Marc Rotenberg
September 27, 2007
Testimony and Statement for the Record of
Marc Rotenberg
President, EPIC
Hearing on
"An Examination of the Google-Doubleclick Merger and the Online Advertising
Industry: What are the Risks for Competition and Privacy?"
Before the
Subcommittee on Antitrust, Competition Policy and Consumer Rights,
Committee on the Judiciary,
U.S. Senate
September 27, 2007
226 Dirksen Senate Office Building
Washington, DC
Senate Judiciary Hearing 1 EPIC Testimony
Privacy, Online Advertising, Google September 27, 2007
Chairman Kohl, Senator Hatch, and Members of the Subcommittee, thank you for
the opportunity to testify today on the proposed Google-Doubleclick Merger. My name is
Marc Rotenberg and I am Executive Director of the Electronic Privacy Information
Center. EPIC is a non-partisan research organization based in Washington, D.C.
Founded in 1994 to focus public attention on emerging privacy and civil liberties issues.
EPIC has played a significant role in the development of the Federal Trade Commission's
authority to protect the privacy rights of consumers and users of the Internet, and we have
a particular interest in the outcome of the matter now pending before the Federal Trade
Commission.1
Today, I will provide a brief background on the FTC's previous actions
concerning Internet privacy, the complaint that EPIC filed earlier this year to block the
merger of Google and Doubleclick, and the developments since the filing of our initial
complaint. It is our view that unless the Commission establishes substantial privacy
safeguards by means of a consent decree, Google's proposed acquisition of Doubleclick
should be blocked.
Attached to my statement is a comprehensive overview of the matter now pending
before the FTC.2 I ask that it be included in the hearing record.
The EPIC Complaint Regarding the Proposed Google-Doubleclick Merger
On April 20, 2007, EPIC, the Center for Digital Democracy and U.S. PIRG filed a
complaint with the Federal Trade Commission in which we alleged that the merger of the
Internet's largest search company and the Internet's largest advertising complaint posed a
unique and substantial threat to the privacy interests of Internet users around the globe.3
We said that the two companies would be under virtually no legal obligation to protect
the privacy and security of the information that they collect and that consumers would
have no effective means to safeguard their privacy interests because of the lack of
transparency in the companies data practices. We urged the Commission to either block
the deal or impose substantial conditions that would safeguard privacy.
Our complaint in the Google merger follows in a line of cases in which EPIC has
asked the Commission to intervene where we believed there were significant privacy
interests and where the Commission has the authority to act. It is based on our experience
in these cases that led us to file the complaint regarding the merger and also to the
conclusion that only a consent decree will effectively safeguard privacy interests.
EPIC and the Original Doubleclick Complaint
EPIC's interest in the advertising practices of the online industry began in the late
1990s when a company called Doubleclick first began to sell targeted ads that could be
displayed on Internet sites based on the editorial content of the site. Doubleclick made a
point of saying that the company did not need to collect the personal information of
Internet users; it was simply interested in mapping relevant advertising to interested
users.
At the time, we expressed support for Doubleclick and its advertising model. We
said it was the type of innovative service made possible by the Internet. We praised the
company for its stand on privacy issues, and we specifically acknowledged its effort to
make anonymity work for online commerce.
At the time, Doubleclick also included a description of its business practices and
its regard for privacy and anonymity on its Web site and the Web sites of more than a
thousand of its business partners. A person who was interested in the company's privacy
practices could read the statement and act upon the data provided by the company.
So, when Doubleclick announced that it would acquire a large consumer database
company called Abacus and merge the profiles of anonymous Internet users with the
detailed profiles of identified users, we were surprised and disappointed. The company
had collected personal information and built relationships of trust based on one set of
privacy policies and then decided to change the rules. We filed a complaint at the Federal
Trade Commission, alleging that the company had engaged in false and deceptive trade
practices, and that the FTC had authority to act based on Section 5 of the Federal Trade
Commission Act.4 It was the first time that the FTC had been asked to use its Section 5
authority to investigate a privacy complaint.
Doubleclick backed off the merger of Abacus. The CEO of Doubleclick said that
company made a "mistake by planning to merge names with anonymous user activity
across Web sites in the absence of government and industry privacy standards."5 The
Federal Trade Commission, in response to EPIC's complaint, required Doubleclick to
adopt privacy standards for online advertising and also required Doubleclick to create an
"opt-out" cookie that would note users who did not want to receive Doubleclick
advertising.6
The FTCs involvement in the Doubleclick-Abacus case was significant and
demonstrated that the Commission had authority under Section 5 to pursue privacy
complaints in the context of a merger. However, the NAI Guidelines that were adopted
were simply too weak and in the absence of meaningful enforcement have had little
impact on the practices of the online advertising industry. We said at the time that the
Commission should have established stronger safeguards.7
We also said that the technical measure recommended by the Commission - the
opt-out cookie - made little sense because it required Internet users who did not want to
be tracked by Doubleclick to maintain a Doubleclick cookie on their computer that would
tell the company not to target ads at the user. This was a nutty approach since Internet
users who did not want to be targeted by Doubleclick would naturally want to remove the
Doubleclick cookie. Doubleclick was saying in effect, "you need to keep reminding us
that you don't want us to track you and if you remove our cookie, we'll start tracking
you."
But over time, we became a little better at privacy complaints to the FTC and the
Commission did a better job responding on matters concerning consumer privacy.
The Passport Case
In 2001, EPIC and 12 organizations submitted a complaint to the FTC, detailing
serious privacy implications of Microsoft Windows XP and Microsoft Passport.8 The
Passport complaint concerned an issue that is a hot topic in the online world today and
that is identity management.
In our 2001 complaint we alleged that Microsoft, thought its Passport sign-on
system, "has engaged, and is engaging, in unfair and deceptive trade practices intended to
profile, track, and monitor millions of Internet users," and that the company's collection
and use of personal information violated Section 5 of the Federal Trade Commission
Act.9 We expressed particular concern that Microsoft would become the sole gatekeeper
for Internet access and we recommended that the development of multiple identity
management systems that would respect privacy and promote innovation. Although the
Passport case was not explicitly about a merger, the antitrust and competition
implications were obvious.
In August 2002, the FTC announced a settlement requiring that Microsoft
establish a comprehensive information security program for Passport, and prohibited any
misrepresentation of its practices regarding information collection and usage.10
The FTC order in the Passport case was significant because the FTC did not
uncover any security breaches, but acted nonetheless based on the potential for a security
problem and privacy harms. This action demonstrated that the FTC has the authority to
protect online privacy prospectively, and that the Commission will hold companies to a
very high standard in their representations to consumers about privacy policies.
Since the FTC settlement of the EPIC complaint against Passport, industry groups
have moved toward decentralized identity systems that are more robust, provide more
security, and are better for privacy. Both Microsoft and the open source community now
appear to agree that meta-identity systems are a better approach for identity
management.11 The Passport case demonstrates that effective action by the Commission
will produce benefits for consumers and businesses and help spur innovation.
The Choicepoint Case
The third case concerned the specific privacy risks associated with the enormous
aggregation of personal information held by one firm.
In December 2004, EPIC filed a complaint with the Federal Trade Commission
against databroker Choicepoint, urging the Commission to investigate the compilation
and sale of personal dossiers by data brokers such as Choicepoint.12 Based on the EPIC
complaint, in 2005, the FTC charged that Choicepoint did not have reasonable procedures
to screen and verify prospective businesses for lawful purposes and as a result
compromised the personal financial records of more than 163,000 customers in its
database.13
In January 2006, the FTC announced a settlement with Choicepoint, requiring the
company to pay $10 million in civil penalties and provide $5 millions for consumer
redress.14 It is the largest civil penalty in FTC history. The FTC also required Choicepoint
to establish, implement, and maintain, "a comprehensive information security program
that is reasonably designed to protect the security, confidentiality, and integrity of the
personal information it collects from or about consumers."15
My only regret about the Choicepoint case is that we did not act sooner. Identity
theft and security breaches have become enormous problems in the United States, as the
FTC has documented.16 Earlier action by the Commission might have significantly
reduced the privacy risks American consumers now face.
The EPIC/CDD/PIRG Complaint Regarding the Google Acquisition
EPIC, the Center for Digital Democracy, and US PIRG have made a series of
filings at the FTC regarding proposed Google-Doubleclick merger. In our original April
2007 complaint, we urged the Commission to investigate the ability of Google and
Doubleclick to record, analyze, track, and profile the activities of Internet users and
detailed significant privacy and antitrust problems in proposed merger.17 In our June
supplement, we explained the need for the Commission to consider consumer privacy
interests in the context of this merger review.18 The complaint provided additional
evidence about Google and Doubleclick's business practices that fail to comply with
generally accepted privacy safeguards.
In our most recent filing, we specifically addressed the proposal that Google made
regarding a global privacy standard, based on the APEC Privacy Framework, the weakest
international framework for privacy protection.19 APEC's framework focuses on the need
to show harm to the consumer, but these guidelines were created prior to research into the
cost to consumers of identity theft and security breaches. We also addressed Google
approach to online privacy in a letter that appeared this week in the Financial Times.20
The complaint and the supplemental filings are described in more detail in the
attachment and are also available online.21
In the materials, we set out the case against the merger and propose to the FTC a
wide range of remedies that could be established by a consent decree that would address
the privacy interests we have identified. Based on the previous experience with the
original Doubleclick case and the subsequent Passport and Choicepoint cases, we believe
it is obvious at this point that a meaningful outcome will only be possible if the FTC
conditions the proposed merger on the establishment of substantial privacy safeguards.
Subsequent Developments
Subsequent to the filing of our initial complaint, the New York State Consumer
Protection Board sent a letter to the FTC endorsing EPIC's complaint regarding the
privacy implications of the proposed Google-Doubleclick merger. The Board stated,
"[t]he combination of Doubleclick's Internet surfing history generated through
consumers' pattern of clicking on specific advertisements, coupled with Google's
database of consumers' past searches, will result in the creation of 'super-profiles,' which
will make up the world's single largest repository of both personally and non-personally
identifiable information."22
We also learned the FTC initiated a Second Request regarding the merger. This
creates a strong presumption that the Commission will move to block or modify the deal.
As Chairman Majoras explained, "the majority of investigations in which the FTC issued
a second request resulted in a merger challenge, consent order, or modification to the
transaction, suggesting that the FTC generally issues second requests only when there is a
strong possibility that some aspect of the investigation would violate the antitrust laws."23
Also, the leading privacy officials in Europe, known as the "Article 29 Data
Protection Working Parking," launched an investigation into Google's privacy practices,
specifically its lengthy data retention scheme.24 Although Google said they were keeping
search records to comply with European law, in fact, Europeans officials objected to the
lengthy retention period.
Last week, European competition authorities opened an investigation into the
Google-Doubleclick merger. According to the Times of London, "Google Inc.'s $3.1
billion acquisition of Doubleclick, the largest broker of online banner advertising, is
likely to be delayed for months by the European Commission."25
At present, the US Federal Trade Commission, European privacy officials,26 the
Australian Competition and Consumer Commission,27 the Canadian competition
authorities,28 and the European Commission Directorate on Competition are all
investigating the proposed Google-Doubleclick merger and considering its possible
effects on competition and consumer privacy.
Competition authorities around the world appear to be in agreement that there is
no merger that poses a more significant threat to online privacy than Google's proposed
acquisition of Doubleclick.
Conclusion
EPIC's complaint to the FTC regarding the Google-Doubleclick merger follows
in a long line of similar complaints that EPIC has brought to the FTC regarding changes
in business practices that raise substantial privacy interests for Internet users. We are not
for or against Google. We are not for or against any of Google's competitors. We are
simply working to safeguard the privacy interests of Internet users. We believe that we
have set out a good case for the Commission. We believe that the Commission has the
authority to act in this matter, and we believe that the Commission should act to block the
deal or to impose substantial privacy safeguards as a condition of the deal's approval.
Thank you again for the opportunity to testify today. I would be pleased to answer
your questions.
1 Letter from Marc Rotenberg, Dir., EPIC, to Christine Varney, Comm'r, Fed. Trade Comm'n (Dec. 14, 1995) (on need to investigate children's privacy), available at http://www.epic.org/privacy/internet/ftc/ftc_letter.html.
2 EPIC, "Privacy? Proposed Google/Doubleclick Deal," http://www.epic.org/privacy/ftc/google/.
3 See EPIC, CDD, U.S. PIRG, In the Matter of Google, Inc., and DoubleClick, Inc: Complaint and Request for Injunction, Request for Investigation and for Other Relief before the Federal Trade Commission (Apr. 20, 2007), available at http://www.epic.org/privacy/ftc/google/epic_complaint.pdf.
4 EPIC, In the Matter of DoubleClick, Inc.: Complaint and Request for Injunction, Request for Investigation and for Other Relief, before the Federal Trade Commission (Feb. 10, 2000),
available at http://www.epic.org/privacy/internet/ftc/DCLK_complaint.pdf.
5 Press Release, Doubleclick Inc., Statement From Kevin O'Connor, CEO of Doubleclick (Mar.
2, 2000).
6 Letter from Joel Winston, Acting Assoc. Dir., Div. of Fin. Practices, Fed. Trade Comm'n, Letter to Christine Varney, Esq. (Jan. 22, 2001), available at http://www.ftc.gov/os/closings/staff/doubleclick.pdf.
7 See OnlineNewsHour, Internet Privacy, May 26, 2000, available at http://www.pbs.org/newshour/bb/cyberspace/jan-june00/privacy_5-26.html.
8 EPIC, et al., In the Matter of Microsoft Corp.: Complaint and Request for Injunction, Request for Investigation and for Other Relief, before the Federal Trade Commission (July 26, 2001),
available at http://www.epic.org/privacy/consumer/MS_complaint.pdf.
9 Id.
10 Fed. Trade Comm'n, Microsoft Settles FTC Charges Alleging False Security and Privacy
Promises (Aug. 8, 2002), available at http://www.ftc.gov/opa/2002/08/microsoft.shtm.
11 Kim Cameron, The Laws of Identity, Identity Weblog, Dec. 9, 2004, http://www.identityblog.com/stories/2004/12/09/thelaws.html; Windows CardSpace, http://cardspace.netfx3.com/; OpenCard, http://www.opencard.org/.
12 Letter from Chris Jay Hoofnagle, Assoc. Dir. EPIC, to Fed. Trade Comm'n (Dec. 16, 2004),
available at http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
13 Fed. Trade Comm'n, Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief, US v. ChoicePoint Inc., FTC File No. 052-3069 (Jan. 30, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf.
14 Fed. Trade Comm'n, Consent Order, US v. ChoicePoint Inc., FTC File No. 052-3069 (Feb. 10,
2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf.
15 Id.
16 Fed. Trade Comm'n, Consumer Fraud and Identity Theft Compliant Data: January - December 2006 (Feb. 7, 2007), available at http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf.
17 EPIC, CDD, US PIRG, In the Matter of Google, Inc., and DoubleClick, Inc, supra note 3.
18 EPIC, CDD, U.S. PIRG, Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief before the Federal Trade Commission (June 6, 2007), available at http://www.epic.org/privacy/ftc/google/supp_060607.pdf.
19 EPIC, CDD, U.S. PIRG, Second Filing of Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief before the Federal Trade Commission (Sept. 17, 2007), available at http://www.epic.org/privacy/ftc/google/supp2_091707.pdf.
20 Letter from Marc Rotenberg, President, EPIC, to Financial Times (Sept. 23, 2007) ("Google's proposals on internet privacy do not go far enough"), available at http://www.ft.com/cms/s/0/764c5338-6a32-11dc-a571 0000779fd2ac.html.
21 EPIC, "Privacy? Proposed Google/Doubleclick Deal," http://www.epic.org/privacy/ftc/google/.
22 Letter from Mindy Bockstein, Chair and Exec. Dir., State of New York, State Consumer Prot. Bd., to Deborah Platt Majoras, Chair, Fed. Trade Comm'n (May 1, 2007) (regarding "DoubleClick Inc. and Google. Inc. Merger"), available at http://www.epic.org/privacy/ftc/google/CPB.pdf.
23 Deborah Platt Majoras, Chairman, Fed. Trade Comm'n, "Reforms to the Merger Review Process," Feb. 16, 2006, available at http://www.ftc.gov/os/2006/02/mergerreviewprocess.pdf.
24 Letter to Peter Fleischer, Privacy Counsel, Google Inc., from Peter Schaar, Chairman, Article
29 Data Protection Working Party (May 1, 2007), available at http://www.epic.org/privacy/ftc/google/art29_0507.pdf.
25 Rhys Blakely, Europe puts brakes on Google deal, Times of London, Sept. 25, 2007, available at http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2525217.ece.
26 In a letter to the European Commission, consumer organizations, including BEUC, urged an investigation into the proposed merger. The groups said this merger means "Google could monopolize the on-line advertising business, thereby restricting competition and raising privacy concerns over control of consumer data." Letter from European Consumer Groups to Neelie Kroes, Comm'r, European Comm'n, on Proposed Acquisition of DoubleClick by Google (June 27, 2007), available at http://www.epic.org/privacy/ftc/google/beuc_062707.pdf.
27 Australian Competition & Consumer Comm'n, Google Inc - proposed acquisition of DoubleClick Inc., Aug. 22, 2007, available at http://www.accc.gov.au/content/index.phtml/itemId/788097; Letter from Gabrielle Ford, Australian Competition & Consumer Comm'n, to Online Publishers, Digital Agencies and Other Internet Service Groups Asking for Opinions on the Effect Proposed Google-DoubleClick Merger Would Have in the Australian Market (Aug. 27, 2007), available at http://www.accc.gov.au/content/trimFile.phtml?trimFileName=D07+79501.pdf&trimFileTitle=D 07+79501.pdf&trimFileFromVersionId=796864.
28 Canadian Internet Policy & Public Interest Clinic, Section 9 Application for an Inquiry into the Proposed Merger of Google, Inc. and DoubleClick Inc., Aug. 2, 2007, available at http://www.cippic.ca/uploads/Google DC_s.9_CompAct_complaint_FINAL.pdf; Canadian Internet Policy & Public Interest Clinic, Request for Audit of Google Inc. and DoubleClick Inc. before the Privacy Commissioner of Canada, Sept. 17, 2007, available at http://www.cippic.ca/uploads/G-DC_%20Privacy_complaint_17Sept07(1).pdf.
