Mr. Chairman and Members of the Committee:

My name is Mike Sheridan. I am Vice President for Strategic Businesses and a member of the Executive Committee of Novell, Inc., which is the world’s largest provider of directory enabled network software — and which is located in the great state of Utah! Prior to coming to Novell in 1997, I worked at Sun Microsystems where I was one of the original members of the team that created Java. I testify before the Committee today not as an expert on privacy policy, but as a technologist who is building software products that are relevant to the online privacy debate.

At Novell, we view online privacy as an extension of Internet identity since it is all about empowering users to make decisions about how much information they want to share and with whom.

It will come as no surprise to you that I believe that the first line of defense for online privacy is commercial technology. The genius of Net culture is the immediacy with which it funnels resources to new areas and the furious pace at which it develops new products. Several new firms have already been established to address privacy on the web and are attracting significant amounts of venture capital. To the extent possible, we should let the marketplace address privacy concerns, since it will deliver the fastest, most flexible and most cost-efficient solutions.

The second line of defense is industry self-regulation. Before we regulate the Net, we must let the private sector attempt to develop best practices and industry norms that satisfy consumers’ needs. The Online Privacy Alliance, TRUSTe, BBBOnline and the Platform for Privacy Preferences (P3P) exemplify this effort. We are making steady progress, as witnessed by the increase in the number of privacy policies posted across the Net. Only after we have given commercial technology and self-regulation a chance to work should we turn to government intervention, and even then we must be sure that it supports America’s leadership of the networked economy and the needs of consumers.

The first phase of the Internet was all about getting connected and companies like AOL led the way. For the past few years, we have focused on connecting individuals, schools, government and business to the Net. The next phase, which is just beginning, will be about creating and managing digital identities. Novell believes that the best way to build the world of Internet identities is to develop products that let individual users create, manage and secure them. The directory — a sort of network white pages — is at the center of our efforts to do so. Identities and directories are two sides of the same coin. Identities describe who you are on the Net; directories process this information so that you can connect to the right people, applications and services.

An example of the new technologies that will allow individual choice to govern individual privacy is a product called digitalme™. This product reflects Novell’s belief that the best way to resolve privacy concerns is to address the larger identity issue. digitalme™ allows users to enter and modify personal data in the directory — and control who has access to it. In other words, it lets people specify the personal information they want to reveal. By providing tools that allow users to manage their Internet identity, we can educate them about their online privacy.

Because no one technology or company can guarantee privacy on the web, Novell is also working to promote industry self-regulation. We are currently in discussions with BBBOnline and are already a member of the Online Privacy Alliance, and a premier sponsor and licensee of TRUSTe. Our privacy policy, which is posted on our web site, was created in accordance with the guidelines of these two groups, as well as the US Federal Trade Commission and the EU Directive on Data Protection.

Mr. Chairman, the privacy debate has at times been difficult for the Internet industry, but it has also been very constructive since it has helped reveal consumer preferences, industry responsibilities and the new landscape of e-commerce. We should not cut off this debate by pretending that Internet privacy concerns don’t exist. Nor should we pass premature legislation that assumes we know all the answers. For now, government should encourage private sector solutions, investigate and prosecute deceptive business practices, and monitor privacy abuses to determine the actual harm to consumers. Only after we are satisfied that the private-sector cannot meet consumers needs through commercial technologies and self-regulation should we consider government intervention.