INTERNET IDENTITY, PRIVACY
AND PUBLIC POLICY

Testimony of

Mike Sheridan

Vice President, Strategic Businesses

Novell, Inc.

Before the

US Senate Judiciary Committee

April 21, 1999


Mr. Chairman and Members of the Committee:

I am Mike Sheridan, Vice President for Strategic Businesses and a member of the Executive Committee of Novell, Inc., which is the world’s largest provider of directory enabled network software. Prior to joining Novell in 1997, I worked at Sun Microsystems where I was one of the original members of the team that created Java. I testify before the Committee today not as an expert on privacy policy, but as a technologist who is building software products that are relevant to the online privacy debate.

What do we mean by online privacy? At Novell, we view it as an extension of Internet identity. It is about empowering users to make decisions about how much information they wish to share and with whom.

Online privacy is a front-page story. With all the press attention has come a chorus of calls for government legislation and regulations. We should exercise great caution in responding to them. We are in the early stages of the next big phase of the Internet — a phase that will focus on the creation and management of digital identities and relationships. It would be a mistake to pass legislation regulating privacy on the Net before we fully understand the commercial products and services that will be available to us in this new environment.

The first line of defense for online privacy is commercial technology. The genius of Net culture is the immediacy with which it funnels talent and resources to new areas — like protection of personal privacy — and the furious pace at which it develops new products. Entrepreneurs have already established several new firms to address privacy on the web, and they are attracting significant amounts of venture capital. We must allow the market to address privacy concerns to the greatest extent possible since it will deliver solutions that are the most flexible, speedy and cost-efficient.

The second line of defense is industry self-regulation. Before we regulate the Net, we must allow the private sector to attempt to develop best practices and industry norms that satisfy consumers’ needs. The work of TRUSTe, the Online Privacy Alliance (OPA), BBBOnline and the World Wide Web Consortium’s Platform for Privacy Preferences (P3P) exemplifies this effort. Only after we have given commercial technology and self-regulation a chance to work should we turn to government intervention, and even then we must be sure that they support America’s leadership in the networked economy and the needs of consumers.

In my comments today, I will examine three issues that are central to the privacy debate: 1) The next phase of the Internet; 2) The promise of commercial technology; and 3) The principles for future progress.

    1. The Next Phase of the Internet: The Identity Wave

The Internet began as a Department of Defense research project and for many years was used primarily by scientists at national laboratories and research universities. The first big wave of the Internet occurred in the mid-1990s with the advent of the world wide web and the browser. Suddenly, it was easy to surf the Net, and there was a scramble to connect. Companies like Netscape and AOL led the way. Businesses wanted to connect to improve their communications and productivity. Schools wanted to connect to improve educational opportunities; government at all levels wanted to connect to enhance their operations; and individuals wanted to connect to the new world of digital information. Today, US Internet users number about 80 million. The Internet is having an economic impact that is on the scale of the industrial revolution, and it is occurring much faster.

The connection phase will continue for several years as we build out the infrastructure of the web, but it is about to be supplanted by something else — the identity wave. Now that the problems of getting online, getting a browser and using the Net have been largely overcome, we are faced with massive scale issues. These scale issues are really identity problems. How do I find what I want? How do I control my identity when it is scattered over dozens of different sites? How do I keep track of all my passwords? How do I authenticate my digital relationships? How to manage a system this complex in ways that create trust?

Questions about Internet identity are closely related to privacy, but they are not synonymous. Privacy is only one aspect of this identity, albeit a very important one. The best way to resolve privacy concerns is to address the larger issue of how to manage Internet identities.

The transition from the connection phase of the Internet to the identity phase should carry a red flag for public policymakers. Instead of being well along a road we already know, we are moving into unfamiliar terrain. Decentralized decision-making and market solutions will serve us better during this transition than centralized government policy since they can respond more quickly and more flexibly to consumers’ needs.

    2. The Promise of Commercial Technology: Directories and digitalme™

Entire new companies are being formed and many technologies are being developed to deal with different aspects of online privacy. I cite Novell’s approach, not as a panacea, but to illustrate the innovative ways that industry is beginning to respond. Novell believes that online privacy is an extension of Internet identity and that by addressing the broader issue of identity we can resolve many privacy concerns.

The key to building a world of Internet identities is to develop products that let individual users create, manage and secure them. The directory is at the center of our efforts to do so. A true Internet directory is an integrating layer of software that cuts across operating systems to provide a platform for network services. Without a directory, you cannot find, manage or use your network. Directories are what allow network administrators to keep networks up and ready for the user, regardless of where he is or what device he has.

Perhaps the simplest way to think of directories is to compare them to the white pages of a telephone book. Just as white pages contain the information for telephone identities, directories contain the information for Internet identities. But while the white pages are nothing more than a reference guide, a directory is a dynamic database that makes it easy to manage networks, maintain digital interactions and, ultimately, enable widespread electronic commerce.

Digital identities and network directories are two sides of the same coin. Identities describe who you are on the Net; directories process this information so that you can connect to the right people, applications, services and devices.

Novell recently announced a new identity product called digitalme™ that leverages Novell Directory Services so that consumers and businesses can manage their digital identities. Consumers are looking for secure ways to manage and protect their personal information (such as bookmarks, cookies, preferences, user IDs, credit cards and contact information) since these attributes define what they can do, where they can go, and who they are on the web. Companies are looking for opportunities to differentiate their business by creating secure, personalized services that are beneficial to customers.

digitalme™ has a flexible interface built around digital “cards.” These virtual meCards can be customized so that users share different information about themselves with different sites based on their personal preferences. For example, a user may want a card for their favorite airline to hold information about their frequent flyer number, their e-mail address, their telephone number, their business travel patterns and their favorite vacation destinations. Voluntarily providing this information would allow the airline to customize its interactions with the user so that if low fares to the user’s favorite vacation spot are available, for example, the airline can alert them. The same user would provide an entirely different set of personal information to his bank or local hospital. Since the user knows what information he shares, who he shares it with, and when he shares it, he is in more control of his identity on the Net and more aware of his Internet privacy.

digitalme™ is all about user choice. It is downloaded voluntarily from the Net, and is designed so users can enter only the information that they want to share. If they choose to include highly sensitive information, a trusted third party can hold it for them. It puts users in control. By giving users control of their identities, it allows them to create customized solutions that meet their individual needs.

    3. Principles for Future Progress

Some seem to have already come to the conclusion that prompt government intervention is necessary to address concerns about online privacy. Surveys show the protection of personal privacy is the number-one concern many people have about the Internet. And advocates of this view note that it is easier than ever for businesses to gather digital information about consumers without their knowledge or consent and to use this data to market products, or worse, in discriminatory and invasive ways. There is no doubt that the issue of Internet privacy raises legitimate questions about the rights of web users. To the extent that it leads to the erosion of consumer confidence in the Net, it could even retard the growth of electronic commerce.

Nonetheless, it is too early to make a judgement about the need for privacy legislation. Just like the Internet, our understanding of digital privacy is still evolving. The success of Free-PC shows that many consumers are only too happy to trade their privacy rights given the right incentives. And although Internet identifiers can create an invasion of privacy, they are also what allowed the FBI to find the perpetrator of the Melissa virus and to discover who posted the fraudulent Internet articles that artificially inflated the stock price of Pairgain Technologies.

In order to balance these competing concerns, many companies have created privacy policies that share a common set of guidelines. Among the most important are giving consumers notice before gathering any personal data, disclosing how any information that is collected will be used, and letting users choose to opt out of personal data transfers that are not necessary to complete a transaction.

Novell’s policy, which is posted on our web site at www.novell.com, was created in accordance with the guidelines set forth by TRUSTe, the Online Privacy Alliance (OPA), the US Federal Trade Commission, and the EU Directive on Data Protection. It consists of the following guidelines:

  1. In general, people may visit Novell web sites while remaining anonymous and not revealing any personal information. Novell will at times request basic data — such as name, address and e-mail — in order to respond to visitors’ queries about our products or services, but we will not contact you with additional marketing information unless you indicate that you want to receive it.
  2. Novell will not disclose your personal information for marketing purposes to any third-party company without your consent.
  3. Novell will not collect information from people who identify themselves as being younger than 18 years of age.
  4. Novell may use cookie technology only to obtain non-personal information from its on-line visitors to improve their on-line experience. If you do not wish to have a cookie set when visiting the Novell web sites, you may alter the settings on your browser to prevent them.
  5. Novell will take appropriate steps to respect and protect the information you share with us. Whenever you give Novell sensitive information (e.g., credit card numbers), Novell will take commercially reasonable steps to establish a secure connection with your web browser. Credit card numbers are used only for payment processing and are not retained for marketing purposes.
  6. All of the information Novell gathers will be available to you at the Novell Identity web page. From this site you can see what kind of information Novell has collected from your visit to our web site and update the information you have provided us in your personal profile. From this site you can also indicate that you would rather be anonymous and provide no information about yourself or your visit to our web site.

As the debate about Internet privacy evolves, we should look to the following principles to guide our efforts:

1. Rely on market-inspired solutions as much as possible.

The private sector still has a lot of work to do, but we should not let the highly publicized privacy problems of the past few months distract us from the real progress that has been made. Many organizations have invested a lot of time, effort and money to create a self-regulatory system in which business takes real steps to protect online privacy. OPA, TRUSTe and BBBOnline have educated industry about the issue. Novell and several other companies have developed technologies that hold promise. AOL has made a huge effort to educate consumers. AT&T has funded studies to better understand consumer demand. And IBM has withheld advertising dollars from sites that do not have privacy policies. As a result of these actions, new products are beginning to emerge and privacy policies are steadily proliferating across the Net. If the government decides to take legislative or regulatory action, it should persist in its role as champion of best commercial practice. The private sector is likely to develop faster, more flexible and more cost-efficient solutions than the government and should be encouraged to do so.

2. Refrain from a one-size-fits-all policy approach.

Just as no one technology or company can solve the privacy issue, neither can any one policy. Not all information is equal. Some data — such as medical and financial data, and information about children — is especially sensitive. Other types of data can be quite mundane. Moreover, different users have different privacy preferences. Aggressive legislation that treats privacy as a uniform problem could create more problems than it solves.

3. Keep government intervention consistent with the Internet.

Where government involvement is needed, it should support and enforce a predictable, minimalist, transparent and simple legal environment. Government should follow a decentralized, technology-neutral approach to policy that encourages private sector innovation. It should refrain from picking technology winners or implementing policies that undermine America’s leadership of the networked economy.

4. Enforce existing laws and self-regulation.

The government already has an extensive mandate to protect consumer welfare and should vigilantly enforce laws that prevent deceptive trade practices. Preventing fraud and false advertising are as essential to consumer confidence and the growth of e-commerce as they are to ordinary commerce.

Conclusion

Mr. Chairman, the privacy debate has at times been difficult for the Internet industry, but it has also been very constructive since it has helped reveal consumer preferences and the new landscape of e-commerce. Just as importantly, it has highlighted industry responsibilities and made us think hard about the appropriate role for public policy. We should not cut off this debate by pretending that Internet privacy concerns don’t exist. Nor should we pass premature legislation that assumes we know all the answers. For now, government’s role is to encourage private sector solutions, investigate and prosecute deceptive business practices, and monitor privacy abuses to determine the actual harm to consumers. Only after we are convinced that the private sector cannot meet consumers’ needs through commercial products and self-regulation should we consider government intervention.