UNITED STATES OF AMERICA
DEPARTMENT OF COMMERCE
AND
THE INTERNET EDUCATION FOUNDATION
- - -

ONLINE PRIVACY TECHNOLOGIES
WORKSHOP AND TECHNOLOGY FAIR
- - -

Auditorium
Department of Commerce Building
1401 Constitution Ave., N.W.
Washington, D.C.

Tuesday, September 19, 2000

The workshop was convened, pursuant to notice, at 9:18 a.m.

P R O C E E D I N G S
(9:18 a.m.)

INTRODUCTION - GREGORY L. ROHDE, ASSISTANT SECRETARY OF COMMERCE FOR COMMUNICATIONS AND INFORMATION, ADMINISTRATOR, NTIA

MR. ROHDE: Good morning and welcome. My name is Greg Rohde. I'm the Assistant Secretary of Commerce for Communications and Information, as well as the Administrator of the National Telecommunications and Information Administration. I am very pleased to welcome all of you here this morning at this Online Privacy Technology Workshop and Technology Fair.

Central to the mission of NTIA is to promote electronic commerce, as well as to promote the development of new technologies. I am very pleased today that you can all come here to join us as we carry out our mission to look at how we can promote electronic commerce and develop new technologies.

The purpose of today's workshop is to focus on a particular area of electronic commerce and that is an area that is so vitally important to a lot of consumers, and that is privacy. You don't need to look at national polls to tell you that consumers care deeply about protecting their private information on line. You can simply look in the comic strips. When it reaches a comic strip such as "Cathy," when she calls it "the information superhighway," you know we've got an issue that is really close to the pulse of the American people.

So I'm very pleased today that we can be here to discuss this issue. We have a number of panel discussions we're going to have throughout the day.
They're going to explore various aspects of this issue. We also are very fortunate to have a Technology Fair which is occurring out in the foyer area of the building, and this has been co-sponsored by the Internet Education Foundation. We're very pleased at their participation in this event.

Without any further delay, I would like to introduce the new Secretary of Commerce. We're very pleased that the new Secretary has chosen to join us here for a few minutes and is going to give a keynote address. As many of you know, shortly, this summer, President Clinton nominated Mr. Norman Mineta to succeed William Daley as the Secretary of Commerce. Mr. Mineta comes to us from a long career on Capitol Hill. He also began his career as the Mayor of San Jose, and I can tell you that since coming on board in the Commerce Department he has certainly energized and inspired many here, and we're extremely honored and pleased that Secretary Mineta is here with us today.

So without any further ado, I give you Secretary Norm Mineta.

KEYNOTE ADDRESS - HON. NORMAN Y. MINETA, SECRETARY OF COMMERCE

SECRETARY MINETA: Greg, thank you very, very much, and I want to thank you for the terrific job that you are doing as our both head of Communications and Information as well as your dual other job as Administrator of the NTIA.

First of all, I want to thank all of you for taking time from your own busy schedules to be here with us today. This is a very, very important conference and I'm really impressed with all of you being here.

Two years ago when we held a privacy summit, a poll was released that said that more than 80 percent of Americans were concerned about their threats to their privacy when they were on line.
Unfortunately, according to recent reports, the numbers have not changed and a Pew study shows that over 86 percent of Internet users are still concerned about businesses or people they don't know getting access to their personal information.

Now, what has changed, however, is this, and that is the way that industry is responding to these concerns and the new technologies that are available to protect online privacy. That's why we are all here today, to explore what those might be.

In 1997, when a fraction of today's web population was on line, President Clinton and Vice President Gore issued their policy framework on e-commerce. They understood that if e-commerce were to succeed it would be under private sector leadership. It was the government's role to foster an environment to promote e-commerce and to work with the private sector to ensure that the Internet would grow worldwide.

Since then the Internet without doubt has flourished and technology has dramatically lowered costs. More and more people and businesses are online and e-commerce is projected to climb into the trillions of dollars over the next several years. Now, all of us, both in the private sector and on the government side, want this to prosper.

The Internet has been a central part of the longest peacetime economic expansion in our history. But we don't think this growth will continue unless both consumers and businesses are confident about their experiences on the net. So we see privacy as a make or break issue.

The administration is committed to continuing to protect privacy and we have supported legislation to protect children, sensitive financial information, medical and genetic information as well. And we have worked closely with the private sector to implement meaningful self-regulatory privacy regimes.

Now, there has been progress.
The FTC found that 88 percent of the Internet sites now have some form of disclosure. We now have several third party seal organizations that certify a web site is complying with its privacy policy, and a number of companies working with my predecessor Secretary Bill Daley prompt other companies to adopt and disclose good privacy policies.

Now, these companies use their market leverage by withholding advertising from web sites that failed this test. But it is a long road that we are all traveling, and it seems to me much work remains to be done. In the FTC survey, the Federal Trade Commission survey, only 20 percent of Internet sites had policies that tracked fair information practices.

Now, clearly we have a challenge, which I think can best be met if we all work together -- government, industry, and consumers. One, we need to be sure that all content providers satisfy the fair information principles. Among other things, they must provide Internet users with information about who is collecting their personal data, how it will be used, and how its disclosure will be limited.

Secondly, we need to empower consumers so that they can make informed choices about data collection. Internet users should have a choice about whether to share information and with whom they want to share it.

Three, consumers need to have reasonable access to information collected about them and an effective means of recourse.

Finally, we are here today to let consumers know what tools are available to protect their data.

Now, industry is doing a good job in developing privacy-enhancing technologies, but the word hasn't gotten out to the consumer. Reports show that only one in 20 Internet users have used software that hides their computer identity from web sites. Only 10 percent of all users have set their browsers to reject cookies.

Now, there are a number of privacy enhancing technologies on the market or in the final stages of development. Many incorporate the Platform for Privacy Preferences and this allows users to determine if a web site meets their privacy preferences.

Let me indicate that all of us here at the Department of Commerce are committed to making our web site compliant with these standards. Now, online privacy is a critical issue for Internet users, one that we all have to address if the extraordinary potential of this technology is to be fully realized in the twenty-first century. So we have invited all of you here today to put a spotlight on privacy-enhancing technologies and what their capabilities are and to learn from you what might stand in the way of their future deployment and use.

Tomorrow on Capitol Hill, Senator Hatch and the Internet Caucus will be hosting similar demonstrations to further highlight this issue.

Let me close by saying thank you very, very much to all of you for taking the time to be here and to participate, and I look forward to your comments and, more importantly, your recommendations on how we can enhance privacy online and make sure that the Internet is a secure place to visit.

Thank you very, very much.

(Applause.)

MR. ROHDE: Mr. Secretary, thank you very, very much. We know that the Secretary's schedule is very, very tight and we are very pleased that he was able to be here.

Before we begin the panels, we wanted to provide a general overview of privacy on the Internet. To do so we have asked Dr. Lorrie Faith Cranor of AT&T Labs to do a general presentation that will provide kind of a backdrop for the discussion we will have throughout the day. Dr.
Cranor is a senior technical staff member at AT&T and has done a great deal of research that's focused on a variety of areas where technology and privacy policy intersect, including she's worked in areas of online privacy, electronic voting, and spam.

She is currently the Chair of the Platform for Privacy Preferences Project Specification Working Group and the Co-Chair of the P3P Interest Group at the World Wide Web Consortium.

So I would like to introduce for you Dr. Cranor.

(Applause.)

PRESENTATION: OVERVIEW OF ONLINE PRIVACY-ENHANCING TECHNOLOGIES - LORRIE FAITH CRANOR, AT&T RESEARCH

DR. CRANOR: Good morning. I'm going to try to take you through kind of a whirlwind tour of the different types of privacy technologies which are currently available and show you some samples of what they look like and give you a brief overview of how they work.

As has already been mentioned, we know that online privacy is important because it appears in the comics. In this particular comic strip of "Cathy," which had about a two-week series on online privacy, in this one Cathy is finding out just how much can be found out about her online. In this conversation she learns that Irving has found out the following. He says: "You love old movies where men are heroes, love is forever, and women get to wear little hats." And she says: "You know that about me?"

He says: "Yes. You dream of snuggling up under a vintage quilt, sipping cocoa from Southwestern mugs, listening to the Three Tenors on CD." She says: "Irving, you, you created an online profile of me."

He says: "Yes, and also your stress-relief tablets are back ordered."

So Cathy wasn't too pleased about this and in the next few strips we learn how Irving was able to find all this information out about her, and we find out that, first of all, he snooped her e-mail and he looked at the files on her computer because her employer had actually hired Irving, and he was able to observe the chatter sent by her browser, all the extra information that her browser sends, and he was also able to set cookies through banner ads and to use web bugs that allowed him to track her activities across web sites.

(Screen.)

So let's take a minute to look at what browser chatter is. Browser chatter is basically all the things that your browser is saying when you make little requests on the web. This will include your IP address, your domain name. It includes the referring page, and that's the web page that you visited before the page you're currently at.

It also has information about your computer, including your operating system, what kind of browser it's using. It also includes information about what requests you're actually making, so the URL, and if you're performing a search what are the search terms that you're using. And it also includes cookies.

Now, who gets to hear this chatter? Well, obviously the web site you're visiting gets to hear this, but there are other people who might hear it as well. This includes your local system administrators, your ISP. There may be other third parties involved, such as advertising networks. And any of this information that may end up in log files at any of these places might be subpoenaed later.

(Screen.)

So here is an example of the typical request, and this is an actual request that I did. I actually shortened it a little bit so it would fit on the screen. But I went to buy.com and I wanted to buy some beer, and so I did a search for beer and this is what my browser transmitted.

You can see here that it includes my actual request for beer, it includes the fact that I am communicating in English, that I'm from the United States, what web site I was at before I did the search, as well as a cookie which right now indicates that I have an empty shopping basket. But there is all sorts of fields where they could put more information in there.

Since I performed this search on my employer's network, they know that I was shopping for beer at work.

(Screen.)

Okay, what about cookies? We've heard a lot about cookies in the past and cookies are actually a very useful thing. I like to think of them kind of like staples. If you're going in the physical world and you're filling out a form and the form is multiple pages, often you have multiple sheets of paper that are actually stapled together. And if it's a well-designed form, you only have to write your name on the front page of the form. You don't have to write it on every page because the form is stapled together and they know that all the information on page 2, 3, and 4 applies to the same person who wrote their name on page 1.

Well, cookies can perform that sort of function in the online world, basically tying together information that is submitted on multiple pages of a form.

Another use for cookies is to identify you when you return to a web site so you don't have to remember a user name and password. And it also can be useful for web sites to get a better understanding of how people are using the web site, so when you go to a newspaper site, does everybody read the sports page first; they'd like to know those sorts of things.

So there are some very useful uses of cookies. But as we've heard, there are also some reasons where cookies can be harmful. In particular, people are reacting to cookies being used to profile users without their knowledge.
So they can be used to monitor users across multiple web sites in the background, so that users don't even know that they're being tracked.

(Screen.)

An example of how this can work. So imagine that you're going to a search engine and you're doing a search for, say, some medical information and the search engine has an ad, and that ad is going to set a cookie on your computer. When it sets a cookie on your computer, basically it's sending this little bit of data to your computer, and whenever you go back to the web site that set the ad your computer is going to send that little bit of data back.

In this case, it's not the search engine that set the cookie, but it's the ad company. So after I've done my search, now I'm going to go to a book store and buy a book. It turns out that this book store uses the same ad company as the search engine, and so when it goes to display the ad it's going to send the cookie back to the ad company. So now the ad company knows that I went to the search engine and then I went to the book store. It has tracked me across multiple sites.

If the ad company has the cooperation of the search engine and the book store, it may actually be able to get some more information, because while the cookie itself doesn't know who I am, when I bought that book I had to provide my name and my address and so the book store knows who I am, and if the book store cooperates with the ad company now they have an identified profile of me.

Another thing that you may have heard about in the media is web bugs. Basically what a web bug is, it's very similar to what I just showed you, where you have an ad that's sending a cookie, except that a web bug is invisible.
So there's some invisible little dot on your screen that has a cookie associated with it and it may be tracking you, but not only do you not know that's happening, but you can't even see that the dot is there.

(Screen.)

Other privacy problems have come up due to the referer. As I mentioned, the referer is the address at the last web site you visited before the current one. Often when you go to web sites that have forms, sometimes after you fill out the form, if you look carefully at the URL bar, you'll notice that it changed and that some of the information you typed into the form is now actually in that URL. So there's an example at the bottom of the screen where you have an actual person's name and address that actually becomes part of that URL.

Now when I go to the next web site, that information is going to be transmitted to that web site. So this is a big problem. Now, there are a lot of companies that once they became aware of the problem they changed the way their web forms worked so that doesn't happen. But there still are a number where this is still a problem.

(Screen.)

Okay, so what can you do about this? Well, this is a slide actually that I borrowed from one of my colleagues that he put together. He says, well, you know, you can go to cyber cafes, only use the Internet while you're drinking coffee at different cyber cafes, and of course never go back to the same one. And you can use free e-mail services instead of an ISP and keep changing them, or set up a prepaid cash account with your ISP and be sure to give all phony information. And you can forge e-mail, and of course never go shopping online where you have to actually give out personally identifiable information. And if you do all that, then you should be pretty safe.

Fortunately, there are some other solutions.
There are a number of software tools, many of which you are going to see demonstrated today in the foyer, that can help people address some of these concerns.

The first set of tools I'm going to talk about are anonymity and pseudonymity tools, which basically help people surf the web without any of their actions being linked directly to them. Another set of tools is encryption tools and I'm going to touch on them briefly. That's not really the focus of the session today. We could do a whole another session just on encryption tools. Then another set of tools are filters. Basically, these are tools that are going to be making sure that your computer is not sending out certain kinds of information and so they may be blocking cookies, they may be making sure that your child is not sending out their name or their phone number over the Internet, things like that.

(Screen.)

There are also some tools that are helpful for information and transparency, so they basically inform users as to what's going on, what information is collected about them, and what is going to happen to it. Then there are a whole bunch of other tools that sort of didn't really fall neatly into these other categories, and I'm going to talk about a few of those.

(Screen.)

Just to give you sort of a holistic picture of how this all works, you can imagine that you have your user and you have various services and web sites and there is the Internet that's sort of this big cloud in the middle, and the user lives somewhere where there's a regulatory and self-regulatory framework and the services that they visit may be following the same laws and the same guidelines or they may be following different ones.

Then the user has the ability to send all their messages on the Internet through a number of different tools. So these might include an anonymizing agent or a cookie cutter or a P3P tool.
So the user can basically get extra privacy features by using these tools.

(Screen.)

Then the other thing is that it's very important that any data that the user does decide to send to a web site is going to be visible only to that web site. So the user needs to have a secure channel through encryption tools to make sure that this data is just not picked up by anybody else who happens to be listening.

(Screen.)

So let's start with anonymizing proxies. This is a tool that basically a user can set up their web browser so that all the requests they make to the Internet are going to go through this proxy server. Basically, the proxy server takes the request, strips off identifying information, and forwards it to wherever the user wants it to go.

Then when the web site responds, it responds by sending the request back to the proxy. The proxy knows what user requested it and so they can send it back to the user. So as a result, the end servers have no idea who the original user is. However, the proxy can see everything and so we have to trust that the proxy is going to have a good policy and not be using that data in ways that the user doesn't want. There are a number of different proxy-based services. Some are free, some are subscription, some are supported by advertising.

(Screen.)

One of the best well-known ones is called the anonymizer, anonymizer.com. For example, if you are visiting Yahoo using the anonymizer it would add this little blue bar at the top of your screen to indicate that the page was loaded by anonymizer. It includes a control panel that lets people control some of the settings, for example whether or not you want the anonymizer to filter out the cookies or let them through. There are a few other settings that the user can control.

(Screen.)

There are also a number of tools that are related to anonymity tools, but they have sort of an extra thing. I call them pseudonymity tools. They have the ability to automatically generate user names, passwords, e-mail addresses, or other information, basically pseudonyms for the user, and keep track of them. A lot of users say that when they go to web sites and they're asked to provide information that they lie and they make up names. But actually, you have to keep track of what it is you made up if you want to maintain a relationship with the site.

So these tools will actually keep track of that automatically for the user. So one example is iPrivacy, and I believe they're going to be doing a demonstration here. Basically, when I go to a web site and I want to order something and have it shipped to me, I can type in my information and iPrivacy will translate that information into this essentially encrypted private identity and then it will fill out the form for me with this translated information, and then the web site will get the encrypted information.

They will have enough information to give to the credit card company and to give to the shipping company so that the transaction can be processed, but the web site itself doesn't know what my credit card number is or what my home address is, and in the end the shipping subsystem can basically print an address label which will allow the product to be delivered to me without the company actually knowing who I am or where I live.

(Screen.)

This is the screen. They have to download some software onto the computer to make this work.

(Screen.)

There's another company called Incogno which has a similar tool, except it doesn't require that users download it onto their computer.
They work with merchants, and if the user visits a web site that is equipped with Incogno they can use a similar tool where Incogno may have access to some of this personal information but it is not actually released to the vendors themselves.

(Pause.)

Now, this is where technology breaks down. Let's see if I can revise this. Otherwise I'll wing it.

(Screen.)

Now we're in trouble.

Okay, while my computer is rebooting, some of the other tools that I'd like to show you pictures of, but you'll just have to imagine, besides the anonymity and pseudonymity tools, the next tools I was going to talk about are encryption tools. There are encryption tools which are useful to encrypt data in a variety of ways. There are some which are focused on encrypting data as it's being transmitted from your computer to the web site. There are also tools which are focused on encrypting e-mail messages. And there are some which are focused on encrypting the data when it's on your computer or when it's on the database out there.

I'm not really going to talk about those in detail, other than just to say that they're really important. If you have all of these other privacy tools and your data is just floating out there unencrypted, that's not really going to offer a whole lot in the way of privacy protection. So it's important not to leave out those things.

Now, fortunately, increasingly some of these tools are actually being built into web browsers, being built into database systems, so that's going to be very helpful.

The next set of tools that I wanted to talk about are the filtering tools and the first set of filtering tools are the cookie cutters.
So these are tools which can be configured to block all cookies or to selectively block cookies, and often users will want to allow cookies from some web sites where they see themselves as actually getting some value from having the cookie, and at other web sites they'd rather not have the cookie.

Some of these tools also allow the users to go ahead and accept the cookies and then to review them later and decide which ones they want to keep and which ones they want to discard.

Besides being able to filter cookies, a lot of these tools also have the ability to filter out the referer header and some of the other browser chatter that we talked about.

Hang on a second. We'll be back with the presentation.

(Pause.)

(Screen.)

Okay. The other kind of filter besides the cookie cutter are the child protection software. Now, most of this software was developed primarily to allow parents to filter out material that they felt was inappropriate for their children. But a lot of this software also has a feature where parents can block the child from sending privacy-sensitive information on the Internet. So for example, they can set it up so that the child's name or phone number won't be sent on the Internet. They can also limit who a child can e-mail or chat with.

(Screen.)

Another type of tool that we talk about are identity management tools. Sometimes these are referred to as infomediaries. Some of these companies refer to themselves as infomediaries and some of them tell me that they absolutely aren't infomediaries. So I'll just call them identity management tools.

But basically, the idea is that these are tools that help people manage their online identities.
Basically, they generally offer some sort of an electronic wallet or electronic archive where I can type in my information in some sort of a secure storage and have the ability to have my computer automatically send this information when I authorize it. So they'll automatically fill out forms or automatically send demographic information to web sites, but only when I have authorized it.

So some of them are essentially an opt-in to targeted advertising. Some of them will pay consumers for data. Some of them actually go and check for privacy policies at web sites and give consumers some indication as to what kind of privacy policy the site has before they will release the data. There are a number of different examples. They all have slightly different models of how this actually works.

One example is Persona. In Persona, the consumer will in advance fill out this profile with personal information and they will indicate for each field when they want to allow it to be shared. And then Persona Valet has this tool bar that will allow users to have some control over cookies and control over when to provide data, and they are also planning on building in P3P so that they can give users alerts about web sites' privacy practices before data is released.

(Screen.)

There's another company called Privacy Bank that has an interesting system. Here if I go to a web site that's equipped with Privacy Bank -- in this case this is the Starbucks Coffee site -- if I want to order some coffee beans, I will click on my Privacy Bank bookmark which I set up when I subscribed to Privacy Bank, and it will pop up this window which provides a snapshot of what the Starbucks privacy policy is. There are little symbols that you probably can't see, but they basically give me -- there are five symbols and depending on which ones appear I have some idea of what their privacy policy is.

Then if I'd like to fill out the form, then I can click on the "My information" and drag it onto the form, and at this point it gives me an alert, because when I registered for Privacy Bank I indicated what my personal preferences are. There's a conflict here, and so it says "This site does not meet your privacy preferences. Would you still like to fill out the form?"

I can say yes or no. I can also click on the button for policy details and get a much more detailed indication of what kind of data they collect and what exactly they do with it, and then I can make an informed decision.

(Screen.)

The next thing I'd like to talk about is the Platform for Privacy Preferences, or P3P, and I'm just going to give you a brief overview of that and that will be discussed more on the next panel. But basically, P3P is designed to give web sites an easy way to take their privacy policies and convert them into a standard machine-readable format. Then once this is done, we can build web browsers and plug-ins and other tools that can automatically go fetch these machine-readable policies and read them for the user, and then they can compare the policies with the user's preferences and alert the user when there are conflicts.

(Screen.)

So basically a web site that wants to use P3P, it's fairly straightforward. First they have to have a privacy policy. Then they need to translate it into P3P format, and there are a number of tools that are available to assist with the translation process. Then they take that translated policy and they put it on their web site, and then they create another policy -- another file which indicates what parts of the web site this policy applies to.

So a web site can say: We have one P3P policy for the entire site, or they might have different policies for different parts of the site and they can indicate what policy applies where.

(Screen.)
The P3P vocabulary basically has a number of different fields which capture what we felt were the important parts of a privacy policy that people would be interested in knowing. So basically they are who is collecting data, what data is collected, what purpose will it be used, is there an ability to opt in or opt out, who are the data recipients, what kind of access is provided, what kind of data retention policy is there, how will disputes about the policy be resolved, and that includes third party seals, laws, anything along those lines, and then finally where is the full human-readable policy if I want to go get more information.

(Screen.)

One of the advantages of P3P is that not only can I easily find out about a web site's privacy policy, but I can also find out if the web page has any other objects in it that might have different privacy policies. So for example, here you see this page which is on the AT&T web site and as a user I look at it and it looks like it's just one whole page. But in fact it actually has an ad in it and this ad is served from another company, and the privacy policy associated with that ad is the policy of that other company.

So using P3P, my user agent should be able to automatically discover this and check both privacy policies to make sure they match my preferences.

(Screen.)

I'm going to show you a prototype P3P user agent which was designed at AT&T in conjunction with Microsoft. This is a plug-in which is designed to work with Internet Explorer, and it allows users to configure their preferences. This is the preference configuration screen, which I don't expect you to actually read here, but you can see it's a fairly small number of questions. The users can use that to specify what their personal preferences are.
After they have set their preferences, whenever they go to a web site they can click on the privacy button and it will check the results. So here are examples at two different web sites. The top web site, there is a warning that comes up because there was a mismatch with the user's preferences and it says: "This site does not allow you to find out what data they have about you." Basically, the site provides no access and I have said that I need access.

Then the bottom screen, we're visiting a site where there are no warnings. We can see here that this site has a seal from TrustE. That's one of the things that comes up as part of a policy.

Now, if a user changes their privacy preferences and goes back to that same site, now all of a sudden they have a warning that this site may collect data that does identify you for profiling. So basically now the user has said: Hey, I actually don't really want profiling, and so that warning will come up.

(Screen.)

Another P3P user agent is by IDcide. It's called the Privacy Companion and it's a plug-in that works for both Internet Explorer and for Netscape, and it provides cookie management capabilities. It actually started out as a cookie management tool and by adding P3P to it they've been able to enable people to have much more fine-grain control over when to allow cookies.

So it adds these little symbols to the top of the browser bar and the symbols indicate red for when there's a P3P policy that's not acceptable, green when it is acceptable, and grey when there's no policy at all. Then when I visit a site that's trying to set a cookie, if the privacy policy doesn't match I can get information as to exactly why that pops up here.

Another tool is called YOUpowered Orby Privacy Plus, and this is actually a toolbar that sits on the user's desktop rather than in the browser window, and it has similar features.
It also has this trust meter. You can see in the upper right-hand corner of the screen, it gives you a little visual graphic indication of how close the policy is to matching your preferences, and then you can click on it to get specific positive and negative flags to see specifically where the web site may have problems or where it's doing good things. You can also get it to prompt you when web sites want to set a cookie and they don't necessarily match your preferences.

(Screen.)

IBM has a tool that they're demonstrating here that lets web sites create their P3P policies. This is something that's currently available from the IBM web site and it's a drag-and-drop interface that basically somebody can pick up these little elements on the screen which represent different kinds of data and drag them onto the other page to indicate we collect this kind of data, and then they can fill out various information about each type of data and what is done with it.

IBM also has a number of templates, so rather than starting from scratch you can find --

(Screen.)

-- a template that follows similar practices as your web site and then just edit that to customize it for your web site.

(Screen.)

Another tool which allows web sites to create P3P policies is called PrivacyBot. They're actually a web-based interface. I go to their web site as a webmaster and I can fill out their lengthy questionnaire about my web site and I can pay I think it's $30 with my credit card and create both a P3P policy as well as a human-readable privacy policy for my web site.

(Screen.)

Finally, YOUpowered, which I showed you a minute ago, also has a tool for webmasters to create their privacy policies as well.

(Screen.)

Now I want to mention a few other tools. As I said, these are sort of the miscellaneous ones. There are some privacy-friendly search engines. One example is TopClick.
These are basically search engines which are committed to not using cookies, not tracking users, and basically trying to be as privacy-friendly as possible.

Another type of tool are computer cleaners. When you're surfing the web there's all sorts of little files that are created on your computer to kind of keep track of things while you're surfing and many of these files are no longer really needed once you're done. So there's a tool called WindowWasher which goes through and removes all of these files, therefore removing the traces of what web sites you visited when you were on line. People say that it actually makes your computer run faster, too.

(Screen.)

Another type of tool is tools to facilitate access. We're going to hear today from a company called Privacy Right, which is focused specifically on access. So for example, they have, for example, this tool. I can go to a web site that is equipped with their tool and indicate what kinds of data uses are acceptable, basically opting in and out of various things, and then I can actually go and view what data they have collected on me and who it has been disclosed to and when, and I can view that on line. I can also request that they send me a complete audit trail of where my data has gone.

So that's pretty much the end of our whirlwind tour. I think I even managed to stay mostly within time. The final thing that I want to leave you with is that we've seen a variety of different tools, but there's no one tool which is going to solve all the problems. Really what we need is tools that can work together. So I think each tool has its strengths and it has something that it can contribute.

So P3P tools are useful to help users understand privacy policies, but they don't deal with, for example, enforcing privacy policies. Seal programs can help with enforcement as well as regulations can also help with enforcement.
Anonymity tools and filtering tools can reduce the amount of information that I actually reveal, which is great when I don't need to reveal information, but if I want to actually go purchase something there may be information that I do need to reveal, and so then some of the other tools are going to be useful.

Encryption tools are of course useful for securing data both in transit and in storage. Finally, the laws and codes of practices are going to do what tools can't, which is provide a baseline level of acceptable policies.

Thank you. And if you would like a copy of any of these slides, they are all available on my web site.

(Applause.)

MS. LEVY: Thank you so much, Dr. Cranor, for the extremely informative overview.

We're now ready for our first panel of the morning, P3P Implementation. I ask all the panelists to come up.

PANEL DISCUSSION: P3P IMPLEMENTATION

MS. LEVY: Our moderator for this panel is Elliot Maxwell, the Special Adviser to the Secretary of Commerce for the Digital Economy. Among other things, Elliot advises the Secretary on and helps coordinate web site of Commerce activities regarding electronic commerce and the Internet. I'm going to ask that Mr. Maxwell introduce his own panelists.

MR. MAXWELL: We are under this time pressure and we are just going to hustle. So Lorrie just did a wonderful job. It's like having a whole sort of panel to herself, but giving us an enormous amount of information about privacy in general. We're going to focus right now in this panel on P3P.

I will give a sort of blast fax introduction of the panelists and then they will have three and a half minutes. You will see a clock counting down at the end, so the last 30 seconds you count down like it's a NASA countdown, so they'll know that they don't have any more time.

We're going to try to have questions at the end, so we'll try to go very quickly.
If we are able to do that, there are microphones in the aisles, so that if you will use those we can have a recording of it.

I will give the introductions in order of, in alphabetical order, though that will not match the order of appearance, and I'll give that quickly at the end. But let me just briefly introduce the panel: Marc Berejka is a Senior Federal Affairs Manager and Senior Corporate Attorney at Microsoft's corporate office in Washington, responsible for developing and advocating the company's positions in telecommunications issues and in particular in this regard in the area of privacy.

He chairs the Information Technology Industry Council's working group on telecommunications policy and the Information Technology Association of America's working group on information policy.

Karen Coyle is a digital library specialist at the University of California. She speaks and writes often on issues relating to cyberspace and is active with Computer Professionals for Social Responsibility, a public interest group based in Palo Alto. She's written critically about P3P, which she refers to as "pretty poor privacy," so she carries a particular perspective on this.

Deirdre Mulligan is Staff Counsel at the Center for Democracy and Technology and works with groups around the world on fair information practices and strengthening individuals' control over their personal information.

Dan Jaye is CTO and Co-Founder of Engage, part of the CMGI Group, where he is involved in delivering interactive database marketing and information service products. He's also involved with a group itself in facilitating communications about technology and privacy.

Ed Mierzwinski has been a consumer advocate with the Public Interest Research Group, U.S. PIRG, since January of 1989.
He's a frequent participant in public policy forums, has testified often at both the state and federal levels, and is a member of the steering committee of the Trans-Atlantic Consumer Dialogue, which just recently met in Brussels.

Ron Perry of IDcide is the company's CEO. IDcide is a company that provides a bridge between privacy and profiling services to Internet users and tries to address the privacy needs of both e-businesses and consumers. They just released "The Privacy Companion," which is a product that reports cookie-based tracking, automatically blocks third party cookies, and eliminates data spillage problems.

Mel Peterson of Procter and Gamble has served in a number of different positions with the company. In 1998 he joined the Interactive Team at P and G -- it's now called I-Ventures -- and he helped implement P and G systems to manage online privacy and to develop P and G's global privacy guidelines. Effective this year, just about a month ago, Mel became P and G's global privacy manager, responsible for building and enhancing P and G's privacy management capabilities globally.

Martin Pressler of IBM is an advisory programmer at IBM's facility in Research Triangle. He's been deeply involved in P3P and is co-author of the P3P specification.

Danny Weitzner, on his right, is Director of the World Wide Web Consortium's Technology and Society Activities, responsible for the development of technology standards that enable the web to address social, political, and public policy concerns, and has been again heavily involved in P3P. Before joining W3C he was at the Center for Democracy and Technology and was also at EFF.

So I think I got my three and a half minutes. You won't hear much from me any more. So Danny, why don't you take it away.

MR. WEITZNER: Thanks very much, Elliot.
Because we have a big issue and a big panel, I'm going to speak in sort of a cryptic, skeletal way. I really just want to highlight, following Lorrie's presentation, which I think gave us all a good background on what P3P is and how it works, I want to just make three very quick points about why we need P3P on the web, and three points about why I think it's actually going to happen.

First of all, I think there's a tremendous need for what Lorrie referred to as machine-readable privacy policies. That is, anyone who looks out on the web today and looks at privacy policies knows that they're relatively long, they're written, even for lawyers, in sometimes somewhat confusing language, and I think that some tend to feel that this is maybe done to confuse or deceive users.

I actually think to a large extent it reflects the fact that privacy practices, the practices of handling personal information on the web, are becoming increasingly complex. Therefore, I think we desperately need to put privacy policies in machine-readable format, in the same way as everything else on the web is in machine-readable format, so that the tools that we use to access the web, the browsers and all the other user agents out there, can help us to decipher these policies and make intelligent decisions about them.

Secondly, I think that we badly need P3P because we need to harness the entrepreneurial energy that has made the web itself work to help users make intelligent decisions. To me one of the most extraordinary things that's happened in the development of P3P is that, now that the standard is more or less complete, we're seeing the whole range of companies come out with a variety of products that give users a variety of different options about how to make choices about their personal information.
I think it's safe to say that the designers of P3P didn't even think about a lot of these products or about these possibilities. But we need to provide that kind of flexibility to users which in practice in the web arena is provided when we let software developers go out and do innovative things.

Third, I think that, for the reasons I've said, P3P really, in the words of Alexander Dix, who's a data protection commissioner from Germany, is necessary but not sufficient to guarantee online privacy. As Lorrie indicated, P3P is part of a broad array of tools, services, self-regulatory practice, regulation, that all have to come together to make privacy work. But P3P is really necessary for that.

I think there are three reasons following those why web sites will adopt P3P, why software developers will build P3P products, and why we'll really see this kind of enhanced user control over privacy on the web. Number one, web sites, particularly those web sites that are trying to have a commercial relationship with users and sell them something, very badly want to ensure that users have a seamless browsing experience. They don't want users to be distracted by going off and having to find the privacy policies and take however many minutes or hours it takes to understand it. Seamless browsing is critical.

Second, I believe that as the major browser vendors begin to integrate P3P into their products, and two of the major browser vendors, Microsoft and Netscape, have announced plans to integrate P3P, users will come to expect to see a P3P policy. I doubt very much that many more than about a tenth of one percent of users will ever say, I want my P3P, but they will see, as you saw on Lorrie's slides, an icon that's an icon that's in grey instead of in green and they'll wonder what's happening.
Third, I think that P3P will become a part of the web and needs to become a part of the web, because web services are fundamentally becoming more complicated and they are becoming more integrated into our lives in a variety of ways, and the fact of the matter is that as we live our lives, whether it's online or off, we share, trade, quite a lot of personal information, and users need a way to control that.

Certainly anonymity has its place. It's critical for protecting basic human rights and civil liberties. But in the world that the web is increasingly becoming part of, there is lots of personal information moving around and users need control of it.

MR. MAXWELL: Danny, we're going to move on to the next person because autocracy is the rule here.

Marc Berejka is next from Microsoft, talking about this from the viewpoint of the browser manufacturer.

MR. BEREJKA: Thanks, and I will try to keep this on schedule --

VOICE: Microphone.

MR. BEREJKA: Can you hear me now?

If we get network connectivity, we'll have live connections to show the tools that I'll show you graphically here.

MR. MAXWELL: Can we get that mike, please, Marc Berejka's mike, please.

(Screen.)

MR. BEREJKA: So as Lorrie and Danny have said, there's a basic chicken and egg issue here in delivering P3P. Microsoft looks forward to helping to deliver in the near term both a chicken and an egg. We've been committed to P3P for some time. Our first manifestation of that commitment or tangible manifestation was in the development of a privacy statement generator. Again, we have that out in a mockup in the lobby, but if we have network connectivity it'll be live.

(Screen.)
If we could go to the next slide, you'll see that what's been sort of the longstanding beta of this privacy statement generator, a beta that's been running for 18 months now, has gotten about 20,000 companies to use it and to walk through, to walk through a basic questionnaire as to what the web site's basic information practices are.

What we do with the web site generator is try to guide users to follow the fair information practices. This slide indicates that we're actually asking web site operators to consider how they provide access. At the end of the process, you press the "Done" button and it generates a sample privacy policy with some indicators as to where the web site operator might want to seek some further guidance or where we believe information might be lacking.

Again, this longstanding beta, if you will, has gotten 20,000 companies plus to use it. The game plan is to update this privacy statement generator so that it's compatible with the current version of P3P and our privacy statement generator that is compatible with the current version of P3P would be released in the December to January time frame.

This version that's up now is compatible with an April or earlier, April '99 or earlier version of P3P, so it's not quite up to snuff, but is nonetheless useful for basic purposes.

In terms of the client experience, if we could go to the next slide --

(Screen.)

-- we also want to make that as simple as possible. Right now we have just, as Lorrie showed, developed a basic tool, and you can see this better out on the screens in the lobby, but what we're struggling with is how to simplify the P3P experience for the end user.
In this mockup we ask the individual whether they only want to go to a site that collects data necessary for the processing of a specific request, whether they only want to go to a site that does not reveal your identity, and whether they only want to go to a site that does not identify you for profiling.

So we're trying to make these choices simple for the consumer so that the process of enabling the browser to read XML statements is not difficult.

If we could go to the next slide --

(Screen.)

The next process, as Danny and Lorrie pointed out, is for the P3P-enabled browser to talk to the XML-enabled privacy statement. If we could go to the next slide --

(Screen.)

-- this is a sample -- it's similar to what Lorrie showed -- of what gets spit back. We ran this test live against Microsoft.com and what came back was that Microsoft.com, the fact that Microsoft.com is a bearer of the TrustE seal, that there's one-click access to the Microsoft.com privacy policy. But you know what? Microsoft.com does collect, does use cookies. It's disclosed in their privacy policy that they do use persistent cookies to do some level of tracking.

What we're really looking for over the course of the next nine months or so, because this process is complicated, is input from interested people who want to help us in this boiling-up process to make the consumer experience in implementing P3P easy. The game plan is to release the privacy statement manager -- excuse me, the privacy manager for the consumer, integrated into the next version of the operating system, which is codenamed Whistler and which is due out some time next year.

MR. MAXWELL: Thanks very much, Marc. This is a world record for 11 slides in under 4 minutes. So we appreciate it.
Next, Ron Perry from the standpoint of those people developing applications that try to serve individuals and increase their control over privacy.

(Screen.)

MR. PERRY: Thank you, Elliot. In compliance with the government regulations you set out here regarding timing, I'll rush through my three slides.

I wanted to give you our perspective on how we think P3P can help applications treat privacy better, give you a little overview of what we've done and what we think are the possibilities that would be opened up by P3P. So first of all, what we've done with P3P is to utilize it in order to simplify decisionmaking by the user. Instead of having the user read through a complex privacy policy and then decide whether cookies should be enabled for this site or not, understanding how the site uses information collected, we are trying to automate this decision. So the Privacy Companion with P3P reads the privacy policy for a site, analyzes it, tries to find out whether it matches the user's preferences or not, and decides whether to allow the cookie from the site or not.

We also show the user, as Lorrie showed in her slides earlier, we give the user a visual indication of whether the policy is acceptable or not according to that user's preferences.

(Screen.)

We see the major advantage of P3P in its opening up of a wide range of possibilities for application developers. The first type of applications that we can see using P3P are privacy-enhancing technologies, such as ours. But we also see many possibilities for other tools like search engines that can take the privacy policy of a site into consideration.
Various privacy policies -- the fact that a computer application can do something with a privacy policy really opens up the issue of privacy into a competitive advantage, so that the major challenge we see in the development of P3P is being able to actually enhance its vocabulary to emphasize the good practices used by various companies and really give them a competitive advantage, turning privacy into a competitive advantage, something that is not possible today without such technologies.

Thank you.

MR. MAXWELL: Thank you, Ron.

Next will be Mel Peterson. Procter and Gamble is sort of the mother church of brand management and so someone who takes the job of worldwide privacy policies for a firm like that has a big challenge. Mel.

MR. PETERSON: We were sort of a guinea pig for P3P a few months ago. We participated in the June interop demos, created a P3P policy statement based on our privacy policy that we have displayed on the pg.com web site. Neither I nor the developer that worked on this had even read the P3P spec ahead of time, so we were a pretty good test of what does it take for a company to actually do this. And we didn't cheat and use one of the nice generators that are out there, either. We wrote the code by hand.

The net was it was very easy to do and very inexpensive. Over the course of a couple of weeks, we spent maybe three elapsed or three effort days to create the P3P statement, learn what it took to do that, debug it, put it up on the site. So it's a very straightforward thing for content providers and web sites to do.

(Screen.)

I was asked to speak to, so what do you think other content providers and web sites are going to react to P3P? I would make four points.
The first is simply that my suspicion is most web sites and content providers haven't spent a lot of time learning about P3P yet and we need to get the word out that this is not an expensive, time-consuming thing to do, particularly if you create a single policy statement in P3P.

Secondly, while it was easy to create and write the code, companies do need better guidance for how to implement P3P. For example, we heard earlier that it does make sense in some cases to have multiple P3P statements for your web site. That's counterintuitive to most companies. You think you want to have one statement, keep it simple. And by the way, that's more supportable as well. Companies need guidance on how to implement this in a supportable way and also in a way, though, that's most helpful for consumers. And I think we're still learning that.

As far as what else will spur companies to move forward, certainly seeing a critical mass of consumers out there with the capability to use P3P and evidence that they're using it will spur. What gets measured gets done. Similar to the kinds of measures that were publicized about privacy statements in the past, we need to do the same thing with P3P.

Secondly, organizations that are interested in moving this forward need to create sort of their own project management around this. How many of the Fortune 500 companies, how many of the top 100 web sites have done this? If they haven't, call them up and find out why not.

Thank you.

MR. MAXWELL: Great.

Ed, from a consumer standpoint do you want to comment about what you've heard?

MR. MIERZWINSKI: Thank you, Elliot. The Public Interest Research Group has views that represent those of consumers, but more and more consumer protection has come to take into account issues such as privacy and the development of fair information practices.
Quite simply, from our perspective we don't feel that the notice and choice provisions enacted by the code of the machine are a substitute for the full panoply of fair information practices that includes so much more than notice and choice that were originally embodied in the early 1970's by the HEW task force that led to the inclusion in most of the U.S. laws governing U.S. government uses of information a set of practices that says, collect the least information possible, collect it suitable for a specific purpose, give consumers control over their information, not choice but consent-type control over their information, ensure that the information is protected by security standards, give the consumer the right to correct the information and to know all about the information in the database about him or her.

I quite frankly don't see how P3P meets the fair information practices test. The notion that notice is a privacy policy is patently absurd, and the notion that notice and choice, what I call FIPS Lite, which is all most industry groups want to give us, are adequate for what the American public are clamoring for -- and this is the American public that doesn't only include the members of the so-called liberal groups such as the ACLU or the Nader groups -- we're not really a Nader group, but everybody thinks we are -- such as my group, but also includes organizations such as Phyllis Schlafly's organization, the Eagle Forum, very conservative organizations. Senator Shelby is aligned with Congressman Markey supporting bills that represent really strong fair information practices. So it's a broad section of the public wants privacy protection.

Ultimately, I think P3P will fail for a number of reasons. First of all, it's not really a negotiation. It's not a privacy-enhancing technology. It's at best, it's a -- I'm sorry.
At best it's a tool that allows the companies, as Marc Rotenberg has pointed out, it allows the web site to instantly know your privacy price.

What do you learn about them? Virtually nothing. Any consumer who wants to take advantage of very high P3P protocols is going to end up, is going to end up, I think, subject to all the nuisance screens that we get when we look at cookies.

How many of you have set your cookie preference to "Notify Me" or "Reject All Cookies" and then had difficulty trying to surf? You can't surf when you've got those cookie pop-up windows coming up all the time, and so people are going to give up on high privacy protection under P3P and they're going to end up with low privacy protection, and that's what the industry wants and that's disappointing.

I think its supporters are going to say P3P INP, P3P is no panacea, but it's something we can do now. It's not good enough and it's going to prevent the development of better privacy protection policies that enhance anonymity, and that's why we don't like it.

Thanks.

MR. MAXWELL: Karen.

MS. COYLE: Now we need this one on.

Notice is an important feature of any privacy program and it is notice that is addressed by P3P. However, as you just heard, notice does not by itself provide any amount of privacy. With P3P it's like we now have the axle, but we are still lacking the wheels, the cart, and the horse. We do not have a privacy solution.

Proponents of P3P claim that the notice provided by web site privacy policies gives imminent users a choice. This presumes that there will be comparable services that differ significantly only in their privacy statements, and I see no indication that this will be the case.

The invasion of privacy is deeply entwined with the reliance on advertising for revenue.
In a highly competitive environment like the Internet today, the winners are all under the same pressure to play the customer profiling game. In a world of information, what is, after all, a comparable product? If I want to read the New York Times on line, but I do not want to give out information about myself to do so, reading another newspaper that doesn't require me to sign up, say the San Francisco Chronicle, definitely does not give me the same content.

Unlike other products, information resources tend to be unique. As a matter of fact, that uniqueness is encouraged by our copyright laws. Where will the reader turn for a choice?

But even worse in this approach is that the approach places the burden on the Internet users to essentially shop for their own privacy. I believe that privacy should be a right, not a bargain hunt. I'm dismayed when P3P is touted as a solution. It's only when we create the rest of the vehicle that we will actually enhance privacy on the Internet. There are a number of commercial products that now address this issue.

But my hope is that we'll turn our attention to the root of the problem and implement a baseline of privacy that is the default for all users and in all situations. It's only then that privacy will be a right and not a privilege enjoyed by the technologically elite few.

Thank you.

MR. MAXWELL: Deirdre.

MS. MULLIGAN: I hope you all aren't getting the double echo that we are up here, because I've heard Karen and Marc's presentation in like stereo from three different directions.

I am in a position which is not as unusual as it may seem from the panelists. I'm a privacy advocate and I fully support P3P. I completely agree with people on both sides of this issue if you could identify two of them, but there actually aren't.
P3P is clearly not the silver bullet, but I don't think you've heard anybody up here suggest that it is.

P3P is a very positive step in the direction of what Karen has called notice, Danny has called machine-readable access to information, and what I call transparency. I can tell you, if I'm expected to shop with my feet and identify good privacy choices for myself and be an engaged consumer, certainly the ability to access information in an easy fashion that doesn't burden me with having to read the fine print -- I'm sure you've all tried to look at the back of your Fair Credit Reporting Act notice on your credit card and that's really easy to do -- steps that promote transparency and that enable consumers to diminish some of the costs of protecting their privacy I think is a very positive step.

We've seen numerous surveys that say consumers care, not a tiny little bit, but feverishly about their privacy. But it's very, very difficult for them to gain access to the information needed to take steps to protect it. One of my favorite stories is Eliot Spitzer, who is the attorney general in New York State, talked about three of his senior staff attorneys, one of whom is a good friend of mine, spending an awful lot of time trying to decipher what a privacy statement meant at a major portal site.

I think if three very smart attorneys with a background in privacy can't understand a privacy policy, which is supposed to be at least the initial step in figuring out whether or not they want to exchange information with a business, that we have a real problem.

Does P3P undermine privacy? I personally don't think so. I think we've seen more privacy activity at the state and federal level in the past two years than we have in a very long time. Most of our privacy laws are dated from the 1970's. We've seen increased pressure on the private sector to develop standards.
There is certainly an awful lot of effort needed to ensure those standards are actually a race to the top, not a race to the bottom.

But I think that when we think about a little sunlight as both disinfectant and also as motivation, that transparency that P3P can bring is part of that sunlight. So I think that we have to continue to say that this is a step forward. It's clearly not the horse and the cart. But to suggest that it's a rock in the road and not an axle I think really undermines all of our efforts to move forward.

MR. MAXWELL: Dan.

MR. JAYE: As I'm here to speak somewhat from an industry perspective, first of all I totally concur with Deirdre that we have to look at progress towards a solution as not being inherently evil because it undermines the cause that we need to make bigger efforts to get to a final solution. You never get to the final destination if you don't start making steps forward, and I think that, once again, everyone is in agreement that P3P is a mechanism for making it easier to understand and process notice and to enable tools that actually will make it easier to support the other fair information practices.

So it's a step forward, it's not a complete solution. But I think one of the most important aspects of P3P is just the discipline it imposes upon the industry and policymakers to codify privacy practices. The P3P vocabulary is enormously important because the process of going through, creating a P3P policy statement, refines a company's understanding of exactly what it is committing to.

It's also turning out to be enablers of many other things. So for example there's another standards effort going on called CP Exchange. Actually, I have high hopes that CP Exchange will be a mechanism for addressing another major concern in privacy, which is onward transfer.
A site may make many representations to a consumer, but once that site transfers data to a third party, even with the best intentions and contracts, the horse is out of the barn.

I think the ability of having additional standards that leverage the initial work of P3P to, for example, bind consumer data, encrypt it, and tie it with strong semantic information about what can and cannot be used with that information, such as you can use this information to ship a product, but you can't use it for anything else, will be very useful, but once again not complete solutions.

Once again, the final area that makes P3P very important is that as a company that has tried to find the balance between consumer privacy and the marketer's need to be effective, to have an advertising-supported Internet economy, is that we've tried very hard to follow solutions that basically don't require us to need to know what an individual is.

You can market effectively without knowing who an individual is, but just understanding certain preferences. You have to minimize data, you have to follow specific practices. Without a solution like P3P, there's no ability for a company like ours to distinguish ourselves from other companies who have very intrusive data collection approaches.

MR. PRESLER-MARSHALL: Thank you. Is this one on?

I'd like to point out that the World Wide Web is part of the real world and users have an expectation when they are dealing with an organization that they want to have trust in that organization. That organization may be a corporation, that organization may be a government, that organization may be a nonprofit organization. But in either case, individuals want to have trust in an organization that they're working with.

As part of that process, they should expect to know what an organization is going to do with their information.
So if I come to a web site I want to know, okay, what is this organization going to do with my information. For a web site, you've got to be part of establishing that trust regime.

In any case, whatever kind of site it is that you're running, you do need to be able to establish that trust relationship so that you can see that, so that you can see that person come back to you again and again.

P3P comes into this picture because P3P gives users useful, actionable, understandable privacy statements. It lets people actually quickly and easily understand what a site is going to do, what information the site is going to make use of, and what choices the user has in interacting with that site.

P3P is also very useful for the web site as well. It is useful in that, as Stan pointed out, by codifying your site's privacy statements you understand what it is that you're living up to. In many organizations that can be complicated. A large company has very many different branches or arms or portions of the company that may be interacting with users in different ways. If a company is going to make a unified statement, P3P can help them understand, this is our statement, and then the applications that are making use of information can be written to back up that statement.

When you put statements in machine-readable format, you can process them automatically at a web site as well or at a corporation as well, so that corporations can really enact what they say they're interacting -- they're enacting, excuse me.

P3P is also useful in that it is implementable and deployable at web sites at a reasonable cost. As Mel pointed out, it doesn't require that you reprogram your web site, it doesn't require that you replace large amounts of infrastructure at your web site. P3P is realizable and that's very important for a lot of web sites.
I've heard tell that one web site managed to deploy P3P in ten minutes based on an existing privacy policy. I was very impressed by that number.

Last of all, I want to point out that this is P3P Version 1 and web protocols, networking protocols and software all will evolve based on the needs of their users. In this case, those users are end users, those users are web sites and corporations. This will move forward as it is needed, and I look forward to seeing what's going to happen with it in the future.

MR. MAXWELL: Thanks very much to all of you. It's really heroic to try in this period of time just to try and sort through some of the basic issues. I'd like to open it up to members of the panel if they have comments that they would like to make.

I have one question. If we sort of stipulate for the moment that it's not a solution and if I stipulate for the moment that it's a tool and if we stipulate for the moment -- and we don't have to believe this, but -- that everybody here is interested in increasing individuals' control over their own information, one of the issues -- I look at this audience and say, how many of you have made adjustments to the settings of your browser? How many?

(A show of hands.)

So call it in this case about two-thirds of an audience which is interested enough to come to the Department of Commerce for a session on privacy technology. Now let's assume for the moment that we have a much broader audience, 100 million people in the United States, 300 million people around the world. What can we do to give people sufficient encouragement, tools, simplicity, ease of whatever, to make this tool useful, to make sure that people feel comfortable with it, that if they choose to approach it this way that they will say, I can do it and I can do it in a nanosecond and it's easy and it's just like buttering the toast in the morning?
How are we going to make it possible for people to really make use of this tool if it does give people a greater sense of empowerment?

MS. MULLIGAN: I direct people to something that's called the P3P Guiding Principles. I think Elliot is highlighting the importance, A, of educating consumers about the existence of tools and the fact that they can use them. There are some efforts under way kind of in the broader technology community, but also efforts like this, to educate the public.

But it also really emphasizes the focus on how does the product come out of the box, what does it look like, what are the defaults, how configurable is it, how obvious is it to the consumer? And because this is what we'd like to call, I think, a social protocol, it's not just about technology, it's about a pressing social issue -- privacy.

There was a lot of thought within the P3P working groups about how to give guidance to web sites, to implementers, about when they were designing products how they should think about designing them, make sure data isn't transferred unless a consumer explicitly wants to. Now, P3P doesn't transfer data, but P3P might be built into a product that does. It could be in a product that provides for anonymization, a product that reads P3P statements, and a product that provides a wallet.

Well, the guidance there is make sure that, even though the P3P policy has been read, that the tool doesn't automatically blast consumers' data away from them without actually requiring some affirmative steps. It's not a one-click, it's a two-click. If you look at the guiding principles, there's a lot of direction. Some of it's should, some of it's must's, some of it's, we'd really like you to. But it's a lot of forward thinking about how should the product come out of the box.
I think that there's going to need to be a lot of vigilance from consumers and people who care about privacy in evaluating products and make sure that they actually meet the goals of advancing privacy. But I think it's a process and it's a very iterative one and we're just in the beginning of that.

MR. MAXWELL: Marc, then Danny, then Karen.

MR. BEREJKA: I would just like to second Deirdre's point about the importance of defaults and also reiterate my invitation to interested parties to work with Microsoft on our P3P implementation for the operating system. We know that there are a lot of conflicting tensions, but one of the things that Microsoft does care about enormously is the user experience. We bring people in off the street and we have them sit down and we have them hack around and we have them -- we get real consumer feedback.

We also run public betas and try to get a lot of feedback that way. My ultimate point is that this is not going to be an easy balancing act, but at least from our perspective it's a balancing act that we look to accomplish within the very real near-term.

MR. WEITZNER: So you didn't ask people how many buttered their toast in the morning. That should have been the question.

But I think that the real question should have asked, or rather the question that you should ask to the audience of web users out there, is how many of you set a preference in AOL or whatever Internet service provider that you use? Granted, most people don't go and set their browser preferences. However, people develop expectations about their browsers.

People, I think through a whole lot of public information effort and just common sense, are reluctant to enter credit card numbers when they don't see that little locker key icon closed.
That's not because they know what SSL is or because they went and changed some settings or because they downloaded more security. It's because, through a pretty complex process, which we obviously all have to come to understand better, their expectations changed as a result of technology tools that were available to protect them.

That's the kind of dynamic I think we're looking for, and I think based on the experience with tools like SSL we can expect to be successful. I think it takes a lot of effort, no question, and I don't think we should just assume that people are going to become technological geniuses. But I think there is evidence that people gradually do use new technology when it actually offers them something.

MR. MAXWELL: Karen.

MS. COYLE: Well, I think there's even a prior question that we need to ask here. The Pew study which Secretary Mineta alluded to basically says that a large number of people are concerned about their privacy, but a huge number of people, although a majority have heard about cookies, they have no idea what it is.

I think the first question is who is going to educate the Internet users as to how it actually is that their privacy is being invaded, because it's only with that information that they will have the knowledge to turn to something like P3P.

MR. MAXWELL: Martin.

MR. PRESLER-MARSHALL: Elliot, I'll give you a direct answer to one of the questions you asked, which is how can we help see this get rolled out and then be usable to individuals. There are a wide variety of opinions among the people in the world as a whole about what constitutes an acceptable level of privacy. There are a large variety of opinions within my own household as to what constitutes an acceptable level of privacy.

Part of this discussion is to give individuals that flexibility.
There's a need for organizations to be able to, for public interest organizations to be able to express not necessarily defaults, but settings: This is what we believe is an acceptable level of privacy. So if you happen to be in the Ralph Nader camp, you may go to an organization, a similar organization, and see, these are a reasonable set of settings. Or if you happen to be more interested in getting highly personalized content on the Internet, then maybe you can find different settings.

So this really needs to be a broad reach, with many people offering opinions, because there are a wide variety of opinions within the United States and around the world. Tim Berners-Lee, inventor of the World Wide Web, is fond of reminding people that the first "W" in "WWW" stands for "World," and there's a lot of opinions out there and we need to make sure that those are all supported.

MR. MAXWELL: Thank you all very much. I'd like to be able to take questions from the audience if you have them. The only thing that you have to do is to respond to the question about buttering.

If you'd identify yourself, please.

MS. WOODARD: Yes, my name is Gwendolyn Woodard and I would like to thank each of you for the information on the tools that the consumer has to work with. However, I would like for you to talk about how these tools will work on a voicing browser for individuals who have physical challenges, and just could you talk about that issue.

MR. WEITZNER: Let's see. It's an excellent question and I'm not going to be able to give you a complete answer. You're probably familiar with the World Wide Web Consortium's web accessibility initiative.
One of the benefits of having machine-readable privacy policies that I didn't mention is of course that once a browser or a user agent has overall abilities to accommodate people's different disabilities, that browser can then present the information in the way that the user is comfortable with once it's encoded in machine-readable format.

So the fact that, as Dan said, this is semantically structured information, the browser that knows to send that information through a braille reader or not to present it in image format but to do it in some other format will be able to make those accommodations much more effectively than a policy that's just written out in English.

I'd also point out that the fact that these are machine-readable policies means that they can be presented in any number of natural languages that the user happens to be comfortable with.

MR. WEITZEL: David Weitzel from Mitretek. We're a systems engineering nonprofit here in the suburbs. My question relates to a report or reports that came out of GAO last week about the United States Government and its interaction with the citizens. Is there a role here for the government to step up quickly to be an early adopter and to lead the way as a good Internet citizen in its interaction with the American populace?

MR. MAXWELL: Rather than shunting that question to any of the other people who might be willing on the panel to answer it: Yes. The Commerce Department is committed to having its pages P3P-compliant. It's already well on its way to do that.

That report from the GAO I think was very troublesome, not because of what it concluded, but because of sort of what it asked and what it ignored. What it ignored was something that Ed mentioned, which essentially is since the early seventies the government has been under the restraints of the Privacy Act and we're all very pleased that it does.
So the web sites that were queried, were queried on the basis of a set of principles that were not appropriate for the question.

So we feel, I think, in the administration quite proud of the steps that have been taken to increase the privacy protections of the citizen and to be able to work with consumer groups, with the industry, to think about how to increase individual control over information. That was I think a sort of fairly bum rap. But sort of the easy answer to the question is we are committed to P3P implementation here and we're on our way.

Over here.

MR. CLARK: Drew Clark with National Journal's Technology Daily.

Mr. Jaye mentioned that P3P can help you compete on privacy, on strong privacy protections. But Mr. Mierzwinski and Ms. Coyle seem to say that there really won't be competition on privacy within certain industry spheres. I'd like to understand exactly how privacy -- how P3P will help you compete on privacy and to get the viewpoints of some of the other panelists on whether P3P will facilitate market competition on better privacy policies.

MR. JAYE: Thank you. First of all, the ability to conduct advertising on the Internet requires certain mechanisms like cookies to be able to, for example, when somebody clicks on an ad send them to the appropriate web site, so we can basically staple together the resulting page and the ad together, in Lorrie's analogy. In addition, advertisers want to know how many visitors saw an ad. So there are statistical purposes that are not privacy invasive, that are not used to make decisions about individuals, for which this information is used.

To be able to express that that's what we're doing in certain cases and to be able to do that, because we've been able to express it and distinguish ourselves from unknown policies, is an enabling capability for an advertising-supported model.
But specifically with regard to privacy and competitive advantage, major brands respond to consumers. Consumers care about privacy. Major brands and advertisers don't want to be associated with bad actors. Being able to maintain a position that is strong with regard to privacy has been a competitive advantage. It's a position we've taken for five years, and it's our story and we're going to stick to it because it's working very well for us.

MR. MAXWELL: Because of time, let's just turn to the last question.

MR. STAMPLEY: Dave Stampley from the New York AG's Office.

For anybody who is of the mind that there should be certain defaults and that the best thing to do for consumers would be to recognize those defaults and hand them to consumers, I guess my question is is there such a thing as an identifiable default privacy value that in fact is not a choice or value judgment itself that might usurp some other consumer's power? And might it be more important instead to focus on where is a good baseline and should all persons collecting information be obligated to provide abilities to then vary from that baseline or let consumers set their own preferences?

I'm just curious if there is a sense that there is a way we could say, this is privacy and we know what it looks like and we'll set it here at this point in time.

MS. MULLIGAN: I think it's a great question and I think it's a place to distinguish between substantive defaults and process defaults. What I mean is, my decisions about privacy and what would be an appropriate disclosure of information are going to vary depending upon the situation.

For example, if I'm trying to get a driver's license on line, yes, they're covered by the Privacy Act. B, I have no choice. They're not going to give me the driver's license unless I give them two forms of ID. For me in that situation, that's going to be acceptable privacy.
Now, if CVS said that they're not going to let me buy Rolos without two forms of ID, that's not going to be acceptable. That's a substantive privacy decision.

I think some of the process privacy decisions, for example we were talking about does the information get transferred without the consumer's affirmative action, that same process I think you could apply in both situations. So even if I'm applying for a license, I should have to actively hand over my two forms of ID. They shouldn't automatically be sucked out of my computer.

So I think there may be some areas, we may have substantive defaults that we think apply in commercial transactions, we may have substantive defaults that we think apply in government transactions. I think it would be very, very difficult and it's a whole other process to create those.

I think Martin made an excellent point: Consumers are going to feel differently because they have different concerns and they have had different experiences, and it's not going to be big broad cuts, you know, commerce, government. It's going to be certain companies that I already do business with, or you're going to have lots of variety.

But I do think on the process defaults that I think that there is some progress to be made in thinking about how to implement some of those in a broad way across different kinds of implementations.

MR. PETERSON: P3P is available, the client tools at least in beta are available, to make consumer research very possible. So starting with what we know or what we think we know and then putting it in the hands of consumers worldwide, not just in the U.S., and seeing how they react and whether it's useful or not is something we ought to definitely be doing to really decide where these things ought to net out.

MR. MAXWELL: I'd like to thank the audience for their questions. I'd like to thank the panel.
It's really a quite extraordinary group of people who I think have worked very hard on this issue.

This privacy technology is only one piece of the puzzle. It's clearly only one part, and when people sort of, I think, look at this and see it's sort of this or that, it's really not the kind of sophisticated analysis that you'd expect. It's about law, it's about self-regulation, because self-regulation is just another word for what the companies will be doing for themselves and how they will think about it. It's about consumer awareness and education. It's about how the technology provides tools.

I think when we put all of these together, while there will be differences, I think we all are committed to exploring the issue of how can we give people more control over information about themselves so that we can in fact harvest the incredible technology that is available to us now. I think everybody working here makes a huge contribution to that effort.

So thanks again for your time and effort and for your attention.

(Applause.)

MS. LEVY: Thank you for your insights on P3P. Thanks for the panel.

I'd like to now invite everyone to go to a 15-minute break. I invite you out to the lobby to see the exhibits and to enjoy some refreshments being hosted by the Internet Education Foundation. Our next panel will begin at 11:15.

(Recess from 11:01 a.m. to 11:28 a.m.)

MS. LEVY: Good morning. We're going to get started with our second panel this morning. This panel is on the role of privacy --

VOICES: Your mike's not on.

MS. LEVY: It's not on? Can I try to get a mike here?

(Pause.)

PANEL DISCUSSION: IMPLICATIONS FOR FAIR INFORMATION PRACTICE PRINCIPLES

Hello, can you hear me now? Is that working?

We just want to start the second panel this morning. It's going to be on the role of privacy-enhancing technologies and the fair information practice principles.
We're pleased to have as our moderator for this panel Dr. Lorrie Faith Cranor, who spoke this morning and was introduced by Assistant Secretary Rohde. So I'm going to let Dr. Cranor go forward. Thank you.

DR. CRANOR: Thanks. Let me start by introducing the panelists and then we are going to -- I think it's on. We are going to go through a series of questions and answers, rather than having the panelists each give a presentation. So let me go through the panelists. They're all here now.

First, we have Brian Adkins, who is Director of Government Relations for the Information Technology Industry Council, where he handles privacy, intellectual property, and other e-commerce issues. He is also Co-Chairman of the Privacy Leadership Initiatives Technology Working Group.

Next we have Scott Beechuk. He is Co-Founder and CEO of Privacy Right, Inc. His previous technical career in embedded systems design, object-oriented programming, and engineering management served as the basis for his deep interest in and understanding of Internet privacy and security technology.

Next we have Glee Cady, who is Vice President of Global Public Policy for Privada, Inc. She brings over 20 years of technology and Internet experience as a respected author, educator, technology executive, and policy adviser.

To my left is Caitlin Halligan, who is Chief of the New York Attorney General Eliot Spitzer's Internet Bureau. The Bureau coordinates statewide law enforcement -- ooh, now I can really be heard -- statewide law enforcement efforts regarding online consumer fraud, privacy, securities trading, and other Internet-related issues.

Now I have an echo of myself in both ears.

To my left we have Lance Hoffman, who is filling in for Joel Reidenberg, who had a family emergency. Lance is Professor of Computer Science at the George Washington University.
He is in charge of the computer security graduate program in computer science. He is the author or editor of five books and numerous articles on computer security and privacy, and he founded the School of Engineering Cyberspace Policy Institute. Lance and I both served on the Advisory Committee on Online Access and Security at the FTC.

Next we have Gary Laden. Gary joined BBBOnline on October 1st, 1998, as Director of the BBBOnline Privacy Program. From 1994 to September 1998 Gary served in the Federal Communications Commission's Cable Services Bureau, first as Chief of its Policy and Rules Division and most recently as Chief of the Consumer Protection and Competition Division.

Prior to his service at the FCC, Gary was at the FTC for 21 years as an attorney and Assistant Director of the Marketing Practices Division.

Next we have Stephanie Perrin, who is the Chief Privacy Officer of ZeroKnowledge, formerly the Director of Privacy Policy for Industry Canada's Electronic Commerce Task Force. Stephanie Perrin manages ZeroKnowledge's public affairs activities and acts as the company's primary liaison to government and nongovernmental organizations. An internationally recognized expert in freedom of information and privacy issues, Stephanie was instrumental in developing Canada's privacy and cryptography policies over the past 15 years.

Finally, we have Ari Schwartz, who is a policy analyst at the Center for Democracy and Technology. Ari's work focuses on protecting and building privacy protections in the digital age by advocating for increased individual control over personal information. He also works on expanding access to government information via the Internet and online advocacy in civil society.

Ari is a leading expert on the issue of privacy on government web sites and has testified before Congress and Executive Branch agencies on the issue.
We're going to start today with Ari, who is going to give us an overview of the fair information practice principles so we're all on the same page and know what we're talking about.

MR. SCHWARTZ: I'm going to stand mostly because I feel as though I'm facing that way and I'm speaking to you. Although I only have one slide, I could have 70, but after Lorrie's experience I think I'm better off narrowing it down to one.

(Screen.)

The Fair Information Practice standards are the basic standards by which we measure data privacy. Many companies come to us and ask, what are the basic standards that we should address. We hand them a list of Fair Information Practices. The discussion doesn't end there, mostly because the standards -- the list of different kinds of standards cover different issues. There are many different areas, many different kinds of these standards, and they're often portrayed in different lights.

Sometimes we've heard recently that a lot of these Fair Information Practice standards, the sets that we've been seeing, have been portrayed as international, not American focused. But in reality, the Fair Information Practices are an American idea. As was mentioned on the last panel, in 1973 Health, Education and Welfare Departments put together the first set of Fair Information Practices. Those were a set of four practices, more like statements than actual bulleted ideas as we see before us today.

Since that time we have seen these practices grow and shrink in different formulations, usually ranging between 4 and 12 different practices. The most popular that any self-respecting CPO, chief privacy officer, or privacy analyst or policy analyst working on privacy should know by heart are:

The Organization for Economic Cooperation and Development standards. They have eight standards. Those were made in 1980, agreed upon by all the OECD countries.
The FTC standards. That's the Federal Trade Commission standards, which have come out more recently. They have a set of five standards, and sometimes these standards overlap, sometimes they don't.

These, the ones you see here, these are the Department of Commerce's standards that they put forward. We see that they have chosen six. The list that the Center for Democracy and Technology covers chooses seven. If you want to see those, go to cdt.org. That's my commercial for the day.

But I've been asked to show the Department of Commerce standards. They're somewhat similar to the CDT standards, and we will also hear from other people where these are lacking, I'm sure, later in the panel. But I will try and do as good a job of covering them as I can.

Can people in the back read the full slide?

VOICES: No.

MR. SCHWARTZ: Then I will reread what it says on the slide. I'm sure that you can read some of the bold. The first practice listed is: "Awareness. Companies should raise consumer awareness and should post privacy policies that articulate the manner in which it complies with other fair information practices."

I've also noted here that this term is also called "notice" and many people on the panel will refer to it as notice, rather than awareness. That's the way it's listed in the FTC principles, for example.

That's the most basic of Fair Information Practices, just the idea that individuals should know what's going on with personal information.

Second is what's called choice here: "Companies must give the opportunity to exercise choice with respect to whether and how their personal information is used." In other words, that individuals just are given some kind of choices. Consent, opt-in, opt-out, are often terms used when referring to this practice.

Consent and opt-in are often used synonymously.
Opt-in is the idea that individuals should be given the ability to affirmatively consent to uses beyond the transaction at hand. So if the information is being used for another purpose, the individual should be able to consent for those uses.

Opt-out is when individuals -- when the information is by default used for other purposes and the individual is given the opportunity to get off of the list. There are many ways to frame opt-in, opt-in and opt-outs.

Most of the debate that goes on today about choice are about whether it should be opt-in or opt-out. I'd like to also put out the idea that there's a third way here, which is not just opt-in or opt-out, but give the individual two choices -- I want my information shared, I don't want my information shared -- right up front, getting beyond this kind of idea that there is some kind of default that needs to be set.

Third on this list is security: "Companies must take reasonable precautions to protect data from loss, misuse, alteration, or destruction." This is a pretty straightforward principle that's in almost every set of fair information practices.

Data integrity: "Companies should only collect and keep personal data relevant for the purposes for which it has been gathered. The data should be accurate, complete, and current." This is covering two or three different types of practices: one, the first set, which some consider to be collection limitation, and there are different ways that that can be framed, the basic idea that you should only be collecting information relevant for the purpose; and that the data should be accurate and complete, is also in most fair information practices and often called data integrity.

Access: "Companies should offer consumers reasonable access to information about them and a means to correct or amend inaccurate information." This is an oft hotly debated subject.
This was, as Lorrie mentioned, this was covered recently in an Access and Security Working Group that the Federal Trade Commission held. They put out a very good report on this subject and on security, which both Lorrie and Lance were on, I think. I don't know if anyone else on this panel was, but some of the other panelists have been as well.

That really goes through each of those issues about where people lie on this. It ranges from people should just know some basic information held about them, what has been collected in the past, to that individuals should have access and be able to correct anything that is held about them, and there's different places in between there, which I'm sure will be addressed.

Accountability: "Companies must be accountable for complying with their privacy policies." This one is also known as enforcement and it is also somewhat basic and straightforward.

DR. CRANOR: Thank you.

Stephanie, I was wondering if you would care to comment on some of the other principles that are not part of this set that you think we should be thinking of as well.

MS. PERRIN: Thanks, Lorrie. I guess, should I speak here or go up to the podium?

DR. CRANOR: From the seat.

MS. PERRIN: From the seat, okay. I think Lorrie's afraid I'll get up there and talk for half an hour.

In Canada, about ten years ago, recognizing the difficulties that we were facing in this area and frankly the lack of compliance to the OECD guidelines, we formed a committee under the Canadian Standards Association, which is a recognized standards development body, and created basically a management standard for privacy based on the OECD guidelines with a view to making what are good statements of principle auditable.

We came up with a list of ten.
Just briefly, we pulled some of them forward and gave them the kind of depth that is impossible to get in an international body such as the OECD when you're working on these things, and we put what we thought was the first one forward, and that is accountability: Every organization shall be accountable for the information under its care and shall put in place procedures and practices to give effect to that accountability, shall educate, shall make people aware, shall name someone within the organization accountable. It's a pretty full principle.

I should just add that Canada went ahead once we had agreed on this voluntary standard, which took basically about four years -- we had an industry, a consumer rep, and government committee, 47 members. Some of you have some idea what that would be like. And we pounded this out. Once it became a standard, we moved ahead and legislated.

So if you're interested in looking at it, it is the Schedule 1 of the recently passed Personal Information Protection and Electronic Documents Act, which cleared Parliament in April and will come into force in Canada for all organizations engaged in commercial activity on January 1.

So we pulled the accountability up forward. We gave a lot more emphasis to the pieces that are necessary in management systems to make it auditable and make people accountable.

The next one was purpose specification. You had to state your purpose. There were huge fights over whether you could -- whether we would get into this standard the concept of whether a purpose was legitimate. Obviously, businesses weren't keen on that, consumers were. So we at least said that you had to state it. I think that complies partly with your awareness, only it is more fuller in this standard.

Consent. One of my problems with the opt-in, opt-out is it's a totally opt-in, opt-out.
You opt in for something, you're there for the ride. Really, with the complexity of the personal information flows in the data age, we've got to be able to articulate that consent on a data element basis.

There are certain provisions under this consent clause. One that I would pull to your attention is you are not required -- and this is now law, of course -- to give more information than is required for the delivery of a particular product or service, and if the company denies you the product or service based on a failure to give information not necessary for it, you've got a justified complaint.

That kind of thing doesn't come across in a simple opt-in, opt-out. So a little more articulation on the consent.

There would be limits to collection. We see different thresholds here. Instead of putting collection, use, and disclosure all in one bailiwick, there's collection tied to purpose and then use and disclosure tied to purpose. So they're in two separate principles. You limit the collection first and then once you've got that data you limit the use, the disclosure, and the retention of that data, because as long as data's hanging around of course the temptation to use it for another purpose arises.

Accuracy, a little different. This insists on accuracy, this data integrity principle. In our debates we discovered that, frankly, it wasn't in a consumer's interest to insist on accurate information because it gave companies an excuse for a fishing trip to go back and get recent, more accurate data. If you don't need it, you don't need to make it more accurate. In other words, if you've got a loan ten years old, don't go back and look for my new income if I'm making my payments.

So that's a little different. We have a safeguards principle that I think is a little fuller, although that's a good security principle there.
Basically, industry standards is what we're looking for, and that's of course where our companies come in, is to make this real.

Openness, similar to your first principle, but basically a company has to make policies, procedures, down to the detailed collection instrument level available to people on request. That doesn't mean you have to have it all there in your office, but if an individual inquires that stuff has to be made available. That's a little fuller, I think, than just an education sort of imperative that you see in that first principle. Again, under the law, of course, people can complain on any of these things.

Individual access, hotly debated, of course, in Canada, as it is everywhere. But it's a fundamental right of privacy. If you don't have the right to get your records and to change them and to have whatever your view of the story is travel with the records wherever they go, then you don't really have a human rights-based approach to this in our view. So that's pretty strong under this bill.

Challenge. Many data protection statutes and indeed the OECD guidelines gave people a right to challenge the accuracy of their own information and some of them the use that's being put to it. We broadened that because we recognize that a lot of the problems in privacy arose over security issues, over the way the company handles the data.

So under this standard and now piece of legislation, you have the right to challenge any of the practices, and of course in the regime we have you can take that to a privacy commissioner and have it investigated.

Now, this standard has been put forward for several years to ISO as the basis for a management standard. It's had, I think, three or four unanimous resolutions of the COPOLCO committee -- that's the Consumer Policy Committee of ISO -- endorsing it, but it keeps getting blocked.
So the ad hoc advisory group that was looking at this for a potential for an international standard has now been disbanded. There's work going on in Europe looking at standards, but I think that's where it ends.

DR. CRANOR: Thanks.

Now that we have the overview of what the principles are, let's focus on technology, which is the focus of this panel. I'd like to turn to Glee and ask you to describe how the technology that your company offers can support some of these principles.

MS. CADY: Good morning. Is this on? Ah, good. I'm now getting the echo that Lorrie was talking about earlier.

I find it very difficult to answer this question because we don't see our technology as other than parallel to the Fair Information Practices. What we're trying to do is to build an infrastructure where you don't have to count on the other party being good. Do we support philosophically all of these things that Ms. Perrin so eloquently described? The answer to that is yes.

But we also support basically the idea that, because in an Internet environment what we have is a bottom-up structure of making it relatively easy for new companies to come online all the time and making it relatively difficult for us to get the word out, us collectively as those people being interested in the privacy community, about what is responsible behavior, what we're afraid of is that the trust that comes that enables good things to happen, whether you're sharing information or you're buying products, won't be based on the necessary experience that we find in the real world.

So what we're trying to do at Privada is to build privacy into the infrastructure. That's somewhat hubristic at this point, all right. The current product sets that we offer and are offered by other anonymizing and pseudonymizing companies don't provide a total package.
We're all working toward that, but again this is a bottom-up process where we're working in conjunction with top-down standards like P3P in order to provide the accurate notice, so that you could tell what someone's privacy policies are if you visit their site, but also that you don't have to count on it because you don't have to tell them who you are in order to achieve what you need from them.

So our motto is "Privacy Under Your Control." We encourage responsible behavior on the part of individuals certainly and on the part of other companies, but we're trying to make it so the consumer doesn't have to know the four principles of so on and the five principles of someone else or the six principles of the Department of Commerce in order to be both protected and effective.

DR. CRANOR: Thanks.

Caitlin, I'd like you to talk about what you see as the limitations of technology in addressing these principles.

MS. HALLIGAN: I think there are a couple of different ways -- the echo is disturbing, right. There are a couple of different ways of getting at -- no echo.

There are a couple of different ways of getting at that question. I think all of the technologies we've been looking at today only address discrete components of the Fair Information Practices, and I don't think any of them purport to address all of them. So if we take P3P, for example, it I think does take some important steps towards improving notice and improving consumer ability to understand the information practices that a site might have.

By doing that, it also facilitates choice. It doesn't, I think, do as much with respect to enhancing access and security. I think that's okay.
I think, secondly, if you look at how these technologies function to protect consumers with respect to particular aspects of Fair Information Practices that they try to get at, we could all identify limitations and I think some of those are a function of where the technology is today and where it might be tomorrow.

For example, again if you look at P3P, one of the pieces that doesn't seem to be on the table right now in this current iteration is the ability for consumers to negotiate on a real-time basis with a site with which they might want to interact. So if a site's privacy policies don't match their preferences, there's not an opportunity to offer to engage in some kind of trade. But again that's a function, one would hope, of where the technology is today.

I think the third way of looking at this question and maybe the most important is whether technology, whatever it's able to do for us, is sufficient to fulfil Fair Information Practices. I think the answer to that is probably not. I think that we do need some sort of statutory guideline that puts rules in place and creates incentives for the technologies to develop in a way that promotes those principles. I think that's true for a couple of reasons.

First of all, these technologies, as wonderful as they might be, are not self-adopting. They're not self-adopting for businesses and they're not self-adopting for consumers, either. For consumers to take advantage, for example, of Privada they have to understand that there are issues out there about information practices that might trouble them and that there is an option out there for them to protect their privacy.

Also, I think that these technologies don't address and don't again purport to address a second very important component here, which is Stephanie's first principle, and that's accountability.
There aren't a lot of ways in which the enforcement is really enhanced by these technologies. There aren't ways in which there are audits readily done by these technologies which allow for -- whether it's a regulatory entity or watchdog organization, to easily monitor whether in fact sites are in compliance with the practices that they set forth to the public.

So I think that there is a bigger picture question out there that's worth thinking about.

DR. CRANOR: Before we go on, does anyone want to disagree with any of those limitations or point out any technologies that we haven't maybe thought of?

(No response.)

DR. CRANOR: Okay. Then what I want to do now is -- oh, go ahead.

MS. PERRIN: I hate to grab the mike again, Lorrie, because I did have quite a bit of time there. But I think we have to be clear. I agree with our last speaker, a technology is not a replacement for a law. It is a heck of a good way to implement the requirements of a law and, frankly, that's why I came to ZeroKnowledge, because the next challenge is to build the principles of law, the principles of what we agree on here, into the infrastructure.

I think that many of these things become web enforceable w