TESTIMONY OF MR. JONATHAN ZUCK
PRESIDENT
ASSOCIATION FOR COMPETITIVE TECHNOLOGY
www.ACTonline.org
BEFORE THE
COMMITTEE ON THE JUDICIARY
SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY
UNITED STATES HOUSE OF REPRESENTATIVES
THURSDAY, MAY 18, 2000
2237 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC 20515
INTRODUCTION
Good Morning, Mr. Chairman and members of the Subcommittee. I am Jonathan Zuck, President of the Association for Competitive Technology, or ACT. ACT is a national, Information Technology industry group that represents the full spectrum of tech firms - from software developers to IT trainers, from technology consultants to dot-coms, from integrators to hardware developers.
While ACT members vary in their products, they share a common desire to maintain the competitive nature of today's vibrant technology sector that has been responsible for America's "new economy."
It is my sincere honor to testify before this subcommittee today. As a professional software developer and technology educator who spent fifteen years speaking at technical conferences around the world, I am humbled by this opportunity and appreciate greatly your interest in learning more about the technologies being developed today that are enhancing and improving our personal experiences on the Net.
I think I'm the token "techie" on this panel - so I look forward to getting into some of the nuts and bolts of online privacy developments. I think you'll find that there's interesting experimentation taking place on the Internet today that is creating endless opportunities. We're at the very early stages of this worldwide phenomenon…and I urge caution when considering proposals that may hamper the incredible innovation taking place on the Net. I continue to be amazed at the great strides my IT colleagues are making at keeping pace with consumer demands…with privacy protections topping the list.
In my testimony today, I'll help dispel some online privacy myths, provide some tips and tools for online protection, discuss developing technologies and address the implications of patents.
ONLINE PRIVACY MYTHS
The truth is, no one person, entity or service can track everywhere you travel on the Internet. Some isolated events have led some to believe that it is possible to track everywhere you go on the World Wide Web. This simply isn't so. Instead, what has happened in some cases is that a number of on-line companies, often brought together by an advertising firm, have banded together to share profile information about you in an anonymous fashion. This type of information sharing allows these sites to personalize and tailor your experience to your interests. This is no different than ordering a pair of pants in a catalogue today and suddenly getting lots of clothes catalogues.
One important benefit of collecting profile information about users is the ability to tailor advertising based on that information. On TV, we know that different ads appear during Friends than appear during 60 Minutes because the demographics are different. On the Web someone selling advertising on a website can make approximately 40 times as much revenue if they can tell the advertiser about what sort of folks they will reach. Just as with television, this makes the difference between being able to support content with advertising or needing to charge for it. To keep the Internet largely free, we need to take care not to hinder the advertising revenue model.
WHAT'S A COOKIE?
Much of the controversy surrounds a browser innovation called "cookies." Ironically, one of the most pleasant words in the English language has transformed to mean some sort of portal to your most closely guarded secrets. It turns out that a cookie is a fairly simple thing. It is a technology that allows a website limited interaction with your machine allowing that site to store information on your machine for your next visit. Many sites allow you to customize your experience by selecting layout, news preferences, language preferences and favorite cartoons. All of that information is stored on the website and given an id number. A cookie is simply a way to store the id number on the machine so that the next time your machine visits the site, it remembers the preferences. If you look through the cookies on your machine, they almost always just contain a single number, not personal information about you.
So cookies really aren't so bad, but you always have the option of not accepting them. All modern browsers provide some sort of cookie management capability that allows you to turn them off, prompt you before one is saved, or block them by site. This technology works today. There are also several tools on the market to make it easy to read and edit the cookies that are on your machine so you can selectively delete them.
TECHNOLOGY TODAY
Let's face it. Net firms are like businesses in any other sector…they want to stay ahead of the competition and generate revenue. What ACT member companies and IT firms across the Internet realize is that privacy is good business.
Net companies see the same numbers you do which tell them that privacy concerns are a top reason consumers stay away from the Internet. Those who are not yet on the Net skew the surveys we see. Most folks grow less concerned about privacy risks, the more time they spend on the web. That said, companies know that in order to attract customers, they must offer the kind of privacy standards demanded by consumers and make those policies known.
Firms are leveraging the concern into a business-enhancer, and thus a customer benefit - "check out my site, we offer the protection you desire." Ours is historically a business with unusually low barriers to entry and low switching costs. The software industry has routinely seen as much as 60% market share changes in as little as 18 months. This was at a time when you had to go to the store, buy a new software product, install it, convert your files and learn to use it. Now, switching is as easy as typing in a new location in your browser. There's literally no site on the web for which there isn't a viable alternative and folks have shown a willingness to "vote with their mouse" and give their business to those who better protect their privacy.
One interesting example is how Internet service provider Earthlink was able to exploit an unpopular provision of AOL's privacy policy that required people to "opt out" every year. Their "Opt out of AOL" campaign allowed them to woo a great many AOL users solely on the basis of a superior privacy policy.
WHAT CAN PEOPLE DO NOW?
Sometimes I am asked what can folks do now and, in most cases, the answer is to use common sense. At this point 95% of web traffic is on sites that have posted privacy policies. Once a site posts a policy, the FTC has jurisdiction to make sure they follow it. Therefore, someone surfing the web should check the privacy policy of a site before they provide any personal information and make conscious decisions whether to accept advertising and solicitations from partners of that site. If you don't find a privacy policy or don't like the one you find, send a quick note to the webmaster telling him or her that you won't be providing any information to them until they get in line and then just "click away."
Another important tip is to guard information like your password, Social Security Number and mother's maiden name, closely. Don't give that information out lightly. Ironically, if you ask a hacker how they got a password, most of the time they will tell you they got it by asking for it. No one should ever need to ask for your password over the phone for any reason. It also makes sense to change your password periodically and not to use the same password for every site you visit. Most browsers allow some type of password management making it less necessary to remember your password so you don't have to pick your dog's name in order to remember it.
Wallets - MS Passport and kids passport
In addition to common sense, there are some existing technologies to help you. Microsoft Passport consists of two services: a "single sign-in" service that allows you to use a single name and password at a growing number of participating Web sites, and a "wallet" service that you can use to make fast online purchases. There's only one name and password to remember, and after you sign in to one participating site, you can sign in to others with just one click. You can store information about yourself in your Passport sign-in profile and wallet, so you won't have to retype it when you visit or make online purchases at participating sites. Your personal information is protected by powerful encryption technology and strict privacy policies, and you're always in control over which sites have access to it--including your e-mail and mailing addresses. And, when you sign out, all of your Passport-related personal information is deleted from the computer, which means it's safe to use on public or shared computers.
Kids Passport is a service that helps you conveniently protect and control your children's online privacy. You can control what information your children can share with participating Web sites, and what those sites can do with that information. In addition, you have the flexibility of making specific choices for each child and for each site, all in one convenient, centralized location.
Internet Security Protection
There are also tools on the market to help protect the information stored on your computer such as Norton Internet Security from Symantec. Norton Internet Security 2000 stops all sorts of viruses, malicious Java™ applets and ActiveX controls, and even hackers - before they can access your valuable data. With Norton Internet Security you also get powerful tools to safeguard confidential information on your PC from unwanted visitors. The tools protect credit-card numbers, bank-account information, and other personal data. Norton Internet Security also helps you restrict children's access to specified Web sites, newsgroups, and other areas of the Internet, and lets you prevent them from submitting personal information through Web forms without your approval. You can even block banner ads, pop-up windows, and other Web page clutter.
Remaining Anonymous on the Web
News groups and chat rooms are not secure. Email from you tells recipients your address. You can use a third-party tool such as ZeroKnowledge to email and do other transactions anonymously. There are sites on the web that allow you to send mail through them so that the recipient doesn't get your email address. This is much like blocking caller id on the phone. These sites are called "remailers" and basically act as junction points when sending mail which scramble the email address of the sender. Most big email spam lists are accumulated simply by seeing who's sending mail in a newsgroup.
You can use a site redirector such as an anonymizer to keep your Internet address from being identified. An "anonymizer" allows you to browse the web without a site being able to uniquely identify you by your Internet address. In the case of people using dial up net access, this is generally not an issue because the address changes every time you sign on. However, many of those with broadband services have fixed addresses making it a decent identifier.
WHAT TECHNOLOGY IS COMING
One of the most interesting technologies coming down the pike is P3P which is an extension of some of the technology that exists today. Sponsored by the World Wide Web Consortium (W3C), P3P (Platform for Privacy Preferences Project) is a framework for products and practices that will let World Wide Web users control the amount of personal information they share with Web sites. It's described as a "privacy assistant." Using a P3P application, a user can enter personal information once and not have to repeatedly reenter it at different Web sites. The P3P application can inform a user of a Web site's practices with regard to gathering and reusing its visitors' personal information. Users will be able to define the information that a specific site can be provided or not provided.
Microsoft already provides a free wizard that allows you to generate a privacy policy that can be read by a browser as well as one which can be read by humans. It is therefore very easy to participate in the P3P movement and become a good actor on the Net. Once the standards have ironed themselves out, it will be possible for a browser to detect the privacy policy of the site you are about to visit and compare it to the preferences you have set. The browser can then warn you of a difference and help you to decide what sort of information you should and shouldn't share with the site. Sometimes, it's just this sort of friendly reminder that is all that is needed to help consumers remain conscious of this issue and protect their information accordingly.
PATENTS AND INTELLECTUAL PROPERTY
Privacy technology adoption is not likely to be hampered by patent protections. The P3P Activity had more to bear than just the policy implications, which was rather new to a body like W3C. It also had to face the problem that participants of early Working-Groups were working on a patent on the same technology. When Intermind Inc. announced its patent claims on P3P-Technology, the Activity stalled for a time. W3C made an investment and ordered an expert opinion on the patent claims from a major patent-law firm. In his outline on the result, Barry Rein explained why implementing P3P does not infringe the patent of Intermind Inc. As P3P 1.0 contains neither negotiation nor data-transfer, there is nearly no risk of infringement of US Patent 5,862,325. In other words, consumers will be able to enjoy the benefits of P3P innovations without impediment from patent claims.
CONCLUSION - An Educated and Empowered Consumer
In my testimony today, we've hit upon some of the key factors that I see as a software developer and a tech futurist that will play key roles as we develop better and better innovations to provide safe and personal Internet experiences. We've discussed the amazing technologies that are addressing consumer demands and we have heard examples of the kind of market discipline that will weed out the bad actors in the privacy space. But my organization adds a third prong to our online privacy position, which perhaps is the most important one - consumer education and empowerment. Industry must do its part to provide the necessary tools and information to consumers so they feel educated and empowered when using the Internet.
To that end I am pleased to draw your attention to www.NetPrivacyPower.org the newest, and I think, deepest site online devoted to educating consumers on protecting their information on the Internet. The site is part of a major, industry-led consumer campaign that hopes to educate consumers on how to protect their privacy online. It's our belief that this kind of effort will go a long way in addressing consumers' concerns. The campaign also includes online and offline advertising and direct mail and email all geared toward directing consumers to the site. The response to date has been positive and we look forward to continuing to roll out the effort in markets across America and across the Net. I thank you again for the opportunity to testify before you today and will be pleased to answer any questions you may have.