchase, most consumers feel vulnerable. Are we going to be rejected, denied or approved? Informational demands for Social Security numbers, phone numbers or addresses may seem more like an ultimatum at that point, as opposed to just a discretionary request.
Further, key data about a person that is more readily available than ever, has, in fact, put individuals at risk of being electronically mugged. The phenomenon of identity theft is growing and the wealth of data casually available along with lax industry standards (credit, information or elsewhere) has afforded the aggressive marketer on the legal side and worse, the wise criminal on the illegal side, with thousands upon thousands of opportunities for sales and, unfortunately, for fraud. Fraud that wreaks havoc on the lives of individual consumers.
The Internet has spawned another route for fraud and misinformation hucksters. It is not always crystal clear how far out on the thin ice these schemes can slide before they break the law. We have seen many of them that I am sure consumers feel a concern about, from junk e-mail to solicitations of pornography, credit repair schemes, kids games which ask for information about grandma and grandpa, and even the possibility of finding out juicy tidbits about anyone you desire. Let me quote from one such e-mail, Madam Chairwoman. It states: ''Now you too can learn everything about your friends, neighbors, enemies, employees or anyone else! Even your boss, even yourself.'' This can be quite dangerous, you know.
Madam Chairwoman, the pervasive nature of the Internet has been defined. Now the questions remain as to how it can be checked and, of course, as I say, I am not convinced today that self-regulation is the sole solution.
I greatly look forward to the hearing and am certain that the privacy in financial transactions represents a common ground and fertile soil for further hearings, fact-finding and possible legislative activity by our subcommittee.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you, Mr. Vento.
If there are other opening statements.
Mr. METCALF. Thank you, Madam Chairwoman.
In glancing around the room, I see again I am the oldest person in the room. I don't necessarily like that, but it is a fact of life.
I was born into a world where privacy was considered your right and respected. I am appalled by the willful collection of private information far beyond what is necessary or legitimate.
Orwell's ''1984'' arrived over a decade ago and has been far surpassed. We appreciate this hearing so that we can judge, ''surpassed by how much?''
Chairwoman ROUKEMA. I am sorry. I was still concerned about age. And Mr. Vento observed also, and I think it was a good observation, so I did not hear your last statement, that you are a privacy fundamentalist. I think I share that with you, if not your age. Thank you.
Mrs. MALONEY. Thank you, Madam Chairwoman. I would simply like to be associated with the concern expressed by my colleagues. I would like to request that my opening remarks in total be put into the record.
First of all, I would like especially to welcome my former colleague, Leslie Byrne. It is so good to see you again.
I would just simply like to add my own concern that every day we give a little piece of ourselves. With every purchase we make, every form we fill out, every withdrawal we make, someone somewhere is collecting information about us. Sometimes we are aware of it when we fill out an application for a loan, but sometimes we are totally unaware of the information that is being gathered about us. We certainly do need to examine the laws which already exist and examine whether they are still appropriate in this ever-progressing and advancing era.
Certainly, businesses have the need to expand their marketing base. Consumers certainly have a right to protect their privacy. The area that I feel is probably the greatest problem area is when information a consumer gives to one business is then sold to another. The consumer usually has no knowledge, let alone control, over the new business which now has this personal information.
I would simply like to add that I believe that by better understanding the new relationship between technology, information and business, we will be better able to address the concerns of the consumer without harming business opportunity.
I look forward to the comments of the panels, and I ask that my remarks, in total, be put in the record. Thank you.
Chairwoman ROUKEMA. Thank you.
And we are also pleased that Congresswoman Kelly is with us today.
Mrs. KELLY. Thank you, Madam Chairwoman. I would like to thank you and Ranking Member Vento for agreeing to hold this hearing on the privacy of consumers' financial information. I don't believe we could hold a hearing on a more timely and potentially troublesome area as we move into the 21st century.
As the representative of New York's 19th District, I am fortunate to have the headquarters of IBM in my district. I mention this not only to highlight their importance to me as one of the area's largest employers, but also to thank them for helping me prepare for this hearing. In conversations I have had with the folks at IBM, I have gained much better insights into the amount of information that is available about us electronically, as well as ways by which individuals can gather information about us through seemingly unobtrusive questions, while simply conducting an on-line search. For example, if we are just looking for information about purchasing a car, without even typing a word, we are leaving a signature on each Web site we visit, detailing who we are and our e-mail address, and if the account we are using to access the page is personal or business, and, naturally, our interests. As the rate of electronic mail increases, the potential use and misuse of these lists is really alarming.
We all know the types of information that the Government and businesses use to identify us over the phone: name; address; ZIP code; Social Security number; mother's maiden name and so on. What I would like to focus on today is what information it takes to electronically identify ourselves, and therefore, for someone to falsify themselves electronically to commit fraud and steal from us.
Of course, I am focusing on electronic fraud since people are capable of perpetrating this from other countries, where our laws don't apply. I would like to submit an article for the record, Madam Chairwoman, from the April 21 edition of The Washington Times, which details a cybercrime, an electronic bank heist. It says that cybercrime averages $250,000. The headline on this article is ''Electronic Bank Robbers Flourish.'' I would like to submit that with unanimous consent for the record, please.
Chairwoman ROUKEMA. So moved, without objection.
Mrs. KELLY. Thank you.
This article details a Russian hacker's network that took untold sums from Citibank in 1994. Since then, Citibank has totally revamped its electronic security.
But I submit to this subcommittee, how much longer before foreign hackers begin to focus on individual holdings, gathering information available about us electronically, to pass themselves off as us? Ordering everything from additional credit cards to accessing our different accounts? The possibilities are really endless.
I am pleased that all of these witnesses were able to take the time to share their insights with us, and I look forward to working with all of the Members of this subcommittee as we learn about how little privacy we have for ourselves and personal financial information.
And, Jack, I want to tell you, you do have a few years on me, but I remember when privacy was a real thing, too.
Chairwoman ROUKEMA. All right. I thank my colleagues.
Now we move to our first panel of witnesses. I am very grateful that they were so willing to come and meet with our time constraints and our schedule here in the House.
The first panel, in one form or another, whether at the Federal level with our first two people, or at the State level, have a direct application to their responsibilities, not only to oversight, but implementation and enforcement of the legislation that deals with these privacy issues and the transfer of information a consumer needs here. So we are particularly hopeful that you can give us an overview, with some specificity, about how we, as a responsible Congress, can address these issues.
I also would like to make the point, and I think I neglected it in my introduction, that in that same Money Magazine article which indicated the concerns that consumers have, there was also an indication of perhaps as many as 29 percent of those surveyed felt strongly that their financial, medical or personal privacy had already been violated. I don't know whether that is consistent with your studies, your experience and your knowledge in the field, but I would be happy if you would address them.
Now, before introducing each of you individually, let me also say we have some time constraints. I would hope that you could keep your comments, your statements, to 5 minutes, and I will try to be as understanding as necessary; but we would like to conclude the hearing here in a timely manner because we will only be more and more interrupted by legislative business on the floor the longer we continue.
Mr. VENTO. Madam Chairwoman, could I just extend a special welcome to Leslie Byrne, the Director and Special Assistant to the President for the U.S. Office of Consumer Affairs. She came to my District some months ago and we held a conference, unfortunately not a well-attended conference, about privacy on the Internet. But I am grateful for her work and interest in this. I think it points out the importance of this function within the Office of Consumer Affairs and, hopefully some day it will attain the status it once had. I know she is working very hard on this issue, and we appreciate her participation here today.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you.
Yes, I will introduce our first witness, former Congresswoman Leslie Byrne, and I stress that because she has a perspective from both sides of the desk here, both as a former Member of Congress and now as Director and Special Assistant to the President for the U.S. Office of Consumer Affairs. You give us a very practical insight into the problems.
STATEMENT OF LESLIE L. BYRNE, SPECIAL ASSISTANT TO THE PRESIDENT; DIRECTOR, U.S. OFFICE OF CONSUMER AFFAIRS
Ms. BYRNE. Thank you, Madam Chairwoman. It is good to be here with you and the other Members of the subcommittee today and to discuss electronic commerce and the use of personal and financial information in the marketplace. It is indeed the stuff of ''Big Brother.''
You hit the nail on the head. I guess the real question now is, what do we do with this unruly sibling?
Technology is moving so quickly that consumers sometimes feel that they are witnessing a revolution without really understanding it. Despite the enormous amounts of money invested in this new technology, the predictions about its potential will fall flat unless we remove the stumbling blocks that consumers feel are there for their participation.
For example, the electronic commerce industry itself has begun to understand that the promise of this segment of the economy will succeed only when consumers trust the technology and have confidence in on-line providers of goods and services.
Technology can offer us many benefits, including cost savings and faster service and more choices. As it stands today, it also has some drawbacks. One of the most serious is the potential loss of privacy. The lack of control over how our personal information is used is of deep concern to most of us. It becomes even more pressing when face-to-face transactions are replaced by automated ones. In a face-to-face transaction, a consumer can rely on a number of clues to verify the legitimacy of that transaction and that vendor.
For example, Madam Chairwoman, if I buy a ''Rolex'' off a guy on the street, I have a pretty good idea it's a fake. If that watch stops the next day, I know I am out of luck. On the other hand, if I go cybershopping and click onto the home page of what appears to be a legitimate jewelry store that offers me that same ''Rolex,'' I cannot tell if it is that same street vendor dressed up in cyberclothes, or it is the real thing?
As recent media accounts about America Online's experiences with fraudulent efforts to collect credit card numbers of subscribers show, in cyberspace it can be very hard to tell legitimate operators from con artists.
In addition, in the real world, the individual can also exercise choices about how to complete transactions. For example, payment can be made with cash, check, either credit or debit card. In the electronic marketplace, a credit or debit card is usually required. While I believe consumers understand that credit and debit card purchases leave a trail in the form of an itemized bill, I don't believe that the majority of consumers understand that when they shop on-line, they are leaving an electronic trail that can be followed by those who know what Web sites they have visited. This is called a ''click stream,'' Madam Chairwoman. And this ''click stream'' of visits is used to detail a profile about that individual's interests, their buying habits and their personal lives.
Both on-line and off-line, identity theft is the fastest growing segment of the estimated $10 billion in credit card fraud a year. A con artist uses the identity of an unsuspecting consumer to acquire credit in that consumer's name. By the time the consumer has found out about the fraud, his or her credit is often ruined. It can take years to clear this up.
On the subject of debit cards specifically, it has been noted in news stories that banks are increasingly sending consumers dual-use cards; the card is an ATM card and a debit card. While most people don't understand how they can use these cards, it is often overlooked and misunderstood how the use for an ATM is a debit card, often draining their checking accounts before that misunderstanding is cleared up. As a result of these kinds of identity thefts, the drain on these accounts can be severe.
In addition, because debit cards look like credit cards, some consumers have assumed that protections and, particularly, liability for theft or misuse is the same. Fortunately, to their credit, MasterCard, Visa and the Bank of America just announced voluntarily that they were going to equalize the amount of liability for debit cards to that of credit cards, which is $50.
Information about consumers offers a competitive advantage, Madam Chairwoman. This information is now viewed as a commodity in and of itself. It has turned the normal buyer/seller transaction relationship on its head. You may buy something from a store, but that store wants more than payment for goods and services. It wants the facts about you that make you who you are. Recent articles about data mining suggest that the common industry view is to collect as much information as possible about consumers and figure out how to use it later.
Madam Chairwoman, we believe that there are some basic privacy principles that we have included in our testimony that we submit for the record. We want to work with you in having those implemented, and I say this with some sense of irony because, Madam Chairwoman, as the only Federal agency that deals as the consumer advocate for privacy in the Federal Government, we have been zeroed out by the House and Senate Appropriations Committees.
So, I hope that we are here to help you in your deliberations. And the fact is that when business privacy is in question, we call it piracy. When we talk about intellectual property, we put in a lot of effort. We had hearings here in this building yesterday about intellectual property. If we look at individual information as stringently as we look at business information and ask for the same kind of protections, I think we will make great gains on this subject for the American people.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you, Ms. Byrne. Excuse me, you indicated that you were zeroed out where?
Ms. BYRNE. In the House and Senate Appropriations Committees.
Chairwoman ROUKEMA. In both?
Ms. BYRNE. Yes.
Chairwoman ROUKEMA. All right. By the way, you referenced debit cards. In our hearing next week, we will address that aspect of the question.
Mr. Medine, I don't want to shortchange you in your testimony. I think this is the best time for us to adjourn for maybe 10 to 15 minutes and then come back so that we can really concentrate on your testimony.
Thank you. There is a vote on the floor of the House.
Excuse me. The lights did not show. I don't know whether they are deficient or what the problem is, but there are evidently two votes in sequence, so it will be at least a 15 minute adjournment. Thank you.
[Recess.]
Chairwoman ROUKEMA. Will the hearing come to order, please? We will want to move this along before we get interrupted again. We have been alerted that there may be some, what I call ''fun and games'' on the floor today. So hopefully those who are speculating are wrong.
I won't repeat what Mr. Vento just whispered.
Mr. Medine, David Medine--I did pronounce that correctly?
Mr. MEDINE. Yes, you did. Thank you.
Chairwoman ROUKEMA. Mr. Medine is our next witness. And he is Associate Director of the Credit Practices Division for the Federal Trade Commission and is certainly well-known for his extensive background and knowledge on financial privacy matters.
And I believe, Mr. Medine, you have a direct responsibility, do you not, for enforcement of legislation?
Mr. MEDINE. Yes, we do.
Chairwoman ROUKEMA. The existing legislation?
Mr. MEDINE. Yes.
Chairwoman ROUKEMA. I thank you very much for being with us here today, and we will turn the microphone over to you.
STATEMENT OF DAVID MEDINE, ASSOCIATE DIRECTOR OF CREDIT PRACTICES DIVISION, FEDERAL TRADE COMMISSION
Mr. MEDINE. Thank you, Chairwoman Roukema and Members of the subcommittee. I am pleased to appear on behalf of the Federal Trade Commission at this extremely timely hearing on the implications of emerging electronic payment systems on an individual's privacy.
Changes in electronic payment systems will facilitate a marketing revolution in which consumers may be making purchases on interactive television, or their computer, or through payment devices not yet even invented. Great demands will be put on new payment systems to make sure they provide consumers with both convenience and security. Privacy and consumer protection issues will present an overarching policy question: What is the appropriate role of Government in the development and deployment of new electronic payment systems?
On the one hand, it can be argued that without effective Government regulation, there will not be sufficient public confidence in the security, effectiveness and fairness of these new electronic payment systems to permit their development. On the other hand, premature Government regulation could chill or prevent the market from developing optimal solutions. Particularly at the early stages of new technologies, where new issues will take shape gradually over time, there is a good case for Government restraint. For now, Government should continue to monitor the development of the marketplace for electronic payment systems to ensure that consumers are getting the information they need to make informed choices about protecting the privacy of their financial transactions.
In order to become a part of consumers' everyday lives, however, electronic money must be widely accepted, convenient and secure. Our consumer protection experience has shown that payment systems will be accepted by consumers only when they are confident that those systems offer a sufficient level of privacy and security. Electronic money presents a wide array of consumer protection issues, including liability for unauthorized use and dispute resolution procedures. While the focus of this hearing is on privacy, we should not forget the need to address these important consumer protection concerns. In fact, in some situations, there may even be a tradeoff between consumer protection and privacy, and each must be fully understood to evaluate potential tradeoffs.
In the developing electronic marketplace, consumers may not know the potential exists to monitor not just their ultimate purchases, but the whole on-line shopping process that led to the purchases. In the on-line environment, it will be possible for merchants not only to know what a consumer purchased, but also what other items he or she examined, for how long, and at what point this took place during the store visit. There are currently few, if any, controls on the use to which this consumer transaction information is put. Merchants are generally free to gather and use such information for their own purposes and to sell or rent it to third parties without notice to consumers. This information can then be combined with demographic information and data from other merchants to create detailed profiles of individual consumers, which can enable merchants to more successfully market their goods or services. The Commission has learned through its privacy workshops that some consumers might not care whether this information is captured, especially if it results in their getting better service or individually tailored offers in the future. On the other hand, others might be highly offended. Shopping for some products, books, magazines, videos may raise even more sensitivity to privacy concerns.
The Commission expects privacy to be relevant to consumers' willingness to use electronic money in making payments, whether on the Internet or at the corner drugstore. Consumers' privacy can be protected in two major ways when using electronic payment systems: First, electronic transactions can be anonymous, so that no personal information about the consumer is gathered. Anonymity protects consumers' privacy, but it also has drawbacks. It is important to recognize that the dominant method of payment in this country, both in terms of transactions and dollar amount transacted, is paper currency--cash and checks. Cash, of course, is a fully anonymous payment system. There is no way to tie information about a transaction to a particular consumer if cash is used, which offers substantial benefits and detriments to consumers. On the benefits side, consumers can purchase items they may not want others to know they have purchased, either due to the sensitivity of the item or a general desire not to be observed when making purchases. A major detriment, however, is that cash payments may inhibit consumers' ability to take advantage of certain consumer protections such as those provided for credit or debit cards. The greater concern is that if cash is lost, it cannot be replaced. The same risk would apply to electronic payment systems that do not offer an audit trail. If those payment systems are lost, so is the value of payment stored on them. On the one hand, one important benefit of anonymity is that it could significantly reduce the incidence of identity theft. Identity theft involves a criminal takeover of a consumer's existing credit accounts or the opening of new accounts in a consumer's name. Clearly it is much harder to assume someone's identity when their payment identity is anonymous.
If confronted by this dichotomy of anonymity versus accountability, the market should decide which approach is preferable. In fact, the marketplace approach to this issue could well mean that both systems could thrive. The key to making this marketplace work is consumer education and disclosure of important terms and information about electronic products. Only when consumers have been armed with this basic information can they intelligently decide what degree of privacy they will seek for their transactions.
Consumers will need to understand that with credit cards they get certain protections; debit cards, other protections; and that some stored-value cards may offer no protections at all. At some point, there may be a need to mandate uniform disclosure so that consumers can quickly and easily compare payment products and determine which product suits their needs best.
One Federal statutory scheme governing the use of consumers' transaction information can be found in the Fair Credit Reporting Act--
Can I have your indulgence for another minute to complete my statement?
Chairwoman ROUKEMA. Yes. I would be happy to extend that.
Mr. MEDINE. Which bears on the privacy protections afforded such information. The subcommittee may want to examine the impact of technological developments on the degree of protection the Fair Credit Reporting Act will afford financial information in the future. The FCRA is premised on the notion that financial information will be pooled into large databases such as those operated by the major credit bureaus. However, developments in cyberbanking and computer networking technology suggest that the past efficiencies of large databases may not be nearly as great in the future. In the event that large numbers of individual merchants choose to report information on their transactions with consumers directly to other merchants, it will be possible to create detailed financial profiles on consumers that escape any protection under the Fair Credit Reporting Act.
In addition, in last year's amendments to the Fair Credit Reporting Act, Congress permitted affiliated companies to share information, even credit reports, free from most of the FCRA's restrictions. The subcommittee may wish to examine whether these lessened protections for affiliated companies sharing information raise special concerns in the cyberbanking or electronic payments context, where detailed and sometimes sensitive information about consumers is gathered.
In considering whether to regulate electronic money, it makes sense to err on the side of under-, rather than over-regulation. Market-created solutions, voluntary self-regulation, and technological fixes may be sufficient. However, if private solutions prove inadequate, Government should be ready to act. The utility of efficient, decentralized marketing on interactive television, the Internet and future technologies is too valuable to be allowed to evaporate because an effective payment system does not develop.
Chairwoman ROUKEMA. I thank you.
We now have the final member of this first panel, Dan Greenwood, who will be here to give us an additional perspective. Mr. Greenwood is Deputy General Counsel for the Information Technology Division, the Commonwealth of Massachusetts, so he gives us a State perspective.
STATEMENT OF DANIEL J. GREENWOOD, DEPUTY GENERAL COUNSEL, INFORMATION TECHNOLOGY DIVISION, COMMONWEALTH OF MASSACHUSETTS
Mr. GREENWOOD. Thank you very much.
Chairwoman ROUKEMA. Welcome, Mr. Greenwood.
Mr. GREENWOOD. I guess I win the title, or I win the race for the longest title. I would really like to, on behalf of the Commonwealth, thank you very much for inviting us to testify today. I think it is important that State perspectives are brought to bear on this issue, because it does cut across areas of law and jurisdiction.
I think it is safe to say in the Commonwealth of Massachusetts that we have taken a leadership position with electronic commerce policy at a State level, but also with consumer protection laws more generally and certainly those relating to banking and financial services. I am pleased to say that many of the remarks that I had submitted for the record have already been echoed by my colleagues here, and so in the interest of time, also, why don't I just quickly skip across the top of the waves? I would like to emphasize a couple of things that haven't been mentioned from a State perspective.
First of all, States are really in the electronic commerce game as users. In Massachusetts, for instance, now you can renew a vehicle registration, you can pay traffic citations, even order vanity license plates over our Web site. We accept credit cards--and that is with encrypted data, between the browser and the server.
We are also permitting banks in our jurisdiction, and other financial institutions, to do some filings with our division of banks, and that is being secured and also authenticated by use of so-called ''digital certificates,'' which are public key cryptography-based instruments which perhaps we can get into later. But I think, as a technology, that is going to end up playing very heavily indeed into how it is we look at security and privacy issues in terms of the technical reality, developing implementations, and that that probably ought to guide some policy development too.
Also, vendors can now get solicitations on the Web. We have discovered from a user's perspective that this has been very useful for our business and it has also been extremely useful for businesses in our jurisdiction. We are the home of a lot of so-called ''cyberindustries,'' and banks in Massachusetts, like elsewhere, are beginning to use this technology; and increasingly they are looking to us to set policy and implement laws where there have been some perceived obstacles.
In terms of privacy, to the extent you start to look at the potential need for congressional action in this area, I would again just really encourage you to take a close look at the relationship between that action and existing bodies of State law. To the extent that that action would preempt State law, particularly in areas that involve electronic commerce, electronic transactions, we are starting to discover that there can be implications that really are non-obvious at the start of the drafting process.
We have 239-some-odd specific provisions in the Massachusetts General Laws, for instance, that deal, head on, with privacy or confidentiality of information; and this morning, before coming out, I did another search for ''shall not disclose,'' or ''may not disclose,'' or ''disclose only if''; and then I got hundreds more, which dealt with every different area of the economy, public and private sector, and depending on how legislation was drafted, could have effects beyond, you know--that we ought to talk about.
We have been also at the State level, I think, out ahead of the Federal Government in the area of electronic contracts and so-called ''electronic signature'' legislation, and to the extent that that involves electronic records, privacy issues have been implicated. I think now there are some 12 or 13 States that have enacted such legislation. Massachusetts has some on the drawing board.
The National Conference of Commissioners on Uniform State Law is now looking at a Uniform Electronic Transactions Act which has, in part, modeled State rules for electronic records and, certainly, for records in the hands of the Government, and I think they are going to have to look at the questions of privacy.
In terms of banking, the committee did ask, what is the relationship between, for instance, the Fair Credit Reporting Act and State law in Massachusetts? I am going to submit for the record a short analysis piece that we have, but the amended Fair Credit Reporting Act specifically exempts from the preemption--from parts of the preemption--an area of Massachusetts General Law where our privacy requirements actually exceed those of the Fair Credit Reporting Act. I believe Vermont and California law were similarly--or parts of it--were similarly exempted from that preemption.
And so, again, I would like to suggest that, as you move forward, that we continue some sort of communication or dialogue, either through inclusion--certainly the National Governors Association has been a good focal point for communications, and other forums where we can make sure that we are synching up law and policy at the State level, where I foresee we will continue to exercise our traditional jurisdictions in areas like contracts and privacy law, signature law, electronic commerce, Uniform Commercial Code to the extent that implicates electronic commerce.
And I think we are going to--I can tell you for a fact that we are very concerned that we not only do this uniformly at a State level, but that we continue communications to make sure that it makes sense in a national structure and fits in well with what you have in mind at the Federal level.
If I could just close by--well, I guess for the record, I am going to submit a couple of things that the National Governors Association are doing with something called the United States Innovation Partnership, a partnership between the NGA and the White House Office of Technology Policy, where we are attempting to find another forum to specifically sync up technology policy between the States and the Federal Government. We have been very active in Massachusetts in the electronic commerce portion of that. Certainly the banking and financial payments area is an important part, and that is another forum where we are looking to create communication.
In the future, we would like to make ourselves available to continue the dialogue about coming up with a consistent legal and policy infrastructure to support electronic commerce at the State and the Federal level.
So with that, I would like to conclude my remarks.
Chairwoman ROUKEMA. I thank you very much.
I have a couple of questions with respect to your last statement, Mr. Greenwood, and perhaps it is included in that portion that you want included in the record, that report that you want included in the record; but if you could submit for the record, with more specificity perhaps, your concerns on how we can coordinate both the State and the Federal, you know, it would seem to me that inevitably there is a tremendous conflict here--maybe not--but I would like to have more information on that.
I don't think we have time to go into it in any great detail right at this moment, but--unless you have a very brief statement to make.
Mr. GREENWOOD. Very briefly.
Chairwoman ROUKEMA. Yes.
Mr. GREENWOOD. Like I say, I brought with me to submit for the record, some materials from the National Conference of Commissioners on Uniform State Law that has a Federal liaison committee, and also a statement from the National Governors Association, where the governors specifically call for consultative forums, and they have some ideas on that which we support in Massachusetts. I will submit that.
Chairwoman ROUKEMA. That would be very helpful. I thank you for that.
Now, for our other two members, and you as well, Mr. Greenwood, if you want to contribute, but I am very concerned, because I didn't get quite the clear insight that I hoped I would hear, and it may have been because of the disruption here in terms of the vote that we had.
And I did hear Mr. Medine refer to market solutions and, as a good Republican, I always like to think of market solutions. However, I am not quite sure what your experience has been--based on what your experience has been, if you wouldn't give us some precise understanding of how the Fair Credit Reporting Act might be improved.
I guess you made one reference to it, that is, the information-sharing provision of the Fair Credit Reporting Act. I think you see that as a problem, and I am not quite understanding of that.
But aside from that, is there a specific way that we could improve the legislation, aside from the monitoring that you are talking about, based on your experience, before this becomes a horrendous problem; and before that sibling that Ms. Byrne referred to, ''Big Brother'' sibling, is any further unruly and out of control?
Can you give us one specific example, or would you say that need is not yet proven? I will start with Mr. Medine and then Ms. Byrne.
Mr. MEDINE. As regards the Fair Credit Reporting Act, I think there are two areas that would be worth the subcommittee focusing on. One is, in the last session, there were amendments passed to the Fair Credit Reporting Act which allowed affiliated companies to share very sensitive information about consumers, including credit reports, without the substantial protections that are otherwise accorded that kind of financial information.
The idea was to increase the efficiency of operations within companies in terms of affiliates sharing information; and there's nothing wrong with that. But those protections that consumers value in terms of access to the information, the ability to correct it and the responsibility for accuracy, were lost in that process. And I think it might well be worth reexamining, in the privacy context, whether too much was given in terms of the facilitating of sharing, which can benefit consumers in terms of increasing offers and the ability of consumers to do more business with affiliated companies, without losing those protections at the same time.
The second question down the road is, credit bureaus exist really because of the efficiency of sharing large amounts of data in one place. With networked computers and the Internet, it is not clear that that is really going to be the way companies communicate in the future. They may communicate directly with each other and create electronic profiles through the network, essentially, and avoid the large databases. If that happens, the Fair Credit Reporting Act won't apply at all to the gathering and distribution of that information; and so, in terms of the amendments that were passed last year, which in many ways improved privacy and accuracy, they didn't focus on the future exchange of information in the form of electronic commerce and electronic payments. And there may be some substantial losses to consumers there.
Chairwoman ROUKEMA. Is there a reason why we should try to protect the credit dissemination, or should we just accept the fact that it is an anachronism under existing law?
Mr. MEDINE. Well, we would urge you to consider ways of protecting it while still balancing the ability for a free flow of information, but protect consumers from profiles being created about them which may cause them to lose jobs, lose the opportunity to get credit or insurance or other valuable benefits based on incorrect information that they have no right to see.
So the question is, can you balance the protections of privacy in terms of accuracy and correction with the free flow of information in the marketplace?
Chairwoman ROUKEMA. And some legitimate needs for credit information if a sound business judgment is to be made.
But you have got to help us find that definition.
Mr. MEDINE. We would be happy to help you.
Chairwoman ROUKEMA. Will you do that?
Ms. Byrne, please.
Ms. BYRNE. I echo Mr. Medine's comments. And just to give you an example of what this affiliate sharing means, that a card issuer can share with an affiliate travel agency, who can share with an affiliate publisher, who can share with an affiliate list compiler; and that is how this information goes through the system. So the Fair Credit Reporting Act enabled all of these affiliates to start passing this information around without the ability, once it has left the credit bureau or the credit card issuer, to correct false information; and it can end up anyplace.
The other thing that I would point out to you, Madam Chairwoman, is that while card companies and banks make good-faith efforts to highlight their privacy policies--and they are going to tell you about that later this afternoon, I am sure. I brought a couple of samples that came across my mailbox.
This is my credit card from Nordstrom's, and it says, under all of this verbiage: Number 15, Sharing Information: Nordstrom's may share information about its experiences and transactions relating to me with its affiliates and other parties.
That is your notification.
Chairwoman ROUKEMA. ''And other parties.''
Ms. BYRNE. ''And other parties.''
Chairwoman ROUKEMA. Will you submit that for the record?
Ms. BYRNE. I will indeed.
Chairwoman ROUKEMA. Thank you.
Ms. BYRNE. American Express does a much more comprehensive job, but it also goes on to say, ''For mailing lists, we may use information you have provided to us on your initial application; in surveys; information derived from how you use the card and information from external sources, including consumer reports, for marketing activities, including mailing lists, by us and our affiliates.''
And then it goes through a process on both of these that at some point you can call a 1-800 number, if you can get through, to tell them that, ''No, I don't want this.''
Chairwoman ROUKEMA. Thank you.
Mr. BEREUTER. Madam Chairwoman.
Chairwoman ROUKEMA. Yes. I yield to Congressman Bereuter.
Mr. BEREUTER. I think we ought to make sure the record is correct here. The sharing between affiliates is authorized by law. The sharing with other parties, as the first of those examples indicated, is not sanctioned by law, and that could be disputed.
And I did want to point out what our former colleague just pointed out, that there is an opt-out arrangement that must be there, but that is for affiliate sharing and there is no authorization for sharing it beyond that under Federal statute. And I do want to point out that the gentleman's statement on page 18 gives the implication that Congress did not consider this ''not subject to hearing.''
Those provisions were in the legislation when first introduced. They were subject to debate and consideration, and I do not like the incorrect information that you are conveying on page 18.
Mr. MEDINE. Sorry. I didn't intend to convey that although it was not subject to hearings, it was a discussion in markups and subsequent debate.
Mr. BEREUTER. But the legislation was subject to hearings. It was in the legislation from the beginning. It did not come as an amendment.
Mr. VENTO. If the gentlelady would yield.
Chairwoman ROUKEMA. I would be happy to yield.
Mr. VENTO. I don't know that there is any disagreement about the statement from Nordstrom's, because they can share. The only thing they cannot share is the credit rating and the credit rating information. They can share preferences and purchase patterns and so forth. And, of course, not only can they, but, I mean, under the Fair Credit Reporting, as Mr. Medine has pointed out on page 17, that the Fair Credit Reporting has a significant exclusion; information about entities, direct transactions with the consumer can be transmitted to anyone without making the source--you know, without making the source a consumer reporting agency or credit bureau.
I agree with the gentleman from Nebraska that there was debate on the affiliate issue. In fact, it passed in one Congress on the House floor. It was a matter of a vote there. And then in the next Congress, perhaps it didn't have, as a process a pure type of path, but it was debated in terms of what went on with regard to the affiliate sharing.
Madam Chairwoman, maybe you should recognize me on my own time.
Chairwoman ROUKEMA. This is a good example of why we are having a hearing, in view of the experience of the legislation we have now, that this particular issue should come up for a thorough analysis and review. It is not a black-and-white issue necessarily, but we have to base our judgments now on the experience of the last few years.
I certainly would say that many of us, given the extraordinary advancements of technology, perhaps did not understand the full implications of affiliate sharing and how it is working out.
We don't yet have evidence of necessarily serious legal or personal violations here, but that is something that we do have to look into.
I will yield now to our colleague.
Mr. VENTO. Thanks, Madam Chairwoman.
Chairwoman ROUKEMA. Ranking Member.
Mr. VENTO. Understanding I have had some time, but let me just say, I think this is a good point, this affiliate sharing, and I think it just is one more law where even though there was this sharing--I mean, most of us voted for it, understanding what it did and the implications of the electronic age and so forth. That is the least of our problems.
The problem today is that each of these laws have loose ends, including Fair Credit Reporting, which is rather more closely regulated than some. If you look at other financial institution laws--and I just want to call to my colleague from Nebraska's attention that most of them have no prohibition or limitation on sharing of the information. The fact that they don't share information is because it is proprietary, and it is to their advantage to keep it.
But the question today is where most of that information was accumulated, it was benign, because it was sitting out there in an unorganized mass of paper and other details that could not be woven together. It is like a blind man trying to describe an elephant; you know, we have all heard the analogy so I need not go through it.
But today you get a--not just a horizontal or a vertical, but a three-dimensional picture. You get the entire profile of everything that is taking place. So now, what was benign information that Nordstrom's was passing around to whomever they could do it, all of a sudden becomes a means of completing a complete click trail. It might be from the computer; it might be from a retail store; it may be from American Express; it could be from a bank.
But now we have to understand that, you know, what is the deal? And I think the issue is, here, yes, consumers have a responsibility. The question is: Do they have the tools and the ability to control it? I think that is what Mr. Metcalf is concerned about when he talks about our rights to privacy: Do we have the tools to control that?
I would suggest that, beyond even implied consent, are the tools there if you want to do it?
The question is: What is the responsibility of those affiliates or what is the responsibility of Nordstrom's in terms of, yes, they can accumulate this data, but what is their responsibility on how it is put forward? Do they have any responsibility?
I would think, yes, they have some responsibility to make certain that this is used in a bona fide way.
We talk about--and I have nothing against self-regulation--do all Web sites now have a consumer policy with regard to sharing of information, Consumer Advocate Byrne?
You are going to hear people talk about ''click streams'' and ''cookies'' and be able to trace people from place to place on the Web, and I am not a technocrat, so I will let others explain all of that to you.
Mr. VENTO. This is a new type of Cookie Monster.
Ms. BYRNE. A bad Cookie Monster. But the fact is that those who aren't explaining their privacy policies are going to, I believe, suffer the consequences of not doing that, and that is, people won't participate.
We also need to understand that to have solutions, we need a context, and if this subcommittee can do anything in having self-regulation work, it can give goals and context to those self-regulatory efforts, because right now it is kind of spread across the horizon.
Mr. VENTO. Well, we need to play our role here. I think it is going to be key.
Mr. Medine, there is no standard agreed upon--when I get to one Web site, I may have one particular policy. When I get to another, I may have another. There is no commonality. So it is a task; in terms of trying to rationalize this, it may be extremely difficult for those of us that would be or could be, if it were required, if there were some standards and so forth here, but we need to set some sort of a basic foundation.
I want to point out that I believe in the free enterprise system. I don't believe that legislation should be such that we would structure it to change the entire dynamic of our economy. It has to work.
As a matter of fact, whether we like it or not, we are all going to be part of this electronic age. Just ask those 10 million people that don't have checking accounts right now at banks that are going to have their payments directed to financial institutions. They are going to have to become part of that system, a piece of it. And so it is sort of involuntary, as a matter of fact, and Congress has voted to make it to some extent involuntary.
So I think we need to stay engaged and hopefully we can find some common ground.
There is much more I would like to ask, but I respect the fact that many of our colleagues are here, Madam Chairwoman, and I am going to yield back.
Chairwoman ROUKEMA. Thank you. Thank you.
Mr. BEREUTER. Thank you very much.
Thank you, Madam Chairwoman.
Mr. Greenwood, I have a couple of questions for you, and perhaps it is in your written material which you supplemented, but I have not had a chance to read it in its entirety. I am wondering--I noticed, for example, that you are discussing the National Governors Association and others, including the Secretary of Commerce and the White House, involved in the United States Innovative Partnership, looking at the national technology policy.
Beyond that, is there an attempt ongoing to develop some kind of a unified, or at least coordinated, State position on consumer privacy issues as they relate to the issues we are talking about here today? Are the States coming up with a common set of guidelines for enacting legislation?
Mr. GREENWOOD. I would have to say that there is not currently a mature effort to do that. However, there are a number of efforts that are afoot now among the CIOs of the States, the comptrollers, the purchasing officers and other sort of high-staff-level people involved in electronic commerce policy, to coordinate our efforts generally. And consumer issues, privacy issues, our own information practices issues, are often on those agendas. But I don't know that we have taken this square on on its own merits at this time.
Mr. BEREUTER. All right. We are told that you are a leader in Massachusetts, the Commonwealth, in experimenting with on-line technology. Could you briefly describe security measures being used in this system and explain whether or not they are applicable to protecting sensitive information which would be transferred over the Internet?
Mr. GREENWOOD. Yes. Very briefly, I would say we are attempting to use the same tools available in the private electronic commerce marketplace to make it easier, we hope, for citizens and businesses. Encryption is one of the best tools available at this time, that we have come across. For credit card numbers, we are using a protocol known as SSL 2, Secure Sockets Layer 2.0, which allows for a point-to-point encrypted session between a browser and a server. So the data, in this case, credit card data for our registered motor vehicle pilots, is encrypted. If it were intercepted over the Internet, one couldn't read it.
We are also using cryptography in another way to get at another dimension of information security, which is the authentication piece. How do you know who you are dealing with on the other side of a transaction, whether it is the merchant side or the consumer side? And, unfortunately, I can't describe that briefly, but I will tell you the moniker is something called public key cryptography and we are using digital certificates.
We have relationships with so-called certificate authorities, and we are in a multistate effort now. I was in Washington again just this past Monday with representatives from a number of other States where we are now working with NACHA, a clearinghouse association, to come up with national standards for how we will deal with certificate authorities and how we will have digital signature standards more generally. That is going to be an area that I think is going to have to be looked at very closely because it does raise policy issues.
Mr. BEREUTER. Thank you very much.
Director Byrne, you have indicated in the last few paragraphs of your testimony the five common-sense principles which you identify for us, that you think should be used, that are relevant today to protect the privacy of personal information. Is the Office of Consumer Affairs prepared to begin to work with us on moving any necessary changes to implement those common-sense principles into statute and then into regulation?
Ms. BYRNE. Mr. Bereuter, we have been proponents of these principles since 1989 and we are trying our best to educate the consumers that these are what they should be looking for. We are prepared to go forward, again, as I mentioned, as long as we are in business, to help this subcommittee and others make these principles a reality. You will hear several of our industry friends here today talk about how they are trying to enforce very similar principles, and the question really comes down to implementation.
I don't think there is any disagreement among industry or consumer advocates about these principles. What we need is some kind of implementation mechanism.
Mr. BEREUTER. Have you reached a conclusion whether or not the implementation of these principles will require Federal action? Or can we rely on the private sector to adequately implement them to protect the consumer?
Ms. BYRNE. Again, it is trying to see, when we look at the privacy disclosures and the things that I read, the great differences. And to have some kind of context that is a legislative standardization of these principles, I think would be wise from the industry's point of view, because it saves them trouble, and from the consumer point of view, because they know exactly what they are looking for, and you and I can go ahead and educate them how to look for it.
Mr. BEREUTER. Thank you.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. I thank you, Mr. Bereuter.
Mr.--I am sorry, Ms. Kilpatrick. I am taking Members in the order of their arrival. Ms. Kilpatrick.
Ms. KILPATRICK. Thank you, Madam Chairwoman. I think my first question will be to Ms. Byrne.
Some mention was made about the affiliates exchanging information within their own institutions. I am aware of several times when lists are sold, and that seems to be one of the major concerns of constituents around my district and probably across America. How is their information "sold," in fact, when the law does allow that within affiliates it can be "shared," I would rather say; and many times, in many instances, they found that their name is sold on a list?
Is that not against the law? And what protections are there for those consumers?
Ms. BYRNE. Well, you have to recognize all of the sources for this information. One of the greatest sources of information that is sold comes from our State governments in selling their records, and so they sell records to list compilers. We have records coming in from credit sources, and this, what I call in my testimony "data mining," is where all of this compiled together. And the availability for sales is across all spectrums.
Now, affiliates can share; they can trade. I can--if I am an affiliate of a card issuer and I am a travel agency, I can trade my travel agency customers with the card issuer customers. So whether you call it trading or selling, it is still done.
Ms. KILPATRICK. Isn't that unethical?
Ms. BYRNE. Not under the law.
Ms. KILPATRICK. Does the law need to be changed or do you think it is OK that consumers would be used in this way?
Ms. BYRNE. I think the information sharing among affiliates has a great potential for mischief.
Ms. KILPATRICK. Are you recommending that Congress do something about it? I come from a State legislature, and you are right, many times the States are the biggest faulters of what we are discussing at the moment. Should some regulation--or really, can it be manipulated so that the consumer is better protected?
Ms. BYRNE. Well, the previous Congress took a good step in passing the Moran-Boxer Bill, which outlined for States how they were going to handle information on DMV records, on driver motor vehicle records. That was a positive way to address how States handle information. I think you would look to that model for how other information is used.
Ms. KILPATRICK. Thank you.
Another question, if I might, Madam Chairwoman, to Mr. Medine. Given that, that we just discussed and as the FTC looks at it and those of us who represent consumers across America, I too believe that consumers must be educated so that we know exactly how our information is used when we apply. What tools might we use, as Congresspeople, as FTC regulators, to better educate consumers to deal with what is happening to them to protect them in their creditworthiness?
Mr. MEDINE. Well, I think that you have touched on one of the most critical issues, which is consumers' understanding of information practices, because without understanding how their information is going to be used, consumers cannot make an intelligent choice about whether to enter into a transaction or deal with a particular merchant. And there are a number of ways that can be done.
The FTC has held a number of public workshops to try to highlight to consumers how information is being gathered and used. We have also encouraged companies to disclose their privacy policies; and in fact, in a letter to Congress in July, we indicated that next March we are going to be surfing the Net and counting how many Web sites, at least on a statistical basis, are disclosing privacy policies and report back to Congress the following June, about our findings. Our hope and expectation would be that a substantial majority of Web sites are posting privacy policies that indicate how consumers' information will be used that is gathered through the Internet, so again consumers can have some choice in this area. And we hope to find that and we think that will be industry's self-regulatory response.
If we don't find that, we will also, of course, report back to Congress that there is a failing in this area and that maybe greater attention needs to be given to informing consumers about information practices.
Ms. KILPATRICK. We certainly look for that information. And I think, finally, with this global world that we live in, it is almost going to be impossible even that we want to do these things and protect our constituents as well as consumers across America. But with the technology that is available, that is advancing every day, we are almost, you know, good to have it in one instance, but there are some downsides to it as well. And I count on the FTC, as well as the President's representatives and all of us, to look out for the people whom we represent.
Mr. MEDINE. Well, technology is a double-edged sword in that it can provide an opportunity to invade consumers' privacy as well as protect it, especially, as you point out, in the international arena where our laws only go to our borders; and this information is now being exchanged internationally. Sometimes technological solutions that limit the flow of information or put it into consumers' control may have a greater force than even the law in this area.
Chairwoman ROUKEMA. Mr. Medine, that was an interesting response to Ms. Kilpatrick's question. What did you say on the posting privacy policies on the Web site? There is a study being done by your commission and a survey or a study with recommendations that are coming forward when?
Mr. MEDINE. We responded to letters from Senator McCain and Chairman Bliley after we held some privacy workshops in June about where the FTC was going on privacy issues. And what we reported back in that letter, we would be happy to make a copy of that letter a part of the record if that would be helpful.
Chairwoman ROUKEMA. Yes, please.
Mr. MEDINE. We will do a survey of Web sites in March of 1998, and what we hope to find is a substantial majority of Web sites hosting privacy policies; and we will report back to the Congress in June of 1998 about the state of on-line privacy generally, but in particular, what we find in our survey.
Chairwoman ROUKEMA. All right. Thank you very much. I appreciate that.
Mr. BARRETT. Thank you, Madam Chairwoman.
When we talk about self-regulation or security guidelines, isn't there a problem with that if not all marketing organizations adhere to the guidelines and consumers are left with the risk?
Mr. Medine, if you could address that?
Mr. MEDINE. That is a challenge of self-regulation. It is not enough for the good members of the industry to come forward and adopt good policies. They have to adopt policies and procedures that protect consumers across the board. And, clearly, that is the challenge the industry faces in this area.
Mr. BARRETT. But it sounds like you are still advocating for us to take a reactive, rather than a proactive, approach to this. I think consumers are left holding the bag then.
Mr. MEDINE. Well, I think we are, fortunately, at an early stage of electronic commerce, where we have a chance for the technologies to develop and industry to be monitored to see if it is providing adequate protections and to intervene in situations where there are not adequate protections for consumers.
Mr. BARRETT. The other question I have deals with enforcement.
If you have a situation now where a provider of some sort tells you what they are going to use the information for--once it gets out into the World Wide Web and it is overseas or wherever it goes, where does our enforcement ability stop? How do we deal with that problem?
Mr. MEDINE. Well, I think there are legal challenges and practical challenges that we face in that area. In terms of our legal enforcement powers, there is no question we have jurisdiction over commerce that affects this country, even if the commerce comes from abroad. But there may be practical enforcement questions.
One example that recently came up, we were asked our opinion about a Web site that was based in Australia that we believed to be deceptive; and we might have had jurisdiction over it in this country, but as a practical matter, the site was based in Australia. What we did in that instance was to contact the Australian equivalent of the FTC and ask them to take a look at the Web site. And they were fully ready to jump in and they are investigating that Web site, because they recognized that even though relatively few Australians were victimized, it is now in everybody's interest to pursue fraudulent activities on the Internet.
So we are going to see far greater cooperation among the law enforcement agencies around the world, because we recognize it is in all of our interest to address these concerns.
Mr. BARRETT. OK. And I would like to welcome back my old classmate Leslie Byrne. It is good to see you. You look relaxed after Congress.
I didn't catch your oral testimony. But as I was looking through your written testimony, I saw your reference to an industry that is a hot spot issue to me, and that is debit cards. Earlier this year, I found out I had a debit card after I mistakenly used it to charge $300 over the phone. Thank God I had $300 in my checking account at the time.
But I had received it unsolicited, thinking that it was simply a replacement ATM card. And then when I learned that I was, in essence, carrying around signed blank checks because of the provisions that are in effect right now, I introduced a bill that has Congressman Schumer to deal with this.
And the Chairlady has been very receptive to looking at this issue, and I appreciate that. So I wanted to thank you for your interest in that area. And if you have any recommendations, we certainly would be open to those.
Ms. BYRNE. Well, your legislation, I think, would address a lot of the concerns that we have been hearing about from consumers who have had experiences just like yours.
I would like to take just one second to talk about the international picture because, in this global economy, it is important to understand that there are things going on across the globe to address privacy.
The European Union has come out with an EU directive on privacy that is much more strict and has a much more regulatory aspect to it than U.S. policy. One of the questions really is, can our companies compete overseas if they don't do better on privacy? Are they going to have self-imposed trade barriers when they try to do business overseas, because they have not addressed privacy that the EU directive demands? So that is a real question about how we are coming to grips with this in this worldwide marketplace.
Chairwoman ROUKEMA. Congressman Barrett, I might point out, or remind everyone, that next Wednesday we will have additional hearings on the debit card question that will be specific to the subject.
Mr. BARRETT. Thank you. I appreciate that very much. That is all, Madam Chairwoman.
Chairwoman ROUKEMA. Ms. Mahoney.
Mrs. MALONEY OF NEW YORK. It is Maloney.
Chairwoman ROUKEMA. I am sorry. I know better than that. I am sorry, Congresswoman.
Mrs. MALONEY OF NEW YORK. Mr. Greenwood, what kinds of information does a State gather about a person which can be accessed by a third party?
Mr. GREENWOOD. First of all, States do gather a dizzying array of information about people through various filings, certainly--you know, tax records, medical records through public hospitals, and so forth.
In terms of access by third-party detention, as I think was anticipated a little bit by prior comments, between the public records laws, our equivalent to FOI, and privacy interests, every State has some version of a public records law.
Let me speak to Massachusetts. Our public records law presumptively makes every record in the hands of our Government a public record unless it falls into one of several relatively narrowly crafted exceptions. Medical records and so forth are included in those exceptions.
And we are also one of the States that has a so-called Fair Information Practices Act, which gives people a right to prevent disclosure of information of a private nature. In my practice, I have come across times when I have been able to prevent disclosure of records, such as personnel files, based on that.
But I have to say that I characterize that as a constant twilight battle between fending off requests for public records based on privacy concerns and looking for adequate hooks in law to get to that result. And we do continually amend our public records law in Massachusetts to keep pace with the electronic realities of the data that we keep.
Mrs. MALONEY OF NEW YORK. Well, could you just elaborate a little bit more on the types of problems that have surfaced because of third-party access to these volumes of information that you are gathering in Massachusetts?
Mr. GREENWOOD. Just, for instance, we have a lot of data on our employees. Much of that data, I think for good policy reasons, is available. People want to know how we are spending our money, how we are managing the public affairs.
There were--actually I am not sure exactly what precipitated this, but recently there was an amendment to our public records law that exempted out the employee data, the name, the home address, and so forth for prosecutors, law enforcement officials, judges and so forth, which prior to that was public record.
I had to deal with a public records request as that amendment was going through for every solitary employee of the Commonwealth, and this is for direct marketing purposes; and we were able to arrange to exempt out some of those records. But that will be one example.
Mrs. MALONEY OF NEW YORK. OK. Thank you.
Chairwoman ROUKEMA. I thank you. I thank this panel. This has been very instructive, very helpful for us; and we will go over your testimony in detail and certainly compare
Mr. VENTO. Can we submit written questions? I realize we would like to move along, but I would like to submit written questions.
Chairwoman ROUKEMA. Oh, absolutely. All Members would be permitted with unanimous consent to submit questions to you for the official record. And we appreciate your cooperation.
Thank you very much. We certainly will be interested in comparing your testimony with that now of the private sector, the second panel that will be before us.
If this panel number two will come forward, please.
Thank you very much. I appreciate your patience and your willingness to come before us today to give us of your wisdom, based on the practical experience you have.
I am going to introduce you in the order in which you are seated, and it will be in that order that you will give testimony.
First, I welcome Dr. Alan Westin, who is Professor Emeritus of Public Law and Government at Columbia University, with a long history of teaching there for many years. Dr. Westin not only has a law degree from Harvard University, but also has a Ph.D. in Political Science.
Dr. Westin, I understand you are the author of 26 books.
Dr. WESTIN. Yes, I am.
Chairwoman ROUKEMA. And publisher of Privacy and American Business. We appreciate that. And of course your most notable claim to fame is that you are a resident of New Jersey.
Dr. WESTIN. Absolutely. Yes I am.
Chairwoman ROUKEMA. Thank you. Dr. Westin
STATEMENT OF DR. ALAN F. WESTIN, PROFESSOR EMERITUS OF PUBLIC LAW AND GOVERNMENT, COLUMBIA UNIVERSITY, PUBLISHER, "PRIVACY AND AMERICAN BUSINESS"
Dr. WESTIN. Thank you, Madam Chairwoman and Members of the subcommittee. As a privacy expert who has been looking at these issues now for 4 decades, I want to underscore how important I think it is that your subcommittee is holding these hearings, because unlike the European countries that have national regulatory commissions that cover the private sector, our tradition has been very much one of sector legislation and a mixture of market forces, private lawsuits, and sector legislation.
But when you have rapidly changing technology and some of the trends in financial applications of new information technology that I describe in my testimony, it becomes very important for committees of Congress to look hard at whether the existing structure of law and the existing practices in industry are adequate. And it is in that spirit that I think your gathering of information from a wide variety of sources is extremely appropriate.
What I have tried to do in my written testimony is to provide you with some survey material, some actual experience and then some judgments about what the directions are for voluntary activity, and also a judgment as to whether legislation would be appropriate at this moment.
Let me start quickly by summarizing some of the survey data. I have been the academic advisor on 24 national public opinion surveys on privacy since 1978 with both Louis Harris & Associates and Opinion Research Corporation in New Jersey.
Just this past May, Privacy and American Business sponsored, with Louis Harris, the first representative national survey of computer users in America, about 100 million persons who use computers today, and that included 44 million persons who were on the Internet.
In my testimony, I lay out the highlights of what we found. And also, as an appendix to my testimony, there is an issue of Privacy and American Business, which details all of these, and I would like to submit that for the record.
Chairwoman ROUKEMA. Yes, that will be in the record. Thank you.
Dr. WESTIN. Among the major survey findings are that, first, as many people know, consumers rank financial information along with medical information as the two most privacy-sensitive types of information collected about them.
Traditionally, the public has had high trust in banks and financial institutions to collect and use their financial information appropriately. But a number of trends in data mining and warehousing and target marketing and affiliate sharing and the breakdown of industry lines and the connection of the banks, insurance companies, and securities firms have begun to shake public confidence that the traditional trust in banks is merited.
And so we find much lower confidence today in credit card companies, on-line and Internet service providers, credit reporting agencies and others, a feeling, in other words, that consumers have not yet seen a set of policies and a set of practices enunciated and communicated to them that keeps pace with the much more rapid circulation of consumer information within these financial service communities.
The surveys also show that, in general, the American public is quite strong in favoring voluntary safeguards and voluntary policies over Government regulation if the private sector adopts such good policies and if they are widely supported.
A final highlight I would like to mention from the survey data is that consumers clearly differ in how they define privacy and their willingness to provide personal information in return for consumer opportunities. And that is why a one-size-fits-all concept of legislative intervention is pretty dangerous in this area. Much more important is a concept of notice and choice and variety, because that reflects much better what the survey data tells us about the differences people have about how comfortable they are to share information.
In the second section of my testimony, I describe what I think are the core voluntary principles that have emerged from various hearings and efficacy and industry sources. There are seven of these that are listed, and they range from no surreptitious or secret gathering of personally identified data and notice at the outset, provisions of choice, effective techniques to screen out unwanted commercial or other solicitations, a provision of inspection and correction opportunities, verification mechanisms and workable systems that challenge, and public education and response.
And many leading companies in the United States making use of the Internet have appreciated this. And so, in my testimony, I give examples on the home pages of companies like IBM, Equifax, Bell Atlantic and Time Warner, which all, as examples, state on their home pages what they collect, how they will use it, and often offer opt-out provisions to visitors as to how their information would be used.
Knowing that I was asked to testify, my center, the Center for Social and Legal Research, last week did a pilot survey of 50 banks and 22 investment firms with Web sites to see how widely those models of what the IBMs and the Equifaxes have done are being followed in the banking area.
And I should say that in all of these sites, personal information is being collected from consumers, either in requests for information forums, on-line banking, financial analysis models, signing up for various services, and so on.
And our findings are that no bank or investment firm Web site of all those we surveyed has on its homepage a privacy notice that tells individuals how their information is going to be used. And only three of the banks of the 39 that collected personal information offered an opt-out at the point at which they were collecting sensitive personal information from their customers.
Now, my sense is that the reason for this is that senior management in the banks have not yet stepped forward to tell their marketing people and the Web site developers that this is, indeed, what consumers expect and what good public policy and good industry policy ought to be.
My own sense, in other words, is this is not out of willfulness or a sense of disregard. But it does seem to me that your subcommittee has to measure the actual progress in this voluntary safeguard concept against what actually is being done.
In general, as I say in my testimony, I think that this is a period in which a tremendous amount of ferment is going on in the technology community, the industry community, the public interest community, and that many things are being done that are the models for what will be good practice. The problem is to make sure that these are followed, that they become the norms, and that they have remedies and enforcement mechanisms that are important.
Let me close by saying that I have, over 40 years, been a strong advocate of privacy legislation in particular sectors when the time was right. I was a lead witness for the Fair Credit Reporting Act in 1969 when it was passed in Congress, and I have supported privacy legislation in the health and medical area, digital communications, and a wide variety of other sectors. But I don't believe the time is right yet for legislation in the Internet and on-line area.
Our survey found, for example, when we asked a sample of people using the Internet and using on-line services, "Do you believe that your privacy has been invaded in your use of the on-line and Internet survey process?", only 5 percent of Internet users and 7 percent of on-line service subscribers reported that they had ever experienced any invasion of privacy while on-line and using the Internet.
And since we know that about that percentage of people believe Martians have come down in their backyard and taken away their young, I don't think that a 5 percent or 7 percent figure really ought to be seen as evidence of a tremendous, actually experienced invasion of privacy.
Therefore, I would argue that what a subcommittee like this needs to look at is, are there abuses and malpractices that have been documented that need to be addressed? Is there clear evidence of the failure of good voluntary efforts and practices to unfold in sufficient volume? And, finally, are there regulatory approaches that have a high likelihood of resolving problems effectively without creating even more serious problems in the regulatory effort?
Measured by those standards, I would suggest that the next two years or so is a wonderful time to watch and wait, but that the effort to frame legislation this year or next year, it seems to me, to be anticipative in the wrong sense and would not be a significant contribution to the process of development that is taking place in this area.
Chairwoman ROUKEMA. Thank you, Dr. Westin.
Marcia Z. Sullivan. We welcome you here today. Ms. Sullivan is Director of Government Relations for the Consumer Bankers Association, and one of the architects of the banking industry, as I understand it, your best practice is use of customer information. Do you accept credit for that?
Ms. SULLIVAN. I would love to be an architect.
Chairwoman ROUKEMA. Do you accept credit for that? In any case, you have considerable practical experience in this area, and if you will begin your testimony. Thank you.
STATEMENT OF MARCIA Z. SULLIVAN, VICE PRESIDENT AND DIRECTOR, GOVERNMENT RELATIONS, CONSUMER BANKERS ASSOCIATION
Ms. SULLIVAN. You are welcome, Chairwoman Roukema, thank you for the kind introduction. I appreciate the opportunity to appear today to talk about the ongoing efforts at CBA.
I would also like to say that I like the watch-and-wait philosophy of Dr. Westin to my left. I think all of us here would agree, having lived through working with you and your staff on the Fair Credit Reporting Act over the past--people say 7; I seem to remember 10 years--but, nonetheless, we think it is a good law, and we would like to talk about it some later.
As we heard today, electronic technologies have provided consumers with unparalleled choice and opportunities. We are also aware, however, that these new information technologies have raised concerns about the collection and the use of personal information. As a result, we know that it is clear that a balance must be struck between protecting individual privacy and the fair use of information.
I want to talk about a couple of things today. First, the principle of customer information or customer confidentiality on which banks operate today, is one on which they have operated for decades. Second, the development of industry-wide privacy principles such as those endorsed by CBA, ABA, The Bankers Roundtable, and BITS are very important; and I want to talk a little bit about our part in the development of that. And last, the current law and substantial oversight in Federal Government today in the area of privacy, which we welcome and we think has been--and is--quite substantial.
Banks have traditionally protected personal financial information. This has led to strong safeguards, ensuring the confidentiality and proper use of customer information. As a result, we believe that banks are well prepared to protect customer or consumer privacy in the electronic commerce age. Although the form and quantity of information may have changed, it is a change of degree and not in kind.
Protecting customer privacy is important to the very success of a financial institution.
Few consumers would patronize a bank that would fail to provide an adequate level of privacy. It is really easy for a dissatisfied customer to find another bank. In addition, the establishment of bank industry privacy principles strongly encourages banks to provide consumers with consistent assurance about the confidentiality of personal information.
Within the banking industry, we were at the forefront in developing these privacy principles or best practices guidelines. We responded to a growing concern over the use of customer information and its importance to the banking industry, and our board adopted guidelines to serve as a blueprint for institutions developing their own.
In order to help the banks implement the policy, we had a workshop a year ago and are doing another one very shortly with Morrison & Foerster--a firm that many of you have worked with on the Fair Credit Reporting Act--in order to help banks implement their policies.
This is a very difficult area. I have worked on it with the banks for years. Many of them are on the cusp of actually making their policies public; as Dr. Westin mentioned, PNC is one of them. But that is not an easy thing to do, and we are hoping that we can help them in the process, as will ABA and The Bankers Roundtable and BITS.
We also believe that the marketplace, with the support of existing Government oversight, is the best regulator of electronic commerce at this time. One example is the recently amended, and we certainly talked about it, the Fair Credit Reporting Act, FCRA.
FCRA puts consumers in the driver's seat by providing them with notice and the ability to opt-out of information-sharing arrangements among affiliates. September 30, however, is the date this law does become effective. So I do think that we will see a correction of the problems that Dr. Westin was referring to on the 30th when that law does go into effect.
Moreover, and I want to state this again, it is important to note that FCRA amendments allow only affiliated companies to share information. If a bank were to share with an unaffiliated third party, the bank would become a consumer reporting agency and subject to the very burdensome requirements of the FCRA.
The rationale of that was to allow banks to share information because the law required that they be in a bank holding company structure. As such, they weren't allowed to share information they could share, were they just one company.
Other laws, like the Electronic Funds Transfer Act, require that consumers also be informed that banks share information. Finally, as discussed, a number of States govern their disclosure.
At the same time, Government is playing an integral oversight role in the development of electronic commerce. As financial institutions develop new products, they have done so in very close contact with their bank regulators.
We have heard about the FTC. We have heard what Ms. Byrne's work is. The Department of Commerce has also been extraordinarily active. Its role is due in part to the American companies and their concern with the privacy initiatives, especially the European directive abroad.
We believe, and we would like to agree with the FTC discussion today, that the Government could play an even larger role in educating consumers about the benefits of the use of privacy and its implications--the use of customer information and its implication to their privacy. We would welcome working with you and the regulators on this very important task.
Once again, I thank you very much. I would like to submit for the record, because I think the press is playing a very important role in educating customers, an article in Time Magazine on August 25 and an article in The Washington Post from September 7, both advising customers on what to do and how to protect their privacy. Thank you.
Chairwoman ROUKEMA. Very good. Without exception, we will have those included in the record.
Now, we have a vote going on, currently in progress, and we expect it to be followed by a second 5 minute vote, so we will be in recess for at least 15 minutes. And, hopefully, my colleagues will return promptly, and we will try to begin right after this second vote. Thank you for your patience.
Chairwoman ROUKEMA. I would hope that we could bring the panel to the front and continue the hearing.
Again, I thank Ms. Sullivan for her testimony. We concluded that.
Now we have a window of opportunity here. We don't anticipate other votes, at least not within the next hour, so we would hope that we can conclude matters here. And at least the rest of this panel can be assured that they will have our undivided attention.
The next panelist is John Byrne, and he is representing the American Bankers Association and I believe has particular focus on financial privacy matters. Mr. Byrne serves, as I understand it, as Senior Federal Counsel for the American Bankers Association.
We welcome you here today.
STATEMENT OF JOHN J. BYRNE, SENIOR COUNSEL AND COMPLIANCE MANAGER, AMERICAN BANKERS ASSOCIATION
Mr. BYRNE. Thank you, Madam Chairwoman and Congressman Vento. I am pleased to be here today to discuss the issue of privacy. I want to summarize some of the issues that we have included in our written statement; and also some of the same things that Marcia has talked about, I will leave for our written statement.
The banking industry is acutely aware of the increased focus on consumer privacy due to the rapid emergence of electronic commerce. But as Dr. Westin said and Marcia said, we do believe that, overall, banks do more to protect customer confidentiality than any other industry. Whether by law or by policy, the watchword for our industry is trust. And we realize that without it, consumers can lose confidence in their financial institutions.
Basically speaking, when we talk about privacy law in the United States, we are talking about a series of Federal and State laws, as well as case law, dealing with privacy. So some of the discussions about the European Union and how those are stronger laws, I take a little bit of issue with because while it is more difficult to discern financial privacy restrictions in our country, you simply need to go to several different sources to figure out what they are.
We have the Right to Financial Privacy Act, the Fair Credit Act you talked about earlier, and the Electronic Communications Privacy Act. As I said before, you also have State law and an array of case law that you need to look at to determine what banks' obligations are. These laws and court decisions make it clear that our industry has unique challenges.
ABA believes that information is critical to the daily business of our members, and issues such as unauthorized access and disclosure are carefully addressed in bank policies and procedures. Before talking about those issues, I would like to briefly mention the work of the ABA payment system task force.
The task force came together two years ago and concluded at the end of September 1996, among other things, the necessity of creating a privacy working group. We put that group together earlier this year, and one of the results of that group was the creation of industry privacy guidelines which, as Marcia has pointed out, were based in part on what the Consumer Bankers Association had done in an excellent fashion, in the year prior to the ABA development. Our task force concluded that industry guidelines should be drafted and made available to all industry parties.
In June of this year, the ABA's board of directors approved privacy principles. And since that time, ABA, the CBA, The Bankers Roundtable, as well as the Independent Bankers Association, have all agreed on a uniform set of industry principles so that banks in the United States would have just one set of principles to use in order to enhance, supplement, or create their own individual policies.
The banking industry willingly accepts this challenge, and we will continue to develop appropriate models to address customer concerns. Our industry, therefore, should be free to develop our own privacy response to emerging technologies because we are in the best position to address compliance with the various laws. We believe that our efforts to address privacy issues within the industry will pass muster under any reasonable objective analysis of banking privacy policies.
Another option being discussed within the framework of that study, that we could support, concerns the creation of an advisory body without regulatory authority. Our industry has a track record of working with several governmental advisory groups whose mission is information-sharing and coordination.
For example, ABA has participated with NSTAC, the National Security Telecommunications Advisory Committee, in a public-private sector advisory group created to draft recommendations on important infrastructure and computer security issues. We have commended the group's objectivity and professionalism in carrying out the difficult task of analysis and recommendations of major national security issues.
Similarly, the ABA also sits on the Treasury Department's Bank Secrecy Act advisory board, a forum of private and public sector experts that exchange concerns and information in a myriad of areas. In fact, ABA is also involved in a subcommittee of that group that is established to address privacy issues.
Tapping the expertise of the private sector in privacy areas and ensuring that all relevant industries are represented is a worthy goal for the Government and Congress. Therefore, ABA recommends the creation of a public-private sector advisory board on financial privacy.
Madam Chairwoman, in my testimony, I also go to great lengths to talk about the fraud issue that we have to deal with and how we deal with check fraud and other types of fraud that we need consumer information in order to combat. Rather than go through that, let me just make a couple of points regarding some changes that have occurred to try to deal with those frauds.
The industry is constantly searching for new ways to prevent check fraud. We primarily rely on technology, enhanced in terms of procedures education, as well as suspicious activity reporting. While on its face they may appear to threaten privacy, our association believes that a balance has been reached.
For example, according to the September 10 issue of the American Banker, a bank in Wichita, Kansas, will be confirming customer identity by voice through the use of a new system that both protects customers and ensures added efficiency of product and service delivery. This is just one of the examples of what banks are trying to do with these emerging technologies.
The privacy principles are being dealt with both by Marcia and, I am sure, our next witness, Cathy Allen, so let me just say that we were happy to work with all these trade groups to come up with this one set of guidelines. They are included in each of our testimonies. And we ask the subcommittee to take a look at that.
One of the points that I would like to mention though is, we are committed to providing these principles for use by all institutions. But the implementation of these or similar policies must be handled by each individual bank. In their statement today, The Bankers Roundtable is offering suggestions on implementation options for each institution, and these should be carefully considered. They are well crafted and good examples for banks to take a look at.
We wish to stress that enforcement of privacy principles, if auditable by the institution, should be sufficient to prove that a bank has a workable policy. We believe that, as long as an institution's policy is enforced through some type of bank sanction for violations, it should be ample proof that one's privacy program is an effective self-regulatory model.
I have two brief points I would like to make on legislation if I may, Madam Chairwoman. There are several proposals out there dealing with privacy, and one, I believe introduced by Congressman Vento, that deals with Social Security numbers.
While we certainly support the concept and are happy to work with the Congressman, I just want to stress that the only concern that we have--while this is a preliminary view, not an official position--is that as long as banks are able to use identifiable information to protect against fraud and to know our customer, we certainly don't have any problem with effective sanctions and effective programs dealing with things like Social Security number abuse. But I would suggest that because we have so many other affirmative obligations under law that we would like to work with the Congressman and other Members of the subcommittee on that and similar proposals.
Finally, there is a bill pending on the Senate side by Senator Kyl of Arizona, Senate Bill 512, which creates a new Federal crime of identity fraud. This proposal, supported by the United States Secret Service, we believe will go a long way toward giving Federal law enforcement a necessary tool toward those that prey on unsuspecting consumers. We urge this subcommittee to craft a similar proposal so that identity thieves think twice before engaging in this act.
Finally, just for the record, we have attached to a copy of our testimony a publication that will actually be in book form in about 10 days, and it is a privacy compendium. Several of the people that appeared today, including Leslie Byrne, contributed essays to our public commission, which are private and public sector experts who are asked to simply provide their views on privacy and electronic commerce.
We have given you a photocopy, attached to the testimony today, and we will make sure that every Member of this subcommittee gets a printed copy of this book within two weeks. We believe this is a good start to get the privacy debate focused, and we are pleased with how it turned out.
Thank you for our association's being able to participate in this difficult but exciting issue. We stand ready to work with everybody on this subcommittee. I would be happy to answer any questions.
Chairwoman ROUKEMA. Thank you very much.
Next panelist, Catherine Allen. Ms. Allen serves as the CEO of the Banking Industry Technology Secretariat. I have got to tell you, this was new to me. I did not know of your existence. And you are a division of The Bankers Roundtable, but Bankers Roundtable is well known.
The BITS board is made up of the Chairman of the 10 largest bank holding companies, is that correct? And their mandate is to foster the growth and development of electronic banking. So you have a very narrow focus, and we expect that you are very well informed.
All right, Ms. Allen, thank you very much.
STATEMENT OF CATHERINE A. ALLEN, CEO, BANKING INDUSTRY TECHNOLOGY SECRETARIAT, THE BANKERS ROUNDTABLE
Ms. ALLEN. Thank you very much.
Chairwoman ROUKEMA. Well-informed with practical experience.
Ms. ALLEN. That is right. I am not a lawyer.
Chairwoman ROUKEMA. Thank you.
Ms. ALLEN. I am a businessperson here.
Chairwoman ROUKEMA. And I am not a lawyer either.
Ms. ALLEN. I was a teacher.
Chairwoman ROUKEMA. We were the two that had that conversation prior to the panel. I don't know whether you consider that a benefit or a deficit, but we are not lawyers. Yes. Go ahead.
Ms. ALLEN. Yes, I see it as it enables us to work with other Congressmen and CEOs, right from the teaching experience.
What I would like to do is thank you, first of all, for the opportunity to speak to you, Madam Chairwoman, and to other Members of the subcommittee to talk about how we are looking at privacy and how privacy links with security and some of the initiatives we have under way. So most of the focus of my testimony was on the privacy and security initiatives that the banking industry has under way.
A little bit about BITS: It was formed--actually got funding the end of last year. I was brought on as CEO in April. So we really are a short-lived organization. And our mandate is not only electronic banking, but electronic commerce and to look at how we promote safety, soundness, and security in the banking system, in particular, privacy concerns. So it is one of our key areas.
Last April, we talked at the board about the importance of privacy and what initiatives we might undertake. And cooperatively with the ABA, the CBA, the IBAA, we are very happy that we have industry-adopted privacy guidelines; and virtually every bank holding company in the U.S. will use these guidelines as recommendations for them.
BITS, because we are focused on electronic commerce, went a step further to look at how we might implement, or create a model of how we might implement these privacy guidelines within the bank; and that is what I am going to talk about. I would also like to talk about what we are doing in the security area and how those two link together.
Professor Westin talked a lot about the research, and I endorse what he said in terms of consumer concerns about privacy. There is another study, the Yankelovich Cybercitizens Study, that shows not only is there an increased concern, just from last year to this year, about privacy, but that women are more concerned and are more reluctant to use electronic commerce until they have some feeling of security in electronic commerce as well as privacy of information. And they, in particular, link these two together.
One of the initiatives BITS has between now and the end of the year is to do a research study on how consumers think about privacy, trust, and security, and link them with electronic commerce and banks.
We are also doing research on the potential need for a privacy mark that might be an indicator to consumers when they go on-line how the bank treats the material is consistent. So there might be some kind of a ''Good Housekeeping Seal of Approval''--and again, we are looking at how consumers would relate to that.
In terms of the privacy principles, those have been attached to you, and I actually won't go over them because I think that they have been made evident. What I would like to do is talk about some of the privacy implementation plan, because what we think is important is self-regulation.
Let me preface this by saying the fortunate thing about BITS and the Roundtable is it is the CEOs of the banks, and these people have a much more strategic view of what is important, where there is competitive advantage, where there is strategic advantage.
And I think the fact that last Thursday and Friday the boards of the Roundtable and BITS--and BITS is a subset of that--unanimously endorsed the privacy guidelines, as well as the privacy implementation plan. So it tells you something about the attention of the CEOs to this matter.
And I think Dr. Westin said that there had been a number of things not yet, for instance, on the Web sites, not having the buttons, that would indicate going to a privacy page. I think you are going to see changes over the next year because of the attention from the top down.
In the privacy implementation plan, first of all, we are indicating that each bank will approve a plan for implementing the banking industry privacy principles at the level of the board of directors or the office of the chair, and that the board of directors would be aware of this; that they would communicate the bank's policy about customer privacy to the bank's customers. It would be left up to each bank how they would do it and whether it would be on the Net or through collateral materials, but that was part of the plan.
That they would advise, inform, and educate internal employees and particularly employees related to any customer data. And, again, this would be decided upon, how that is done, by each bank. One of the things that BITS is doing will be tracking and helping banks to implement this plan.
A fourth is to do research on the need for a privacy mark and how that might be implemented and what that would mean to the customers if we, in fact, instituted that.
Another is, each bank will obtain agreement with third-party vendors on a case-by-case basis to comply with the bank's privacy principles. One of the things for the subcommittee to be aware of is that increasingly non-banks are providing payment systems and infrastructure, and it is important that they be looked at, as well as the financial services community, so players like Microsoft or EDS who provide some of the third-party services.
Informing customers of third-party opt-out, the bank provides information to unrelated and unaffiliated third parties for independent use. Where that is done, the bank would notify the customers of their right to opt-out of the bank's providing customer information to these third parties.
The banks will apply their own internal process to assure compliance with the bank's privacy principles. Breaches of policy would be addressed internally or on a case-by-case basis by each bank. And each bank will establish and maintain procedures by which customers can correct inaccurate customer information.
The follow-up to this is not only to look at how we might track the implementation, but, as I said, the two pieces of research.
In addition to that, we have initiatives in the area of security. And we met last week with Attorney General Janet Reno and Tom Marsh, who heads up the President's Commission on Critical Infrastructure Protection, and shared with them, first of all, to establish a working relationship with them, as we have already with the Fed and the OCC in the area of security.
And one of the initiatives that we have under way in this arena is to look at risk assessment program of existing payment systems and some of the de novo payment systems that BITS is responsible for. We are looking at how the payments will go in the future and the technical design of that.
Also, they are setting up security working group and sort of a peer review of industry experts in the security area. We believe that in the customer's or consumer's mind, they link security and privacy together. The CBA, the IBAA, the ABA all have done significant things in this area. We plan to do something that is, again, an industry-wide cooperative effort.
We also are looking at fraud reduction and the business case for a roots certificate authority, who within the Banking Committee should be perhaps responsible for a root authority in the ability to make sure that that is both secure and the privacy of information is protected for consumers.
So one of the things--we have an industry forum coming up October 8 on security. And I would welcome members of your staff to attend that if they would like. I think, coming from our perspective, we not only think that it is important that the subcommittee look at this--and just the fact that you are having hearings, I think, is drawing attention to the importance of these issues--but also to look at how privacy and security are linked together.
We look forward to working with your staff or any of the subcommittee Members and certainly to providing information in the future. I thank you again for the opportunity.
Chairwoman ROUKEMA. Thank you very much, Ms. Allen.
Barry Connelly, the final member of our panel, is President of the Associated Credit Bureaus. And as I understand it, Associated Credit Bureaus represents, among others, the three major credit bureaus--Experian, Trans Union, and Equifax. And of course you are an essential component of this whole system, so we look forward to hearing from you. Thank you.
STATEMENT OF D. BARRY CONNELLY, PRESIDENT, ASSOCIATED CREDIT BUREAUS
Mr. CONNELLY. Thank you, Madam Chairwoman, Mr. Vento. As you have said, I am President of the Associated Credit Bureaus, and if it is in the interest of disclosure, I am not a lawyer either. But I didn't know whether that was necessary on this panel.
Chairwoman ROUKEMA. We will forgive you for that.
Mr. CONNELLY. Thank you. ACB, as we are commonly known, does represent over 1,000 consumer credit and mortgage credit reporting companies, including the so-called ''Big Three'' that you identified.
My testimony today focuses on the consumer reporting industry's role in our Nation's information economy and on the newly amended Fair Credit Reporting Act. And I hope that my entire testimony will be entered into the record, and the addendums that answer the specific questions.
The FCRA is a privacy law in which Congress acknowledges that consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
This Nation's consumer reporting industry is considered the case study, if you will, for the world. I can say this with some confidence, having returned from a trip to the Pacific Rim earlier this year, where we were invited to present our perspective on the new FCRA and our country's high-growth information economy to financial industry leaders and government officials in Taiwan, Japan, and Australia. The success of our consumer reporting industry and the FCRA were of great interest to these countries, which have a strong desire to bring to their citizens the many benefits of an expanded credit and information economy.
Consumer reporting agencies are essentially libraries. They are libraries of information on individual consumer payment patterns, associated with various types of credit obligations. The data compiled by these agencies are used by creditors and others under the strict prescriptions of the Fair Credit Reporting Act.
Consumer credit histories are derived from, among other sources, the voluntary provision of information about consumer payments on various types of credit accounts or other debts from thousands of data furnishers. The consumer's file may also include public record items such as bankruptcy, a judgment, or a lien.
For purposes of data accuracy and proper identification, generally our members maintain information such as a consumer's--obviously, their full name and current and previous address, Social Security number when voluntarily provided, and place of employment.
Now, there is information that our members do not maintain in consumer credit reports. Our members do not know what products consumers have purchased on credit. Or they do not know where they are using their individual credit cards, their MasterCard or Visa card. They also don't know when consumers have been declined for credit or other benefit. Medical data is not in our files. We compile data on how consumers pay their bills.
The Fair Credit Reporting Act was significantly amended in this past session of Congress, beginning with oversight hearings held in 1989. Ms. Sullivan was wondering how long it was. It was really eight years that we worked on the Fair Credit Reporting Act.
We believe that the public policy process subsequently evolved into one of the healthiest and most thorough debates the law could possibly receive. It is my opinion that this amendatory process resulted in a complete, current, and forward-looking statute in which every consumer may have some confidence. The work of the 104th Congress balanced the rights of the individual and the economic benefits of maintaining a competitive consumer reporting system.
Section 604 of the FCRA, entitled ''The Permissible Purposes of Reports,'' prescribes a series of acceptable reasons for which a consumer report may be used. Some of the more common uses of a consumer's file are in the issuance of credit, underwriting of insurance, and evaluation for employment.
Amendments to the permissible purposes section of the Act extend significant and greater protections to consumers. Consumers who do not want to have their file reviewed in order to receive a prescreened offer of credit may simply opt-out of all such uses. Congress greatly expanded the consumer's ability to understand how a consumer report was going to be used in the context of employment. It is this section of the law, the Permissible Purposes section, which controls the use of data and which makes the FCRA an effective privacy statute which protects the consumer.
Another question of the subcommittee speaks to how data found in the consumer's credit report may be used, other than for credit reporting. Let me first point out that any data defined as a ''consumer report'' under the FCRA may not be used for any purpose other than for those outlined under Section 604.
Some of our members also developed direct marketing lists in order to stay competitive in the information marketplace. But you must note that the data used for direct marketing purposes is not the financial information defined as a consumer report under the FCRA.
In closing, let me address the subcommittee's general question about the currency of the FCRA's consumer protections, given the technological advances on the Internet.
The FCRA need not include the word ''Internet'' for it to apply to this medium of data exchange. The FCRA applies to any instance where a consumer report is involved, whether it is the Internet or the U.S. Postal Service, which is delivering the information. Data uses, data furnishing, data reporting and consumer rights are all accounted for in this newly amended Fair Credit Reporting Act, which will be in effect on October 1.
It is our members' belief that while there may continue to be a broad discussion of regulation of the acquisition and uses of data in the context of electronic commerce, the data defined as a consumer report is already regulated by the most significant, modernized privacy law to date.
I thank you for the opportunity to be here this morning and--this afternoon, I guess now--and to be present with you at this hearing.
Chairwoman ROUKEMA. All right. Thank you very much. Your comments, combined with the first panel, give us a lot to digest and contemplate.
May I first say, there was a question raised about whether or not the European Union has greater privacy protections. Without making a judgment on that, I simply want you to know as a matter of information that, in our hearing next week, we will address the European Union's privacy directives; so that will be part of it, and we will look into that.
But, again, I am not quite sure where to begin here. But I will note for all of you, in the event that you would like to make further observations on this subject, that you will remember the affiliate-sharing question was quite controversial as it came up on the original panel. And if you could give further insights from your own perspective, I would appreciate that. Because, to me, that seems to be a central issue.
However, I want to make another just observation, which I will give you a chance to comment upon; and I think it was Mr. Byrne that made it. But then I want to get on to something for Dr. Westin.
But were you, Mr. Byrne, the one that referred to case law and that the court decisions lead--you made reference to case law and how that has--and the court decision, how that has complicated or given direction to the issue?
But for someone like myself, the natural question that came up, without a precise answer, is, doesn't that mean that perhaps we need more clarifying legal standards? Or are we going to let it go through a process of years of case law? I don't know. It is an open question. And I believe you were the one that raised the issue.
Mr. BYRNE. Madam Chairwoman, my point was, I think, that when they look at the United States to try to determine how secure are our privacy laws or how strong are they, what I think people fail to understand is, you have to do a little work. And ''a little work'' means there are several major Federal laws, there are State laws, and there is case law.
While that could, in and of itself, argue for some sort of umbrella statute, I obviously don't support that notion. My notion is, before you can make a statement about our privacy laws and what banks are obligated to do, you have to go to a lot of different places to find that. We certainly have discovered that. I think that is the overall point.
I don't think you can argue against States having the right to enact their own privacy laws. We are not suggesting that because some States have laws that are similar to the Right to Financial Privacy Act, that that somehow should change. What I am simply pointing out is the fact that it is a very complicated issue. There is a lot out there.
And sometimes I hear witnesses speak about how deficient our laws are. I don't agree. I think there is a lot out there; it just takes a while to get to it.
Chairwoman ROUKEMA. Do you want to comment, Dr. Westin, on that particular subject?
Dr. WESTIN. I wanted to respond on your affiliate-sharing.
Chairwoman ROUKEMA. Absolutely. I would like very much for you to do that.
Before we get to that, I did have--this may require a consent from my colleague here, because I might go over time here. I did want to come to the question that I think Dr. Westin pointed out, but on the face of it, the testimony from The Bankers Roundtable is contradictory, and that is with respect to privacy notices.
I think on the--that your indication, Professor Westin, was that there really are not the privacy notices that one might expect or require. And that seems to be contradictory to the assessment that The Business Roundtable--or the assertion of Business Roundtable saying that you really do give all this information.
Is there a contradiction here, or is there something I am not understanding?
Ms. ALLEN. I think it is a media difference. What Dr. Westin's research was talking about was on Web sites and whether or not there was a button on the Web site which--many banks do not have that. But I think, as far as I know, all of the banks, and they are required to do that, have information.
Chairwoman ROUKEMA. But aren't both required? I mean, aren't both necessary, or not?
Ms. ALLEN. Both necessary or not? I would think so.
Chairwoman ROUKEMA. You are saying you are in compliance with that?
Ms. ALLEN. Again, our privacy guidelines and the privacy implementation plan was voted on last week.
Chairwoman ROUKEMA. Right.
Ms. ALLEN. So it is not yet implemented.
Chairwoman ROUKEMA. All right. I thank you for that clarification.
Comments on the affiliates. And then, Dr. Westin, I was a bit surprised you didn't think this was the time yet for anything more than cooperative efforts. Yes, go ahead, Dr. Westin.
Dr. WESTIN. On the affiliate-sharing, I got the strong sense that there was not a clear understanding in some of the questions about what is affiliate-sharing and how the public feels about it.
In 1994, 1996, and 1997, in Louis Harris surveys that I worked on, we asked the public, ''If you patronize a bank, a telephone company, a retail store, how acceptable is it for you that your customer transactions and information are used by that organization to make offers to you of other business services and products that they have or that their affiliates engage in?'' Overwhelmingly, 60-, 70-percent said initially it was acceptable.
Then we asked the other 30 or so percent, ''Would it become acceptable to you in this situation if the organization you patronize gave you notice that they wanted to send you this additional information and you had the opportunity to opt-out?'' Unfailingly, two-thirds of the people who said it was not initially acceptable said, under those circumstances, it would be acceptable.
When you add those up, you get figures in the 85- to 90-percent range of the national public who say that this process is acceptable. And if I could just give one more example--
Chairwoman ROUKEMA. Yes.
Dr. WESTIN. In particular, African Americans, Hispanics, and other minorities were even stronger than the general public in saying that they were in favor of this, because they often do not have the opportunity to get as many offers of products and services. And so they were even more accepting and positive about this.
So I think we should distinguish between the affiliate-sharing view that is somehow sending this information outside to list brokers or third parties and the inside situation in which people are saying, ''If I patronize the XYZ bank or the ABC telephone company, it is OK to send me offers. I can throw them away; I can accept them.''
But the idea that somehow this is privacy-intrusive just doesn't seem to me to capture what I understand the public tells us, when we ask them, are the ways they react to this kind of marketing to them.
Chairwoman ROUKEMA. Thank you.
Ms. Sullivan, do you want to--
Ms. SULLIVAN. Yes. Having been involved with Fair Credit Reporting and the amendment since the beginning, I think that it is fair to say that one reason--not the only reason, but the main reason that banks, especially large banks, became involved in the debate was because they needed the relief of a provision that would allow them to share information amongst their affiliates. And they were willing to take on the extra burdens that they did assume under the Fair Credit Reporting Act for that reason.
And the reason that they felt they needed it was that many companies just operate as a single company and can share information amongst their different departments and divisions. But because Federal law often requires banks to operate in a holding company structure, they were not able to share that same information.
So it was very, very important to them, and we are very grateful actually that you acted and let us share information.
Ms. ALLEN. I would like to speak to that, also.
Actually, in consumer research that we have done, one of the most important things to consumers in managing financial services electronically is to integrate the information through software, or to be able to pull different sources of information, their credit card accounts; their investment accounts; their bank accounts together.
So one of the things is, if you weren't allowed to share, you would not be able to provide the consumers what they say they want, which is integrated information, the convenience of having it together.
In addition to that, my experience--I was at Citibank before. We actually added value to consumers by integrating information across the different, again, divisions within Citibank, and that way we had linked accounts. So if you had a savings account or investment account or a credit card account, not only did you get the linked information--and you could hold lower amounts of money in the bank and still not have to pay fees--but more importantly, you got preferential treatment at some points in terms of interest rates.
So by integrating information, we were adding not only value to the customer in what they wanted, but we were also adding value and providing it at a better price to the consumer. And to not allow affiliates to share that information within an entity could be a real detriment to the consumer.
Chairwoman ROUKEMA. Further comment on that?
All right. I will hand it over now to Mr. Vento.
Mr. VENTO. Thank you, Madam Chairwoman. I feel like it is a myopic view in terms of fair credit reporting, because fair credit reporting is sort of delineated. We have addressed that in a lot of detail, and there are a lot of problems that came out of it. It should probably be an example, you know, just don't jump into this before you know what you are doing. Because, in fact, they came here because they had 50 States, and we wanted to regularize this and not--you know, take the Attorney Generals off your back, remember, and have common law. And there was a question of whether or not they should be able to go further than that, as in the case of the Massachusetts witness earlier.
So the issue here, of course, is that really dealt with on the security side. The reason all that is kept is for security purposes and establishing credit. But a lot of the information is shared. Like the stuff all above the line, we share. Isn't it, Mr. Connelly? The name, the address--
Mr. CONNELLY. Yes, sir.
Mr. VENTO. --maiden name, you know, information.
And the real risk here, the real problem, is not that I doubt the banks' willingness to try to have security. That is their bread and butter. I don't doubt that; I understand that. In fact, you know, they never like to talk about their losses, because they are selling security and credit cards; and the last thing they want to talk about is how much money they lose in terms of those incidents. I understand that.
But the concern here is that we are not operating in a vacuum anymore, so the information that before was treated as benign, that could be shared, all of a sudden now, put together, you have got a little piece of information about--Chairwoman Roukema, from each one of you. Pretty soon I have a file, and maybe even something that could act as a risk in a security aspect. By itself, information isn't useful; when you begin putting it together, all of a sudden, it represents a different risk to the security issue that you are concerned about.
So I am just trying to bring this back together to talk about that particular aspect. I think it is a question of what does the individual consumer have as tools? I am from the school, ''Don't do for someone that which they can do for themselves.'' And so the real question here is, do they have the tools to do for themselves at this particular point?
And one way you can do that is with some sort of a statement that says, ''Yeah, I am going to have this open.'' You can say, ''We have self-regulation,'' but that may mean at some point, when everybody goes to the Internet, that instead of--and I think that they will do that. I trust that the brokers and bankers that are operating on the Internet are going to put up what are going to be 70 different--or a lot of different policies maybe at some point. Everyone is going to have their own little theme and variation. You know, what works for Citibank may not work for U.S. BanCorp.
Ms. SULLIVAN. I think, Congressman, that one of the reasons that we provided a uniform piece was that we would have the same concepts that would be addressed by every bank across the country. We think that that is important for customers to be able to see and perhaps shop around, based on some privacy principles.
But in conjunction with educational efforts that we think are really important, it will give them a better understanding of what they can and cannot do.
In addition to that, when the Fair Credit Reporting Act goes into effect either September 30 or October 1 of this year, they are going to have a sufficient amount of control over who can use their information and for what purposes. And you are going to see a lot more of that on the Net after the 30th.
Mr. VENTO. You know, the question that that raises that you can't answer is, what is the remedy if they misuse it or use it for something else? Are you going to deny them the information? But, you know, what is the remedy?
Ms. SULLIVAN. The Fair Credit Reporting Act actually, for misuse of information, does have some very severe penalties.
Mr. VENTO. I was thinking in a different context. I was thinking of other information that goes on that is shared, not just within affiliates, but outside in terms of third parties. So my question was misdirected.
Let me just direct one question to Dr. Westin, as my time is quickly running out. In order to have self-regulation, the effect of privacy regimes to be implemented, a certain number of market conditions must be met. Can you identify those conditions and whether or not they are satisfied to the current level of competition on the Internet?
The concern here is, neither competition nor consumer awareness is strong enough today to offer consumers a real choice to negotiate the terms of their privacy. In fact, I heard, I think, Ms. Sullivan mention that she thought that you have some individual differences in terms of that. Even though there are some common elements, there will be some differences.
Dr. WESTIN. I think, as I mentioned, you have got a period of probably two years in which several things will happen which will enable you to test whether you think it is enough.
Number one is the development of what are known as ''personal control software choices'', the ability of individuals to set their Internet or on-line systems so that they filter out those kinds of sites that don't meet what they will see as proper privacy policies or guarantees.
A lot of software companies and on-line service providers are working together with public interest group support to develop those and then the software that will enable people to adopt them. So that is the first thing.
Along with that, though, goes the notice principle, that you can't set your filter unless the organizations that want to come to you, or that want you to visit them, say what it is that they do. And that is--whether it is the trustee concept or the privacy mark that Cathy Allen talked about--will enable consumers to know that when that is flashed, as it were, electronically, or it is on the screen, that they know what it is that will be done with their information by that organization.
Finally, I think you put your finger on it when you said, will there be a market, or will there be choices? And my sense is that what is interesting about the on-line and Internet world, quite unlike the off-line world, is that we go and sign on to use that medium, and where we go is up to us.
So if the consumer is educated, privacy is important. Then what you really want to have is the ability of people to say that if they go to a bank or investment company, or if they advertise to them and they don't see that privacy mark, and they don't know what it means, they just won't even go any further. They won't click. They won't look. They will go elsewhere.
Now, what that does assume is that privacy is important to consumers. But what I would like to point out is that all of us wouldn't be here today if we didn't think that privacy was important to consumers. So I think it is vital to understand that this is not a throwaway issue for most American consumers. And, therefore, you could have some confidence that if we are right, that the American consumer is concerned, then there is hope that market mechanisms and choices, in fact, will be used.
Mr. VENTO. Well, my time has expired. Thank you.
Chairwoman ROUKEMA. Thank you.
Actually, Congressman Vento's question was really the same one that I was going to propose to you. I am not sure whether I am in complete agreement here. It is kind of a--I see both sides of this issue, obviously. But I am not confident yet that even given the consumer knowledge--let the buyer beware, and so forth--and the need, the essential need for consumers to understand these things, I am not sure that we have the penalties in there or the--not only the oversight, but the legal requirements that are there that should protect the consumer. I am just not sure about that.
And I do recognize that all of you have made a legitimate point that, on the one hand, we do need cooperation on the voluntary actions of the industries, and that perhaps the time is not yet ripe, because we don't know enough and technology is advancing so fast.
But I am more than a little uncomfortable. I think Congressman Barrett was a little uncomfortable. But I don't have the answer yet, and that is, do we have to be reactive, rather than proactive? I don't know where that comes in here.
But you have certainly helped us between this hearing and others that we will have in the near future to give it good, considered judgment and not act preemptively and have the best minds that have the most experience with this issue come to help us out.
And I think you have had enough experience in your own industries with your own research, Dr. Westin, too, to know that, when these things happen, if we don't act in a concerted way and in a timely fashion, often the backlash results in nonproductive legislation that will be retroactive--I mean, retrograde, really, and not be helpful in the future.
And we don't want to invite that kind of reaction and overreaction to the issue, and so we want to have a concerted and intelligent debate here.
Thank you very much. I appreciate this panel.
Mr. VENTO. Madam Chairwoman, we have had--
Chairwoman ROUKEMA. Yes.
Mr. VENTO. Several witnesses and others refer to the August 1997 Money Magazine, that story that concerns privacy, protect your privacy. I would ask unanimous consent that we place that article in the record.
Chairwoman ROUKEMA. By all means. I should have thought of it myself. Thank you very much.
Chairwoman ROUKEMA. Thank you, panel.
And we will have the third and final panel here, and the order in which the names appear, I will call on you in that order. Thank you. And I appreciate your patience and endurance. This is our final panel for the day.
And we are fortunate to have with us Jill Lesser. Ms. Lesser is Deputy Director for Law and Public Policy of America Online, which is located in Dulles, Virginia. Ms. Lesser aids in the direction of the company's international--as I understand it, international, Federal, and State public policy--overlapping jurisdictions there--and regulatory and industry relation activities. Ms. Lesser is also Senior Counsel with America Online legal department.
Peter Harter is Global Public Policy Counsel for Netscape Communications Corporation of Mountain View, California. Mr. Harter is responsible for Internet law and policy issues such as on-line financial privacy issues.
And, finally, our last witness is Liz Kislik. Ms. Kislik is here on behalf of the Direct Marketing Association. She is also President of her own consulting firm and specializes in planning, implementing, and marketing service efforts that involve people and phone telemarketing--and other marketing strategies, do I understand? All right. That gives you extensive experience in this field.
Chairwoman ROUKEMA. And with that, we will begin with Ms. Lesser.
STATEMENT OF JILL A. LESSER, DEPUTY DIRECTOR, LAW AND PUBLIC POLICY, AMERICA ONLINE
Ms. LESSER. Thank you very much. Chairwoman Roukema, Ranking Member Vento and Members of the subcommittee, I would like to thank you for the opportunity to come and speak to you today about this important issue, privacy and electronic commerce in the on-line environment.
With nearly 9 million members worldwide, AOL is the global leader in Internet on-line services and is keenly aware of the tremendous benefits and potential of the on-line environment.
Our consumers exercise unique control in locating information they want and in avoiding content or services in which they have no interest. In fact, by simply perusing the equivalent of an on-line shopping mall, they can choose specific products or services of personal interest and have them delivered to their homes in a few days or even a few hours. At the same time, however, the ease of Internet-based communications brings with it new challenges for the protection of personal privacy.
AOL strongly believes that companies operating in the on-line Web must take the initiative to provide secure and privacy-friendly environments to all consumers. As Leslie Byrne said earlier, we simply will not be able to build the Internet into a mass medium without developing the relationship of trust with our customers. We must be able to protect their privacy, or what we will not see are people coming on-line to enjoy the on-line environment.
To ensure that our consumers' privacy is protected when engaged in electronic commerce, or otherwise communicating on-line, we have taken several steps over the last few years. I would like to just talk about a couple of them.
First is, we use and have used new, sophisticated, and up-to-date technology to guarantee the security of our system. Second, we have engaged in several self-regulatory initiatives to help implement private-sector-generated policies that protect privacy on-line.
And, finally, and perhaps most difficult, we have taken a regressive approach to finding and helping law enforcement catch on-line scam artists who seek to threaten the security of on-line transactions and the privacy of our on-line consumers, despite whatever commitment America Online might have to the privacy of our members.
Before I comment on precisely what we have done, I want to talk for one second about the benefits of self-regulation. As with any industry in its infancy, early Government regulation may lock in policies that ultimately do not well serve the public interest. With a medium like the Internet, this risk exists in exaggerated form. As the technology and communication in commerce change so rapidly, even before the end of this Congress what seems like good policy today may, in fact, be outdated policy a year from now.
As I mentioned before, AOL has used the strongest available security technology to protect the integrity of our services and the security of electronic transactions. And we are happy to say that we have not encountered a situation where security on AOL has been compromised during the course of a transaction. However, because we know that many of our consumers are not sophisticated users, we have also undertaken--about a year ago, actually--to institute an ''AOL guarantee,'' which is intended to guarantee transactions made through AOL and our AOL-certified merchants from the point of view of both security and customer satisfaction.
And we know that without offering consumers comfort about the security of those transactions, the infinite world of electronic commerce will never develop and U.S. consumers and U.S. businesses will end up at a worldwide competitive disadvantage.
At this point, the biggest problem facing AOL is really the question of whether or not there will be pending legal restrictions on our ability to use the strongest encryption technology available. While much of the discussion surrounding the use of encryption has focused on restricting export of such technology, a recent initiative by the FBI has begun to focus congressional attention on the use of encryption technology domestically, which would place unprecedented restrictions on our ability to use encryption.
I strongly urge the subcommittee to look at the negative effect that encryption restrictions would have on the development of electronic commerce.
In addition, we have engaged in several initiatives, and I am just going to talk about two very quickly, to protect the personal privacy of our members. The first is, we have helped to organize the Internet Privacy Working Group and the concept of the Platform for Privacy Preferences, which is an initiative of consumer organizations, privacy advocates, and industry to develop an Internet standards-based approach to developing a platform for privacy, which means that, when you initially sign onto an on-line service and set your browser preferences, as a consumer, you would say, these are the kinds of information that I feel comfortable with people collecting and using and distributing. And you would basically get that same information under this scenario from the Web sites that are operating on-line. And then a seamless conversation would take place on-line, and if your privacy preferences match what the practice is of a particular Web site, then you would just have a seamless interaction. And if not, some notification would pop up and make sure that you were informed as a consumer, ''Hey, these privacy practices don't correspond to your privacy preferences, and therefore, you are going to need to override them or you are going to need to go to another site.''
We think this Internet standards, bottom-up-based approach is basically the best way to go. At the same time--I know my time is up. I will be done in one moment if that is OK.
We have put enormous time and effort into the development of our own privacy policies and into letting consumers know what those policies are.
And I think the thing we need to emphasize the most is notification. Consumers have the right to know exactly what is being collected from them, what is being used about them, and how it is being disclosed, if it is being disclosed. And we have undertaken to ensure that those notification policies and our notification practices are enhanced as the technology enhances.
And I will answer any questions you might have about on-line scams, because I see that my time is up. But I will tell you that no matter what our commitment to privacy is, if there are scam artists out on the Internet who possess assets, AOL security or AOL employees, and seek to get people's passwords or credit card information or billing information, we can cooperate with law enforcement. We can encourage the strict enforcement of our laws.
But we cannot at this point ensure complete security. We can only say to our members, do not give your credit card information or your password to anybody with whom you are not familiar. And, you know, consumers have to exercise judgment as they move around in the on-line environment.
Thank you very much.
Chairwoman ROUKEMA. Yes.
STATEMENT OF PETER F. HARTER, GLOBAL PUBLIC POLICY COUNSEL, NETSCAPE COMMUNICATIONS CORPORATION
Mr. HARTER. Good afternoon. Thank you, Madam Chairwoman, Mr. Vento. It is a pleasure to be here and an honor to testify before this subcommittee.
Netscape Communications is a young company. We have only been in business for three years. But we have been very fortunate to ride the Internet tidal wave. And now we earn one-half a billion dollars a year in revenue, and we are in 25 countries and have, at last count, 2,500 employees. And so we are very happy that people seem to like the Internet and use it and continue to experiment in and grow it in new ways that are beyond our imagination.
The purpose of being here today is to talk about privacy and financial services in general terms. And while Netscape is not a bank, our software is used by banks, and so, the intersection between Netscape's interests and the questions of concern of this subcommittee.
Chairwoman ROUKEMA. Is that where you got your legal education? No, you don't have to answer that. Continue. I don't mean to be rude.
Mr. HARTER. That is all right.
So with that in mind, I tend to take a somewhat nontraditional perspective toward legal issues.
The on-line world and off-line world have a lot to learn from one another. I do think, as we try and deal with the privacy concerns, that many existing laws in the off-line world can be applied in some way to the on-line world. So I do not think we need to jump into a whole new regulatory regime for privacy and data protection. But there are definitely some challenges ahead of us in general terms.
The global or borderless nature of the Internet: The fact the Internet is not a point-to-point circuit switch network like the telephone network is; it is a multipoint-to-multipoint seamless network of which there is little chance of centralized, top-down control. And with those general points in mind, let me move into some points and detail on privacy software and the Web and the Internet.
Netscape is often asked about the issue of ''cookies,'' so let me touch upon cookies briefly. I have been honored to be asked to participate in a Federal Trade Commission workshop on privacy the past three years. And each year, I have a different cookie to bring to the workshop.
In Netscape's history, we have gone through four versions of client software. The browser, in version 1.0, we didn't give users much choice but to take all cookies from all sites all the time; in version 2.0, we allowed users to select a preference where they could be warned by an audible alert in advance of any cookies coming from a Web site they were visiting; in version 3.0, we allowed a third user preference where they could block cookies from sites that the user would select; and in version 4.0, Communicator, which came out this June, at the time of the Federal Trade Commission workshop this year, we announced a fourth preference where users could block cookies from all sites all the time. So we are giving users four options for dealing with cookies.
Cookies exist because, as I said, the Internet is a seamless global medium where you go on to the Internet and log on to a site. It is not an ongoing conversation like a telephone is. You go and get to a Web page at a site, the server, the computer server at the Web site downloads that page for you, and the connection between your software at your desktop computer and that Web site server is ended. That session is very momentary. It is only a second or two.
So in order to facilitate commerce in the Web and to transfer information for payment of goods bought, a cookie file is necessary to transmit the data from the client back to the server. And that was the intended purpose of this technical device called a cookie.
We believe the Open Profiling Standard will allow the user control of profile information, because now the profile information resides on the client side at the user end as opposed to the server end.
The cookie file is no longer necessary in profiling. Instead, there is a file on the user's machine that is encrypted and protects the information from access by other persons.
And if I may indulge, Madam Chairwoman, for an additional minute to close my remarks. May I continue?
Chairwoman ROUKEMA. I am sorry.
Mr. HARTER. May I continue for a minute to close my remarks, Madam Chairwoman?
Chairwoman ROUKEMA. Yes.
Mr. HARTER. Thank you.
In closing, I think the barriers to privacy on the Internet are twofold. And not to oversimplify, but just to bring it down to the basics: One, the business practices--and we have heard a lot about business practice today--Web site policies, the symbols for privacy notices; and the affiliate business practices and information-sharing.
And the second major barrier to privacy on the Internet is something that my colleague, Ms. Lesser from America Online, has already mentioned, and that is the current issue here in the House of encryption network controls.
Just today from Paris, a story will appear on September 22 in Communications Week International about a conference that took place in Buffalo recently that Mr. Vento referenced earlier, and I believe Dr. Westin was an attendee of.
The title of this story is ''Europe to Resist U.S. Cryptography Policy.'' Quote: ''Europe plans to use privacy and free trade laws to resist cryptography policies entered internationally by the United States. And the initial results of European trials designed to test the practicability of storing users' private encryption keys in so-called 'trusted third-party databases' suggests such systems may in any case prove unworkable according to European Commission officials.
''These trials, funded by the European Commission, have cast out on the system's skill ability, cost, and legality. Dr. Ulrich Sandl, responsible for cryptography policy at the German Ministry of Economics, said last week at the conference that the operation of entrusted third-party systems may be illegal in Germany or Europe as a whole. And he said, quote, 'There is a real prospect that products based on the U.S. policy is a violation of our privacy laws with severe consequences.' ''
Chairwoman ROUKEMA. Thank you, Mr. Harter.
Ms. Kislik, my colleague, Mr. Vento and I think that it would be best if we were to go over, vote quickly, come back, and give full attention to your testimony.
Ms. KISLIK. Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. So if you will be patient, we should have only this one vote, and then we will return promptly.
Chairwoman ROUKEMA. All right. Thank you.
Ms. Kislik, thank you very much. We welcome you here today and look forward to your insights.
STATEMENT OF ELIZABETH KISLIK, PRESIDENT, LIZ KISLIK CONSULTANTS, ON BEHALF OF THE DIRECT MARKETING ASSOCIATION
Ms. KISLIK. Madam Chairwoman, Mr. Vento, I appreciate the opportunity to appear before your subcommittee as it examines privacy issues relating to electronic commerce.
I am testifying today on behalf of the Direct Marketing Association, the DMA, as a member of the DMA Board of Directors and the Committee on Privacy. DMA's members include more than 3,000 U.S. corporations, as well as 600 corporations from 47 other countries, all of whom are interested in direct marketing.
Electronic commerce offers extraordinary opportunities for U.S. marketers and U.S. workers because of its wonderful potential for penetrating restricted foreign markets such as Japan. Consumers benefit from the wide array of choices, the ready access to information, and the personal convenience that on-line shopping provides.
Electronic commerce has enormous promise, but it is still in its infancy. The technology that defines it is changing with extraordinary speed. Regulation is likely to be outpaced by, and even to interfere with, technological progress that will enhance consumer choice and privacy in the new medium.
It would be unfortunate to impose privacy regulations specific to this medium at this early stage before self-regulation, industry education, and privacy technology innovations have a fair chance to work in conjunction with enforcement of existing laws, such as FCRA and Federal and State fair trade laws.
Self-regulation will work in the on-line environment because of the significant market pressure to satisfy privacy-sensitive Internet users. Market surveys show that Internet consumers are more likely to visit sites that have privacy policies. DMA has embarked on an aggressive campaign over the last year to educate its members on complying with consumer preferences.
DMA issued new self-regulatory principles specifically governing marketing on-line that reaffirm DMA's long-standing principles that consumers should receive clear notice of marketers' data collection and use practices and should have the choice of opting out of disclosure of information about and to third parties.
These principles--and these are part of my testimony; they have been submitted--are enforced by DMA's Committee on Ethical Business Practices. I also want to make very clear that our guidelines specify that marketing data can only be used for marketing purposes. There is no link between marketing data and the identity of theft or fraud that concerns both consumers and the subcommittee.
DMA has gone further by developing specific techniques to help companies implement the guidelines. It developed a tool kit for designing Web privacy notices, so that marketers can create accurate and effective consumer privacy policies for their Web sites in just a few easy steps. And I would like to give you a very brief tour of it as it appears on the DMA Web site. Some of those banks that don't have it yet might want to use it, too.
The questions on the Web site identified the marketer to establish
Chairwoman ROUKEMA. I am sorry, is there a way of lowering the lights here?
Ms. KISLIK. A copy of this is also attached to the testimony.
Chairwoman ROUKEMA. That is better. All right. Thank you.
Ms. KISLIK. Thanks.
Chairwoman ROUKEMA. Well, I don't think she can read now.
Ms. KISLIK. I am actually fine.
Chairwoman ROUKEMA. Are you OK?
Ms. KISLIK. I am really fine. Thank you.
Chairwoman ROUKEMA. Thank you. That is fine.
Ms. KISLIK. The questions on the Web site guide the marketer to establish its identity clearly, to specify what information the Web site collects automatically, and what is collected from consumers volunteering it. It moves to explaining how the company will use the information and goes on to specify how consumers can opt-out of being contacted by the site and how they can opt-out of having their information shared with third parties for e-mail, mail, and telephone.
In addition, DMA is working with the World Wide Web Consortium at MIT on an exciting new Internet privacy standard--we are done with the slides now. Thank you very much.
Chairwoman ROUKEMA. Thank you.
Ms. KISLIK. --so that users can decide which Internet sites to visit based upon an automatic, instantaneous comparison and match between the user's privacy preferences and the Web site's privacy practices.
DMA has also made a special effort to educate families about on-line advertising and safety on the Internet through ''Get Cyber Savvy''--and this has been attached to the testimony--a workbook and on-line information guide for parents and children.
DMA has devoted a section of its Web site to hyperlinks, to software packages that assist parents in monitoring and controlling its children's on-line activities.
The DMA's active program of self-regulation, education, and technological innovation can respond much more flexibly and more quickly to the rapidly changing landscape of electronic commerce than can top-down Government regulation of the Internet.
The DMA's experience with other direct marketing media over many years is that educating the industry of consumer preferences results in more satisfied consumers and more successful businesses.
The DMA believes that self-regulation backed by enforcement of existing laws can and will work to protect the privacy of Internet users in their interactions with marketers' Web sites for commercial transactions.
Thank you very much.
Chairwoman ROUKEMA. Thank you.
I think you have been very helpful to us on this panel. And I guess I have to admit that some of the trains of thought have been interrupted with these various votes.
But I want to particularly note that you have made the case, I don't know if it is in itself enough, but you have made a good case that this is a two-way street here and that, from your industry's perspective, the scam artists are as much of a threat to you as they are to anybody else, because it negatively affects your relationship of trust that is so essential, and it really greatly undermines your industry, and so that you cannot be competitive. So that they are a problem for you, too.
I don't know if, therefore, at some point in the future, if not now, maybe in the very near future, there is a point to our getting together and talking about this, to protect your good names, as well as the public concern. And I don't know how that will work out, but I do think we have to give very objective and intense thought to this in the very near future.
Again, that goes to one of the questions that I previously had organized, but I think we have a mutual understanding on this, and that is that the privacy advocates, others that we will perhaps be hearing from that Mr. Vento had referred to, and others that we will hear from subsequently at other hearings, that they have also stated the need for someone to protect them against the bad actors. But I believe they are more eager to enter into the legislative field perhaps than you are. But we will have to keep that as an open question.
One of the things that I didn't understand, and I believe both Mr. Harter as well as Ms. Lesser made reference to it, and that is this question of a pending--I think you called it--you referenced it, Ms. Lesser, as pending legal restrictions on encryption.
Ms. LESSER. Yes.
Chairwoman ROUKEMA. Could either you or Mr. Harter, or Ms. Kislik, for that matter, go into that a little bit more? I somehow see that as contradictory. I don't know, perhaps I don't understand it in the same context in which you are talking about.
Ms. LESSER. OK. Let me try and give you just a little bit of background, and that is, historically, there have been restrictions on the export of encryption technology, and those restrictions have been based on national security issues as well as law enforcement issues.
With the growth of electronic commerce and the demand, particularly in the area of on-line banking, and it is just a coincidence that we are in the Banking Committee, but on-line banking is probably the industry that has demanded the strong use of encryption the most.
It is no longer a question of encrypted data technologies being used by criminals or people who might threaten the U.S. national security. Instead, the primary use of encryption is really for the protection of the privacy of consumers, because I can only ensure that hackers will not be able to infiltrate a transaction if my data is encrypted and if I am sure that the browser that my users are using supports a high level of encryption, that the merchants that we allow to do business over the AOL system are using a high level of encryption.
So with encryption export restrictions for a company like America Online--and Netscape should comment, obviously, as well--when I send my services overseas--and we have services in both Europe and in Asia that often are seamless between the United States and those other countries--when I just simply send data back and forth, I can't do it and guarantee a certain level of encryption.
I think a problematic approach has come recently in the last couple of weeks from the FBI, who has said, you know, this is really a serious law enforcement problem. So even when you domestically use encryption, you should be able to allow law enforcement to come in and immediately read everything in plain text. Now, not only does the Government not know how to do that, I don't know how to do it.
So the current transactions that I am allowing my customers to engage in, if I don't have the technology yet to be able to support entry from law enforcement immediately to plain text would just prevent me from doing on-line commerce at all.
Chairwoman ROUKEMA. Now, this is very important, and we are going to have to go into this in more detail as we know more about it.
Mr. Harter, do you want to add to that?
Mr. HARTER. If you would.
Chairwoman ROUKEMA. Yes.
Mr. HARTER. I would like to.
In your opening remarks, Madam Chairwoman, you mentioned ''Big Brother,'' and you characterized ''Big Brother'' as industry collecting information. Well, from my vantage point, I won't disagree with your characterization in that context, but in the context of the point of encryption export controls and the debate of instituting whole cloth of domestic access for the FBI, the FBI could become ''Big Brother.''
What we are seeing today in Congress and the House in the past few weeks in the International Security and Intelligence Committee are bold new amendments to the security on Freedom from Encryption Bill, the Safe Bill, that has over 250 cosponsors in the House on both sides of the aisle. The Safe Bill promises to relax U.S. export controls in a very reasonable way that would allow U.S. manufacturers to export encryption once we demonstrate that the same strength of encryption strength is available overseas.
So we are willing to concede that we have to sit in the back of the bus until other manufacturers have it available and establish market share. We are willing to concede that, as industry, to be fair to law enforcement concerns, national security concerns.
However, the recent amendments offered by law enforcement would institute new domestic controls. The status quo today and the current policy of the Clinton Administration, as stated recently as last week, as Vice President Gore reiterated the policy: ''No domestic controls on encryption, not on the strength of the encryption or the use of it.''
Yes, law enforcement has some serious concerns. Yes, there are child pornographers, there are terrorists, and bomb-making recipes, and those are the ''Three Horsemen of the Apocalypse'' that law enforcement claims require domestic access to encryption, as Ms. Lesser referenced.
But I would say, on the privacy side of today's hearing, there are ''Three Horsemen of the Apocalypse.'' If we do not have strong encryption worldwide that is secure and doesn't have any trap doors for law enforcement that consumers will not trust, we are going to have the ''Three Horsemen of the Apocalypse'' on the privacy side: Financial data, medical data, attorney/client communications, religious communications, personal communications. We need strong encryption that has the confidence of the users worldwide.
If some country or some business--some customer says, ''I am not going to buy your product because I think the FBI has a back door in your product,'' not only do we lose a sale, which we are very concerned about, but people don't trust the medium, people don't trust American products, and they don't trust American Government. And I think the press statement from Europe clearly indicates there is a growing sentiment in Europe, a very important market, that they don't trust ''Big Brother'' built in.
Chairwoman ROUKEMA. Further comment?
Ms. KISLIK. I will pass on that.
Chairwoman ROUKEMA. All right. Thank you.
Mr. Vento.
Mr. VENTO. Well, I think it is an important observation by Mr. Harter, but I think that that means--I mean, I suppose that if the law enforcement would have to, as they do in terms of wiring and other--would have to go to court, there would be certain procedures, due process, in order to obtain that information--my understanding.
Mr. HARTER. And that is correct, Mr. Vento. We don't disagree with lawful process, and, in fact, industry needs the best law enforcement possible to protect ourselves from economic espionage, from hackers, pirates of copyright, and so forth. And with the proper level of constitutional protection for protecting against abuses of lawful access with court orders and so forth, I think there are ways we can find to accommodate law enforcement.
Mr. VENTO. I just think it is a more pervasive system, as you have heard me talk about it, and I don't want to repeat what I said. So I think I understand where you are coming from. But they also have to have the tools that they need in order to provide the type of security and protect the system and the individuals.
We ran into the same problem with fair credit reporting, which no one has mentioned here, but we put a provision here that apparently barred the CIA and FBI from getting information, which is being corrected.
Chairwoman ROUKEMA. I did not remember that.
Mr. VENTO. Well, none of us thought of them. They weren't excepted. So the fact is that one of the bills that is coming back from conference includes a provision that deals with it on fair credit reporting, that they needed that exception. I am sure that the Chairwoman--you know, I am sure it is somewhere in your file of information there.
Chairwoman ROUKEMA. Yes.
Mr. VENTO. Your staff is going to get it to you soon, I imagine.
Chairwoman ROUKEMA. Soon.
Mr. HARTER. If I could respond, I think there are ways to reasonably reply to law enforcement. Basically, the amendments we have seen in the past few weeks escape all rational course of compromise in that the FBI is dictating, ''Invent this technology, or we will make your products illegal.'' And the amendment in the Intelligence Committee spelled clearly, by 1999, that software products we use today freely in this country will be illegal. Netscape is public enemy number one.
I mean, I am not--I care a lot about this issue, but when you read this legislation and making our products on the Web illegal, something strange is happening.
Mr. VENTO. We will obviously pay closer attention.
Mr. HARTER. Thank you.
Mr. VENTO. I am on that bill, incidentally, so I am a little concerned about what they are doing. I thought I understood what they were doing, but apparently--we are looking forward to those coming back from Brussels in terms of the consumer point of view. They happen to be there.
They may be--when you suggested to me that the consumers are more anxious to move into the legislative forum, I really don't know that they are or are not. I think that there are some concerns, you know, some outstanding concerns, that have shown up with regard to the Internet that are being dealt with. My issue is a more subtle one, incidentally.
I think there are some concerns about the use of Social Security numbers. There are laws that deal with not being required to give your Social Security number on the part of the individual. Unfortunately, that doesn't prevent individuals from asking for it. And so it gets used like a lot of other data--you know, motor vehicle driver's license numbers from my State. And so they get used.
The concern here of course is that all of a sudden this was sort of benign practice, but when you start integrating it together with all the other information, it can become a very key in terms of, for instance, accessing Social Security documentation.
The question here is, where is the bright line? Which part is the responsibility of the Web site, of the service provider? What responsibility to the marketer, direct marketer that is using the Internet? And that is what, in a sense, we are trying to find out.
Obviously, we all share security concerns. We want the system to work so transactions can take place, so fraud--I mean, in terms of fraud, hopefully we can agree that the FBI or the police, law enforcement, get reasonable powers so they can participate in this process and do their job. I don't think any of us, as consumers or as individuals of service providers or Web sites, want to take over their role in terms of law enforcement.
So where is the bright line in terms of this? And the question is, in terms of other types of consumer information--and I think that, obviously, America Online has gone through a process in terms of self-regulation the last few months where they have had to, shall I say, be very, very kind in saying ''evolving policy.''
Ms. LESSER. Well, I assume that you are referring to our decision a few months ago to share with some very select partners certain telephone numbers of our members. And I think the best way to comment on that is to say that we think that is the way self-regulation works. We made a decision that extended our current marketing policy, which is to, under very controlled circumstances, share names and addresses, but giving consumers choice. We gave them the same choice with telephone numbers. But when we notified them of the policy, they clearly didn't want to see our company doing it. So we changed it within 12 hours.
And, you know, there really isn't anything to say except that you make a decision as a company, you think you are making a responsible decision, your consumers tell you, ''We don't think that is the best way to do business,'' and you change that policy.
And we hope, as we go forward, that what we learned from that experience is that we do a little bit more research and we make our decisions, you know, moving forward. But all I can say is, that is why we think self-regulation works. You make a decision, and it was a bad decision.
Mr. VENTO. Well, I didn't really expect you to come forth with that. I was really referring to the fact, in June they started out with a position, and the position changed, and it now has changed again. So I am just pointing out that
Mr. VENTO. Just to get back from it just to say that it is ''evolving'' or is changing, it is very much in flux in terms of how to define this relationship between the service providers and consumers, is what I am trying to say. It is obviously an indication of the change.
Ms. LESSER. Absolutely.
Mr. VENTO. I note also--that is what I was really trying to get at, but with direct marketing, that they have 3,000 members, but not all direct marketers are members of your association.
Mr. VENTO. Please denote good intentions.
But I think in terms of self-regulation, at some particular point, obviously, we don't know how many of the direct marketers will actually adopt your policy; is that correct today? You think most of them will?
Ms. KISLIK. We don't know how many will. But as Professor Westin was saying on the earlier panel, this is the period in which it is happening. This market, these consumers are so savvy and are so clear about their preferences, and this is such an easy way for them to get back to business and say what they are comfortable with and what they are not comfortable with.
Mr. VENTO. Well, it is happening. I mean, it is sort of dynamic, though. I don't think that there is ever going to be a point in which this is going to be still. There is a lot of change that I see as evolving. It is happening at a pretty rapid rate. So, you know, codes not followed, you know, enforcement, and others.
Now, one of the things that Mr. Harter mentioned was the Open Profiling system that you described. It appears to me to be more of a mechanism--I can look at this either way, you know. It depends which end of the telescope I look at. You see it as being almost a protection but a mechanism to facilitate transfer data. Or is it really enhanced consumer privacy?
In other words, this, with OPS information, is automatically transferred to the Web site and not evaluated on a case-by-case basis by the consumer. So it sort of says, ''Well, this is my browser, this is the information that gets to be part of that. I transferred all of the details required in that OPS system, so I can fill it out, and so that whenever I go to the Web site, that information would be available to that site.''
Mr. HARTER. If I could respond, I do agree there are two ways of looking at the Open Profiling standard. But from our point of view, we saw bad profiling practices, as evidenced by stories about cookies over the years. And the fact of the matter is, in the off-line world and the on-line world, merchants and others are going to collect information about individuals. And, hopefully, the OPS hundred different companies, organizations supporting it, will be an open architecture and will bring some order to the chaos, because in the chaos of today, whether an on-line or off-line world, the user has little opportunity to readily know how their information is being collected and how they can control this information collection process.
The Open Profiling standard brings an architecture through the browser to the doorstep of the individual user, where they control the possession of information. It resides on their machine in encrypted format so it is secure. And they only release it--the profile, that is--they only release the profile to the merchants they choose to do so with, and the merchants they have that relationship with can tell them, ''I am going to keep this to myself, only use this for one transaction, I want to resell this to these people, I am going to resell,'' and not tell you who we are selling it to. And if the merchant tells you what their privacy practice is, then at least the user has some information and can consent to it or not.
We are not trying to prevent bad actors from doing what they already do. We can't really change that. We are trying to bring more order to the environment. Think of in architecture; it is more apparent and simpler to use to the user. We try to be neutral on the issue.
Mr. VENTO. Now, what has consumer reaction been to it, and was consumer input involved in the development of this particular OPS structure?
Mr. HARTER. The OPS idea was evolved over the past year by a few companies and now is an open standard being vetted by the World Wide Web Consortium in Cambridge, at MIT. And given the fact that it is an open standard, Netscape no longer controls the standard. It is going to be vetted and improved and finalized by the standards body. So right now, we are waiting for that process to run its course.
Mr. VENTO. So does this replace all the cookies, then?
Mr. HARTER. We hope that people will use this to replace one of the two functions of cookies. Cookies are used primarily for two functions: One, for profile information, which we are trying to address with OPS; and the original function is that for password identification. If you simply want to maintain an ongoing relationship with a site, you go to Amazon.com, and you search through that site's selection of books, and you find a book on fiction, a book on mysteries, and a horror novel, and you go to the page to check out to pay for the books with your credit card, for example.
Well, because of the way the medium works, there is a session for each page. It is a connection. It is not an ongoing connection with a site for all those books and pages you just surfed through. The Web site does not know that you picked a mystery book, a horror book, when you get to the page where you pay with your Visa card. So the server comes to the cookie file that was placed on your client machine and sees that, oh, in this file, there is a horror book, a novel, and so forth, and pulls that data out of the cookie file and submits it with the Visa information for your credit card, whatever the payment scheme is--not to use Visa in particular, but as an example--and then the cookie file is deleted.
Mr. VENTO. So dropped off at the, as you said, a shopping cart at the Web site? It doesn't go beyond that into your hard drive?
Mr. HARTER. Right.
Mr. VENTO. Does Netscape have access to these personal profiles?
Mr. HARTER. In the Open Profiling Standard?
Mr. VENTO. Yes.
Mr. HARTER. No. Those profiles are created when a user using our software or Microsoft's software
Mr. VENTO. Pardon me, but your purpose in participating, then, is to use this as a marketing technique in terms of saying that we have this browser as an available tool for potential individual Web sites that might be on-line.
Mr. HARTER. Correct. It is to help Web merchants build up confidence in e-commerce and have a relationship to individual users.
Mr. VENTO. In developing this particular OPS, is there a recognition that collection preferences might, in fact, be using personal information that might be benign in one sense, but then in a different access vertically be a problem?
Mr. HARTER. I am not going to argue about the problems that you are bringing up here in your questions, but I would say that, from our point of view, these kind of activities would occur whether or not Netscape existed in the first place. These activities already occur in the off-line world, and they are merely being replicated in the on-line world. And we are trying to use technology and encouraging merchants who would otherwise be bad actors to have good behavior, have privacy policies, and inform the users what they are going to do with the data through this open architecture.
Mr. VENTO. How does this interface with the European Union directive?
Mr. HARTER. We have briefed the European Union several times about our changes in cookies and our product and Open Profiling Standard, and so far, while I don't want to prejudice what they would say officially, I have gone over to Brussels and met some German data protection officials, and they haven't taken my kneecaps out. So I think they are at least impressed with the technology solution.
But, again, the debate between the U.S. and E.U. on the data protection directive is a very sensitive matter. I don't want my conversations in meetings to implicate where that might be going.
Mr. VENTO. Well, I just think it would be interesting. Obviously, it is also a work in progress, for sure.
Mr. HARTER. Yes.
Mr. VENTO. You know, just one of the questions, of course, that was a predicate of the hearing was the issue in terms of financial transactions, whether it be credit cards or banks. All of this really comes at sort of one piece of cloth when you pick up a piece of it. And, you know, we made comments about the fact that the--Mr. Byrne, I believe, ran through a series of laws, and there are really very few laws that govern the information that banks collect other than the--of course, from a proprietary standpoint, they don't want to share it.
But do you see, are there concerns that we should be aware of with regard to other information that banks have been collecting and being on the Internet or exchanging that information, that have not been articulated here today, that you see as soft points or weak points in terms of financial institutions and the functions of financial security and/or privacy?
Ms. LESSER. It is difficult for me to comment on that, because we are not in the business of on-line banking. I can tell you that the banks and financial institutions with which America Online does business, because we are very careful in terms of who we do business with, we have not identified any problems. And since we require all of the merchants with whom we do business to abide by our privacy policies, I think, you know, in our experience, the answer would be no. But I really can't comment on the experience on the Internet and what banks are doing.
Mr. HARTER. I don't really have an opinion on the matter either, because we are not a bank. We don't offer on-line banking services ourselves. However, one of our biggest customer bases are banks worldwide, and all they ever tell us is, ''Give us 120 encryption and no U.S. Government built inside, please. Thank you very little.''
Mr. VENTO. Well, thank you.
Chairwoman ROUKEMA. I do thank this panel. And I think we have learned quite a bit today. Sometimes on subjects like this, the more you know, the less you know, but we will try to put this together.
I hope I didn't leave the wrong impression earlier. We do not yet have our second full hearing on this particular subject scheduled. We are planning one, but it is not explicitly scheduled as of this moment. The one that I referred to next week, however, will include the debit card question, and that will be held next week. But we do hope to follow up this hearing with a second hearing in the near future.
Yes, Mr. Harter.
Mr. HARTER. One last request, Madam Chairwoman, if I could enter that Communications Week International article into the record, please.
Chairwoman ROUKEMA. Yes. I am sorry, I thought
Mr. VENTO. We had let the Money Magazine article in the record, but he had a different article.
Chairwoman ROUKEMA. Yes. I thought I had. In any case, yes, you may, without objection.
Mr. HARTER. Thank you.
Chairwoman ROUKEMA. This hearing is now adjourned.
[Whereupon, at 2:40 p.m., the hearing was adjourned.]