>> this week on "the communicators," federal trade commission chair jon leibowitz on the ftc's recently-released report on online privacy. >> host: jon leibowitz, before we get into the substance of the ftc's privacy report, i want to talk about the policy or the process a little bit. >> guest: uh-huh. >> host: this is referred to as a staff preliminary report. >> guest: uh-huh. >> host: where does it go next? >> guest: well, one of the things that we do when we write a preliminary report is we take comments because we take comments from stakeholders, consumer groups, industry, perhaps other government officials, maybe state attorneys general because we understand a lot abouts privacy. we've, obviously, worked to

learn quite a bit about internet private, but we also understand that we're not perfect, and so we want to take comments about how i to implement a do not track mechanism and, you know, when we should insure that there's privacy by design. and so it's a good practice, and it's one that helps us insure that we get the best information from the folks who are really involved in the day-to-day workings of the industry. >> host: well, this report has just come out, so what happens next? does it go to congress, does it go to the full ftc board? what happens? >> guest: well, we have sent it up to congress, of course, and there's been a lot of -- it's really resonated, as i think you guys know. and it has gone up to the ftc board. the commissioners, we voted 5-0. we're a very consensus-driven organization to release the report and move forward, and i think that's something we're all

proud of, this pragmatic approach to people's problems and privacy issues this particular. so we'll refine it, we might make a few changes -- >> host: by suggestions given to you -- >> guest: by suggestions given by stakeholders, and we'll move forward with the final report sometime next year. >> host: all right. there are three major points to this report that you have sent up to congress. number one is companies should promote consumer privacy through their organizations and at every stage of the development of their products and services which you call privacy by design. point number two in this report, simplify choice. companies should simplify consumer choice. and then finally, number three, you call for companies when it comes to online privacy to provide greater transparency of their data practices. >> guest: that's exactly right. >> host: let's start with point number one. what is privacy by design? >> guest: i wish we could take credit for that phrase because it's a wonderful one, but it

actually comes from the privacy commissioner of ontario whose brother happens to be rafi, just as an aside, rafi the children's singer, by the way, who's very, very famous. the notion of privacy by design is making sure that you have privacy protections in the technologies that you develop. so let me give you an example of a failure of privacy by design. so if you look at sort of the true pier systems, there was no privacy component or a totally inadequate privacy component early on. and that's why the earlier versions of, like, p to p file-sharing services allowed for a lot of theft of information inadvertently from people's, from consumers' computers and even government computers and corporate computers. so that's why we think baking in privacy protections or privacy by design is an enormously important feature going forward.

>> host: tony romm of politico is also joining us as our guest reporter. >> host: great, thanks for having me. let's dig in a little deeper. it's one thing to say that various companies and technologies should just bake in privacy to everything they do, but what role does the ftc play in making sure that happens and those tools do what their promised today -- they're promised to do? >> guest: so i would say we have two roles here. one role is a policy function. this report is really in a certain sense twofold. it's, it's best practices for companies, and it's advice to lawmakers, members of congress as they think through privacy which i think we all recognize is going to be a major debate next year in congress and should be. and so our role is, one, providing guidance to companies and, two, when they fall below the standard that we expect of them, when they engage in unfair or deceptive acts or practices or they have inadequate data

security, bring enforcement actions, you know? bringing cases against companies under our statute. just sure. speaking of those enforcement actions, as all this plays out on the report, you solicit for action from stakeholders and you finally issue ha final report. what can the ftc do now with the draft framework you've put together? >> guest: so that's a great question. you know, i think it's already having an effect, and we expect it to have -- i mean, we've worked with companies, we work with consumer groups, so we expect it to have a somewhat favorable reaction, but from companies, from consumer groups, from lawmakers, you know, across the board privacy is a very bipartisan issue. we've really, people have really been very supportive of our report, and i think we'll get to do it on track later, but just yesterday microsoft announced that it was going to offer consumers a do not track mechanism which, i think, one, makes it clear that do not track

is technologically feasible and two means we're getting buy-in from companies, and it's much easier for companies to move voluntarily to have privacy by design or give choice to consumers or have more transparency than it is to do by government regulation. so we're ago agnostic. we're happy to have, we're just happy to see companies move forward. >> host: well, speaking of microsoft, we had a privacy series here on "the communicators" back in september. and one of our guests was ann toth of yahoo!. and she talked about what yahoo! does for, to insure privacy. >> guest: uh-huh. >> well, browsers, you know, technology on the internet has a lot to do with browsers and delivering pages to specific users, and it is fairly technical. we go into it in some detail in our privacy policy and talk to consumers about the very specific types of data that's being transmitted by your browser to our servers. that's the kind of data that our

data retention policy deletes in the 90 days so it's not kept in perpetuity. but what we're trying to do is looking for different ways to really make this kind of information a lot more understandable, to simplify it, to really speak to consumers in a language they can understand, and we're looking for symbols, we're looking for shortcuts to get consumers really actionable privacy information that they don't have to dig around and look for that's really readily available to them in the product interaction. >> guest: well, i mean, i think that's exactly right. and, you know, yahoo! has a wonderful and very evolved data retention policy. when you do a yahoo! search, they only keep the data, i think as ann mentioned, for 90 days. and one of the things that we say in this our report is the data should only be kept as long as necessary. and so we want to see more responsible companies out there. a lot of them are, but not all of them.

>> host: so let's dig a little more into do not track. as you mentioned, microsoft just announced that internet explorer 9 would have tracking technology in it. what do you think about that technology? it includes a component that would allow various groups, individuals, even government agencies, i suppose, to draft their own lists of sites that are red lighted and green lighted, you know, those technologies or those networks that you would or wouldn't see. what do you think about that particular functionality? >> guest: well, first, i want to commend microsoft for doing this and trying to give consumers real choice about being tracked by third party cookies. that's part of the reason why we want feedback because that is one approach you can take to block third party cookies and empower consumers. it, obviously, requires the creation of sort of, you know, blacklists and white lists or red light sites and green light sites. and so i think what they're doing is really an important step forward.

we'd like to see other technology companies, and can we have been talking to them and browser vendors, move forward as well, and i think you'll see that in coming days. and we're hoping that the advertiser community will also support this. >> host: and speaking of the advertising community, here's what the interactive advertising bureau had to say about your do not track proposal. the internet is comprised of millions of interconnected web sites, networks and computers, a literal ecosystem all built upon the flow of different types of data. >> guest: well, i don't think microsoft is reengineering the internet's architecture, i think they're just giving consumers choice. look, i understand the interactive advertising bureau. they're a lobbying organization for companies that like to put third party cookies in consumers' computers.

so they're doing what they do, but we're also doing what we do. if you think about third party tracking, you go on an amazon site or netflix, that's the company you have a relationship with. you think about third party tracking, let me give you an analogy. so let's say you're walking around a mall or a shopping mall and there's a guy standing behind you. and he doesn't know your name, but he sort of knows where you live, and he's sort of following you, and he's sending off e-mails to every store in front of you saying, yeah, that's leibowitz, he wants to buy a new suit, and he's using an american express card. you know, i mean, if guy's following you, that would be troublesome, but if he's following your daughter, you'd want to punch him out, right? and that's sort of what's going on with third party tracking. most consumers don't realize there's a cookie in the their computer, and it follows them around on the internet. and by the way, if someone give me the option of not being tracked on the internet, i would probably not take it because i sort of like having targeted

ads, and i think most people do. but consumers ought to have a choice, and that's one of the fundamental components of our report. >> host: as you said, you've been talking to different technology companies, how does industry self-regulation here? half the formulation that the ftc put together in its draft report was that congress could grant the authority or industry could lead the way. so what role does ftc play if industry does lead the way? >> guest: i would say two things. if industry, you know, comes around to this, we will commend them for it because they will be taking a major step in favor of consumer choice and privacy, and that's really important. and, you know, if they don't, we have our bully pulpit. and we sometimes admonish folks who don't necessarily violate the law but could be doing a better job. but that's one part of it. the other part of our bully pulpit, of course, too, is -- and the commission's not in this position yet -- we could go and

call for legislation on this, and i think many of the companies who want to do the right thing to give consumers more choice about third party tracking and can a bunch of other privacy issues would prefer to do it voluntarily than have congress write perhaps more prescriptive rules. >> host: what takeaways did you take from the do not track meeting on capitol hill last week? did you get the feeling that the issue might become rather political in the 112th? >> guest: i got the sense that privacy -- and i know this because identify testified a lot on -- i've testified a lot on privacy issues -- is a bipartisan issue. when i testify about, about internet privacy with the fcc chair julius genachowski before the senate commerce committee at the beginning of august, it was amazing how, you know, it wasn't just chairman rockefeller, but also senator thune, senator johanns, a wide variety of

people across the, you know, on both sides of the aisle. they really care about consumer privacy. and so when i watched and listened to parts of that hearing, and i think it was one of those hearings that started and then there were two hours of votes and people came back, so it was a 10:00 meeting and be ended at 2:00 in the afternoon, you know, i was very pleased by the reception. now, there's no doubt that the folks like the iab had done their homework, and they'd gone to visit members, so there were questions asked that were totally legitimate questions. but i think we are going to see a lot of resonance on capitol hill in terms of supporting consumer privacy. >> host: sure. and there does seem to be that there considering the new members, fred upton is interested in privacy, but there seems to be a disconnect between democrats and republicans on the issue of do not track. ed whitfield, for example, who could potentially take over the consumer protection subcommittee, wasn't a huge fan of the technology.

he didn't speak favorably of it at last week's hearing. do you sense there's a political disconnect on that issue? >> guest: i really don't. time will tell. i think particularly if it's implemented by companies, i think some of the, some of the business community who, that opposes what we're doing probably said, you know, industry is totally opposed to this and, you know, and this is going to change as the quote was from the iab, change the ecosome of the internet. but i think when you start to see companies like microsoft, you know, which is not, which is, you know, the leading browser company with, i think, a 59% market share endorsed this, i think that also sort of helps so that, it helps people understand, members of congress that, you know what? it's not opposed by the business community. the business community wants to do the right thing. >> host: jon leibowitz, one of the things i read in your report on the do not track was that most of us on the commission support the do not track is how

it was written in the report. was there dissension? >> guest: there was no dissent. it was a 5-0 report. one of my colleagues who is a wonderful commissioner and was the chairman, the last chairman under president bush and stayed was concerned that the technology wasn't quite there yet, and i think -- i haven't talked to bill since the microsoft announcement, but my guess is this will sort of help give him some comfort. and, again, i think that it was -- he had a, i think he concurred in his recommendation. but all of us, and this is one of the wonderful things about the federal trade commission, you know, all of us are committed to the mission of the agency, all of us are committed to insuring privacy protections and balancing it because we, obviously, want business innovation and an innovative internet, and all of us are committed to moving this report forward. >> host: how does do not track

compare to the quite popular do not call? >> guest: well, they have similar names, and their both designed to protect consumer privacy. but they're very different. with do not call there's a registry, as you know. and by the way, and there are, i think, very close to 200 million phone numbers signed up for it. it's really helped to insure the peace and quiet of americans' dinner hour. and the humorous dave barry called it the most popular government program since the elvis stamp. with do not track it is conceptually similar insofar as we are, we are calling for something that would help insure consumer privacy and consumer choice, but it's different. we didn't want to have a main registry of numbers because we thought that could be harvested by spammers and spyware malefactors. we also thought that the technology was just about there

or is about to be there for the ability to block third party tracking from consumers. we thought it could be done voluntarily and done through the browsers. and so we're bringing on a wonderful, tony, you probably know this, technologist named ed felton. he's a princeton engineering consultant to be our chief technologiologist. he was very, very involved in thinking through the do not track registry and in reviewing the whole privacy report. >> host: this is c-span's "communicators" program, our guest is jon leibowitz of the federal trade commission. we're talking about the preliminary staff report on online privacy. tony romm of "the politico" is our guest reporter. next question. >> host: sure. one of the things i've heard from people is do not track would put consumers in position where they couldn't access sites if it was enabled. just like consumers have to register to access content, if

they had do not track enabled, they wouldn't be able to view the content they enjoy. what kind of role does the ftc play in thought of that? -- in all of that? >> guest: well, i have heard some of this anecdotally. i mean, again, we want to empower companies to do this in a way that they feel they can effectuate it best. but part of the reason why we do a preliminary report is to take comments about the best way or series of ways to do this. you could standardize a do not track mechanism in a browser, you could have some sort of standardization, or you could have different approaches. and so, and i think whether it's microsoft that had this announcement about sort of, you know, a red light and green light list and you could pick your list so that, presumably, you wouldn't be blocked from accessing the sites you want or whether it's the approach that mozilla has been thinking about

where you would have a protocol that says do not track me, and companies would have to say we agree to this protocol, we won't track you. this is a time for sort of rolling out the technology, thinking about the way it would work best. again, what we want is consumer choice. and, you know, as those -- those in the community that oppose do not track, and as you know, there's much more in our report although do not track, although that's the thing that's resonated the most. you know, it's what, for example, the iab -- i have a lot of respect for them, but they're a lobbying organization -- is raise concerns. if they have empirical concerns, i'm sure the innovative business community can start to work them out. >> host: another area in your report is transparency. and when companies provide their online privacy statements to consumers, you have described them in the report as incomprehensible and in

ininadequate. >> guest: i think that was my description of -- i think that was my description of how we described it in the report. our report is slightly more nuanced, but as we all understand, consumers don't read privacy policies, particularly online. what consumers want to get to is the last box to click which is i want to make this purchase, or i want to do this. and so, you know, these privacy policies are written by lawyers. i'm a lawyer, too, i don't like to admit that to people, and they're full of legalisms. and consumers really deserve a clearer, you know, more transparent notices so that they can -- and shorter ones so that they can sort of understand what they're actually agreeing to. there was a -- and it's particularly true, by the way, in the mobile space where, you know, as so much internet advertising and so much of the internet migrates to mobile, i mean, how can you do 20 clicks to get to the privacy policy, right? i mean, it's just, it's almost

inherently unfair to consumers. there's a british gaming company on april fool's they wrote a clause, it's an online gaming company. they wrote a clause into their uniform, the licensing agreement that said if you opt out, we will give you six pounds. i don't know, about $10. if you opt out of this privacy policy. but if you don't opt out, then we have your soul. you have given us your soul for all eternity. do you know what percentage of people opted out? 11%. and that's a very sophisticated community, right? the online gaming community. so we all understand companies could do -- and they know it too. companies could do a better job with privacy policies. >> host: sure. one of the things i know you and others at the ftc acknowledged last week was that the agency had talked a little bit with awould bety about flash cookie technology. could you give us a little more about what the ftc's doing in that space? >> guest: well, one of the

obstacles to a, to a do not track mechanism for third party cookies is that the browser, at this point be not all browsers can block, and i think most browsers can't block third party -- can't block adobe flash cookies. so our staff is working with adobe to try to come up with a way to do that, and i think the very smart people who develop browsers and internet technologies for the be major browser vendors are also sort of looking at that too. >> host: sure. but with respect to adobe and other companies, are there other enforcement actions coming down at this time with respect to privacy? >> guest: yes. this is sort of a policy issue with respect to adobe, but we have a number of investigations involving internet policy in the pipeline. we had a few announcements in the last few weeks, but you'll see more. >> host: anything you'll be able to detail? >> guest: nothing i'll be able to -- >> host: had to try. [laughter] >> host: one of the areas you

have worked on in this report, thirdly, is simplified consumer choice. >> guest: uh-huh. >> host: that companies are not providing, in your words, consumers with choice whether or not they want to be tracked. is that something that you would like to see mandated? >> guest: it's something i would like to see at this point, and the commission, i think, would like to see more of for consumers. there's some areas, by the way, where you don't need to have choice. so, for example, if i go to the an internet site and i order a product, i don't think i should have to get a choice for how they ship it or whether my information can go to the shipper. it's, obviously, it's sort of what we anticipate will happen when we buy a product from amazon or somewhere else. there are other areas, tracking is one but not the only one, where we think consumers should have choice about what's going on with their data. there's a whole ecosystem, and some of it's very good. nobody wants to get rid of the

free content on the internet that consumers have.com sort of both love and expect. but there's a lot of things that just don't involve consumers. they don't see it. they ought to have more choice about that. >> host: jon leibowitz, in the past you've used notice and choice and harm-based tools to assist consumers. how effective have they been? >> guest: we think they have been very effective in some areas and somewhat effective in other areas, so, for example, there was a problem four or five years ago with, with a kind of spyware called nuisance adware where you would go on, you would click on something, some piece or something on the internet, and it would put some software in your computer that would feed you advertisements. and, you know, maybe it'd only feed you 10 or 15 advertisements a day, but one, one company we brought an action against acknowledged that they, that

they were responsible for six billion ads in consumers' computers. in the aggregate, that's a lot of harm. so both the harm-based approach and the fair information practice principles, notice and choice approach have been two different ways in which we, we have looked at privacy of issues. and this way sort of incorporates those and evolves a little bit beyond them as well. >> host: sure. i suppose the next step of the talk is to look at do not track in relation to the other issues here. >> guest: uh-huh. >> host: it seems the debate has focused almost entirely on do not track. do you think it's been to the debt -- detriment of the rest of the report? we talk a lot about the new technology but not so much thing about things of privacy? >> guest: it has resonated enormously across different stakeholders and really among

consumers. there are a lot of other things in the report, but it's only been out for a week. it's only, as you pointed out, in preliminary form. so i think the notion of sort of educating consumers and having companies provide a little more balance and choice to consumers will, will continue to be discussed. our expectation is that we'll go up and do hearings next year before members of congress in both houses. and so, no, you know, i did -- when we did a press availability right after we released the report after about half an hour -- you might have been on that call -- i had to say, remember, there's more to this report than do not track. but in the end i think, you know, it's a very substantive report. our staff did a terrific job as did our commissioners. and we had this report percolating at the commission for quite some time, and i think the whole thing will resonate and, hopefully, we can move forward with a little more choice, transparency for consumers and more baked-in privacy protections too. >> host: jon leibowitz, are

there any differences in the policy recommendations for wireless? >> guest: um, i think our policy recommendations are -- i would say this: our policy recommendations are consistent across different platforms. but when it comes to wireless and to handheld devices, you have to think about them in a slightly different way. so, for example, one issue is let's take privacy policies. consumers ought to know what the privacy policy is. how do you get a privacy policy in a screen where consumers will actually see it before they, i don't know, agree to give their -- you know, agree to give their information to a marketer? and so you just have to, i mean, sort of not unlike our antitrust laws which have served us so well for more than 100 years, you know, the rules and the approaches in this case the guidance, i think, works very

well across platforms, but it has to be thought of slightly differently with respect to sort of, you know, each technological program we're looking at. >> host: and finally, is there any protection for all of the personal and private information that's already out there? >> guest: well, there is a sort of worse out of the barn notion. the protection is this, if a company has inadequate data security and we've brought, i think, 29 or 30 data security cases in the last decade, we, you know, we will hopefully find out about that before there is some harm done. inadequate data security is within our unfair or deceptive practices statute for the most part. but, no, there's a lot of information out there including social security numbers that is personally identifiable or could be aggregated to make personal identification. but that doesn't mean you shouldn't be involved in those to insure the companies have better data protection policies

and to insure that going forward companies strike the right balance. and some of them already do between using, acquiring useful data and using and giving consumers more choice and transparency. >> host: jon leibowitz is chairman of the federal trade commission, tony romm, tech reporter with "the politico". thank you, gentlemen, for being on "the communicators." >> guest: thank you for having me. >> up next on c-span2, house intelligence committee senior republican pete hoekstra talks about cybersecurity efforts following the wikileaks release of state department documents.