STATEMENT OF DR. IRVING WLADAWSKY-BERGER
GENERAL MANAGER, INTERNET DIVISION
IBM CORPORATION
before the
JUDICIARY COMMITTEE
UNITED STATES SENATE
"PRIVACY IN THE DIGITAL AGE"
APRIL 21, 1999
Mr. Chairman, Senator Leahy, and Members of the Committee, thank you for giving me the opportunity to comment on the question of privacy in the emerging Digital Age.

My name is Irving Wladawsky-Berger and I am the General Manager of IBM's Internet Division. In that capacity I am responsible for IBM's Internet strategy, and for driving its implementation across the company. I am also privileged to serve on the President's Information Technology Advisory Committee.

As you may know, IBM is the largest information technology company in the world, with over $81 billion in 1998 revenue and over 290,000 employees worldwide.

We believe this gives us a unique vantage point from which to comment on privacy in the digital age, working as we do with leaders of large, medium and small companies and with governments worldwide, helping them navigate the historic shift to a networked world, and offering them business solutions in the form of expertise, services and technology.
I. The Value of Information in the Information Age

With every passing day it becomes more certain that the Internet will take its place alongside the other great transformational technologies that first challenged, and then fundamentally changed, the way things are done in this world. But with all respect, let me begin my comments by suggesting that, while technological advances in our industry continue at an amazing pace, it is information, not technology, that is at the heart of this revolution.

Information has never been more important than today, when we are engaged in a fundamental transformation of commerce, education, health care, and government--indeed, just about every institution in society that serves individual Americans either as consumers or citizens. For every business, information has assumed an increasingly strategic role. Information is their competitive advantage. It is what allows them to differentiate themselves from all the others in the marketplace who are trying to serve the public.

Leveraging the Internet and other networks so that businesses can better work for all their constituents is what we in IBM call e-business. Indeed e-business is our key market strategy.

We have worked in the marketplace with many thousands of our customers around the world to help them implement e-business strategies. And, one of the things we have learned in the process is that the more information is available to business, government and other institutions, and the more intelligently it is used, the better the job they do serving their customers, dealing with business partners, and running an effective organization. The cumulative effects of all these improvements are greater convenience for consumers, more satisfied constituents, and lower costs that can be passed on to customers in the form of price reductions.

For example, customer self-service applications let consumers obtain whatever information they need at any time of the day or night, whether it is locating a package they have shipped, analyzing the status of their investments, or getting expert advice about a purchase they are contemplating. Moreover, with the amount of information in the World Wide Web growing at a prodigious rate, businesses are increasingly capable of using automated "personalization" techniques, leading questions based on the customer's known needs and wants, to help consumers better navigate through the growing sea of information.

Similar personalization techniques permit retailers to cement relationships with customers by offering promotions on items shoppers are most likely to want. In fact, the Safeway supermarket chain in the United Kingdom typically gets a remarkable fifty percent-plus response rate to their direct promotions based on this simple premise: offering discounts on items they know customers are likely to buy anyway--and Safeway knows what they are likely to buy because of the information people have entrusted to them.

This same retailer, in devising additional customer loyalty programs, discovered that people hate to write shopping lists and invariably forget certain items. So, in cooperation with our research labs, they are piloting a program in which customers get shopping lists matched to their buying patterns. The lists are downloaded to a portable device the customer picks up as he or she enters the supermarket. This same device scans the items as the customer selects them, thus significantly reducing the time spent checking out.

Health care is an area of enormous promise as well. We are working with practitioners around the world to establish high-security health information networks that connect physicians, laboratories and hospitals. With much more timely health information available, patients can receive faster, more effective treatment, and the significantly lower administrative expenses could help restrain medical costs.

But the real promise of these health care networks is the possibility of subjecting all that information to highly sophisticated supercomputing analysis--what we call Deep Computing, since it is similar to that developed in our research labs for our Deep Blue chess-playing application--and developing a truly "intelligent" assistant able to deliver expert medical advice to health care professionals. Such expert assistance could be available over networks to practitioners everywhere, in a famous urban medical center or a small rural practice.

In addition, such sophisticated information analysis can infuse far better forecasting and planning into business processes of all sorts. For example, our research laboratories are working with an airline to apply Deep Computing techniques to the scheduling of crew assignments. That improves not only the airline's efficiency, but working conditions as well by matching assignments as much as possible with the preferences of their flight personnel.

That's a great convenience for the flight crews certainly, but it also saves the airline over $80 million annually, costs that would otherwise find their way into airline fare schedules to be paid by the consumer.

In the final analysis, if the digital age is about anything, it is about using information to empower individuals, be they consumers or citizens.
II. Addressing Privacy Expectations: IBM's Longstanding Commitment

Incredible prospects exist for enriching the lives of customers, patients, citizens, or just plain individuals by using their information for their benefit, not for their exploitation. And the opportunity to obtain and use that information constitutes a competitive advantage for business. With all that at stake, it stands to reason that the business community has keen incentive to meet people's privacy needs.

This is why IBM takes people's concern for the privacy of their information very, very seriously. IBM understands that consumers will continue to embrace the Internet, and the electronic marketplace it makes possible, only to the degree that they trust those who use the technology to respect the privacy of their personal information. Equipping consumers with knowledge and choice about how their personal information is used is key to building such confidence and trust.

We strive to lead by example via our own policies and behaviors. And we have done so for three decades--a long-term commitment to individual privacy, one that predates, in many ways, the policies of industry and government.

1960s

IBM adopted our first formalized and global privacy policy, on handling of employee data, establishing employee access to their personnel folder, well before the practice became common in the workplace.

1970s and 1980s

We formulated specific guidelines and principles, applicable worldwide, on the handling of employee and other data (such as medical records). We instituted management training to ensure compliance. IBM also participated via business groups in the formulation in 1980 of the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and the Transborder Flow of Personal Data. These Guidelines underlie much of the international community's thinking about privacy protection and IBM supports the spirit and intent of the OECD Guidelines.

1990s

As the decade of the Internet began, it was characterized by much hype and a lot of trial and error, but now by the end of the decade the Net has emerged as a new mass medium that is transforming how we work, buy, sell, play and learn. As use of the Internet and other networked technologies grew, the need for IBM to renew and refocus its commitment on today's privacy issues became clear.

Therefore, in 1997 we adopted and implemented a worldwide privacy policy for our thousands of web pages operating as part of ibm.com. A copy of our corporate privacy policy statement from www.ibm.com is attached as an Exhibit. Within IBM, we supported adoption of our Web privacy policy with executive communications and the establishment of a new executive position responsible for our internal privacy practices, reporting to IBM's Chief Information Officer.

And we recognized the need for independent third-party backups to company policies, and thus sponsored the formation and launch of both the TRUSTe and BBBOnline privacy seal programs. We also played a key role in the organization and launch of the cross-industry Online Privacy Alliance, the principles of which I describe below. TRUSTe and BBBOnline are independent non-profit groups that can provide consumer assistance and dispute handling for privacy-related questions, and in the case of BBBOnline can respond to any and all consumer queries or complaints. We backed up our own policy by enrolling in the TRUSTe program last year.

IBM also organized or sponsored a number of customer briefings on the issue. In 1998 alone, for example, we hosted a conference in New York City for over 100 senior executives from various business and government organizations. We hosted Secretary of Commerce Bill Daley for a roundtable with over 30 senior executives. With the Software Publishers Association (now the Software and Information Industry Association) we co-sponsored a series of a dozen workshops on web privacy policies.

Recognizing the needs some businesses will have in this area for expert assistance, we also formed a dedicated consulting team in our IBM Global Services division to guide organizations (large and small) through the process of creating and implementing practices that comply with applicable privacy policies or regulations. This team relies on the concept of a "Privacy Architecture" to help organizations adopt the appropriate mix of policies and technologies to manage the privacy and security commitments they make.

We also supported efforts to educate consumers on how to protect their privacy online, most notably funding an effort by Call for Action, a consumer assistance organization, to publicize its "ABCs of Privacy." I've included a sample sticker pamphlet as an exhibit, and you can find more of their information on www.callforaction.org. To their credit, Circuit City supported Call for Action's efforts during the 1998 Holiday season by allowing the organization to distribute this material through their 500-plus stores in the United States.

And most recently, IBM last month stepped forward and announced that, effective June 1, we would no longer advertise on U.S. and Canadian Web sites that did not post privacy policies. As the second largest advertiser on the Web, we believe that our action will influence the practices of other market players. Attached as an Exhibit is the letter sent by our advertising agency, OgilvyOne, to over 350 Web site owners, informing them of our policy.
III. Spreading the Adoption of Online Fair Information Practices

The key question before all of us at this point is how our society as a whole--business, government and individuals--will strike the right balance between the free and fair flow of information and the reasonable expectations of privacy. In particular, what is the right balance between legitimate government action and the rewards and sanctions of the marketplace?

IBM, led by our CEO Lou Gerstner, has thought about this question a great deal, drawing on our decades of experience with privacy, technology, and business practices. Frankly, we want rapid progress in adoption of "fair information practices" by organizations that handle personal data--so that the e-business marketplace, and consumer acceptance of it--will continue to grow at double-digit rates. We also appreciate that U.S. policy makers and other important stakeholders also want rapid progress--especially since electronic commerce has been recognized as a major economic driver of the U.S. economy's success entering the 21st century.

A new statute is not the answer. It would be relatively easy, I suspect, for some to fall into the trap of thinking that the answer is to enact a simple statute that tries to make those who operate on the Internet, through whatever means, "respect privacy." But that would give a false guarantee to our citizens--a single "one size fits all" approach could never really meet their expectations for privacy protection, especially in such a complex and fast moving medium as the Internet.

The Internet presents some special challenges that stem from its wonderful and unique attributes. All at once it is: global, instantaneous, and decentralized. Information flows through many packets in order to get routed to its final destination, relying on a very international distribution system that is by its nature decentralized and under no one's ultimate control. The Net and its related technologies change quickly as well. For example, the Internet2 and Next Generation Internet initiatives, under development now in the United States, will soon make it possible to share richer stores of data, much more quickly than before. New technologies and new online startups are challenging us all with their continual changes and new business models.

We strongly believe, therefore, that given these attributes the best way to strike the balance between information flow and privacy protection on the Net is through private sector leadership--what many call "self-regulation"--built atop a base of broad consumer protection laws and targeted sectoral regulation. In order to succeed, we need a mix of business involvement and commitment; government support and targeted action; international cooperation among businesses and governments; and individual responsibility.

IBM strongly supports such a "layered" approach to privacy protection. Where specific, sectoral concerns are identified and are not adequately addressed by self-regulations, some amount of legislation or regulation may be needed. For example, IBM has for several years supported the enactment of medical records privacy legislation--medical data are among the most sensitive data an individual can share, and for that type of data we support a comprehensive statutory framework.

But with respect to the Internet and electronic commerce generally, we believe that self-regulatory efforts should be given more time to address the reasonable privacy expectations of consumers. There are a number of reasons to defer to private-sector leadership:

The private sector has many incentives to respect privacy.

Frankly, since businesses have so much to gain, and so much to lose, if privacy concerns limit the growth of the networked economy, I believe that the members of the business community need to establish themselves as worthy stewards of privacy. We should be encouraged by business efforts in the last year or so (which I describe below) and we should also recognize that it takes time to grow any movement.

The great majority of the business community recognizes that its real interests lie in maintaining the trust and confidence of their customers -- and therefore it is smart business to respect the privacy of personal information.

A number of high-profile examples from the last few years illustrate my point--ranging from AOL, to Geocities, and to the rapid actions taken by Intel and PC makers (including IBM) to address consumer concerns about privacy implications of the new Pentium III chip.

An appropriate role of government vis-à-vis the private sector in this context would be for all levels of government to lead by example and adopt fair information practices as much as possible. Recent examples involving the reported sale of driver's license records are good reminders of the importance of providing individuals with "notice" and "choice" over what is done with information they disclose to others. Clearly, the nature of government's responsibilities carries with it duties to secure public safety and investigate potentially harmful actions--but those investigations ought to be executed within our Constitutional protective framework.

Excessive regulation can deter Main Street and others from joining the e-business marketplace.

While we agree that the government has a role in protecting the privacy of its citizens, we worry that a pervasive regulatory regime would be cumbersome and stifling, especially for mid-size and small businesses. We want e-commerce to benefit Main Street as well as Wall Street. We want to make sure that businesses of all sizes, from the largest to the very smallest, participate in the networked economy. And, we worry that excessive regulation, with its increased costs, could exclude many from the opportunity represented by the Internet.

Private-sector self-regulation can adapt and change much more quickly and responsively than government regulation.

The genius of our nation's Founders produced a political system in which legislation usually develops deliberately and slowly, while policy makers weigh the concerns of opposing factions and competing interest groups. Self-regulation, on the other hand, has the advantage of speed, and the benefit of being able to adapt more quickly to technological changes and consumer and other expectations.

The core forces driving the Internet and e-businesses, of themselves, enable more flexibility in addressing privacy concerns. Empowering technologies such as the Platform for Privacy Preferences, under development as an industry standard by the World Wide Web Consortium, will continue to put in the hands of consumers the power to control their information. Simple technology-related tools one can use today, such as anonymizers and cookie cutters--while not perfect--can be used by all who want to use them. And finally, new business models are springing up that allow people who freely choose to provide information, to get something of value in return. Do you want a free PC today? Or a coupon for products? You decide.

In my view, the best example of private sector responsiveness is the TRUSTe web privacy program. Just launched in 1997, the program has already comprehensively updated its privacy policies and practices in order to be consistent with the fundamental principles espoused by the Online Privacy Alliance--the latest "best practices" in online privacy. A regulatory agency would not have been able to accomplish such significant change in that time frame.

The Internet--and the e-business marketplace--are new phenomena and should be regulated very, very carefully and only with good cause.

One school of thought says that a new mass medium has been born when it's used by 50 million people. Radio took nearly 40 years to cross that threshold. TV took 13 years; cable TV, 10 years. The Internet did it in less than five. By one very conservative estimate the number of Internet users worldwide will surge to 210 million in 1999. Internet commerce will more than double, to $68 billion in 1999. And spending on online advertising grew to nearly $1.6 billion in 1998, an annual growth rate of 83%.

Clearly, the Internet is taking off, but so are self-regulatory efforts. I'll turn to a description of these efforts next, but my point is: the U.S. private sector came together in mid-1998, in consultation with government, to agree on robust self-regulation for online commerce. Barely one short year later, we are seeing encouraging early returns, that should elicit additional support for these efforts from policy makers. IBM urges the Committee to encourage such efforts, while being extremely suspect of imposing additional regulation.

Where additional government involvement is deemed necessary, it should address a specific, identified harm or concern--e.g. so-called "identity theft" or the rights of citizens against government seizure of online information. An additional role for government, as called for in the recently issued recommendations of the President's Information Technology Advisory Committee, is to support research on fundamental attitudes and technologies related to privacy.

On the Internet, information flows freely across borders; the decentralized nature of the medium complicates efforts to address privacy via traditional regulation. It also highlights the importance of U.S. government actions.

National borders do not reflect the basic fabric of the Internet, where information flows freely across borders. Its distributed, decentralized nature means that traditional regulation will have a hard time succeeding in meeting the expectations of citizens that their data will be protected and kept as private as they specify.

The United States today leads all other nations in our use and development of the Net--I can confirm that personally, based on my dealings with people all over the world. It is clear--based on a number of measures--that we lead in the technology, attitudes and practices that are key to succeeding in the New Economy. Other nations watch what we do in this space, and whatever steps our government takes in regulating Internet-related activity will be carefully studied and potentially copied. To date, our government's willingness to allow the medium to grow led primarily by market forces and technological advances has been a very important precedent abroad, leading governments that are more inclined to impose pervasive regulation to hesitate and in some instances refrain.

Of course, I do not believe that there is no role for government regulation. But I do believe that the best approach involves careful, tailored legislation that allows maximum time and flexibility for self-regulatory efforts to work.
IV. Responding to the Self-Regulation Challenge

In line with the U.S. system of private-sector leadership supported by statutory requirements, we are seeing a number of promising initiatives.

A number of industry-specific groups have developed privacy principles and initiatives. In the information technology industry, for example, groups such as the Computer Systems Policy Project, the Information Technology Industry Council, and the Software and Information Industry Association have all adopted privacy principles for their members' use and guidance. Attached as an Exhibit are examples from the CSPP and ITI principles--for example, the CSPP developed a full-page ad for USA Today that explained their principles, and mailed the information with a letter from eight CEOs to the Fortune 1000 companies of the United States.

One of the most promising examples of self-regulation, and one which IBM strongly supports, is a cross-industry group that came together in 1998 to agree on what constitutes a basic framework of privacy policies that could be tailored to the needs of individual industries. These eighty-plus companies and major trade groups of the Online Privacy Alliance have created guidelines for privacy policies and an enforcement framework with real teeth that each of the Alliance companies (including IBM) has pledged to implement. In doing so we consulted with privacy experts, government and advocacy groups, and arrived at a framework that received generally positive support. Attached as an Exhibit for the Committee's reference are the Alliance Mission, Members, and Guidelines, also found at www.privacyalliance.org.

The basic principles that the Alliance companies support for online commerce are, in abridged form:

1. Adoption and Implementation of a Privacy Policy -- every Web site should post such a policy statement.

2. Notice and Disclosure of Information Practices -- the statement should give the Web site visitor notice of what personally identifiable information is collected at the site, the use of that information and whether it will be disclosed to third parties.

3. Choice/Consent -- over whether information is shared or disclosed to others -- the individual generally should have a choice, at least the ability to opt out, about whether information about them is disclosed or used for other purposes.

4. Data Security -- reasonable steps should be taken to keep data secure from unauthorized users or access.

5. Data Quality and Appropriate Access -- reasonable steps should be taken to keep data accurate and up-to-date, and as appropriate and feasible access to personally identifiable data should be given to the Web site visitor.

6. Enforcement of the Guidelines by an Easily Available and Usable Mechanism -- all Alliance companies pledge to employ self-enforcement mechanisms that provide consumers with easily understood and used recourse.

Many Alliance companies are working with "seal programs" -- independent third parties like the Better Business Bureau's BBBOnLine, and TRUSTe -- that monitor a company's compliance with its privacy policy and confer, as it were, a seal of approval. These seals are not empty standards--both BBBOnline and TRUSTe aim to impose requirements that are consistent with the Online Privacy Alliance's standards.

Industry has made real progress in the last year. According to Media Metrix, the independent Web ratings agency, when someone visits a Web site this month chances are over 90 percent that it will be operating under the guidelines of the Online Privacy Alliance. More data will soon be available about industry's progress, when Georgetown University releases a new survey of Web practices next month. I don't know what all of those data will show, but one thing is clear to me: for the large majority of Web users in the United States visiting commercial web sites, they will click on sites that post privacy policies. And if that's not a good test of the successful start of self-regulation, then what is?
V. Conclusions

The "layered" approach that I've advocated in this testimony is nothing new for the United States: Attached as an Exhibit is a White Paper and legal analysis prepared by the Online Privacy Alliance that explains the "layered approach" to protecting data privacy in the United States.

As this White Paper states:

The layered approach to data privacy protection -- in which publicly announced corporate policies and industry codes of conduct are backed by

(a) the enforcement authority of the Federal Trade Commission and state and local agencies;

(b) specific sectoral laws that protect the privacy of particular types of information, enforceable by state and federal agencies; and

(c) private civil actions for injunctive or monetary relief brought by individuals or classes of consumers

-- differs from the comprehensive government regulatory schemes typically used in Europe. Notwithstanding the absence of any regulatory agency dedicated to the enforcement of privacy standards, however, the "layered" public-private enforcement approach has a long and successful history in the United States.

For example, many professions that traditionally have been trusted to safeguard the confidentiality of personal data--lawyers, doctors and accountants, for example--abide by self-regulatory codes backed up by government or judicial enforcement mechanisms, and the result has been a high level of protection that has stood the test of time.

The framework of self-regulation in the United States, buttressed by the threat of governmental or private enforcement, has succeeded both in protecting personal information and in affording adequate redress to those individuals whose privacy has been invaded. Accordingly, a layered approach--as adapted to address the unique conditions of the Internet--should achieve a level of data privacy protection online that satisfies the principles of the [European Union Data Privacy] Directive.

Online Privacy Alliance, Legal Framework White Paper at 2 (Nov. 1998).

In an economy as networked, global, and competitive as the one we are building, customers usually can impose sanctions and punish a company much faster and more effectively than government. In a free and competitive marketplace, customers will gravitate toward those brands that provide them the best possible service, and whose brand they can trust. By the same token, with our free and ever-increasing flow of information, empowered people will quickly realize who they should avoid.

Clearly, the less government obtrudes into the marketplace the greater will be the flow of Web transactions delivering goods and services, health care, government services, financial services . . . indeed everything that depends on trust. And flowing from that will come new opportunities, new businesses, and new jobs in all sectors of the economy.

Privacy is not a cut and dried issue. What is and is not private changes from person to person. For one person the scope of privacy is very narrow, for another very broad. For some people privacy is negotiable and they may be willing to trade information about themselves in return for something of value.

Certainly a pervasive regulatory regime could assure the public that nothing improper would happen to their personal information by making sure that nothing at all would happen to their personal information . . . nothing bad certainly but nothing good either.

At the other extreme is the laissez-faire solution which might suffice in a perfect world, but as the Founders knew, human nature is far from perfect. Somewhere between those two poles lies the answer . . . some balance between legitimate government action and the rewards and sanctions of the marketplace.

Frankly, I am inclined to find the balance much closer to the marketplace.

After all, the great majority of the business community recognizes that its real interests lie in maintaining the trust and confidence of their customers--and therefore in respecting the privacy of personal information. That's why any government privacy policy should provide maximum latitude for stringent self-regulation . . . the kind of discipline that business is already adopting.

Thank you again for the opportunity to appear before you. I would be pleased to answer any questions you may have.