ORAL STATEMENT

Dr. Irving Wladawsky-Berger

General Manager, Internet Division

IBM Corporation

April 21, 1999

 

Mr. Chairman, Senator Leahy, and Members of the Committee, thank you for the opportunity to comment on the question of privacy in the emerging Digital Age.

With your permission, I’ll submit a written statement for the record and summarize its content.

My name is Irving Wladawsky-Berger and I am General Manager of IBM’s Internet Division.

Let me begin by saying that all of us — individuals and businesses alike — derive incredible benefit from the free flow of information over the Web.

At any hour of the night or day, people can check the status of a shipment, analyze their investment portfolio or compare prices over a whole universe of suppliers.

Likewise, businesses gain efficiencies they could only dream of before the Internet — efficiencies that restrain prices and bring them closer to their customers.

All this requires information, lots of it. So, clearly it’s in everyone’s interest that the privacy of information be protected.

After all, the consumer’s embrace of the Internet, and the electronic marketplace it makes possible, will last only as long as they trust us and all the other participants in that marketplace to respect their privacy.

IBM is no stranger to this issue, having pioneered far-reaching privacy policies since the 1960s — policies detailed in my statement for the record.

Not surprisingly then, in 1997 we adopted a worldwide privacy policy for our thousands of web pages and established a new executive position to oversee our compliance.

At the same time, we recognized the need for industry to unite on some basic principles and actions. In fact, we played key roles in the establishment of the Online Privacy Alliance, and the TRUSTe and BBBOnline privacy seal programs, and actively supported Call for Action.

Most recently, IBM announced that, effective June 1, we would no longer advertise on U.S. and Canadian Web sites that did not post privacy policies. And, as the second largest advertiser on the Web, our action should influence the practices of others.

That commitment to privacy and our experience in making the promise of the Net real for thousands of customers give us an excellent vantage point from which to view the issue.

And it seems to us at IBM that the key question to be answered at this point is: how can our society strike the right balance between the value of a free flow of information and privacy?

In our opinion, a broad new statute is not the answer.

The Internet is too global, too instantaneous, and too decentralized for a fixed, rigid statute to regulate. The Net and its related technologies simply change too quickly to be amenable to centralized control.

We strongly believe that the best way to strike the balance between the free flow of information on the Net and privacy protection is through market forces, which are invariably the product of consumer preferences.

This “self-regulation” would ride atop a broad base of consumer protection laws and targeted sectoral regulation.

This approach envisions a mix of business involvement and commitment; government support and targeted action; international cooperation among businesses and governments; and individual responsibility.

Government should defer to private-sector leadership for any number of reasons:

First, the private sector has many incentives to respect privacy, not the least of which is self interest. The members of the business community simply have too much to gain from the freest possible flow of information, and too much to lose if concerns over privacy limit the growth of the networked economy.

Second, excessive regulation can exclude many small and medium firms from the e-business marketplace. One of IBM’s strategic markets is precisely the small and medium businesses for which a pervasive regulatory regime would increase costs and decrease the opportunity to participate in this emerging electronic market. We want e-business to benefit Main Street, not just Wall Street.

Third, private-sector self-regulation can adapt and change much more quickly and responsively than government regulation.

The TRUSTe web privacy program, for example, launched in 1997, has already revised totally its privacy policies and practices to reflect the principles of the Online Privacy Alliance. A regulatory agency could not have accomplished such a significant change in that time frame.

Fourth, the Internet — and the e-business marketplace — are fresh, new phenomena and should be regulated very, very carefully and only with good cause.

In five years, the Internet has become a mass market, one in which an estimated $68 billion will change hands this year.

Clearly, the Internet is taking off, but so are self-regulatory efforts. In 1998, the US private sector, in consultation with government, agreed on robust self-regulation for online commerce and the ensuing progress has been encouraging.

IBM urges the Committee to encourage such efforts, and to be extremely wary of additional regulation.

The fifth reason for deferring to market forces is the fact that on the Internet, information is borderless and the Web itself decentralized — complicating immeasurably all efforts to impose traditional regulation.

Members of the Committee, the last few years have seen any number of promising market-based privacy initiatives and, as I said, a lot of progress as well.

One of the most promising efforts — one which IBM strongly supports — is the Online Privacy Alliance — a cross-industry group established in 1998 to agree on a basic framework for privacy policies tailored to individual industries.

My written statement treats the Alliance in some detail. Let me simply state the basic principles of the Alliance members:

First, each company should adopt and implement a privacy policy and post it at its Web site.

Second, each visitor to a site should be informed of what personal information is collected at the site, its use, and whether it will be disclosed to others.

Third, visitors to a site should have a choice in whether information about them will be disclosed to others.

Fourth, the Web site owner should take reasonable steps to keep information secure.

Fifth, the owner should take reasonable steps to keep data accurate, and should provide individuals as much access to their personally identifiable data as is appropriate and feasible.

Finally, all Alliance companies are pledged to use self-enforcement mechanisms that give easy recourse to consumers in the event they believe the company has violated its privacy policy.

Following these principles, industry has made genuine progress in the last year. In fact, the large majority of people visiting commercial web sites in the United States now will click on sites that post privacy policies. To my mind that is a manifestly successful start for self-regulation.

Members of the committee, privacy regulation, as with most policy issues, has two opposite poles. At one extreme, a pervasive regulatory regime could assure the public that nothing improper would happen to their personal information by making sure that nothing at all would happen to it . . . nothing bad certainly, but nothing good either.

At the other extreme is the laissez-faire solution, which might suffice in a perfect world but, as the Founding Fathers knew, human nature is far from perfect.

Somewhere between those two poles lies the answer, some balance between legitimate government action and the rewards and sanctions of the marketplace.

Frankly, I am inclined to find the balance much closer to the marketplace.

After all, the great majority of the business community recognizes that its real interests lie in maintaining the trust and confidence of its customers — and therefore in respecting the privacy of personal information. That’s why any government privacy policy should provide maximum latitude for stringent self-regulation . . . the kind of discipline that business is already adopting.

Thank you again for the opportunity to appear before you. I would be pleased to answer any questions you may have.