Junkbusters Testimony Before Congress

  Written statement

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp., a for-profit company working with businesses, governments and legislators to promote privacy and reduce unwanted solicitations such as junk email. My Ph.D. was in Computer Science, and I have also held various academic positions, most recently as a fellow at the Kennedy School of Government, Harvard University (2001-2002 academic year). I'd like to thank the Committee for inviting me to appear again today, and for its past hearings on privacy.

Rather than repeating matter from my written statement of May 25 last year or from the testimony today of Professors Rotenberg and Schwartz (with which I concur), I would like to examine several events and trends over the past 13 months since I appeared before you all, and ask how they should inform your deliberations. My view is that recent experience reinforces the conclusion that strong comprehensive privacy law is urgently needed, with a private right of action and without the preemption of state law.

Over the past year businesses have admitted that privacy is a problem that is not going to go away without legislation. Executives at companies such as Hewlett-Packard, Dell, Intel, and the American Electronics Association (a large trade group) have called for federal privacy legislation. Many have advocated a weak "notice and opt out" bill, but several marketing leaders have come out in favor of an opt-in standard. Permission marketing, as they call opt-in, has matured from a radical idea to a mainstream doctrine. Online marketers know that spam (Unsolicited Commercial Email) has poisoned the good will of online consumers, and some trade associations have supported opt-in as the standard for email marketing. As I have testified before your Subcommittee, I believe this standard should be federally mandated.

The opt-out model has recently been put to a large-scale test, as the weak privacy requirements of the Gramm Leach Bliley Act (GLB) came into effect at the beginning of this month. According to a survey by the American Banking Association, 41% of people do not recall having received their notices; clearly they have not been served well by the opt out model. The 36% of people who read their notices may have gained too rosy a picture of the state of their privacy. For example, US Bancorp's Consumer Privacy Pledge opens with the assurance that "Protecting your privacy is important to the U.S. Bancorp family of financial service providers." Four hundred words later the bank says it allows itself to disclose all of the information it has "to other financial institutions with which we have joint marketing arrangements." Indeed, the bank has not been reluctant make such disclosures in the past. According to Minnesota Attorney General Mike Hatch, it sold to a telemarketing company following information about its customers: ``name, address, telephone numbers of the primary and secondary customer, gender, marital status, homeownership status, occupation, checking account number, credit card number, Social Security number, birth date, account open date, average account balance, account frequency information, credit limit, credit insurance status, year to date finance charges, automated transactions authorized, credit card type and brand, number of credit cards, cash advance amount, behavior score, bankruptcy score, date of last payment, amount of last payment, date of last statement, and statement balance.'' In a prepared statement the bank's CEO characterized this kind of transaction as an ``industry-wide practice.'' Now, I think it is reasonable to presume that if the average American were asked in a plain and direct manner whether she wanted the bank to sell all this information about her to telemarketers, she would say no. But by failing to find, read, understand, and respond to a privacy notice, she has unwittingly allowed this to happen. Under the opt-out model, banks continue practices against the desires of the majority of their customers, by making their notices ineffective, vague, and bordering on deceptive, and by placing the burden on the consumer to try to understand what they need to opt out of and how. The GLB experience is a clear illustration of the necessity of an opt-in model for disclosure and secondary use of information. In their lobbying against opt-in legislation, banks claimed it would cost them millions if they were required to obtain consent before selling information about their customers. This is an understandable motive, but the question for lawmakers is whose interests should prevail here.

Over the past year the Internet bubble has burst, and some who lobby against privacy for Internet companies have changed their tune from "don't crimp the nascent growth of this new medium" to "don't hit us while we're down." One might wonder whether under this logic there could ever be an appropriate time for privacy rights; I would suggest this time is long overdue. As Professor Rotenberg concluded from a Gallup poll, privacy continues to be a major reason for non-participation, as well as an ongoing concern of online shoppers; this does not decline as users become more experienced. Forrester Research has concluded that ``Nearly 90% of online consumers want the right to control how their personal information is used after it is collected... Surprisingly, these concerns change very little as consumers spend more time online.'' Many online retailers have gone bankrupt or are struggling to achieve profitability, as online consumer spending has failed to grow as quickly as hoped. Unfortunately the many bankruptcies have further damaged privacy, as customer databases of companies that formerly promised never to sell personal information without consent are sold, usually on an opt-out basis. Consumers typically have no option to see the information that is being sold about them, so the opt-out choice is fairly meaningless. This is one reason why access rights should be included in privacy legislation.

At a public workshop run by the Federal Trade Commission in March, the major consumer profiling companies refused to allow people access to their own profiles, or even to provide sample profiles.

Online profiling companies also told the FTC that they are continuing development of their Consumer Profile Exchange technology without any committment to observe fair information practices in their use of it.

In May the Federal Trade Commission found that Amazon and its Alexa division has likely deceived customers, but it decided "not to recommend any enforcement action action at this time," in part because the company had changed its description of its practices. This is a lamentable non-action for a consumer protection agency that is supposed to keep companies honest. Imagine if the SEC found that a company had misled investors with fake figures in a prospectus, then let them off because they had issued new figures and moved into a new business. To me this incident is an illustration of the need for a private right of action. So are many other incidents where companies have made inadvertent disclosures contrary to their undertakings to consumers, most recently Eli Lilly's release of the e-mail addresses of 600 people on Prozac. Companies face too little negative feedback for their errors. What sufferer of depression is going to tell his doctor not to write him a prescription for Prozac because of the manufacturer's record on privacy?

Another trend is that more companies online are posting so-called privacy policies, but the quality of those policies appears to be getting even worse. This conclusion was reached in one longitudinal study by Enonymous. There have also been some prominent examples, such as Amazon.com's change of policy at the end of August 2000. As customer of many years, I was shocked to find after a long and careful examination of their new policy that a company that had previously undertaken never to sell my information, might now sell the title of the next book I bought, in the event of a bankruptcy, or in bulk if they sold a division, such as their book operations.

Dissatisfied, I asked Amazon to delete its records of the books I had purchased. They have repeatedly refused, saying that their systems were not designed to accommodate this easily. They also refused my calls to show their customers all the information they have about them on request. The laws of several countries in which Amazon operates require both access and deletion on request, so I find their refusal to extend these rights to Americans deplorable.

In the past year several nations including Canada and Australia legislated broad, technology-independent privacy rights rights for their citizens, partly with an eye toward enabling free data flows with the European Union. Some fifty companies have signed up with the Department of Commerce's Safe Harbor program, committing to a privacy standard that in my opinion is short of ideal, but still far higher than most companies provide for their American customers, and higher than almost all proposed federal privacy legislation. The program applies only to the data of Europeans, but Microsoft has stated that it will apply that standard to all its customers, including the U.S. I wish I could hear an explanation from these companies as to why they don't want their American customers to have mandated by law a level of privacy that they are willing to grant to Europeans.

Ever more intrusive collection technologies are being rolled out, such as online tracking mechanisms, spyware, face recognition systems, location tracking devices and thermal imaging. To the lobbyist who says that the Internet shouldn't be held to a higher standard in privacy law than the offline world, I ask whether he believes that a camera that can see his body through the walls of his home should be held to the same privacy standards as a photocopier? Restrictions on data collection necessarily take into account the means of collection. When it comes to the use and disclosure of information, I generally agree that the same principles should apply regardless of how the information is collected, processed or distributed.

Enthusiasm seems to have waned in the past year for the hope that "technology got us into this mess, so technology can get us out of it." I am certainly in favor of privacy enhancing technologies: my company has for several years published such software, and it has been used by hundreds of thousands of people. But advances in "cloaking" technologies are always outstripped by advances in collection technologies, both in capabilities and degree of adoption. In September American Express announced that it would roll out in 2001 a "private browsing" service with a startup company called Privada. Privada recent ceased operations, and AmEx has told me it does not intend to deliver the service.

P3P has for years been billed as the privacy technology of the future, and it seems destined to remain so for at least several more years. Even if the computer-readable privacy notices of P3P were universally deployed, it would suffer the same problems as human-readable privacy notices that I have listed above. Microsoft has implemented a part of P3P in its next browser, but only as an excuse not to fix the default settings that allows tens of millions of web bugs to gather click streams in volumes of billions of clicks per day. Microsoft's "thermostat setting" where surfers are required to tell their PCs how much they will tolerate being surveilled gives a misleading and dangerous view of privacy. People should not be forced to trade privacy for participation. People need legally guaranteed privacy rights to control the data collected about them.

In July 2000 the FTC sanctioned a deplorably low set of standards proposed by DoubleClick and a few other online advertising companies under the name of the Network Advertising Initiative. Some of these companies are no longer with the NAI, having gone bankrupt or withdrawn on principle to support privacy. The companies require consumers who do not wish to be tracked to get "opt-out" cookies on their browsers. This is bad policy and bad implementation. People generally believe that destroying all their cookies will improve their privacy, and do not realize that this step in fact removes the record of their request to be anonymous. This opt-out feature is a contemptible excuse for massive surveillance.

Mr. Chairman, Members of the Committee, as this collection of a year's events suggests, each week brings another Love Canal of privacy to light. In previous centuries people enjoyed privacy as an accidental byproduct of the practical obscurity of personal information. Those days are gone forever. Privacy will not return to us by accident. Privacy will not survive without strong acts of will by democratic government. Privacy will not survive unless citizens have effective privacy rights created by governments. Privacy requires the diligent efforts of companies and institutions to comply with mandatory standards. Few companies will ask you to impose that discipline on them. But it is up to you to require all organizations that handle information about people to treat it fairly. Unless you do that, our society will not enjoy the benefits that our technology and economy could deliver, and we will be robbed of something that is very necessary to a dignified human existence: privacy.

I appreciate the opportunity to speak before you today. I would be pleased to answer your questions.

  Written testimony

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp. I'm grateful for this opportunity to speak here today.

Junkbusters is a for-profit company whose mission is to free people from unwanted commercial solicitations through media such as email, physical mail, telephone, and faxes. (The Whois database is a major source for contact information for all these media.) Since our web site launched in 1996, millions of people have turned to us as a free source for information, services and software for stopping junk messages, particularly email. I have assisted many government organizations and legislators on email and other privacy issues since the Federal Trade Commission asked me to explain the mechanics of spamming at their public workshop on the topic in 1997.

I commend the committee for holding this much-needed oversight hearing on the Privacy and Intellectual Property Issues of the Whois Database. I have little to contribute on the topic of intellectual property, other than to say that it is in a sense somewhat irrelevant to the privacy interests of an individual whether an organization owns a item of personal information about a "data subject" (as privacy lawyers call the individual concerned), versus whether the organization buys, licenses, barters, scavenges, or steals the data from another party. These are essentially commercial considerations. The key privacy questions are whether the data subject consented to the collection, disclosure and use of the data, whether the organization handles the data fairly and lawfully, and what rights of redress the data subject has if it does not.

Privacy

Definitions of privacy generally fall into one of two types, both of which are acutely relevant here. The first is "seclusion from intrusion," or the "right to be let alone," to use the phrase made famous in the 1890 law journal article by Brandeis. The second is "informational self-determination," the right to control the collection, disclosure and use of information about oneself, formulated by Alan Westin in his 1967 book "Privacy and Freedom" and now the basis of most modern privacy statutes worldwide. To take obvious examples in context of the Whois database, the first definition addresses whether an individual registering a domain receives spam or unwanted solicitations via other media, and the second includes whether information is gathered or sold by other parties about the registrant without her knowledge and consent.

Violations of these two types of privacy tend to be correlated, since the gathering of contact information is a means towards the delivery of an unwanted solicitation, and because the targeting of messages based on further information makes the activity more economically attractive. As an illustration, the San Francisco Chronicle reported in 1997 that Barnes and Noble, an online bookseller, had established software systems to search people's home pages for references to certain authors, and emailed them solicitations to purchase new titles in the genres mentioned. Independent of the fact that the company should have known better than to try spamming (and soon discontinued the practice), many people were disturbed by the idea that a profile of their reading tastes was being assembled in this robotic manner by an unknown party, let alone being confronted with personalized recommendations based on them. Even fans of book catalogs might be unsettled by a physical letter beginning "Dear Murder Enthusiast" or detailing some interest that they intended to share only with a few friends. Given that the compilers of marketing lists have for years used Whois registration information as a source of personal information (in some cases scavenged free, in others bought from registrars), concerns over the data privacy are well justified. Most people avoid putting their home address on their web sites, and they should be able to register a domain name without effectively giving up this precaution.

The public policy objective of privacy law is to preserve the individual's right to privacy, while still permitting societal participation. This is somewhat analogous to intellectual property law, which seeks to encourage the publication of products of the intellect by providing certain rights to inventors and authors to control the subsequent distribution and use of their work. The current situation with the Whois database is unsatisfactory because individuals are effectively required to sacrifice some of their privacy in order to participate in a fundamental Internet activity. Courts have remarked that the Internet has provided an unprecedented opportunity for free speech; participation should not be dampened by avoidable erosions of privacy.

The current (1999) ICANN Registrar Accreditation Agreement does contain some provisions relating to privacy, but they are inadequate in both theory and practice. [See http://www.icann.org/nsi/icann-raa-04nov99.htm at J.7.a and F.6.f] The agreement anticipates the possibility of a registrant licensing a domain to another party whose contact details are not disclosed, but this is not a satisfactory way of preventing disclosure for the average user. The agreement also requires the registrar to impose an undertaking not to use the email addresses from the Whois database for sending Unsolicited Commercial Email (UCE, or spam), but in practice this is ineffective. Spam is discussed further below, and my statement here concludes with a set of specific recommendations for ICANN. Mine is not the only privacy organization to seek such reforms; see for example the Electronic Privacy Information Center's letter of February 16 to Congressional Privacy Caucus on this topic. [ http://www.epic.org/privacy/internet/ICANN_privacy.html ]

The requirement of the publication of registration information can be seen as egregious and anomalous when compared to analogous media. Telephone subscribers are universally given the option of a non-published (unlisted) number, regardless of which local phone company they use. The US Postal Service discloses information about the identity of a post office box holder only if the holder solicits funds from the public. Various statutory privacy rights have been established to protect the nexus of contact in different media, such as the prohibition in California against telemarketing calls to non-published numbers, so-called "asterisk laws" in several states mandating an optional designation in directories for published numbers that must not be telemarketed, the federal prohibition against junk faxes, and the opportunity to issue prohibitory orders against senders of unwanted solicitations via US mail. This procedure was upheld by the Supreme Court in 1971, including its restriction on the subsequent sale of the address in marketing lists. My first recommendation below is an addition to the Whois database to support this kind of protection for email addresses.

Given the lack of such protections in the online world, plus the ease with which contact information may be inexpensively gathered, it is hardly surprising that surveys routinely find privacy is the number one concern of Internet users and a major reason for non-participation by the offline half of the population. The basic operation of establishing a homestead in cyberspace should not stand as an example of the lack of respect for privacy in the architecture of the Internet, particularly when a few appropriate curtains could be added with comparatively little effort. To be fair to the original architects, many of their procedures were devised at a time when the individuals involved were few and often known personally to one another, so it is understandable that privacy does not appear to have been a top design priority. Changes are now overdue.

Accountability

Privacy is a fundamental human right, but it is not an absolute right: it should not provide impervious and permanent cover for criminal activity, for example. Appropriate mechanisms should be in place for personally identifying disclosures in the case of law enforcement investigations, and for civil litigation such as libel, trademark and copyright disputes. But these mechanisms should restrict disclosures to what is necessary and fair; checks and balances should protect against misuse. Making contact information available to everyone is as much an overkill as if a DMV were to require people to display their drivers licenses on their lapels when standing on the sidewalk.

Domain names do somewhat differ from other media in that they enable the registrant to establish an identity that can be used in the role of a publisher as well as a subscriber to a multi-way communications channel (though fax broadcasting has a similar quality). But the actual publication is typically performed by an Internet Service Provider, or at least via an ISP, and ISPs do not generally require the public disclosure of contact information for the source. Why should registrars be any different? ISPs are accustomed to tearing down web pages or providing subscriber information when required to do so by a court order. The same procedures can apply to domain name registrations if this additional step is needed.

Spamming

The problem of spamming is one of the most important and instructive topics for analysis here. Spamming is not a criminal offense in most states, but it is socially damaging, undermines consumer confidence in the Internet, imposes on consumers and businesses billions of dollars in wasted costs annually, and violates the terms of service of ISPs. As I have said in testimony before the Senate, I believe spamming should be prohibited by federal law, and perhaps it will be. But even if it is, people should still be able to try to avoid spam by reducing the exposure of their email addresses, and those who are harassed by spammers should have the means to obtain redress, which in practical terms translates into identifying the spammer.

The most obvious damage to privacy from the Whois database is due to the so-called "harvesting" of email contact addresses by spammers. (I prefer the term "scavenging" because the crop being reaped was not planted by the scavenger.) As mentioned above, the ICANN agreement with registrars requires the registrar to impose an undertaking not to use the data obtained to facilitate spamming. Unfortunately spammers can blithely ignore the "you agree not to" message attached to the responses to their requests, because their access is essentially anonymous. Limits are often placed on the rate at which domain name queries are answered from any given IP address, but this merely reduces the speed with which the addresses are obtained, and is ineffective in the long term. It cannot prevent scavenging any more than a supermarket could prevent shoplifting by limiting the numbers of bags shoppers are allowed to carry out of the store.

The observation has often been made that Whois contact information can help track down spammers, and I certainly agree that this is sometimes the case. Unfortunately it is rarely much help against career spammers, who have registered large numbers of domains with contact addresses such as the Martian embassy and phone numbers such as 202-555-1212. Beyond these patently false addresses lie more plausible but incorrect entries. Experienced spam hunters tend not to rely on such self-reported, unauthenticated and too-often inaccurate information; rather they examine the header information on the email and use software utilities such as "traceroute" to establish the ISP that originally carried the spam, and then ask the ISP to terminate the account. The casual spammer will usually desist after a warning from his ISP. Furthermore, almost all spammers give other generally more reliable clues to their identity in the content of their emails, which are seldom abstract messages such as "Sin no more." They often ask the addressee to visit a particular web site, which can be tracked via traceroute and the hosting ISP, or in the case of a site accepting credit card payment, through the banking system. Many spams ask directly for checks to be sent to a post office box specified in the email, which can also be followed. In practice, self-reported contact information is like a weak door lock that keeps out the honest unintentional intruder while presenting no serious challenge to the dedicated burglar. I do not believe the benefits of tracking amateur spammers via the self-reported contact details from the Whois database outweigh the damage to privacy caused by the public availability of the information.

Reducing personally identifiable information

Various other benefits of contact details being public have been cited, but none of them persuades me that administrative contact must be made public. Technical contact information is certainly useful for maintenance tasks, but most technical contacts are business-title roles at ISPs, not individual registrants. The fact that consumers find it useful to authenticate a business using the administrative contact information from the Whois database is no reason to require it of all registrants, any more than residential phone subscribers should be forced to have yellow pages entries. Businesses that consider it beneficial can elect to do so, as proposed in my second recommendation below.

ICANN states in the preamble to its June 2001 survey that more than 70% of its registrations are by organizations. [See http://www.icann.org/dnso/whois-survey-en-10jun01.htm under Background] The remaining twenty-something percent still adds up to a very large number of individuals whose privacy is being compromised by their registrations. A policy question arises whether organizations should be treated differently to individuals. Only natural persons have privacy rights; entities such as corporations do not, though they may have an interest in confidentiality: considerable public speculation has arisen from domain names registered by large companies such as Amazon and Microsoft. In the case of sole proprietors, the entity may appear to be an institution when it is in many ways more like an individual. For these reasons it seems to me appropriate to give institutional registrations exactly the same control over admin and billing contact information as individuals have for personal registrations.

I further believe that it may be desirable and feasible for domain names to be registered with a pseudonym (such as a registrar-issued customer number), so that no personally identifiable information is provided, not even to the registrar to whom payment was made (presumably with a money order). Anonymity and pseudonymity are the most reliable ways to protect privacy: there is no possibility of personal data being disclosed or used inappropriately, because it does not exist. (The difference between anonymous and pseudonymous speech is that while neither is identified as originating from a specific individual, the pseudonym allows continuity of interaction and attribution.)

If participation in the digital network without identification raises concerns in your minds about accountability, consider how routinely this occurs on the telephone network: with a payphone, using a popular privacy-enhancing technology called coins. Doubtless some crimes are facilitated by this opportunity, but nobody would consider this as a justification for retrofitting the nation's payphones with credit card readers or for abolishing the quarter. In some countries, including Italy, it is even possible to subscribe to a prepaid mobile telephone service without identifying oneself to either the carrier or the government. If the phone appears to be involved in criminal activity, law enforcement can have the service suspended or obtain the identity of subscriber by examining the numbers called or by wiretapping calls. The situation for pseudonymous domain names would be analogous.

Notice that the registration itself is unlikely to be considered criminal: even if the text of the domain name were arguably libelous or blasphemous, is there any prospect of real harm merely from its presence in the Whois database? Registrars have already addressed the question of obscene domain names, and can decline to register them if they consider them offensive. Even in the case of trademarks, it is far from clear that merely registering FamousNameSucks.org without publishing a corresponding web site would constitute infringement. Rather, it is activities other than registration that constitute the wrongdoing, and those activities entail their own means of tracing the malefactor: the Whois database cannot reasonably be expected to serve that purpose, any more than the white pages should be expected to deter harassing phone calls.

Where it is found appropriate to revoke a domain name, it is obviously just as easy to terminate domain name service for a pseudonymous account as it is for one registered to Thomas Paine or the Federalist Publishing Company. The Famous Name Corporation can still sue a John Doe defendant, seek his identity from an ISP, and persuade a court to have the registration transferred to it.

If a Unabomber wishes to publish his manifesto anonymously, he is likely to find other options preferable to registering the domain ExplodeTechnologists.org. Even if he did wish to establish such a web site, he would be more likely to give his administrative contact address as Mauritius rather than Montana. The FBI would be no more hampered by pseudonymous registration than the false details in this registration; its agents would probably sooner seek the assistance of the ISP hosting the domain rather than sending field agents to the Indian Ocean. Some spammers favor disposable return email addresses, which pseudonymous registrations could provide, but they are already have that by claiming to be from the Martian embassy, or less flagrant false addresses. Also, free web-based email services have a cost advantage to the spammer over domain name registration. In short, pseudonymous registration of domain names seems unlikely to lower the practical level of accountability for objectionable behavior, because such behavior can more reliably and appropriately traced by other means.

Pseudonymous registration does raise some logistic questions, such as how renewal notices are to be sent (perhaps by anonymous remailers), but I believe that deliberation would likely find practicable solutions, so I suggest that ICANN investigate the question.

This is one of the following several specific recommendations I respectfully submit to ICANN and the committee to improve the privacy of registrants and Internet users.

Recommendations

1. UCE field: The addition to the registration database of a field indicating the registrant's disposition towards Unsolicited Commercial Email from any party to email addresses within the domain (not merely the one provided as part of the registration). At least three possible registrant responses should be supported: unwilling, willing, and not indicated.

   This measure has similarities to the "do-not-call" lists and "asterisk laws" that several states have passed against telemarketers. The UCE field may be usable under existing state anti-spam legislation such as California's, and possibly by future federal and state legislation.

2. Disclosure election: Registrants should be given the opportunity to indicate their disposition toward disclosure by their registrar of billing and admin contact information. At least three possible registrant responses should be supported: unwilling, desired, and not indicated.

   I believe ICANN should require this of registrars. This option should apply not merely to email address, but to all contact data. Domain name registrants receive a great deal of junk physical mail as a result of registering (some due to their registrar actively selling the contact details as a mailing list). Registrants should not have to be burdened with this.

   In the case of Registrars who wish to sell for marketing purposes contact information about their registrants (versus distributing it via the Whois database), separate affirmative consent should be required (opt-in).

3. Population of fields: A program to encourage or require registrars to seek and process customers' elections for the above two fields (UCE and disclosure).

   Registrants need not be immediately pestered for a response, but the process should be easily available via the registrar's web site, and the question should be posed prominently at the time of renewal. Consideration should be given to whether the registrant's response ought to be made public as part of the Whois database; this transparency may be beneficial in seeing whether registrars are withholding or providing data about registrants who have made no election.

4. Plaintiff's procedures: The development of standard procedures for the processing by registrars of requests for the on-forwarding of messages to, or the disclosure of contact information about, registrants who have elected against disclosure of their contact information.

   A typical question here is what should happen when a trademark owner wishes to send a cease-and-desist notice to the operator of a web site. The procedure should not impose undue burdens or liability on registrars.

5. Development of appropriate legal mechanisms to support the three points above.

   Privacy rights require an enforcement mechanism with a sound legal basis. For example, if a registrar discloses a registrant's personal data contrary to her instructions, what procedures does she have for redress?

6. Pseudonymous registration: The development of appropriate mechanisms to support pseudonymous registrations.

I believe that the steps I recommend above would greatly improve the privacy of Internet participants without significant deleterious side-effects.

I appreciate the opportunity to speak with you today. I would be pleased to answer your questions.

Appendices

Statement regarding the Rules of House requiring the disclosure of Federal grants and contracts: neither I nor Junkbusters Corp. has received any such funding in the applicable period, directly or indirectly.

  Oral testimony

The official transcript is available at the House Web site.

  Written testimony 2001/4

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp. I'm grateful for this opportunity to speak with you again.

Junkbusters is a for-profit company whose mission is to free people from unwanted commercial solicitations through media such as email, physical mail, telephone, and faxes. Since our web site launched in 1996, millions of people have turned to us for information, services and software for stopping junk messages, particularly email. I have worked advising government departments and legislators on email and other privacy issues since 1997.

As a technologist--my Ph.D. was in Computer Science--my initial inclination years ago was towards solutions based on technology and administrative processes. But years of practical experience with large numbers of consumers have led me to believe that the essential requirement for the collective protection of privacy is strong rights for the individual. Thanks to the private right of action in the Telephone Consumer Protection Act of 1991, junk faxes are today rare compared to junk email, a result achieved without any vast government bureaucracy, and with little frivolous litigation. In contrast, billions of unwanted email solicitations are sent each day, vexing hundreds of millions of people who feel unable to stop it. This reduces participation in online commerce and erodes the considerable benefits of that responsible email marketing offers to consumers and businesses. What is needed to reverse this harm to consumer confidence in the medium is a law establishing an opt-in standard for commercial email, and a private right of action for recipients and network operators. S. 630 would establish an opt-out standard and lacks a private right of action, and in my opinion would not improve the situation it addresses.

Before focusing on the specifics of spam, I would like to briefly review the unhappy recent history of online privacy more generally. In the eleven months since I appeared before you in May, the prevailing level of privacy on the Internet appears to have lowered. (Space allows only a few brief examples, for greater detail see http://www.junkbusters.com/testimony.html on the Web.)

1. Ever more intrusive collection technologies are being rolled out. Profiling companies are continuing development of their Consumer Profile Exchange technology without any committment to observe fair information practices in their use of it.
2. Most "privacy policies" offered by companies still offer little privacy, and appear to be getting even worse, according to one longitudinal study by Enonymous.
3. In September Amazon.com substantially weakened its privacy policy.
4. The standards proposed by DoubleClick and a few other online advertising companies and sanctioned by the FTC in July are deplorably low.
5. P3P, which has been billed by some as the pot of privacy gold at the end of the technological rainbow, is now being used by Microsoft as an excuse not to fix the default settings on its next browser that allows tens of millions of web bugs to gather click streams in volumes of billions of clicks per day.
6. At a public workshop run by the Federal Trade Commission in March, the major profiling companies refused to allow people access to their own profiles, or even to provide example profiles.

The failure to control spam is the greatest economic tragedy of the Internet age. Email marketing conducted in a fair, consensual manner offers enormous benefits to consumers and businesses alike, particularly to small businesses who could not afford the expense of traditional media. As email marketing becomes synonymous with spam--a tragedy because this is unnecessary and avoidable-- many consumers are deciding simply not to participate. The right public policy for spam, as with all privacy law, is to give people who participate rights to ensure their personal information is not used unfairly. This promotes both greater participation and better business practices.

Almost no reputable marketer routinely sends email on an opt-out basis. (A few have occasionally done so in error; this is perhaps the reason some companies oppose a private right of action, which would hold them accountable for such mistakes.) It is deplorable that certain trade associations such as the Direct Marketing Association are trying to hold the door open for spamming. H. Robert Wientzen, President and CEO of the DMA addressed members at the organization's 1998 conference with the following words: ``Let me begin by recognizing that bulk unsolicited commercial e-mail is not real popular with consumers. And to date, very few of you are employing it. However, we also feel that most of those who push for an opt-in-only regime have very little understanding of the incredibly negative impact it would have on the future use of e-mail as a marketing tool.'' The DMA continues to indulge in its fantasy of cyberspace as a world of free paper, free printing and postage-due delivery of solicitations, failing to realize that if it had its way, consumers would rebel or flee.

Opt-in is the right policy for marketing by email, and is consistent with successful legislation on marketing by fax. As in the TCPA, the definition of a commercial message should of course be carefully limited to avoid any impact on non-commercial speech, such as speech about religion or politics. The opt-in approach taken in the TCPA for faxes, cellphones and 800 numbers has as its basis the fact that the recipient may incur costs for receiving the unsolicited message. This is also the case for spam, so the opt-in criterion is therefore equally appropriate. The fact that some in some situations recipients appear to incur negligible incremental costs from a specific spam does not change the fundamental fact that spam is postage-due marketing.

The TCPA's prohibition against telemarketing calls to cellular telephones is not qualified any exemption for situations such as when the carrier offers the first incoming minute free or where the subscriber has excess minutes available for the particular month. That would be as silly as a spam law that said that people whose Internet service plans include unlimited hours are disqualified from monetary damages. Nor is there any exemption in the TCPA for fax-modems where no paper is consumed, a situation closely resembling junk email. Despite the fact that a spam recipient often cannot produce a specific line item from a bill relating to the spam, costs are being incurred by individuals, as well as being diffused among consumers. Of course in many situations the cost can be quantified, such as on certain usage-based tariffs, or when dialing up from a hotel room. In some cases these direct costs exceed the cost of paper for a junk fax or 15 seconds on an 800 number.

Furthermore, spam imposes a hidden tax on all Internet users by increasing network capacity requirements and requiring additional administrative costs at ISPs. I estimate this cost at around one dollar per month for the average subscriber, and billions of dollars per year including institutional buyers of network services. Because ISPs absorb this as a cost of doing business, this expense is not visible to individual consumers, but it is certainly passed on to them. An opt-in policy would reduce this spam-subsidizing tax, lower the cost of Internet access, and stimulate demand for Internet services and ecommerce.

A opt-out policy that allows each spammers one free spam is like permitting shoplifters to steal items until each store requests that they cease thieving. It imposes unfair burdens: in both cases, even people who are not directly victimized incur costs through higher prices. More than a million businesses have Internet access; if even 10% of them sent a single message to half of online US households over a period of five years, the American homes would receive an average of 27 spams per day. The opt-out model is simply inappropriate and unsustainable for the Internet. If opt-out spam were to prevail, email, the killer application of the Internet, would become the application that killed the Internet.

Consider an excerpt from an actual spam and imagine the reaction of a constituent in Alaska reading after downloading it via a toll call. (Of course, it's also important to remember that billions like it may have been sent to millions of people, so focusing on a single specimen is rather like examining a single dead grasshopper at a Senate hearing on locust plagues, but imagine your reaction multiplied to an appropriate scale.) Here is the spam:

 SEX SELLS!!! REALLY WORKS!!!

 "Why Pay To Belong To An Adult Web Site When You Can Own Your Own 
 For Less Than The Cost Of The Membership?" 
 --
 "Anyone With An Internet Connection Can Own An Adult Web Site For 
 Less Than The Cost Of Their Next Dinner!" 
 --
 "No Experience Required! Anyone Can Sell Sex Online In Just Minutes!"
 --
[extraneous detail deleted]

 This message is sent in compliance of the new e-mail bill: SECTION 301.
 Per Section 301, Paragraph (a)(2)(C) of S. 1618, 
 http://www.senate.gov/~murkowski/commercialemail/

Of course spammers are less likely to draw the attention of their victims to such a law. But if you pass a weak spam bill, the bill number and your name will surely be cited in vast numbers of junk emails for years to come. So when you consider the key questions of opt-in vs opt-out and whether to include a private right of action, think of these two alternatives: Do you want your name to remembered as the lawmaker who said "spamming is wrong"? Or do you want it to become the name that launched a trillion spams?

I appreciate the opportunity to speak before you today. Now I would be pleased to answer your questions.

  Letter 2001/4/26 on junk email from Consumer Groups

We, the undersigned groups, representing consumer interests, urge Congress to pass legislation to give consumers strong rights against senders of unsolicited commercial email (UCE). Two bills currently before Congress, S. 630 and H.R. 718, do not meet two requirements that we consider essential: an opt-in policy, and a private right of action.

Because consumers incur costs to receive UCE, the correct policy is to prohibit UCE, just as Congress prohibited junk faxes in the Telephone Consumer Protection Act of 1991 (TCPA). An acceptable alternative would be to enable network owners such as ISPs to post an electronic "No Spamming" sign, as was done in the 106th Congress's H.R. 3113, which passed the House. An opt-out policy, which is taken in S. 630 and H.R. 718, will not significantly reduce the widespread damage to consumers' interests and confidence.

The second essential requirement is that recipients of UCE have a private right of action. Liquidated damages of $500, as in the TCPA, are appropriate. ISPs should also have a right of action, but leaving enforcement solely to them, or state or federal regulators would leave far too many spammers breaking the law.

Beyond these fundamental requirements are numerous details, including as defining a narrow exemption for existing business relationship. The definition of a solicitation should be carefully limited to avoid any impact on non-commercial speech, such as speech about religion or politics.

We urge members of Congress to pass anti-spam legislation with an opt-in policy and a private right of action.

Respectfully

Gary Ruskin, Commercial Alert
Ken McEldowney, Consumer Action
Jean Ann Fox, Consumer Federation of America
Jamie Love, Consumer Project on Technology
Jason Catlett, Junkbusters Corp.
Beth Givens, Privacy Rights Clearing House
Evan Hendricks, Privacy Times

  Oral Testimony

This is an excerpt from the transcript of the hearings. The participants in order of speaking in this excerpt were:

Catlett: Junkbusters Corp. CEO Jason Catlett
Burns: Senator Conrad Burns (R-Montana)
Wyden: Senator Ron Wyden (D-Oregon)

Catlett: Thank you, Senator. And it is a pleasure to be back before you and Senator Wyden again. I'd like to begin with two issues that you raised: first, the technological arms race that is going on between spammers and (largely) ISPs, who are using technological means to try to abate the amount of spam from their networks before it reaches the spammer's intended recipients. That is a silent battle that goes on continuously, and it if were stopped, as we have heard earlier testimony suggesting a measure that might do it, this would cause an enormously greater amount of spam to reach end-consumers. So technological means for automatic spam filtering are tremendously important and do a lot of good.

However, you are absolutely correct that this is not a solution to the problem. And that ultimately it is essential to have laws to stop the attempts of spam being inserted into the network.

We have heard from Senator Rockefeller about the question of labeling. Is it sufficient to label the material? Well, I can tell you as someone who has written scientific papers on automatic text classification that those methods are always imperfect, and even if the spammers were perfectly honest in their labeling of the material, it would still impose an unacceptable burden on the network to try and reject each article after checking the appropriate label.

The second point I would like to raise is the issue of wireless spam, which indeed has been a problem, particularly in Europe where the technology is at a later stage of adoption, but also in states such as Arizona, where a class action suit on that is under way. I would like to note that trade associations within the wireless industry have come out strongly in favor of an opt-in criterion: that you should never receive commercial solicitations to your cell phone unless you have deliberately requested them. I think that is an admirable position for them to take.

I'd like to commend you on the hard work that you have done on spam, over a long period of time, and I am sorry to say that in its present form, I don't think that the bill will achieve the goals that it sets out to do. I don't think it will significantly reduce the amount of junk email that is sent. Two modifications would be necessary in order to have a spam bill that really deserves the name of CAN SPAM, and those two were the issues raised by Senator Rockefeller.

The first is opt-in. The appropriate criterion for email solicitation is opt-in. You should only get commercial email if you ask for. That is what the majority of people online believe is appropriate. It is also what a large number of consumer groups believe to be appropriate. And it is also the practice, as we have heard from David Moore from 24/7 Media, the common industry practice only to send email to people who have asked for it. Almost no legitimate established marketer sends unsolicited commercial email because it is despised by consumers, and it is actually against the terms of service of most ISPs. So the first suggestion I would have for you is to make the criterion opt-in. This has worked very well with the Telephone Consumer Protection Act (as we have heard discussed) for junk faxes, and I think that the success of that bill should be an example to us, particularly the provision to do with my second point, which is a private right of action for consumers.

The idea of a waterfall of frivolous litigation simply isn't borne out in practice under the Telephone Consumer Protection Act. There is very little litigation on junk faxes. But it is a sufficient to discourage businesses from systematically violating the law.

The idea of not allowing consumers to protect their interests, and hoping that their ISPs (some of whom are going bankrupt) will spend additional money to go to court for their individual consumers, I think is very naive. The appropriate thing to do is to give individuals the means to protect their own interests, as is being done with junk faxes, because it's that same situation: this is postage due marketing.

Burns: You believe in the vigilantes too, huh?

Catlett: The consumer should be able to act with the authority of law in an appropriate manner. Some spams do make me want to go into a vigilante state. In fact, I would like to read you a particular spam that I picked out almost at random under a specific criterion. This is a little bit like, at a hearing on locust plagues, to bring along a single grasshopper and hold it up for the committee and say "this is the problem," but imagine it multiplied a million times. It is in my prepared statement, but I'll read you briefly this spam:

SEX SELLS!!! REALLY WORKS!!!

"Why Pay To Belong To An Adult Web Site When You Can Own Your Own For Less Than The Cost Of The Membership?"

"Anyone With An Internet Connection Can Own An Adult Web Site For Less Than The Cost Of Their Next Dinner!"

"No Experience Required! Anyone Can Sell Sex Online In Just Minutes!"

This message is sent in compliance of the new e-mail bill: Section 301. Per Section 301, Paragraph (a)(2)(C) of S. 1618,

With the current form of the Senate bill, you would have to, when the mother asks you "Is it true? Is what this spammer says true? That it is okay for him to send this email?", you would have to answer something like: "Yes, the spammer can send you as much email as he wants until you tell him to stop, and if they don't stop -- if they keep on doing it -- then you can't do anything about it yourself. You have to either get your ISP to do something, or you have to get the Federal government to do something."

Now, I don't think that is an answer your constituents would want to hear. The answer that I think you would want to be able to give them is something like this: "The spammer is lying. My bill made spamming illegal. And it gives you the right to sue people who spam you -- if they break the law."

So the correct policy, I think, and I have made two key points, is to have an opt-in policy, and to have a private right of action for consumers. So the question of opt-in versus opt out and the private right of action really comes down to: if your name goes on this bill and it becomes law, do you want it associated with the spams that are sent out like this case? With so much spamming?

Burns: Thank you very much. And your full statement will be made part of the record.

Catlett: Thank you, sir.
...
[In reply to a question by Senator Wyden on whether the bill would be an improvement over the present situation.]

Catlett: I think there is a risk it will worsen the problem rather than improve it, I am sorry to say.

Wyden: Everyone here -- even though there are differences on the role of opt-out/opt-in, thinks that opt-out is a useful pro-consumer principle? Mr Catlett, you can take the floor. We recognize that you are for opt-in, and I understand that, but opt-out is better than nothing for the consumer, isn't it?

Catlett: It is better than nothing in an individual case. However, if you apply broadly an opt-out policy, particularly if you preempt state law on this, you will actually increase the number of unwanted solicitations, most likely, so applied broadly, an opt-out policy with preemption may well make the problem worse.

Wyden: I am not going to belabor it. I think that is pretty far-fetched.
...

Burns: Do we need to do something about this business of harvesting, and is there a way to amend, or how would you recommend we deal with this situation of harvesting?

Catlett: Thank you, Sir. Unfortunately, to ban harvesting would not be effective for the following reason. There is a technology employed now called "dictionary spamming," which is based on the age-old sales method of guessing. Say a spammer has, for example, and email address john42@aol.com. So they try sending a spam to john43@aol.com, and the mail server tells them "no such address" or "yes, that is a live one," then they go on to john45 and so forth. They also try john34@earthlink.net. Because people tend to use email addresses which are easy to remember for their friends, they hit on a large number of deliverable addresses. So deplorable as the practice of scavenging email addresses is, to ban it, even if completely effective, would not solve the core problem.

Burns: Any other comments? How do we deal with these folks who break into commercial organizations and take their lists?

Catlett: Well, the Computer Fraud and Abuse Act would already make that illegal, I believe, Sir. I am not a lawyer, but...

Burns: Is that correct? Well, that is about all the questions... We invited AOL and Yahoo today, and they declined to come...

  Written Testimony

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp., a for-profit dot com company working to promote privacy. I'm very grateful to the Senate for this opportunity to discuss with you how to protect privacy in the Internet age.

I came to this country from Australia eight years ago to join the computer science research staff at AT&T Bell Laboratories. Since I founded Junkbusters in 1996, the company has published advanced software and provided services and information to help people defend their own privacy. These resources have been used by hundreds of thousands of Americans. Based on feedback from people across this country, and my own investigations, I have been led to the conclusion that technical solutions to the challenges of privacy will not prevent the death of American privacy online. It is clear to me that legislation is appropriate and necessary to protect privacy on the Internet.

My work in marketing and databases at AT&T Bell Labs was governed by strict laws to protect the privacy of telephone subscribers. The Internet still has few corresponding laws, so companies are engaging in practices that would be regarded as unacceptable and illegal on a phone network.

Collectively, this commercial surveillance is having the tragically perverse consequence of scaring off consumers from the entire medium rather than attracting them to a particular site. The Harris/Business Week polls and many others since 1998 have found that fear for privacy is a major or primary reason consumers give for not going online, and for not participating in ecommerce. Their 2000 poll showed a strong majority of Americans favoring new privacy legislation. Forrester Research, a highly regarded firm of technology analysts whose reputation has been built by providing accurate research and advice to companies, has harshly criticized the poor standards of privacy protection online, finding in September 1999 that 90 percent of Web sites fail to comply with basic privacy principles. Forrester called most privacy policies ``a joke'' and concluded that ``the vast majority of such policies, like those of the Gap, Macy's and JC Penney, use vague terms and legalese that serve to protect companies and not individuals.'' These are not the words of some bleeding heart privacy advocate, but of hard-nosed analysts working for a company whose long-term success heavily depends on understanding and promoting the growth of Internet commerce. In October 1999 Forrester published a report finding that ``Nearly 90% of online consumers want the right to control how their personal information is used after it is collected. This desire for online anonymity cuts across consumers from a broad range of demographic backgrounds, including gender, income, and age. Surprisingly, these concerns change very little as consumers spend more time online.'' It is not ignorance that is causing Americans to worry. It is a rational assessment of the lack of control over their personal information, and the paucity of recourse available to them if it is misused.

This privacy problem will not go away by itself because the economic incentives of individual companies work against it. As an example, providing customers with an opt-out from a list of phone numbers being sold to telemarketers means both forgoing future revenue and incurring a capital cost to set up an opt-out system. Companies can ill afford to unilaterally jump ahead of their competitors, even though the sums of money are minor compared to the increase in participation that would result from a market where privacy rights are widely respected. The idea that consumer demand will force companies to offer privacy protections is naive and simply not supported by empirical evidence in surveys. What company is going to produce advertising copy like the following? ``Buy books from us and we will give you a choice in whether we sell your phone number to telemarketers.'' As Commissioner Anthony wisely observed in a statement Monday, legislation of the kind recommended by the FTC ``would reward those sites that have offered real privacy protections and require all others to meet basic privacy standard.''

We are facing a tremendous loss of both economic opportunity, and of our fundamental human right to privacy. The only way to stop this tragedy is to require all companies to respect the privacy of their customers and prospects. And that is an entirely proper thing for the federal government to do.

On the Internet this loss is particularly acute, but is obscured by technical complexity. Let me describe one example by analogy.

Online advertisers build up profiles based on where people go, what they look for, and how they behave on the Net. Imagine if Congress had not passed laws to protect the privacy of telephone users. The headlines would be full of the kind of privacy horror stories we see today about the Internet. We might see a telco that I will fictionally name Orwell Long Distance using speech-recognition technology to spot keywords in your conversations with businesses in order to target you with more interesting telemarketing calls. OLD might look up the yellow pages categories of the numbers you frequently call, and sell that information to junk mailers to decide the kinds of catalogs you're less likely to throw away. This sounds absurd to us now, but on the Web, equivalent practices abound, unrestrained.

Banner ad companies get to see the specific Web pages people visit, plus the keywords they type into search engines and other forms. They track individual PCs using unique identifiers called ``cookies'' placed on Web browsers. Most people haven't heard these companies' names, but some of them have started identifying people by name. Large profiles that were previously gathered with just an anonymous identifier are being linked to a street address, and phone number, and email address.

If Orwell Long Distance were unencumbered by present phone privacy laws, its lobbyists would be telling Congress that any attempt to restrict the free flow of information on the international phone system would be futile, and could result in the collapse of toll-free ordering. But you would wisely dismiss that claim and judge that the greater economic good requires that people have confidence that their privacy is protected by law when they do business by phone.

It would be silly to expect consumers to defend themselves from Orwell Long Distance by using their own voice scramblers and payphones, or indeed technology from OLD itself. Suppose OLD designed a device that could be held up as a technological solution to the privacy concerns of phone subscribers. The result might be rather like a caller ID box, but in addition to displaying to the name and number of the calling party, it would indicate the degree of privacy being offered by the various carriers involved in the call. The called party would then supposedly be given "choice" on whether to pick up and speak to her mother for example, or have her call automatically rejected because it doesn't meet her daughter's privacy "preferences". This scheme would not protect privacy on the phone, and its Internet equivalent, P3P, will not protect privacy online.

What people need are simple, predictable standards, not more complexity, just as businesses need simple predictable copyrights. Both privacy and copyright law accommodate more complex arrangements whenever needed, with the consent of the parties involved.

The comparison with copyright is useful in dismissing many commonly-heard objections to privacy legislation. ``We mustn't impede the free flow of information, so privacy/copyright laws are bad.'' On the contrary, such laws promote participation in the information economy, by protecting the rights of the participants. ``The Internet is international, so privacy/copyright laws are useless.'' On the contrary, that is no reason to permit domestic abuses, and international treaties can be developed. ``Technology changes quickly, so copyright/privacy laws are useless.'' On the contrary, such laws should be technology-independent; it is the data that needs protecting, not the means of transmission. ``It's impossible to enforce copyright/privacy laws completely, so we shouldn't have them.'' Of course incidental violations will occur, but organizations will not base their businesses on piracy/privacy violation, or at least not for long.

Finally, imagine if Recording Industry Association of America were assessing the results of a fictional survey by the Department of Commerce showing that more than 80% of U.S. households do not infringe music copyrights, and concluding that copyright law should therefore be repealed. Preposterous, the RIAA would say. Even 95% of households respecting copyright would still leave 5% free to infringe copyrights. We must have a law. Won't new technology for preventing the unauthorized duplication of CDs provide the answer, a lobbyist against one-size-fits-all legislation might ask? No, the RIAA would say. We need a law, and we need substantial criminal and civil penalties. The Digital Millennium Copyright Act of 1998 was Congress's response to this issue.

In general, information technology produces many more opportunities for enabling undesired uses of information than it does for preventing it. As someone who has personally designed, coded, documented and published privacy-enhancing software, I would be the last to try to impede such technologies. The argument by some lobbyists that legislation would dampen technological innovation to protect privacy is specious. On the contrary, legislation would give companies an incentive to adopt technologies that promote privacy. Services for assuring anonymity become more valuable in a world where data protection is required, because anonymity is an infallible way of obviating the misuse of personal information.

  The Report and Recommendation of the Federal Trade Commission

The FTC's report has been criticized by some trade associations as understating the level of privacy protection being provided by major Internet sites. I believe exactly the opposite is the case. Three years of surveys by the Electronic Privacy Information Center plus Forrester's assessment in September provide far stronger evidence that the average site provides substandard privacy. As an illustration, take the issue of access by consumers to information collected about them. The Online Privacy Alliance's spokesperson Christine Varney said in a press release Tuesday that ``There is no agreed-upon standard for access, so how can the FTC measure it? They can't.'' The answer was on page 23 of the FTC's report: ``With respect to Access, a site received credit if it offers the ability to review, correct, or delete at least one item of personal information it has collected - oftentimes simply an opportunity to update an email address - without regard to what other information a site may have actually collected or compiled.'' Plainly the FTC can measure access, and they did. It is significant that the FTC were very easy graders, and yet most sites still failed. As to the consumer's view of access, a study in April 1999 by AT&T Laboratories asked respondents about ``importance of whether the site will allow me to find out what info about me they keep in their databases.'' 57% replied saying it was very important, 27% somewhat important, 4.2% not important, with the rest not responding. The FTC's conclusion that legislation is needed to improve consumer confidence in a world where most sites are not providing sufficient privacy is simply unassailable. What is remarkable is that the majority of Commissioners waited so long before recommending legislation.

The four privacy principles of the Online Privacy Alliance and the FTC (namely notice, choice, access and security) are necessary but not sufficient to adequately protect privacy. Orwell Long Distance for example would post a privacy policy (notice), offer an 800 number where people can opt out of surveillance (choice), let consumers fill out their own change-of-address forms (access), and deliver all its lists to telemarketers encrypted (security). Missing are affirmative consent and purpose specificity: not using information gathered for one purpose (to complete the phone call) for another purpose (to give to telemarketers) without gaining affirmative permission. These are among the principles endorsed the OECD in 1980 and used as the basis of privacy laws in most developed countries, including recently Canada.

  The Consumer Privacy Protection Act of 2000

The Consumer Privacy Protection Act from Senator Hollings and his colleagues is a landmark work, making a giant strides towards the wide application of all these principles, across technologies and across market sectors, within a legal framework that will really protect privacy in this country.

The CPPA addresses the problem that privacy policies have become "moving targets" that are constantly subject to change. Requiring consent for material changes in use an important part of the principle of purpose specificity. In line with this goal, the requirement for notice might be waived when the policy change merely narrows the purposes to which information is put, rather than widening them.

The CPPA moves toward addressing the urgent need for standing institutions that consider privacy and security policy issues not merely in the context of commerce, but also of government, society and human rights.

Very importantly, the bill provides a private right of action, which is essential if people are to have the means to protect their own interests. Some, but not all enforcement power should vest in agencies such as the FTC. Experience with the Telephone Consumer Protection Act of 1991 dispels the scaremongering claim that a vast government bureaucracy would be needed to curtail privacy violations. The FTC has restricted its enforcement actions to cases of fraud (which are indeed widespread and severe in that industry). State Attorneys General occasionally take action. But it is the precious few individuals who file suit in small claims court that have done the most to discourage the telemarketing industry from routinely violating the law.

Finally, to allow further progress, federal laws should not preempt state law. A good federal law that allows state Attorneys General sufficient enforcement powers will reduce the need for new state-specific legislation, but the states should not be deprived of their traditional role as laboratories of legislative innovation.

Congress now has before it a comprehensive proposal to head off the demise of privacy in this country. It is time for each member of Congress to decide whether the right to privacy is worth defending, or whether it should be allowed to lapse into a 20th century memory.

Throughout this nation's history, the world has looked to the United States as a bastion of liberty, and to its elected governments as defenders of individual rights. Congress now bears a great responsibility for determining whether that leadership will extend into cyberspace, and whether the American citizen's right to privacy - a fundamental liberty - will endure into the 21st century.

I appreciate the opportunity to speak before you today. I would be pleased to answer your questions.

[A list of references will be available at http://www.junkbusters.com/testimony.html on the Web, as links.]

  Oral Testimony

This is an excerpt from the transcript of the hearings.

The participants in order of speaking in this excerpt were:

McCain: Senator John McCain (R-Arizona), Chairman of the Senate Commerce Committee
Catlett: Junkbusters Corp. CEO Jason Catlett
Burns: Senator Conrad Burns (R-Montana)
Varney: Ms. Christine Varney, senior partner of Hogan and Hartson, and the Online Privacy Alliance
Berman: Mr. Jerry Berman, executive director, Center for Democracy and Technology
Lesser: Ms. Jill Lesser, Vice President of Domestic Public Policy, America Online

McCain: Thank you very much. Mr. Catlett. And Mr. Catlett, for the benefit of the committee, perhaps you could tell us what Junkbusters is all about.

Catlett: I would be pleased to, sir. Junkbusters is a web site where people go for information about how to stop junk communication, such as junk e-mail, junk telemarketing calls, junk faxes, unwanted junk mail, and so forth.

McCain: It sounds to me like you're doing the lord's work. (Laughter)

Catlett: Thank you, sir.

Burns: Maybe we do not have to pass the spamming bill then?

Catlett: I strongly recommend that you do pass something like H.R. 3113 without the provision of labeling. I think that is very much needed.

There are those who say that technological solutions for, for example, filtering out junk e-mail will suffice. But I can tell you after running this web site for four years and publishing software to help people protect their privacy, publishing information about how to remove cookies, how to stop junk phone calls, and so forth, I can tell you that technology is not going to stop the death of privacy in this country. Furthermore, self-regulation is also not, alone or with technology, going to stop the erosion of privacy. It is necessary to have laws that give individuals the right to protect their own interests.

McCain: You do not believe that FTC has existing authority.

Catlett: I do not believe they have sufficient authority to require sites to, for example, stop selling your telephone number to telemarketers when you tell them. If the site's policy is stated as they'll do that or they don't state that, there's nothing you can do. And we get e-mail with junkbusters from harassed mothers in West Virginia who say, "How can I get these telemarketers to stop calling me?" Merely notice is not enough. The doctrine that all actions can be taken as on the basis of fraud is simply mistaken, I think.

There's been a lot of discussion about online and off-line, and I'd like to relate a little experience. When I used to work at AT&T Bell Labs, I came here in 1992 to work on research on marketing and databases. That work was governed by very strict laws about what could be done with people's phone call records. Suppose that Congress had not passed those laws to protect the privacy of people when they used the phone system? Well, we would have a situation similar to what we have today on the Internet, where we're reading headlines about the terrible things that phone companies are doing. And instead of Double Click, it would be some company -- I will fictionally call it Orwell Long Distance -- that is spying on the phone customers.

For example, it might have speech recognition technology that listens to the keywords that you speak in your phone conversations with business and use them to target more interesting telemarketing calls to you. It might analyze the telephone numbers that you call, look them up in the Yellow Pages categories and see what kind of categories of products you're interested in, and sell that information to catalogers. Now, if they did that, people would be outraged, and it would be simply illegal. But analogous practices on the Web are prevalent from companies such as Double Click.

The Federal Trade Commission's report has been criticized by some people as understating the amount of progress that is being made, but if you look at the analysis of, say, Forrester Research, an independent industry analysis firm, they actually paint a much bleaker picture of the amount of privacy protection that has been provided by industry. Forrester called many of these policies a joke, and said that they serve to protect the interest of companies rather than consumers. The Electronic Privacy Information Center has also done a series of excellent reports that come to the same conclusion.

So, to my mind, the FTC's conclusion that legislation is necessary is absolutely unassailable. We need legislation. What kind of legislation is needed? Well, the Online Privacy Alliance's four principles are not sufficient. Merely having notice, offering choice, some sort of weak access, and some sort of security is not enough. What is needed is, in many cases, to ask the consent of the person concerned before using his or her information, and that is one of the great principles in the bill before you, the Consumer Privacy Protection Act.

It furthermore establishes -- would establish -- standing institutions that look to the privacy issue beyond the trade issue, and most importantly, it gives individuals a private right of action so that they can defend their own interests when their privacy is violated. My one major criticism with the bill that it preempts state law. I think it's entirely proper to allow the states their traditional role of laboratories of legislative innovation.

Privacy is a fundamental human right, and Congress, with this bill now, has the opportunity to head off the demise of that right. It's really clear to me that looking at the U.S. as someone who wasn't born here, that the world looks to the U.S. as a nation that deeply respects human rights and individual liberties. And the citizens of this country do not have enough rights to defend their own privacy in cyberspace. So, I think that you all bear a great responsibility for determining whether the United States leadership will extend into cyberspace and whether American citizens' rights will be preserved into the twenty-first century.

Thank you.

McCain: Thank you, Mr. Catlett. Mr. Berman?

Berman: Thank you, Mr. Chairman and members of the committee. It's a privilege to be here.

My organization is a civil liberties organization but also an Internet policy organization, and we're trying to maximize the democratic potential of the Internet, to build a bill of rights in cyberspace. And we've worked with all of you on different issues affecting the Internet, whether it's objectionable content and indecency and how to protect the rights of adults versus how to protect our children, encryption, communications privacy, and here data privacy. In every one of those areas we've recognized that the Internet is a different paradigm: It's global, it's decentralized, and that we need to focus in every one of those areas on empowering users and caretakers to protect their rights. That's the thrust of every model piece of legislation.

Why I think there's absolute consensus between Senator Burns' effort with Senator Wyden a year ago, the Boucher and Goodlatte, all four chairs of the Internet Caucus who share that vision of the Internet are supporting privacy legislation. It is very important to understand that none of that legislation is saying government takes over the Internet. All the thrust of that legislation, and Senator Wyden too, is to empower users to protect their rights on the Internet. And users cannot protect their rights if they have a crazy quilt of notice and obfuscation on the net where they do not know what the information policies are of those web sites, and they cannot exercise the right to choose or opt-in or opt-out of particular practices, and there's has to be flexibility in that area.

The legislation I see that has been introduced not only provides that baseline information, that information will not be provided by a 100 percent of the sites until Congress acts, because there's so -- everyone can be a publisher on the Internet. There are so many Net sites that don't know that privacy is even an issue. It is not the last mile, as Christine Varney says, because if Yahoo doesn't know what notice is required, and they may be suffering from a potential prosecution over their eight pages, what about the little web site? Isn't it important for the government to set some standards so that people on the Internet -- the web sites and consumers -- know where they are? That's the key part of this legislation.

You do not have to rely on the heavy hand of government, particularly on trying to figure out on Web what notice means. You can also rely on self-enforcement, and some of the web -- E-Trust and BBB Online -- they can become safe harbors under the legislation. But to move it from eight percent take-up by the industry to 100 percent is going to require some push that they know that's a safe harbor, and only Congress can do that.

If Congress does not act in this area, you are facing 270 bills in the states, and we've recognized in many areas that a crazy quilt of state laws is counterproductive, a burden on the Internet, a burden on commerce, a burden on speech, and not in the interest of the Internet.

I think that the companies like AOL and IBM and Microsoft and others that we've worked with on their online privacy guidelines have done a terrific job, and they've moved forward, and they should be commended for it. But they cannot bear the burden, and they do not have the resources or the time to drag the other web sites along or to subsidize them or to pick them up. That is a role for government, and it's balancing and making their practices the best practices as part of legislation, which will build legislation, which maps on to the decentralized Internet, and preserves and protects and enhances the values that we share. Thank you.
...

McCain: Thank you. Ms. Lesser and Ms. Varney, do you have a response to Mr. Catlett's allegations?

Lesser: Well, I would say the following: Obviously, we sort of fundamentally disagree with Mr. Catlett on approach, but we fundamentally agree with Mr. Catlett on the need to protect consumers' privacy. And, so I...

McCain: You disagree when he says that there is no technology that will solve this problem nor does the FTC has sufficient authority.

Lesser: Let me take the first and then the second. On the technology question, I think it is certainly not technology alone. As Mr. Weitzner has laid out, there are lots of efforts going on in terms of technological development in helping consumers and businesses have that conversation and making it easier for consumers to get notice and make choices, and that's critical. However, in order for technology to solve some of these problems, you have to rely on implementation, and in many ways you need to rely on how businesses are going to deal with their consumers.

So, I would say, in answer to some of the questions raised about whether they are large companies or small companies, having complicated, incomplete, misleading privacy policies, I would submit, based on our data with our customers, those companies will not ultimately succeed in gaining consumers' trust, and they will see a decrease in their business. So, I don't think that technology can do it alone, but we've never relied on technology to do anything alone. It needs to be coordinated with good business practices.

In terms of legislation, I think that, as I've said, it is not a zero sum game. There may be areas where we need to see standards set by this committee to guide the industry and to make sure that we are all headed in the right direction, particularly those of us who are not at this particular point. However, we need to do this in a deliberative way and make sure that we've identified what issues need to be addressed and who best to address them. I strongly believe that the FTC has an important role to play. I believe this committee has an important role to play, and that industry and consumers engaged in a dialogue have an important role to play.

I will say there is one important thing I disagree with in Mr. Catlett's remarks, and I think it's important to emphasize, and that is the issue of preemption. And whatever or however you folks begin to look at this issue, it is critical as we look at this medium, which we know is national but we also know is global, that we don't seek out a multiplicity of confusing and inconsistent standards; that whatever road we go down we make sure that companies -- every single company, be it the smallest company in any of the states represented here, go online and serve customers. They may be serving customers from all 50 states very quickly and from all over the world, and they simply, both large and small companies, cannot comply with a multiplicity of laws that are inconsistent around the globe and around this country. So, I would strongly urge you as you look at standards to think clearly about the need to respect the global and national nature of the Internet online medium.

McCain: Ms. Varney?

Varney: Yes, Senator. As to the second question, the FTC authority, clearly the Federal Trade Commission has the authority to prosecute anybody who posts a privacy policy that is deceptive or misleading, and they should do it, and perhaps they need more resources to do it. Do they have the authority to compel web sites that don't post privacy policies to do so? Probably not. Do they have the authority to compel web sites to post privacy policies using certain language or in a certain way? Probably not.

The chairman of the Federal Trade Commission and I, as a former Federal Trade commissioner, have had a long-standing argument, which I think you've heard before, about whether or not the FTC's unfairness authority, as opposed to their deception authority, would be a sufficient basis for them to prosecute those who collect and use personal information for purposes other than it was provided without adequate notice and consent. The chairman believes he does not have the -- that section 5, unfairness standard, does not give him that authority. I think it does. But he's a professor and a former dean of a university, and he's the chairman.

McCain: All right. Mr. Catlett?

Catlett: Thank you, sir. On the issue of preemption, if Congress moves promptly and passes a good law that gives strong rights to individuals, then the states will not need to move in to address particular needs of their citizens.

As to the question of inconsistent legislation, companies deal globally with this problem all the time. For example, Double Click does not set cookies in Germany because of laws that relate to privacy. Therefore, Germans are getting better privacy protection from an American company than Americans are. So companies do deal with these large differences, and a nation gets the level of privacy protection that it demands.

McCain: Mr. Berman?
...

McCain: So, Mr. Catlett, along those lines, I, like many others, buy books online, and now when I go on one of these web sites, they say, "Hi, John; we just got in a new biography of Napoleon we know you would like," which is true. They know what my preferences are. So actually they're helping me by informing me of books that I would like to read. What's wrong with that?

Catlett: It's a wonderful service, sir, and I use it myself.

McCain: Then you know what I'm getting at here, OK? Where does the line stop where they're informing me and helping me, and they're invading my privacy?

Catlett: Everybody wants the benefits of personalized technologies, and the Internet is wonderful at providing that, provided that the personal information is treated fairly. And that means several things. Only using the information for the purpose that they collected it for, in the case of, say, making book recommendations, and for not selling to or giving to journalists who want to get a psychographic profile of the individual who buys the books. Secondly, the individual should have access to that complete profile that's built up so they can be sure for themselves...

McCain: Like the FOIA. Like a FOIA, the Freedom of Information Act.

Catlett: Precisely, sir, and those laws should apply very broadly to all commercial entities that maintain personal information. It's the right of people to determine the information that's held about them. That information is being used by companies supposedly for their benefit, and so people have the right to see that information.

McCain: Do they now?

Catlett: No, they do not, sir. You have the right to see your credit report, but you do not have the right to see the vastly greater profiles about you that marketing companies have.

McCain: Is that fair, Ms. Lesser?

Lesser: I think it's a fair articulation of the current law. I don't think it's necessarily a fair articulation of all business practices. So, for example...

McCain: Now, wait a minute. Is it fair for me not to know what...

Lesser: Oh, I'm sorry; I misunderstood your question.

McCain: ... Amazon.com's profile of me is?

Lesser: I imagine that if Amazon.com is creating -- is giving you, for example, as we do, an opportunity to have a member profile...

McCain: Is it fair for me to know what the profile is, Ms. Lesser?

Lesser: Sure, absolutely. It is fair for you to know.

McCain: But right now I don't have that right.

Lesser: You will probably be given a right to know what your profile says by a lot of companies, because it's smart business practice.

McCain: But if they don't choose to...

Lesser: Now, the level of -- there's a difference between understanding access, i.e. do you access directly into the database or do you have an ability to basically say...

McCain: You're complicating the issue.

McCain: Ms. Varney, do I have the right to know what profile is compiled on me by an Internet corporation?

Varney: Do I get to ask you a question back to further the...

McCain: Yes.

Varney: OK, thank you.

McCain: Tragically, yes. (Laughter)

Varney: Do you want to know -- a company is going to take what you've purchased on their web site to develop their profile. Do you want access to everything that you've purchased?

McCain: No, what their profile of me is.

Varney: OK. So, you don't care about getting access to your past purchases. You want to see what they do with that information.

McCain: I want to know what the profile is, because obviously they are letting other people know that profile.

Varney: Why are they letting other people know the profile?

McCain: I don't know why.

Varney: What if they don't?

McCain: For profit and fun. (Laughter)

Varney: Not yours, Senator, I can assure you.

If they're not sharing the profile, does that matter to your question? Because here's what the...

McCain: Even if they're not sharing the profile. The FBI has a file on me, and I hope they're not sharing it. Yet, I have the ability -- well, I don't really care. (Laughter) Most citizens would not want that. So, through the Freedom of Information Act then I can find out -- I can get my FBI file. Shouldn't I be able to, through some kind of Freedom of Information Act, know the profile that is kept on me?

Varney: Having been through the Senate confirmation process, I do have an FBI file, and I have reviewed it, and what is in my FBI file are facts and summaries of conversations.

McCain: Should every American have the same right as they do with the FBI file?

Varney: But, Senator, that's what I'm getting at. What's in the FBI file -- if the FBI has a psychographic profile on me, I have not seen it. I cannot see it.

McCain: They may and they may not. I've seen all kinds of FBI files.

Varney: Can you see what they have on me?

McCain: You are evading my question. Should they have the right to know the profile that is -- should I have the right to know the profile that is kept on me?

Varney: Senator, I don't mean to be evasive. I'm trying to draw...

McCain: So, you're not going to give me an answer. (Laughter)

Varney: I am going to give you an answer. I'm trying to draw a distinction...

McCain: If you want to ask me a question, you've got to give me a yes or no answer.

Varney: I will, I will. You don't let me, though. I'm trying to draw a distinction between the data that is used by a company to create a profile. Obviously, you have a right to all of the data, the transactional data. What some of the companies will say back to you, whether or not you accept this argument, is we spend a lot of time and a lot of money and hire a lot of people and do algorithms and all kinds of things to come up with what we think is the profile. It's our proprietary property. Is it good business sense to share it with you? Sure. Do you want to legislate it? Talk to the companies that do it; I don't know.

McCain: So, your answer is I don't know. Now, what's your question for me?

Varney: I asked the question, whether you wanted access to the underlying data or to the profile that the data was used to generate.
...

McCain: I think I should have access -- very frankly, I think I should have access to any information that is collected about me and conclusions that are drawn about me. I think that's the right of citizens, and I don't understand how it could be -- go ahead.

Weitzner: Could I suggest we just take one step back? I don't have a clear answer to this question, but the right of access...

McCain: By law, I can have my credit profile.

Weitzner: That's right. And the reason that you can have your credit profile is because important decisions are made affecting your life based on that credit profile, so you have a right to see it, really, in order to correct it if there are mistakes.

McCain: Suppose that this company that makes a profile of me that portrays me as an ax-murderer is then sold and distributed all over the Internet. Is that good?

Weitzner: I think that what you certainly have a right to know is what they are disseminating to others. I'm not sure that I'm comfortable with the notion that any single web site that has any kind of commercial activity has to have a mechanism for disclosing all of the information that it compiles that is in some way personally identifiable. That really goes pretty far, and I think, as the FTC Advisory Committee recently pointed out, you get into a whole other set of privacy problems. How does Amazon know that you're you when you're coming to look at your profile? A lot of people are going to be trying to...

McCain: Because they get my credit card.

Weitzner: ... figure out every senator's password.

McCain: They get my credit card when I make a purchase, so they're pretty darn sure that it's me.

Weitzner: Well, they ensure against the risk that it actually isn't you, and they protect themselves, and the credit card companies charge you whatever interest they charge you.

McCain: They don't know that I like history books just because of one purchase. Go ahead, Mr. Berman.

Berman: I think the answer -- I raised it before. This is not an easy question. There's been a committee now on access, which has drilled down and made distinctions between proprietary information, information which you should have, which might be exempt. So, it depends. That's one of the critical factors in writing legislation like this. In order to decide...

McCain: If you're making an argument, we better be very careful about writing legislation.

Berman: You better be very careful and go through the hypotheticals about what you mean by access and who has access, and you might also raise the question which we raised is if you have total commitment from the private sector to both only give you that profile and keep it for themselves and never use it for anyone else, because they're the only ones that want to sell you Napoleon books, what is the right of the FBI to get access to that information, that profile? And what we've done is we're making an enormous transfer of third- party information, personal, sensitive information to the net without also examining what the government access standards to that information.

I mentioned the Monica Lewinsky example. A colleague of mine at CET is trying to find...

McCain: Try not to mention that.
...

McCain: Well, this is a fascinating issue. I mean it is really a remarkable issue, and I would argue that five years ago if we'd have said we would be having this kind of discussion, that that simply was not on screen. And I believe that Mr. Catlett is right, though. I think is a very rapidly growing issue rather than one that is diminishing. I apologize to my friend and colleague for the length of time I took, but it's a fascinating dialogue.

I thank the witnesses.

Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/testimony.html