JEFFREY BROWN: How much do advertisers know about you? And how can that information be used? That online DNA was the subject of a Senate Commerce Committee hearing today.
SEN. BYRON DORGAN (D), North Dakota: Someone is gathering information about where you traveled and what you viewed, and that goes into a databank and can be sold or resold, and it becomes the process by which companies will use the information in which to target advertising directly to you.
JEFFREY BROWN: The issue of online privacy has grown, along with the ability to access and collect data and the merging of online search and advertising. Congress is considering new federal privacy protections that can still allow Internet business to flourish.
SEN. BYRON DORGAN: The questions that we discuss and raise today are not meant to suggest that advertising has no value as it relates to the Internet. Quite the contrary is the case.
But I think there are issues that are developing that are important issues, and those are issues about the invisibility of data collection; the collection of information about online users; the security of the information that has been collected; and the use of that information.
JEFFREY BROWN: The committee heard from representatives of key Internet companies, including Microsoft, Google, and Facebook, who explained how Internet activity is tracked and the current self-policing protections in place.
JANE HORVATH, Google.com: If you came onto our service to Google.com, and you weren’t logged in, what we would collect would be your I.P. address…
SEN. BYRON DORGAN: Right.
JANE HORVATH: … the operating system that you’re using…
SEN. BYRON DORGAN: Correct.
JANE HORVATH: … the browser type that you’re using, the query that you have requested, and we would — if you don’t have a cookie already, we’d have a cookie.
SEN. BYRON DORGAN: That was my point. That was my point.
JANE HORVATH: And that’s all we would collect.
SEN. BYRON DORGAN: Well, that’s a lot.
JEFFREY BROWN: A cookie is a kind of digital bread crumb placed on your computer’s hard drive by search companies, Web sites, and marketers to track your online activity.
As you continue to surf the Web, the companies can try to target advertising directly to you based on prior activity and online interests.
At issue now is whether the Federal Trade Commission or Federal Communications Commission should enact mandatory rules on how information is gathered and used.
And we look into this further with two public policy advocates who testified at today’s hearing: Leslie Harris, president and CEO of the Center for Democracy and Technology, and Wayne Crews, vice president for policy and director of technology studies at the Competitive Enterprise Institute.
A call for privacy protection
JEFFREY BROWN: Well, first, help us understand this a bit more, Leslie Harris. What kind of information is being tracked? And how is it used?
LESLIE HARRIS, Center for Democracy and Technology: Well, what's happening is, when you go on a variety of Web sites, they're part of an ad network. They have arrangements with each other.
And as you look at particular information, they are placing a little piece of code called a cookie that connects you across sites so that they're able to say, you know, you're a person looking for a car, you're a person who seems to have older parents, because you're doing a lot of research about old folks' homes.
They pull this all together into a profile, which is probably not in and of itself personally identifiable, although that profile, as it gets richer and richer and has more and more information, maybe.
And then, as you go to another site, you'll have an ad served back to you that says -- that's based on sort of their analysis of who you are.
JEFFREY BROWN: And for the companies, this is of growing importance, right?
WAYNE CREWS, Competitive Enterprise Institute: It's of growing importance, but, you know, if we had been having this talk four or five years ago, we might have been angry that we were getting a lot of untargeted ads, spam.
And now what's happening is we have this ability to target ads to people based on these networks, but we have an uproar. You know, is the data secure? What's it being used for? What happens when we get on lists we don't want to be on? And so on.
JEFFREY BROWN: Right. Now, the companies refer to this as non-identifying information, is what you're saying.
WAYNE CREWS: Right. Right.
LESLIE HARRIS: Right.
JEFFREY BROWN: That means it doesn't mean they know me, but they know me as a type or as a consumer?
WAYNE CREWS: What matters online is they're trying to sell something to you. It's not that they have to know who you are necessarily, but what someone like you likes to buy. And that's the idea.
So the standards are evolving here. We're probably going to make a lot of mistakes. You know, the Internet is a frontier industry. It's new. It's never been a totally secure network just because of the origins of it. It evolved as a public network.
So we're probably going to make some mistakes. A lot of techniques have to evolve. We've got to have privacy protections, like a lot of these companies that were just shown on the clip do offer opt-out for sensitive information, sometimes opt-out for information that's not even sensitive. Usually it's not personally identifiable.
LESLIE HARRIS: Well, we need to talk about...
JEFFREY BROWN: Right, well, let's talk about it, because right now...
LESLIE HARRIS: We need to talk about that, because...
JEFFREY BROWN: ... right now, it's largely self-policing, but you think more needs to be done and more...
Can security be guaranteed?
LESLIE HARRIS: Well, a couple of points. First of all, the companies that are sort of name brands, when they collect this information, they probably are just using it for advertising. They aren't looking to identify you by name.
But the ability to aggregate massive amounts of information, and no rules about how much you collect, how long you have it, and usually it's tied to some kind of identifier, means that somebody else can come along, the way Viacom has come along and demanded, you know, that Google turn over the logs of every single video viewing since the time that YouTube was created, you're creating these enormous pots of information.
WAYNE CREWS: They're vulnerable.
LESLIE HARRIS: They are vulnerable.
JEFFREY BROWN: So what should be done?
LESLIE HARRIS: Well, we need a baseline privacy law in the country. It needs to be very lightweight. The Internet is an innovative medium. We don't want to crush it, but we have historically a set of what we call fair information practices that you collect information for one purpose. You don't use it for another purpose. You hold it for only as long as that purpose exists.
People have a right to know what you're collecting about them. People have a right to fix any errors you have. I mean, the rules or at least the framework for the rules are well understood legally, but we don't have any of those rules in this country.
WAYNE CREWS: But it looks like the information that is collected a lot of times the problem is -- you just mentioned the Viacom case, with the YouTube video files. A lot of the problem in privacy is not marketing. The problem is...
LESLIE HARRIS: I completely agree with you.
WAYNE CREWS: The problem is government collection of databases or compulsory databases or government -- companies not being able to make security guarantees, because that information then becomes turned into...
LESLIE HARRIS: But the companies don't need to hold it.
WAYNE CREWS: ... the government.
LESLIE HARRIS: I think the problem is -- I tend to agree.
WAYNE CREWS: They may not have to.
LESLIE HARRIS: I do not believe that advertising, per se -- I mean, it's an engine of the Internet. But if we're going to do that, we're going to collect -- I mean, I think that the hearing today was about advertising, and it probably should have been about the fact that we have this massive data collection. And then it can be used for all kinds of purposes. Just because good companies are only using them for advertising...
JEFFREY BROWN: But, for example, let me ask you this.
WAYNE CREWS: There was no conclusion that we really knew how to legislate.
The government's information pool
JEFFREY BROWN: Right. But you said earlier, for example, that many companies, many sites allow people to opt out. I don't know if people -- how much they know that they can opt out.
LESLIE HARRIS: They don't know it at all.
JEFFREY BROWN: But whether they do or not, should that be a mandatory thing, that people -- why not?
WAYNE CREWS: No, I don't think it should be mandatory, because I don't see the private-sector information collection as the greatest threat. I see things like the Viacom, Total Information Awareness, and all of these other issues that we haven't discussed right now.
LESLIE HARRIS: But the government collects its information from private databases. I mean, the problem is -- we're watching the FISA story as if these are all separate universes.
WAYNE CREWS: That's a different problem. That's true.
LESLIE HARRIS: And they're not separate universes. We're creating enormous pools of information online that we are collecting that are available to the government. And under legal standards, where you as an individual have no privacy interest in that information, if they go after it, you don't even have to be notified.
JEFFREY BROWN: So should there be a place where I, as a consumer, can opt out or say, "Do not track"...
LESLIE HARRIS: Yes, absolutely. Absolutely.
JEFFREY BROWN: ... as we have with phones? You're saying as a mandatory...
LESLIE HARRIS: Absolutely, because there are good actors and there are bad actors.
JEFFREY BROWN: And you think that's not a good idea?
WAYNE CREWS: Well, I don't really think that would work. I mean, I think a do-not-track database becomes vulnerable in itself. A lot of the greatest data breaches we've had have been from government data.
It's just an unfortunate coincidence almost that a lot of these marketing issues arising on the Internet are happening at the same time we're in this homeland security culture in which the government is prone to go after this private information.
JEFFREY BROWN: What about...
WAYNE CREWS: But that's a different problem than regulating the private sector. I think there's a lot of things that have to evolve there. We've got to have liability standards online. Those need to evolve, because there are new technologies that are going to come on board, like biometrics, that are going to make these problems even more difficult.
LESLIE HARRIS: They're going to make them worse. And it's already happening. I mean, we're migrating health care online.
WAYNE CREWS: But to think that we need...
JEFFREY BROWN: Well, that's what I was going to ask you.
LESLIE HARRIS: We have no rules.
Personal data privacy rights
JEFFREY BROWN: What about more sensitive data, like health care, like personal finance?
LESLIE HARRIS: We have to have more.
WAYNE CREWS: But those are market tools that have to emerge.
LESLIE HARRIS: We cannot say, you know...
WAYNE CREWS: And they're in force.
LESLIE HARRIS: ... as we move health care online and out of HIPAA, the information online is not -- you know, when you decide to go do a search and join some kind of a group, or you're revealing all this information, you're under no privacy regime.
And I just don't think we can say, "Well, self-regulation will be enough. Companies will promise that they won't use that sensitive information or collect it." That doesn't give you any rights in your data. And, you know, ultimately, privacy is about your ability to make decisions about your data.
WAYNE CREWS: It's more about -- you know, privacy is not a thing that you regulate. It's a relationship that people have with companies they deal with, with hospitals, with financial institutions.
LESLIE HARRIS: It's a lot of people.
WAYNE CREWS: And in a lot of different avenues, the relationship is going to be different. And a certain law or new set of rules from FTC isn't going to be able to embrace all...
JEFFREY BROWN: Let me just ask -- we just have a minute.
LESLIE HARRIS: Sure.
JEFFREY BROWN: I just want to ask one more thing, because the committee was -- the next step was to the ISPs, the Internet service providers.
WAYNE CREWS: Right.
LESLIE HARRIS: Right, because this is a new model.
JEFFREY BROWN: The big companies, Comcast, AT&T, Verizon, who are moving towards being able to gather information themselves or to allow others to...
LESLIE HARRIS: That's right. That's right.
JEFFREY BROWN: ... use it.
LESLIE HARRIS: So this has been a model where, you know, your favorite online Web sites are together in an ad network and they are directly putting cookies on your machine and collecting.
The new model has your Internet service provider essentially diverting all of your traffic stream to some third party, where they just market back to you. And our perspective is that's wiretapping. And we think that the wiretapping laws say that. You're not supposed to...
JEFFREY BROWN: All right, we just have time for a response on that.
WAYNE CREWS: I see wiretapping as old school. That's 1969 for the telephones. It may be that it would apply now, but if it does, we may need to make changes...
LESLIE HARRIS: Well, it was 1986.
WAYNE CREWS: ... to recognize the difference in online uses. We need competitive discipline here to deal with a lot of these things, not just political discipline. There are formal market institutions...
LESLIE HARRIS: Well, I certainly support competition in industry for privacy, but it's not enough.
JEFFREY BROWN: OK, all right, Leslie Harris, Wayne Crews, to be continued.
LESLIE HARRIS: Absolutely.
JEFFREY BROWN: Thanks a lot.
LESLIE HARRIS: Thank you.
WAYNE CREWS: Thank you very much.
LESLIE HARRIS: Thank you very much.
JUDY WOODRUFF: And the conversation continues on our Web site, where you can ask Leslie Harris and Wayne Crews questions about online privacy. To participate, go to PBS.org.