Senators fail to agree on privacy approach

After six months worth of allegations of privacy invasions involving some of the largest Internet companies, it should come as no surprise that politicians are calling for new laws. The fact that it's an election year probably made it inevitable.

But an unusually lengthy Senate Commerce Committee hearing on Tuesday, titled "Consumer Online Privacy," made it clear that there was zero consensus on what approach to take.

Politicians fretted about everything from retailer Amazon keeping records of what customers purchased, unsubscribing from spammers' lists, peer-to-peer software vulnerabilities, the now-defunct NebuAd, cancer patients whose sensitive e-mail is redistributed, Facebook "commercially scanning" its users' information, which regulators should be in charge, and whether mandating credit card-like disclosure statements for Web sites would be a good idea.

Don't look for any actual legislation to be enacted anytime soon, in other words.

The hearing comes as U.S. companies' data collection and use practices are being subjected to increasing scrutiny on Capitol Hill, in part because of high-profile privacy missteps by Facebook, Google's accidental capturing of some unencrypted Wi-Fi traffic, and allegations that everything from Twitter to smart grids and in-store advertising has become overly privacy-invasive. And there was AT&T's data breach last month that potentially exposed some personal information about more than 100,000 Apple iPad owners.

Meanwhile, two lengthy--and highly regulatory--data use bills recently have been proposed in the House of Representatives. Internet industry representatives have warned they could cause economic harm.

Even if the members of the Senate Commerce Committee agreed on legislation tomorrow, there's scant time left to enact it this year. But in addition to allowing senators to position themselves as pro-privacy in relation to a topic that's been in the news, Tuesday's hearing could set the stage for an actual law in 2011.

The question is just what form it might take. Tuesday's committee meeting ranged so widely it's difficult to find an apt analogy: it was rather like an armed services committee veering from discussions of Wikileaks to Taiwanese tank purchases to nuclear arms reduction to what military bases to close.

Sen. Claire McCaskill (D-Mo.), for instance, was worried that after she "looked up a foreign SUV" on the Internet, she visited another Web site and "there were a bunch of ads for foreign SUVs." (McCaskill carefully assured the cameras that if, in fact, she were to go through with a purchase of an SUV, "it would certainly be an American SUV.")

Of coupons and cloud computing
McCaskill then asked Google privacy engineer Alma Whitten what happens if someone prints out a coupon with a bar code and takes it into a store. "Isn't it true that at this point...embedded in that bar code is a whole bunch of information about you?"

Whitten tactfully replied that Google does not "engage in" the practice of offering grocery store coupons.

Committee Chairman Jay Rockefeller (D-W.Va.), who appeared not to be a frequent customer of Amazon or eBay, was worried that an online retailer "records every book you purchase" and "these machines, as I call them, are storing all of this information about you."

Sen. George LeMieux (R-Fla.) wanted "uniformity like I know we've done with credit cards with the box that you see on your credit card statement that is in bold." In the past, LeMieux said, "Congress passed that regulation (which) allows you to see in clear writing what it is and there's some uniformity to it, I think that that is good for consumers."

LeMieux didn't go into details about what kind of boxes Web sites would be required to post, or how mobile devices would display it. (There are some related industry efforts afoot to do that for browsers.)

Sen. John Thune (R-S.D.) was more concerned with what happens when government agencies move to cloud computing--something that this week's security announcement by Google makes more likely.

"Does that improve the data security of that information?" Thune asked. "And are there particular security or privacy threats that we ought to be cognizant of as government agencies make that transition?"

Julius Genachowski, the chairman of the Federal Communications Commission, replied with a boilerplate answer: "Well, cloud computing, I think, can in some instances increase the efficiency and more options for businesses, small businesses that want to store data."

One of the few electric moments came when the committee chairman accused Facebook's chief technology officer, Bret Taylor, of lying.

"When somebody asked you the question, 'Who's responsible for privacy protection,' you said, 'Everybody who works at Facebook is. Everybody who works there is' and I found that somehow suspicious and disingenuous," Rockefeller said."

He added: "I think companies have to be divided up in certain things and people don't spend all of their time on every single question that comes before them saying, 'What's the--what are the privacy consequences of this. I don't believe what you said."

Taylor was briefly taken aback by being called a liar. "I think that's a very fair point, Mr. Chairman," he replied. "What I intended to say is that the engineers and product managers who are developing the products at Facebook take into account privacy at every aspect of the product design. We do have a team devoted exclusively to (security)."

Rockefeller appeared to be mollified by that response. "I like that," he said. "I accept that."

Perhaps the best line came from Sen. John Kerry, the Massachusetts Democrat. "There is a lot of confusion and a lot of anxiety among the public at large about what power they have over the collection of information and over their lives," he said.

Confusion and anxiety about technology? The same could, perhaps, be said about the members of the Senate Commerce Committee.