Remarks at Privacy Symposium, Cambridge, MA, Harvard University

Stearns gives privacy speech


Good morning everyone. I very much appreciate the opportunity to join you for the Privacy Symposium, and to discuss my efforts, at the federal level, to enhance and protect privacy.

Most of you are probably watching the Olympic Games in Beijing. I find the games to be enthralling and the competition to be exciting. Having been to China, no doubt like some of you, it is gratifying to see that nation's landmarks brought into American homes. I am confident that, through watching the Olympics, Americans will learn more about China. As this occurs, the similarities and differences between our countries may begin to become evident.

There are stark differences between China and the United States, one of the most significant being the collective nature of China. China presents a sharp contrast to western democracies, which focus on individualism as well as the rights and protections that are being discussed at this symposium.

While watching the Olympic coverage, I was particularly struck by the story about the little Chinese girl who lip-synced "Ode to the Motherland" during the opening ceremonies. This young girl was selected to present "the face of China" during the ceremonies because the girl who actually sang the song has crooked teeth.

Chinese officials explained that the substitution of one child for the other was "in the national interest." I cannot help but wonder what other countries would interpret "the national interest" in quite the same way. It seems to me to be inconsistent with the way in which "national interest" is interpreted by the vast majority of Americans.

Certainly, the differences among countries in our global world are significant, and these variations result in great diversity and interest from which we all benefit. New York Times opinion writer David Brooks recently noted that one of the most striking global differences is the divide between societies with an individualist mentality and those with a collectivist approach.

He wrote about the image of thousands of Chinese moving as one during the opening ceremonies. He also outlined a global continuum, with the most individualistic nations – the United States and Great Britain – at one end of the continuum, and China and Japan at the other end. In his view, as well as in my opinion, "individualistic countries tend to put rights and privacy first."

I don't often quote author and philosopher Ayn Rand, but one observation in particular is applicable to our topic today: "Civilization is the progress toward a society of privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men." Here, in America, we enjoy an open society, yet we cherish our privacy.

When I was Chairman of the House Commerce, Trade & Consumer Protection Subcommittee in the 107th Congress, I held the most extensive congressional hearings to date on the important topic of privacy. Following these hearings, I introduced the Consumer Privacy Protection Act of 2002.

This bill would have required data collectors to provide consumers with information on the entity collecting the information and the purposes for which the information was being collected. The data collector would also have been required to provide the consumer with an opportunity to "opt in" or "opt out" with respect to disclosure of his or her personal identifiable information to a third party.

In 2005, I held two hearings on identity theft and security breaches involving personal information. At that time, the Federal Trade Commission testified that, in a one-year period, ID theft victimized 10 million people, at a cost of $48 billion for businesses and $5 billion for individuals.

These hearings led me to introduce H.R. 4127, the Data Accountability and Trust Act (DATA Act). While this measure passed the Energy & Commerce Committee in 2006, it was not brought to the House floor.

This Act would have required any entity that experiences a breach of security, such as a business, to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. In an effort to protect personal information, it also would have directed the FTC to create rules establishing rigorous national standards for data brokers. As well, it would have provided for an FTC or independent audit of a data broker's security practices following a breach of security.

The United States continues to regulate privacy with a sector-specific, and often inconsistent, approach. The sometimes glacial speed of Congressional policy-making in the area of privacy has meant that no comprehensive national policy exists. The resulting legal landscape leaves individuals and businesses to navigate an increasing number of local, state and federal requirements dealing with notice, consent and security as they are applied to the healthcare, e-commerce and financial services industries.

Although these laws have, at least to some extent, protected us against privacy-infringing practices, and have protected us to a lesser degree against identity theft, gaping holes and major inconsistencies continue to exist. The result is that consumers are vulnerable and less protected than they should be, and businesses must make decisions despite enormous uncertainties that directly affect their success and their ability to plan strategically.

One of my primary goals as a member of the House Energy & Commerce Committee is to create a consistent federal approach to privacy. Despite attempts to date, Congress has been unable to pass comprehensive privacy legislation. Apart from the jurisdictional hurdles, I believe the biggest roadblock to achieving this goal is the complexity of the problem.

In the Committee, we focused on constructing a privacy framework that would incorporate the work done in the commercial privacy arena. I still believe that this type of approach will offer the most uniformity and the most efficient regulation as information technology, the use of consumer information, and domestic and international commerce continue to become more integrated. My goal remains the enactment of a more uniform, stronger and more consistent consumer protection law that benefits American consumers and businesses.

But that is only one piece of the puzzle. We must also empower consumers, businesses and the federal government, and work toward a model of application and enforcement of privacy practices that would make US protocols a worldwide benchmark. We must also ensure that consumers and businesses have the tools they need to solve the havoc – such as identity theft – resulting from breaches of their privacy.

First and foremost in our fight to preserve privacy continues to be addressing the online world. Through the House Committee's examination of – and work with – the Federal Trade Commission, I have come to understand that privacy in the online world can be characterized as "death by a thousand cuts."

You give your name and phone number to one site. To another site you give your online ID and zip code. Then you give your birth date and name to yet another site. Finally, you give your email address and account number to a fourth site. Unbeknownst to many people, the information submitted to various sites can be linked together to identify us. I think that this reality is known to only a very limited number of Americans.

For some time now, companies such as Google have been tracking information about web-browsing habits. These data can be used for market research, to customize services or to target – and increase revenue from – Internet-based advertising. Broadband providers such as Charter and Embarq have also conducted limited trials with companies such as NebuAd in an effort to tailor web ads to subscribers' online patterns.

On the one hand, such practices can make ads more relevant to the viewer, and can generate revenue to support innovative Internet content and services that might not otherwise exist or that would cost more for subscribers. On the other hand, such practices can potentially reveal personal information about consumers. NebuAd places "cookies" on the broadband subscribers' computers that track the web sites visited by subscribers. With that information, NebuAd builds "profiles" of the subscribers' interests based on broad categories like "potential audio electronics purchaser."

When the subscribers then go to certain other web pages that partner with NebuAd, they would start seeing advertisements related to their interests. For example, if a subscriber goes to certain car web sites, the subscriber might start seeing car manufacturer ads incorporated into other web sites that he or she visits, such as for an online newspaper.

The companies generally argue that the methods they use make it impossible for them, or for anyone else, to connect the tracked information to the identities of individual subscribers. They also argue that they do not track sensitive information, such as visits to financial- or health-related web sites. Many of the companies appear to be taking steps to protect consumers' privacy. However, rather than only tracking the information of consumers who "opt in," information is typically tracked unless consumers proactively "opt out."

We also need to be mindful that even if we are comfortable with the conduct of "good actors," there are undoubtedly "bad actors" as well. Consequently, it is important for us to evaluate what types of information are being tracked by companies, how they are tracking information, what they are doing with the data that are collected, and how consumers are being notified about what information is being collected and how it is being used.

At a minimum, we need to identify best practices, make those practices available to industry, and ensure that industry is implementing them. It is only through a comprehensive examination of the behavior of all parties involved in tailored Internet advertising that we will be able to determine whether current privacy laws are adequate, or whether additional legislation – or legislative change – is needed in order to create uniform, federal Internet privacy standards governing all relevant companies, including phone companies, cable operators, search engines, web advertising networks and others. It is imperative that there be some evidence of harm if we are going to regulate in these areas.

Otherwise, we run the risk of prematurely restricting the latest technological advancements. Clearly, this outcome would be undesirable and in no one's best interest. We must undertake a careful cost-benefit analysis before actions are taken and laws are implemented. Google, for example, uses technology that tracks the behavior of users across affiliated sites, and then provides advertising based on consumers' activities online.

Although Google claims that it does not engage in deep-packet inspection, there are still some concerns about the privacy practices of this leading online advertiser, as well as about those of other similar companies, such as Yahoo, AOL and Microsoft.

In a recent Washington Post story, Jeffrey Chester, executive director of the Center for Digital Democracy, said: "Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites." He went on to say that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone."

Although Mr. Chester singled out Google, it's important to reiterate that whatever the appropriate standards are, they should apply to everyone. The standards need to be consistent. Consumers don't care if you are a search engine or a broadband provider. In either case, they want to ensure you are not violating their privacy.

In seeking to resolve some of these issues, I joined with Energy & Commerce Committee Chairman John Dingell, Committee Ranking Republican Joe Barton, and Telecommunications and the Internet Subcommittee Chairman Ed Markey in sending letters to 33 cable and Internet companies, including Google, Microsoft, Comcast and Cox Communications. We asked for details about their privacy standards, and the responses we have received to date have been very enlightening. All responses are available on the Energy & Commerce Committee's web site, energycommerce.house.gov.

Another important issue related to data aggregation is whether the data are secure. With any national privacy regime, we must look to current data protection practices and examine whether those practices are adequate. The global communications network provides so many benefits to consumers and businesses alike that we will have to develop policy within that framework, which has so many advantages for so many.

Instantaneous authentication has removed the restrictions of time and space when conducting commerce. The convenience and increased productivity associated with conducting business without ever leaving our computer is an historical change. But it also permits anonymity, fake identities and faceless criminal enterprises to flourish. As is often the case, the good and the bad appear to coexist.

One obligation of legislators is to act in order to limit "the bad." Whether it occurs because of simple carelessness on behalf of those who collect and/or hold data, or because of a more pernicious attack, criminals do not discriminate when it comes to acquiring personal data about individuals or businesses. The basis for any federal data security policy must be twofold: 1) require businesses to protect sensitive information, and 2) require notification to consumers when their data are compromised and their identity is at risk.

I believe that consumers and businesses would benefit from a consistent framework of laws and regulations that stimulates innovation to protect data better. Surely this outcome is preferred to a continued patchwork of disparate laws and inconsistent enforcement of them. Cyber security is more than a personal and economic concern: it is a major national security concern as well.

The news out of Georgia has been almost exclusively focused on the aggressive actions of Russia. However, reports also suggest that the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests that overloaded and effectively shut down Georgian servers. According to the New York Times, researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple attacks.

As it turns out, the July attack could have been just a practice – a dress rehearsal or dry-run, if you will – for an all-out cyber war once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyber attack had coincided with a war involving gunfire. I think we can all agree that, sadly, it probably will not be the last. I would encourage you to hold a symposium like the one that is being held today just on cyber security.

Clearly, cyber security is an issue with specialized concerns and challenges that would benefit from comprehensive examination by experts. As spyware and viruses emerged as threats to the Internet, technology evolved to protect against those threats.

Although Congress has not yet passed comprehensive privacy legislation, the House has examined a bill to restrict spyware. While I was proud that my proposals amending the Committee legislation passed in the House, the Senate – unfortunately – did not move forward with the legislation.

I am firmly committed to upholding our tradition of individualism over collectivism. I support personal freedom as a central goal, in the same way that I support privacy protection as a central tenet. The iconic image of the 18th century American, the Minuteman armed with a musket, has given way to the 21st century American, armed with protection of his or her privacy. In their own ways, each is focused on the right to "life, liberty, and the pursuit of happiness."

The American Revolution brought us independence and representative government. The technological revolution is bringing us new products and services, along with new threats such as ID theft and cyber hacking. By promoting the protection of privacy, you stand with the Minuteman as a defender of our liberty.

So today, I look forward to working with all interested parties to develop the best possible federal public policy in these important areas. I am confident that together we can achieve goals in these areas that benefit Americans and American businesses, protect our privacy and identities, and increase prosperity for all.

Thank you for the honor to speak with you today.