worked extensively with the ftc so far along this and they also have a great deal of expertise in the competition area, which is one of the things that's driving better technology throughout the industry in terms of providing users more transparency and more control over their data. so the ftc has developed a great deal of expertise in this area. >> i would like to see a joint task force because the ftc will have expert at the national level and with inspection there's a real role for the fcc but when it comes to the added cell and the consumer itself it's the ftc. >> this is going to envelop you'll see more, voice-over-internet and everything over the internet. all communication is going to be through that media and so -- you know, i think the fcc has a part and parcel role. >> i think i'd echo a nod to the ftc in terms of our business model for cookie-related activity. the ftc for over a decade for

its workshops on the technology has been instrumental in raising awareness of the policy and technical issues and very much determinative for setting the direction for self-regulation. as for other business models and other regulatory schemes, i wouldn't be able to speak to that. >> mr. cleaver? >> ftc is the close with fcc. if you want to pass legislation that'd be the only tragedy. >> thank you very much, mr. stearns. mr. weiner is recognized for five minutes. >> could you ask perhaps for the for miss huang to talk about experience developing chrome which is your search -- what's it called? >> browser. >> your browser. wouldn't it be possible through that vehicle to when you

download it get your first page, tell us what information you'd like to know about the pages you're visiting and what information that you'd like to share and maybe a collection of boxes you can check or not check. it's similar to kind of what facebook tries to do although they don't right in your face. you can say this -- that seems to be even more -- even a better place to think about the true gateway to the experience. if i wanted to do that through chrome, would i be able to do that in some way? i know i can erase the cookies and erase my browser can i do something like that? >> thank you for your question. >> you're welcome. >> i'm a little bit disadvantaged. i'm not an engineer just a lawyer and our engineers do amazing things. i think -- so i don't know there's any limitation on what they can do. i know they're working very hard to build privacy controls -- >> maybe mr. feltman can tell me about the technology here?

>> sure, the information flows that users might be concerned about mostly happen not at the browser but after the user has interacted with a website or a content provider. what that means technical controls would exist mostly not in the browser but in the websites themselves. . >> but let me interrupt on that point, if you have a fairly finite of browsers that most people use, let's say for the purposes of this conversation it's 5, i mean, that basically probably accounts for most of what people do and the browsers are themselves competitive with one another, you know, you can argue that the browser industry grew out of people's dissatisfaction out of explorer. so why couldn't you say that if you want your website to come up when you're traveling through firefox, you have to have certain of your own information that you're giving us about what we can tell our users? isn't that kind of a technical solution, a solution but a

technical way to kind of serve as a gatekeeper for a lot of websites? >> yes, and there are certainly things you can do along those lines so that the browser could help the user express their preferences. and the browser could in a technical way query a site and see what promises the site makes about uses of data. there's been efforts to do this in the past. there was a standardization effort called p3p called the platform for privacy preferences which defines such a standard and for reasons that are the subject of debate the standard didn't stick. it wasn't popular. nonetheless, i think this is a fruitful approach and i for one would be happy if the companies got together and had a discussion again about how to do this.' >> mr. kelly, tell us a little bit, if you could, about yu8÷ experiences in stepping on the toes of people's privacy concern. i mean, it seems to mey'ñ we to

some degree have three companies that have succeeded because consumers with a lot of different choices have chosen to use google, chosen to use yahoo! and chosen to go to facebook. could it be the reason they're choosing your three services in particular that you're being self-selected by an active consumer marketplace that thinks the privacy works on your sites? now, you just had an experience, i guess, it's an ongoing one where you've had kind of a conversation with your members about privacy. how does it work differently on yours then say -- what search engine do you use when you're searching the internet? >> i mean, it's usually google. >> how is your privacy experience as a consumer of google different than as a member of facebook? is it at all? >> well, i think all three of these sites have succeeded because they're providing great user experiences overall and in

some cases they are because of privacy and because we based a business on identity and personal information and the effective sharing of that with people who share a social context with you, we knew going in that privacy was going to be a critical issue for us. and our goal has been to build technologies that allow people to make choices. so one of the things that's gotten lost in the mix -- in the discussions of social networking is that friending, whether you friend somebody or not and how you connect to them is in and of itself a pri"ññ setting. it determines what information you see on facebook and that's been a great experience for us. when you look at google or a yahoo! as a search engine they're looking for deliver a different experience there. they're looking for you to type in a word or two and get back something that they think is the most relevant experience for you. to get you to the page that you need to go next. if you use other services on those -- on those sites, they're providing different experiences there.

our goal has been to build technology that empowers users and lets them make their own choices about how they share information. we've aimed that to extend that into the advertising realm as well. >> let me build on it and you can go ahead and for my last two seconds you can answer. take me back to 1986 or 1996, i don't even know when this phenomenon all began. you could buy someone's credit report from three different companies. you could probably find aggregates of information that helped car dealers to send their information. you could scrub public records what kind of home they own and how many taxes they pay. it seems to me that there's always been resources that allowed someone to do 75% of what you described in your testimony as the thing we're protecting against. and we've acted here in congress to try to limit access to that

information. but to some degree, wouldn't you agree that consumers have pretty much now have a lot of tools that inform their experience. i would argue without even knowing it. i bet there's places i can go on the internet to find little software plug-ins i can probably download to let me know are going on which websites. it's a two-part question is a lot of your stuff you're concerned whether you don't plug into the internet at all and secondly, is it some degree the marketplace allowing -- are consumers allowing the winners for good companies >> polls after polls of survey including the one you saw berkeley release 10 days ago. most users, most consumers have no idea about what's being collected, how it's being used and how it really works. i honestly believe and i think this is going to come out as part of this debate and frankly that's why we need good privacy

legislation because it's going to undermine public confidence people don't really know what's going inside facebook and the third-party developers and all the data flowing out. they don't know what google is collecting across its various interest. if they knew, they would, in fact, i think be more concerned so consumers don't know. the polls show that. this is a whole different world here, right? than was back in 1996 when we did the children's act. you're talking the instantaneous merging of a vast number of databases with online behavior minute-by-minute that is adopted to an individual's actions and reactions with various online environments including all the personal information they put on their social networks. this is a completely different system that's been created. and finally, you know -- i mean, i have a 16-year-old. i look at this as the world that will be here very soon.

we will be buying our mortgages on this mobile phone in the not too distant future. this is the dominate way we'll be doing business through the pc and the mobile phone. it's a whole different world that has been created. on the other hand we should be proud of it. they created it for us. we just to have make sure that consumers are protected. >> thank you, mr. chairman. >> thank you very much, mr. weiner. the gentleman from louisiana is recognized for five minutes. >> thank you, mr. chairman. when we talk about opt in versus opt out and i would imagine for business model purposes opt out is the preference because if you force somebody to opt in, i think it would probably limit the number of people that would want their data to be collected on the front end but if they do go through the process of opting out, are they actually stopping their personal data from being collected or are they just not

getting the targeted advertising and if miss toth could start. >> what user is opting out for us that is an opt out of not collection but of use of the information. but i also want to be careful about the use of the term "personal information" because very often what's being conveyed to us is information that's specific only to a browser that's used to customize advertising but that level is what the user is able to opt out of in terms of that data being used. >> right and there are different levels -- if you're just going onto a browser and i think miss wong talked about that and go on google and do a search there's different information maybe just my ip address and if i use yahoo! for an email account i'll give you more information and you'll have information if i choose to opt out of that, what am i opting out there? are you not going to be collecting the data anymore or just not getting the targeted advertising? >> the way that we do it at

yahoo! is that when a user opts out we're not using targeted information and using that information in that way. yahoo! uses wide search, email -- >> maybe social network services. >> exactly. so when a user opts out, we opt them of the delivery of targeted advertising but we also recognize that users may not want us to have that much information about them so we take great pains to deidentify the data as soon as we can. we spent over a year looking at every single product, every single data system at yahoo! to try to minimize the amount of time we hold data about users. >> right. and i know we got limited time so miss wong and then mr. kelly. >> sure. i think it's roughly the same answer that i gave earlier which is we really collect very little data from users when they're searching the ip address and the cookie and the opt out for our interspace advertising is an opt

out for those targeted ads and what it means is that the cookie you're getting is not uniquely identified. it just drops query that you sent us or the data that we've gotten into a bucket of all opt-out cookies. >> because our service is based on sharing personal information with others, we inevitably end up collecting a great deal of personal information so that we can effectively share it with others and actually use people to retain people's photo albums for them, which they usually expect to be retained indefinitely. in certain circumstances, particularly, in our advertising products where we're innovating and where people may not be used to a presentation in a particular way, we've allowed for opt outs in those instances because we think it empowers users. it allows them to say i'm not comfortable with this at this point. but they can reconsider that at a later time. our goal overall and i think the goal of this committee and any legislation it considers and any

enhancement of regulatory authority should be to make sure that consumers have real power to make those choices. we've tried to embody that in technology as much as we can and you're here trying to embody it in law and trying to encourage the regulatory agencies to continue to meet their burdens and their obligations under existing law. >> and i apologize to interrupt. i've only acting minute left. there's something else i want to ask especially as it relates to the email services. and both for yahoo! and google if you can answer this. if a user of yahoo! or google or any other email service decides that they want to opt in or they don't want to opt out to all of those agreements and you can collect whatever information you want from them, but let's say they then send me and i don't have that service and they send me an email, i didn't agree to any of those issues.

do you read emails from people that are -- a yahoo! or google email subscriber. do you read through those emails to gather information in any way? >> yahoo! does not scan the content of email communications in order to show targeted advertising. >> or for any other purposes? >> we don't -- well, there are only some purposes for -- there is a process that actually removes viruses from email that's an automated process. >> miss wong? >> yes, we're using that same technology that scans for viruses and also scans for spam. it's basically technology that looks for patterns in text and we use that not only for the spam blocking and the viruses but also to serve ads within the gmail user's experience. so importantly, like the --. >> so if two people are exchanging an email about a sporting event and they are talking about the game and maybe they'll want to go for a drink

afterwards, could they maybe expect to get an advertisement about which different bars are offering specials after the game? >> so they won't get an email -- only the gmail user will be able to see ads that show up just like they show up on the side of the search results that are key to specific words, just as if you typed them into our browser that are calling from our repositories of millions of ads to deliver an ad that's targeted to the content that you're reading. >> if that was a two-way conversation one was the gmail subscriber who agreed and didn't opt out of the privacy but the other person in that conversation was not a gmail user, clearly not someone who opted nor opted out, would any part because in an email thread they could have had maybe four, five replies and you got a large threat built up and it's not going to be the gmail's information that's going to be there. the person who's the nongmail user is also going to be included in that thread. would any of that information be

read? >> nongmail user will not have an ads targeted at them at all. >> is any of their data collected? >> their data sits in the recipients, the gmail recipients archive. >> so if you've got algorithms that went through that gmail email, then when you were reading things in that email, some of the things that you were reading would have been part of the thread of a nongmail subscriber? >> that's right. >> how does your privacy policy handle that because that person clearly has absolutely no knowledge of you reading their email. they surely didn't agree to it and they didn't have the ability to opt out so how is that handled? >> just to be really clear. there's no humans reading email -- >> but if it's a software algorithm to go through and look for keywords or key information, their email address, of course, is going to be in there so you would be able to know who that person is at least from their email address but also you would

be able to have access to the information. do you have anything in those algorithms that prevents that information that's not gmail-related to be read? from a person who didn't agree or have the ability to opt out of the privacy? >> it would have to be the user did not want to receive that email from the person who sent it to them. so this is fully in control of the gmail account holder. and they can refuse to see emails from certain people. >> you would be putting the burden of privacy collection on a user of gmail? as someone who actually has a gmail account? but your user knew the policy was and could today right now go online as you've showed you've got many opportunities for your user to see opt out. >> that's right. . >> the person who's the third-party, who's part of that thread, does not have that same access. so how can you put the burden on the person who sent the email? >> no, no. the person who sent the email

has -- they've sent their email to their friend. that user is not going to get any ad targeted to them. we're not going to have any information about that user at all but for the fact we hold their email because we're the email service provider for the gmail account holder which is the same as any other web mail service. >> and i guess the real question is, how is that person -- the gmail subscriber clearly has the ability to protect their privacy, to opt out if they so choose, maybe some of their data but they could opt out but the third-party they sent the third-party to who's contained in that thread doesn't have that same ability but yet their data is subject to being searched in the same way. >> that's true. but that occurs with every web mail service because -- >> yahoo! said they don't -- >> scans their email -- >> i'll ask miss toth -- >> every web mail scans their email for spam, scans it for viruses. it is the same -- >> but also for targeted

advertising i think you said y'all do scan it for targeted advertising -- >> we don't -- >> and i guess the case they are scanning it for other services that would be maybe sold to a third-party, how does the person protect their privacy when they never had the same opportunity to opt out that the original gmail subscriber who sent the email was able to have the same access? >> to be very clear, no users information is sold to any third-party. no information about the sender of an email to a gmail -- >> you're past 10 minutes of time. >> if i could get that in writing maybe the answer to that. thank you. >> that's fine. if any of the witnesses would like to respond to that last question in writing, that would be highly appropriate. the gentleman from vermont is recognized next, mr. welsh, for five minutes.

>> thank you. i want to join my colleagues for apologize for our delay and appreciate your patience. although i think i might rather have your job today than ours. [laughter] >> miss wong, in your written testimony you noted that the committee should explore this. it's an incredibly difficult issue both because of the complexity of making this work in assuring confidence to users. and because of basic questions about what should be private and what isn't. i'm asking that you expand on that and what ongoing efforts is google making about the merging of online and offline data and the issues that are created as a result of that. so i'll start by asking you if you would comment in that and probably ask a few others as well. >> sure. and i actually think there's -- this is a multidimensional question. i think absolutely there's an

obligation on industry to do the right thing because the trust of our users is incredibly important. i also think that there's a role for groups like mr. kerns' group, the self-regulatory groups which continue having us innovate on best practices. i think the best thing that has happened in the last few years is that all of the major internet companies are competing to create better privacy technologies, and that is really phenomenal. there is also a role for government because to be very clear, there are bad actors. and so there is a role for oversight into the range of players on the ecosystem and the conduct that they engage in. and the thing that i think is most important and the reason it should apply to both online and offline the companies that you have here all face our users, are all invested in deepening the relationship with our users. there are companies that do not face the public that are behind it and that need more oversight because nobody knows what they do with their data.

>> mr. kern, you want to comment. it's a kudo for the role that you play. >> i'd simply say i think we have an obligation to tell you about our successes and our areas of improvement of self-regulatory organizations as it relates to -- and also, i think, to work with you to explain the somewhat complicatedtins that go around the different business models. i don't believe that i have a diverse membership so that we're not at a place in having a relationship view but we're very much committed to educating the technologies and i think today's hearing is helpful in terms of, in effect, helping you discern the exact technical infrastructure that goes into all of this online advertising. >> let me come back to mr. kelly. the congress is never going to

be able, obviously, to address technical issues. it's not our competence. it's not our job and it's not what we should do. what specific things in terms of policies, i'll ask you, mr. kelly, would it be -- would you be recommending that congress do in order to protect privacy, which is our proper concern but do it in a way that doesn't strangle innovation? >> and that is a critical role that you do have is protect the innovation in american technology and how we'd been able to lead the world in this area. but, obviously, protecting the privacy of american consumers -- it's critical to us and to other companies in the technology industry. but not everyone. >> uh-huh. >> and so there are many actors out there who are tasked and see their role as gathering data and building personal profiles of people with no notice, no

consent, no control. i think that congress' regulatory action should be largely directed there. we have a set of existing and extensive regulations and we've talked tonight about our work with the ftc as a technology industry. in this area where there are -- there are bands against deceptive practices and other activities. but still there are many technology companies out there whether they be spyware vendors, whether they be sort of just surreptitious collectors and aggregates of data that deserve the attention of this committee, the congress and existing regulators. >> okay. thank you, my time has almost expired. >> could i answer -- >> it's up to the chairman. >> yeah, that's fine. go ahead. >> yes, i think the key concept that you're looking for, that the ftc and others should build on longstanding fair representation law.

we, obviously, have a huge gap -- jeff mentioned a lot of the polls out there. consumers don't have a clue about all the stuff that's being collected on them. not a clue. and so if you believe in fair representation and you take the facts of all the people that have been dealt with in the internet and they don't know what's going on, there is a serious breakdown in fair representation. >> mr. chester, please. >> very briefly. all the companies here including the members of nai are increasing the amount of data they're collecting on consumers, right? it's not that there's a question of best practices. they are building and expanding the data collection. that's the nature of the business. that's the nature of the online advertising system. to build out these very sophisticated approaches. therefore, you need to have rules. you need to have -- you need to bring pii up-to-date, you know,

'cause you don't need to know your name anymore to know who you are. you need to protect sensitive data and you have to have the ftc be a better watchdog. >> with that, mr. welch, your time is expired. and let me say thank you once again to our witnesses for what truly has been an informative session. long-delayed but well worth our time talking to you and we thank you very much for taking your time all day, in fact, to talk to us. i have clearance for unanimous consent from the minority to place in the record a letter to the subcommittee, the joint subcommittees actually from the federal trade commission concerning the subject today's hearing. a letter from data foundry, a data company based in austin, texas, without objection, those will be made a part of the record and without objection, the record of this proceeding will be kept open for a period of three weeks so that other members of the subcommittee can submit to our witnesses questions in writing.

and as you receive those questions from the members, if you could respond to them promptly, that would be much appreciated. well, thanks again to you for an excellent hearing. this hearing stands adjourned. çíp]%+