The FTC hosted a public workshop to examine emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise.
Transcript - Text
WIRELESS WEB WORKSHOP
DECEMBER 11, 2000
Panel Number 1
The Wireless World - Where are we today? Where are we going?
Panel Number 2
The International Experience: Wireless in Europe
Panel Number 3
Business Models, Consumer Relationships and M-Commerce
Panel Number 4
Opportunities and Challenges: Industry and Consumer Perspectives
FEDERAL TRADE COMMISSION
THE MOBILE WIRELESS WEB, DATA SERVICES & BEYOND:
Emerging Technologies & Consumer Issues
Monday, December 11, 2000
Federal Trade Commission
600 & Pennsylvania Ave., NW
Washington, D.C. 20580
- - - - -
MR. WINSTON: Well, Good afternoon, everyone, and welcome to the FTC's wireless workshop. I'm glad to see so many people here who have survived walking across Pennsylvania Avenue, which is a challenge in and of itself. I'm Joel Winston, I'm the Acting Associate Director for Financial Practices at the FTC, and I'm looking forward to a good day and a half on wireless technology. As we enter the wireless age, I think this workshop is a very timely and important one. It's an opportunity for all of us to learn more about this exciting new technology and about the consumer issues it raises. It follows in the footsteps of a number of other recent FTC workshops we have had on technology and consumer issues, including the issue of online privacy. We're very fortunate today and tomorrow to have an exemplary group of speakers and panelists who will share their knowledge and insight with you over the next day and a half. First I would like to introduce Robert Pitofsky, who has served as the Chairman of the Federal Trade Commission for the last five years. This is Chairman Pitofsky's third stint at the FTC, having previously served as a Commissioner and Bureau Director of the Bureau of Consumer Protection. I'm sure you know that Chairman Pitofsky has had a very distinguished career in antitrust and trade regulation and is widely recognized as one of the nation's foremost scholars in this field. I could stand here for a long time and extol Chairman Pitofsky's virtues, but let me just say one thing that comes from a profile in today's New York Times of Chairman Pitofsky, a very good profile, and I think there's one sentence in here that really sums it up. The Times says that, "Mr. Pitofsky has been a central player i the transformation of the agency from what was known as the little old lady of Pennsylvania Avenue to a formidable institution that is the leading regulatory body of Internet and consumer issues, as well as one of Washington's two antitrust enforcers." I think that's a pretty good summary. Chairman Pitofsky?
CHAIRMAN PITOFSKY: Thank you very much, Joel, and welcome to all of you, I add my welcome to this mobile wireless web workshop, the latest in a series of workshops that the FTC has been holding in recent years. In 1995, we held an extensive set of hearings on globalization and the impact of technological innovation on competition and on consumers, and since then we've held workshops on online privacy, advertising disclosures and new media, online dispute resolution, global electronic commerce, business-to-business electronic marketplaces and so forth, and I'm especially pleased about that. It is in the tradition of what this place really was designed to be, not just a law enforcement agency but an agency that met with business leaders, consumers, academics, and other government agencies and tried to anticipate important economic trends, and I think that's certainly what we're trying to do. This time we explore the wireless data services sector of the economy, a new technology that has been heralded as allowing people to communicate and gain access to information when they want, where they want and how they want. I understand that some industry analysts predict that over the next five years, mobile commerce and wireless data services, including Internet services, access to wireless devices, will grow at an even more rapid pace than electronic commerce and the Internet did over the last five years, which itself is amazing. A few examples of what this wireless technology could be about. It's the eve of the holiday and you decide to do some last-minute shopping. As you walk into a mall, your all-in-one cell phone, pager and digital assistant rings with a message. Your phone talks to you and says, "Doing some last-minute shopping? Stop by the gift shop next to the food court and give the cashier this number and you'll receive 25 percent off your next purchase." You find a parking space on the street outside your favorite store, and then you realize that you don't have the right change. Not a problem, you take out your cell phone, dial a number, point it at the meter and enter the amount and the time that you want to keep this space, and the cost is automatically deducted from some account you have elsewhere. After a full day of shopping, you decide to grab a cup of coffee. With a buddy list on your smart phone, friends and family within a five-block radius can be alerted to your location in case they want to stop by and chat. I'm not so sure about that one. I mean, it's not an unmitigated virtue, all this technology, I mean, whatever happened to a quiet cup of coffee? But all these examples make clear the benefits of mobile commerce for business and for consumers. They are potentially enormous but like other high-tech developments, they can be good and bad. They can be profoundly pro-consumer, but there are risks involved. If people can be located any time they use wireless technology, is that a good thing? Well, in some respects it is, but I'm reminded of Professor Larry Tribe's comment somewhere, I think it's in his treatise, that part of human dignity is the ability to hide. We also want to educate ourselves and other interested parties about these emerging technologies and the implications for consumers. Toward that end, we have, as has become our tradition recently, brought together industry representatives, privacy advocates, consumer advocates, government officials and researchers to explore three fundamental questions. First, where is wireless Internet and data technology today, and where is it going? What types of relationships will consumers have with this new equipment and with various providers of wireless and data services? Critically, will consumers' wireless data services be supported by advertising, as many Internet sites are, or will consumers pay separately for these services? Second, what privacy and security issues do wireless devices raise? For example, how will location information be used? Is transmission of personal information secure in this wireless media? As wireless devices converge so that cell phones, personal digital assistants, electronic wallets become a single device, what are the risks of identity theft -- are they increased and what security measures are possible? Third, what forms will wireless advertising take? How can companies make effective advertising and privacy disclosures on small screens? How do traditional concepts like clear and conspicuous and equal prominence apply with respect to this new medium? Obviously there's a great deal to cover over the next several days and a lot for us to learn and I hope to learn from each other. In providing a forum for discussion of the privacy, security and consumer protection issues raised by these new technologies, we hope the FTC can facilitate the dialogue among the various interested constituencies. In the best traditions of this agency, we look forward to exploring these complex and fascinating issues with all of you. Thank you.
MR. WINSTON: Why don't we have the first set of panelists come up to the table. Before we begin, one request, which may seem a little ironic, but if you could turn off your wireless devices so we don't have all this beeping going on, thank you. Our first series of presentations concerns wireless technology. First we will have Walt Mossberg of The Wall Street Journal to tell us where technology is today. Next, Bill Bodin of IBM's Pervasive Computing Lab will show us where wireless technology may be heading in the not-too-distant future. Then last, we'll have Danny Weitzner of the World Wide Web Consortium explain some of the mechanics of the wireless web, to give some of us without a technical background some context and some vocabulary on the discussion that will follow the next day and a half. Now, some ground rules. After the three presentations are completed, we should have at least 15 minutes or so for questions from the audience. Those who are in the overflow rooms, hopefully you can hear me, who would like to ask a question should come downstairs to this room, 432, where we will have some microphones set up in the hallway and you can ask questions, in the doorway there. You might want to come down around 2:15 or so. Now, as many of you probably know, Walt Mossberg is the author and creator of the weekly Personal Technology column in The Wall Street Journal and is a contributing editor to the Journal's monthly magazine, Smart Money. Walt is the source that consumers and industry insiders go to for the straight scoop on technology. Walt?
MR. MOSSBERG: Well, thanks, Joel. I'm sorry to start off by disappointing people, and picking up on the Chairman's speech, I'm not an industry official, not a privacy advocate, not a government official, I'm just a newspaper reporter, and you are just going to have to settle for that in the next 20 minutes or so, but I can assure you of a few things. One, wireless communications, wireless data communications, are going to be incredibly important. Two, they will be incredibly important at a much later date than most of the people speaking to you at this conference and, indeed, on Wall Street and in the press say they will. Everything about it, every single thing about it, is being grossly over-hyped, just as was true of the Internet, is still true of the Internet, and even of the PC itself. Three, they will not work nearly as well as their manufacturers and service providers say they will. They will be a source of considerable frustration. They are today, and they will continue to be over at least the next four or five years. If you don't believe me, I would point out that even the older technology of wired and portable computing with no effort to do wireless Internet is still so inconvenient, so clumsy and so difficult that very few people in this room are taking notes on any electronic device. Danny, who's I'm sure a brilliant fellow and works in the heart of the world wide web and has a laptop is -- thank you, Danny, you knew just what I was going to say -- using a fountain pen, and when I attend the computer and Internet industry's most sacred inner circle, high-tech conferences, attended by people like Bill Gates and Steve Case and all these people and you give a talk like this and you look out over the room, 80 to 90 percent of the people are using pen and paper to take their notes, and that's -- these are just important cautions I want to leave with you. I would also say, picking up on the Chairman's point, there are many more qualified and in-depth privacy experts in the audience and certainly a lot more people from the industry. Based on the experience of the Internet, I will absolutely guarantee that the wireless Internet will be saturated with the worst sort of marketing pitches, worst both in terms of how annoying they are, how ineffective they are for the shareholders of the companies trying to market things, and how much they will clog the bandwidth, which, as you know, is very limited for the things you really want. This is true in every pixel of your computer today, and it will be true in the far more limited number of pixels on the screen of a wireless device. Well, what I am going to do in a very short time here is to try to talk about where we are and give you some context for thinking about this, and for those of you who read my column, and even those who don't, let me just explain that what I do is try to look at the state of what we have in technology, services, technologies and devices, for consumers and small businesses today and also out into the near future. I think it is folly, although I'm sure some will attempt it, to predict what will happen even as far out as five years, but I can certainly talk about the next year, year and a half. As a result, I get to see -- and have seen, in fact, as I stand here -- lots of the things that will not come on the market until the next six months or nine months or a year. They are brought to my office, I look at them, I try them out and so forth, and some of them I write about and some of them I like and some of them I hate. Everything I do is from the perspective of normal, nontechnical, mainstream consumers. So, from that perspective, where do we stand now on wireless? Well, let me start by giving you a way to think about the Internet that I think is a little different. The Internet is not an activity you perform on a box called a PC. In fact, we are just closing out the first year of the post-PC era. What do I mean by that? What I mean by that is we are just closing out the first year in which we see the introduction of a proliferation of devices that can do digital things, all of which have been performed only on this thing called the PC. We are going to see a massive diffusion of digital tasks, including Internet tasks, both in wired devices and in wireless devices. The best way I think to think about the Internet is to compare it to the electrical grid. In this room, God knows when this room was built, but in this room there are electrical outlets, I think, and there are electrical outlets in every room you will be in today, and I think we are gradually evolving into a situation where there will be sort of plugs into the Internet everywhere you go. Some of them will be physical, like ethernet jacks or telephone lines, and some of them will be virtual, think of it as a wireless plug into the Internet grid. Now, the electrical grid provides a certain kind of power to an innumerable array of devices. Some of them make toast; some of them wash dishes; some of them play music; some of them are PCs. I think that that's what the Internet is going to become and is rapidly in the process of becoming. There will be an innumerable array of devices that will take some portion, not everything, but some portion of the services and the information and the entertainment and the commerce opportunities that are afforded by the Internet and present them to you in a form that is convenient for where you are and what you are doing at that moment. You will still have something like a PC that will give you a more full-form experience at the cost of crashing every two or three hours. You will also have something like a phone with a small screen that will give you a very tiny amount of information that's appropriate and formatted for that screen, and you'll have lots of things in between. But when you go and plug an electrical device in today and you use it, when you made toast this morning, when you made coffee, when you used your hair dryer, you did not turn to whoever was with you and say, "Hey, I'm on the electrical grid." And this phrase we have now, "I'm on the Internet," will look as ridiculous and archaic as that in the next five years, I think, because everything you do with a powered device that has any kind of user interface, a screen or an audio interface, anything, will be informed by some extent by some sort of content or service provided over what we now call the Internet. So, when you turn on the television, a television program will have information and richness behind it that comes from the Internet, and you're not going to say, "I'm on the Internet." You're just going to think I'm watching television. And I'm not talking about the early WebTV idea of looking at sort of the web pages on the screen. I'm talking about television shows being enhanced. When you're on the phone, when you're doing many things, the Internet will be behind it. Part of this new spectrum of digital devices and services will be wireless, which is what we're here to talk about. Now, where we are today on wireless is that it is essentially in the United States an extremely bad, extremely limited service on extremely inappropriate and bad devices that cost a lot of money but is accompanied by, as I said a few minutes ago, unrelenting and unrealistic and ridiculous hype that is propagated by people who hope to make a lot of money by convincing you to buy the stuff. That is where we are today. Only a true techie geek or somebody who has invested in this is ever going to try to read an e-mail on this screen, and yet you can pick up any newspaper and any magazine and read articles that make it sound like this is not only cool, not only useful, but ubiquitous. It's not. There are millions, tens of millions probably phones in this country that are so-called web-enabled, but there are only thousands of people that use it. This is a web-enabled phone. Most of you probably have a web-enabled phone. I took a look at it once or twice, because it's my job. They pay me to do it. There's no way in the world I would scroll through these ridiculous menus to try to look up some piece of information which would then require me to constantly scroll to get the next bit of data at the hopelessly slow speeds we have in this country. So, I think today what we need is two or three important things. We need new devices. This is never talked about. Everybody talks about the networks and the services and the spectrum and the fees. We need new devices. This will not happen until we have new devices. This is a great voice device; in fact, this was a fairly advanced voice device. It's a very bad data device. And if I need to know what movie is playing somewhere, if I need to know what a stock is trading at, how low the Internet stocks have gone today -- and I have to assure you that one of the bad things a few years ago and one of the great things today is under the ethics policies of The Wall Street Journal, I have no shares of any technology company -- but if I want to know, the best thing for me to do is to hit the speed dial button on this phone which calls a service called Tell Me, which is free, which is a voice recognition and audio service that takes all this material from the Internet, and guess what, transfers it into what this device was made for, which is voice. On this particular device, that's the best way to get Internet information. Now, we have this. This is a Blackberry, the new Blackberry with the bigger screen, and this if I turned it on would be collecting my e-mail. It would be a little rude since I'd attempt to look at it here. It also can get the web. You can actually read a reasonable amount of an e-mail message on the thing. It's still slow, but at least the device is better. But I have got to carry both of these devices. This also has a calendar and appointment book, not as good as a Palm, much clumsier. What I really want is a Palm, about this size, that I can make phone calls on and can get this data. And there's a race on right now, there's a huge race on between the guys that make phones and the guys that make PDAs to try to create sort of hybrid devices. I'm covering this race. If you read my column, I review these things as they come out. There are a few of them that have come out. I have not seen one that's really great yet. I'm not personally convinced that we're going to have everybody carrying just one device, because people will have preferences. Some people -- I mean, you are not going to have a device this small that's a great data device, because the screen can't be very big on a device this small, but if you're primarily a phone call person, you may want to carry this. If you're primarily a data person, you may want to carry something like this with some phone capability that you occasionally use. The Handspring Visor is a device that is essentially a clone of the Palm, made by the people who developed the Palm, but it has an expansion slot in the back, and one of the things you can pop into that slot is a phone. It's just a small little phone. [Holding up Blackberry device.] When it pops in, this thing becomes a phone, and, of course, because it has an antenna, you can also get wireless data. So, now you have a device with the wonderful Palm interface that synchronizes well with your computer, get your calendar, get your appointments, you can make phone calls on it. You can also get the web and e-mail on it and so forth, and that will be an -- that's probably the best early effort to combine everything in a PDA format. The phone attachment I think will be out probably right toward the end of this year. I used it for a few weeks and wrote a fairly favorable review. The phone guys are fighting back with somewhat bigger phones that when you open the lid, you see sort of a regular phone window, but then you can do this and get a Palm-type screen, which can get all your web data. Kyocera, which has taken over the phone franchise from QualComm, will have a phone like that out in a few weeks. Sprint brought one out a few weeks ago that actually isn't very good, but they're working on it. So, there's a race, and there's going to be more of these devices coming. But even if we get the perfect device, we have the network problem, and the network problem, again, is the source of great hype. It's not going to be fixed nearly as fast as people hope, and here is the source of the greatest embarrassment technologically for the United States of America in the 23 years since the personal computer came out and maybe for long before that. We are now in a situation where we are behind Europe and behind Japan in a key consumer mainstream technology for the first time really I mean in my lifetime, and I'm 53. It's because of a failure, a massive blunder, there is no other word for it, committed by our government and by our industry 20 or 30 years ago, I don't know the details, when it was decided not to set a technical standard for wireless phones in this country. In Europe, they picked a technology and they went forward, and you know what? We did it for television, we do it for all kinds of other basic technologies. The idea in this country is competition. It's what this building is about and certainly The Wall Street Journal is about, and I'm all for capitalist competition, but there is a role for standard-setting bodies and for government bodies in saying, Okay, here's the basic technological choice, now you boys go off -- or girls -- go off and compete and make money and make this better. We didn't do that. We decided to have an unending competition on the very basic technical choice, unlike Europe, and what's the result? The result is that today we have less digital voice coverage, even poorer digital voice coverage, much more expensive phones, much more power vested in the most backward part of the industry, which is the carriers, and much less technologically advanced phones. This is the only area of digital technology in the history of recent digital technology where the coolest things now come out first in Europe and Japan and arrive here maybe a year, year and a half later. This is the opposite of what drove our economy in the PC era, when people in Europe and Japan were dying to see the new computer or the new software or the new web service, and all of it came out here first. If you don't think that this has phenomenal international economic and even national security implications, I would suggest you're wrong, and I speak with some slight qualifications as the former international economics lead correspondent for the Journal and as the former national security correspondent. This is important, and we've blown it.We have flatly blown it. There are lots of other consequences. Every time somebody wants to extend wireless voice or data services to a part of the United States where it doesn't exist or to improve it, you have to build a tower. The same in Europe, the same in Japan. At least in Europe and here, you have a big environmental fight, and I'm not disparaging the people who don't want towers, I'm just making a point, you get an environmental fight. Here you have to have it three times, because you have three ridiculous incompatible standards. You have CDMA, TDMA and GSM. If you want to introduce -- if you're Nokia or Ericsson or even Motorola, which is an American company, and you want to introduce a very nice, interesting handset with new data capabilities, you've got to wait on, beg, plead with and court these phone carriers, because they control it all here. In Europe, it's all one standard.What works with one carrier works with another carrier. So, we made a big blunder, and you all know and you'll hear about later that there's a thing called 3G, and that's going to unify the world and we're all going to move toward it, but I'll tell you two things about that. One is that Europe will get there faster by over a year, and the other is it will disappoint you.Everything I know about it off the record tells me that there's an excellent chance it will be nowhere near as fast and as high bandwidth as it's supposed to be. So, we're faced with, no matter what great devices come out, for a while with a slow, weak, wireless bandwidth proposition that will be worse in the United States than anywhere else. Now, we have a silver lining, and I'm going to go out on a limb here and say this, and that is American innovation and American high-tech. We've been somewhat behind not only in the actual roll-out of good wireless devices and a wireless infrastructure here, I think we've been behind on mind share. I think our best technical minds have been very slow in getting to this, and what has happened is they've been just locked into the PC, while the rest of the world was moving forward into wireless, and so we haven't really paid much attention to it. But now people are beginning to work on some very interesting things, and I would caution you when you think about this, when you read about it, when you listen to the other speakers here, that this progression from GSM to 3G and all this stuff that's approved by the ITU and all of that may not be the whole story. There are at least two technologies I know of in the United States that are unofficial, not approved by the European international bodies that I think could break us out of the box. One is Ricochet. It's by a company called Metricom, and it's here right now. It's unlicensed spectrum, and it operates at 128 kbps, which is stunning. It's so much faster than any wireless technology anywhere in the world that it's breathtaking. It's almost broadband, and it's wireless, and it is here now, and it's rolling out slowly and without the benefit of sanctions from any government body because it's unlicensed spectrum, in six or eight cities, and they have plans to be in something like 70 cities in the United States. A slower version of it three years ago was rolled out in three cities, including D.C., and three years ago its slower version was still faster than the fastest wireless technology we think of today. That's one. There's another one called I-Burst that I heard about just recently which promises a megabit. So, I just want to leave you with -- I know that some of what I said was discouraging or gloomy, but I do think the same kind of American ingenuity that has given us a lot of benefits in the PC and the Internet space in a fixed wire is finally being applied to wireless, and there may be a ray of hope. I look forward to listening to everybody else, and thank you very much for your time.
MR. WINSTON: Thank you, Walt, for a very interesting presentation, although I wish you had been a little bit more up front about how you really feel about these things. Our next speaker is Bill Bodin. The range of wireless devices and services available today is impressive enough, but much more is on the way as we will hear from our next speaker, Bill Bodin. Bill leads the advanced technology and prototyping efforts for IBM's Pervasive Computing Division. As you'll hear from Bill's presentation, this lab is where the future of technology is actually taking place today. Bill?
MR. BODIN: I just have a little bit of reconfiguration here to do. There's a couple of different -- well, I am totally depressed. You mean it's not going to be as easy as they say it's going to be? I don't think it ever is. As I was introduced, I'm an STSM, senior technical staff member, with IBM and charged with the mission of making all these advanced technologies actually real and incorporating them into a lot of the mainstream product ideas that IBM has. What pervasive computing is, just to kind of define it, is basically delivering any data over any network to any device, and as Walter said, it's not going to be an easy proposition, and there are a lot of things that make it tough. In other words, on the any device side here, we have a heterogenous mix of clients, right? Things like screen phones, things like PDAs, wireless PDAs, transiently connected PDAs, PDAs with color VGA screens, PDAs with monochromatic screens that are 160 by 160 pixels like Palm devices. Walter, I was taking notes on my Palm, by the way --
MR. MOSSBERG: You were the one.
MR. BODIN: -- I was cheating on you over there. I was writing down all these new ideas. And devices like Internet access devices in light of wireline devices or wireless devices, in-vehicle information systems that will help us navigate in vehicle scenarios, those kinds of scenarios go on and on, but basically they'll be shored up by technologies like speech recognition, technologies like the ability to replicate e-mail, calendaring data, location-based services directly in the car and communicate with location-based services wherever you are, all the way to set-top boxes and things we call gateways, either residential gateways or enterprise gateways, with these gateways bringing the broadband experience into the home, right, and also providing network address translation, IP filtering, VPN functionalities, virtual private networking functionalities, inside the home or the enterprise seamlessly to these devices, and as you can see here, attributes of the network here are availability, security, and scalability. One thing I did want to mention is that IBM has recently, as recently as last week, appointed a CPO position. Now, CPO is chief privacy officer, and8 that's Harriet Pearson for the IBM Company. So, you might want to make note of that. Any data, data in this case in terms of these broad scenarios are news, weather, sports, banking, travel, stocks and things like that, all sorts of things all the way to the enterprise side of it, which has us tied into the ERP processes, the CRM, customer relationship management processes, all the way to the back end. So, as you can see, the fabric here is really taking this any data paradigm, moving it through networks and delivering it to any device very seamlessly. Now, the challenge is how do we make that seamless and how do we make that a great proposition for the consumer? One thing that we're working on is standardizing a toolset for all of these particular client devices, client devices as varied as Internet appliances, wired, wireless Internet appliances, web pads, automotive, set-top boxes and service gateways. Now, the last thing that we will be working on is interfaces that transcend operating system infrastructure into the mobile phone arena. Just a little bit of infrastructure speak here before we get into the nature of pervasive computing and the scenarios of pervasive computing. The device9 architecture that we're working with puts a very strong emphasis on the ability to run cross-platform program logic on devices, and what we have here is a JVM, something called a Java virtual machine that actually abstracts the application logic from the hardware beneath it so that we can take an investment that we make in one particular application that might run on a cell phone and move it over to a PDA environment or move it over to a set-top box environment and even an in-vehicle information system and maintain the investment, preserve the investment that we make in that particular device. Now, you might also notice that to the left-hand portion of this, I have things that are relative to things called GUIs, graphical user interfaces, or speech recognition, text to speech. A lot of those particular features are what we call native features, features that run languages that are compiled with particular devices and particular CPUs in mind. In our lab, and a few people in the audience have actually been to our lab in Austin, this is basically the schematic for the lab. The lab really uses service gateway technology, the same technology that I talked about just a while ago, to bring a broadband experience into the home, whether it's a cable modem scenario or a DSL scenario, even dial-up for that matter, but brings that capability in and shares Internet connectivity with a host of devices. Now, you'll notice that the host of devices can range anywhere from WAP-related phones or Internet appliances and conventional home PCs, all the way to wireless web pads, and I do have an example -- I do have an example here of an appliance that has a bit more acceptable user interface for actually giving you a broadband experience. Now, this is a wireless web pad. This wireless web pad is -- it's an 802.11 client, which means that it's running a fairly rich bandwidth in terms of its ability to take information from a gateway and actually populate this device. It's running at 11 megabits. If I wake it up into its awake state, we'll see that we have a web page here, and this web page obviously could be any web page. This particular appliance is basically a research grade appliance, but it gives you an idea of where technology is actually going in a very robust, handheld kind of way. That's one device. You'll notice that there are a lot of other devices on here, devices that we deal with every day, things like microwave ovens or refrigerators or washing machines. In our lab, we experiment with all of this infrastructure and all of these devices, and, in fact, all of these devices are actually network-enabled. So, we have rapid-cook technology that actually cooks -- it cooks ten times faster than regular oven cooking technology, but it's aided by the web, because we can actually get recipes, and these aren't recipes that allow us to bring food to the cooking stage, but they are recipes that are device-specific, and they are recipes that we can actually download dynamically simply by clicking on a URL either on the device or on the wireless web pad and delivering them straight away to the device itself. So, that device can then use that granular recipe data to ideally cook the food. So, it's not necessarily implementing Internet-enablement or Internet connectivity for connectivity's sake, but it's actually using it for something beneficial. You will notice that many of these devices here, the microwaves and dishwashers and things like that are all connected simply by the power line. We are using a combination of technologies there. We're researching CeBus technology, researching Ethicon technology, but we're moving bits over the power line using this service gateway, simply by plugging this service gateway in, which has a modem inside, not a modem that really modulates things over telephone wires but a modem that actually modulates data right over the power lines so our networked appliances can actually communicate. Just a few words on standards, actually more than a few words on standards. OSGI, HAVI, WAP, XML, SyncXML, all important standards to us. OSGI, meaning open services gateway initiative, is an approach that we're actually implementing in our stack of software that we offer for pervasive computing that enables us to keep the platform open, to keep it very minimalistic but then to increase the opportunity that many, many more businesses can actually populate a device with that kind of an approach. HAVI, you know, I guess not too many of us thought too many years back that our home audio/video receiver or our VCR or our DVD player would actually be network-enabled, but the time is now coming with the HAVI architecture to actually implement network connectivity in those kinds of devices, as well. Once those devices are actually communicating back and forth, it becomes easier for us to actually deal with any one of those devices or actually take data from those devices and deliver it to things like WAP phones, for instance. Imagine, you know, making a trip to Blockbuster because you think you might need to rent a movie that night but actually being able to communicate back and forth with your 300-disk DVD carousel. You'll be able to take that data, have it transcoded uniquely for that device and delivered to that device. In fact, one of the things I'd like to do as part of the very last part of this presentation is to bring an online tour of this lab up and running here and actually communicate to that lab with a WAP device. More on HAVI, you will notice that HAVI is an architecture, and, you know, even things like havlets, let's say, many of you in this room may have heard of servelets. Servelets are technology that are server side that enable servers to interact with, you know, things like search engines and do all sorts of logic. Now we even have havlets, which will be living in our home theater stack. A few words on cellular protocols. I think Walter was right on the money here. He talked about the disappointing data rates that we get in the U.S. here. In fact, CDPD, which purports to be 19-2 in terms of its data rate is, you know, more like 4800 when you really get down to it. So, it's 4800, maybe 9600 tops, and that's what we have had to put up with for quite some time. A couple things on the forefront. GSM in two different flavors, one at 43.2 kilobaud and another at 120 k-baud, the 120 k variety coming in early 2001 and the lower bandwidth -- maybe, okay -- may be coming currently. RF technology, RF technologies like 802.11, like the one that I just had here, the wireless web pad, they run at about 11 megabits tops. They're currently available from a number of vendors, IBM, Cisco, Nokia. Bluetooth is something that's coming more or less on the horizon. Bluetooth is going -- the promise of Bluetooth I'll talk about in a minute, but basically it's close-range device interaction that forms things called personal area networks or PICO nets, and then Home RF, which is more of a consumer-grade variety of wireless. In terms of wireline, Home PNA. Home PNA is a home networking and phone line alliance which basically enables us to communicate via phone lines. That's actually how I have a large majority of the PCs in my house wired up, and my kids now enjoy a music collection -- I'll not tell you where I got that music collection, of course -- but, you know, they have an old Pentium I, 133, upstairs, and, you know, it was either buy them a stereo or just buy a network card.So, the network card prevailed, and they had a phone jack there, so now they have 10 megabits that they can communicate downstairs to the monster PC in the kitchen, all right, and they have all their Britney Spears and all their NSync and all the tunes that make them happy upstairs now, and they share that, you know, in realtime. There is no local copy of it, and like I said, 10 megabits. What was that? Do I have a question already? Just a few other technologies, POTS, conventional dial-up, DSL, many flavors, cable satellite. Bluetooth's vision actually is to create ad hoc personal area networks wherever you are and however you need to collaborate. In other words, if you're in a business scenario and you have a number of individuals that want to collaborate online, right, but they don't have the necessary network connectivity to the firewall there, they might use Bluetooth in a way that they form this ad hoc personal area network and actually collaborate between themselves, either pass notes during a presentation and make that presentation stronger or do something of value.6 Ease of connectivity is one of the benefits of Bluetooth, yet to be realized, but something that needs quite a bit of work. Freedom to work anywhere, high interoperability and a lot of new applications. Lots of industry adopters worldwide. One thing, like I said, this really brings up the point of personal area networks, and you see here what is called a scatternet. This scatternet is basically an overlapping of networks. In other words, there are two nodes to the right there that are communicating with another node in the middle that is communicating with a further node as a gateway to other devices. Now, these can be any kinds of devices in the future. They might be PDAs, might be cell phones, or some other ubiquitous device that emerges, might be laptops, you know, full-feature devices that have broadband capability within airports, with technologies like Walter mentioned like Ricochet, but there are many other trials going on with technologies other than Ricochet, like 802.11, in various airports at high speed, 11 megabits. But some of the scenarios here are, you know, either mobile PCs communicating with -- you know, communicating with phones that are nearby, hopefully your phone; the phone on your hip, the phone in your pocket; digital cameras that use Bluetooth to communicate to Bluetooth-enabled cell phones so that you can actually share that digital photo experience with anybody that you want in realtime. In other words, you're standing on a mountaintop taking a picture of the family. Well, there is no reason that that picture can't instantaneously be a part of your family's web page, be delivered to that web page and be administered to that web page seamlessly. Even digital ink, there are companies that are coming up with technologies that have pens that are Bluetooth-enabled, pens that since they are in the proximity of a more beefier CPU can actually decode what you're writing down, store that, transfer the pen contents to the robust device and store that as documentation. So, just a background on Bluetooth, basically 2.4 gigahertz variety communication, either 10-meter or 100-meter optional, eight devices per PICO net, ten PICO nets, and you can see there are a couple different bandwidths, either 400K or 700K depending on the implementation. Now, just to revisit this pervasive computing residential topology here, one thing you'll notice that I didn't necessarily make evident here is that the car -- and we have a car in our lab. That car is considered to be docked, all right? You don't just park your car in the garage anymore; you dock your car, okay? Exactly. This car, since it's in the proximity of a service gateway and the service gateway is actually capable of delivering wireless content from a broadband Internet connection, can do things like replicate e-mail and calendaring to the car and things like that. In fact, the in-vehicle information system topology looks a bit like this, where we either have satellite-to-ground stations or we have all sorts of connectivities that enable us to do things with either wireless modems or Bluetooth capabilities, interact with PDAs, interact with cell phones in a hands-free way and take advantage of delivering data right when we need it, either for -- either for doing things like navigating around town or navigating through your e-mail. Fairly extensive web infrastructures are going to be critical for this, and one thing I want to get to here is not just the service side of the structure that makes it all possible but something called transcoding actually, and if I refer back to the notes that I took on my PDA here, I heard a term called -- I guess it was pixilation clogging, right, so we have clogged pixels on devices that are very, very small. We have small -- small bits of -- small user interfaces here, which it's very critical to populate them ideally for the -- for a good user experience to actually come about. We call that at IBM, we call that transcoding, and what that does is take data of one particular style and brings about a change in that data, a fundamental change in how that data is actually constructed and how that's going to be rendered on a particular device, matching, like I say here, the form factor to the capabilities of the client devices, personalizing the data for environmental requirements. One environmental requirement might be if you're driving, right, and your car knows you're driving because it's making progress and either inertial guidance or GPS navigation is telling it that it's being driven, you may not be able to actually read your e-mail on this in-vehicle information system, but you might be able to hear it. So, environmental factors come into play. Enhanced B-to-B communications, this is supporting a wide range of devices and systems. One just pictorial example of what transcoding looks like or content adaptation is here in this particular web page where we have Yahoo's weather forecast, right? We have a very rich set of graphics that went along with that weather forecast, but it is possible to deliver content fairly seamlessly to a WAP-enabled phone, and as you can see here, that the actual rendering on the WAP-enabled phone tells you the essence of it. It doesn't necessarily deliver the ad banners or all the eye candy that you might be accustomed to on conventional web pages, but it does get down to the nuts and bolts of it. So, things like converting images from one type to another type, things like reducing the size or the bravacity (phonetic) of text and converting languages from one type to another type is what transcoding is all about. And really, what it does for customers, for users, for actual companies that deliver data is make it a little bit more palatable to deliver that to a wide variety of devices, because they actually render content one way, but it's transcoded dynamically for a number of different devices depending on those devices' characteristics. One thing we've done fairly successfully with Safeway in the UK is actually bring the experience of shopping to a fairly small PDA. This is a Palm PDA, actually Palm PDA made by -- rebranded by symbol, made to our specs that has an on-board scanner right inside, okay? So, you can go into your pantry, you can shop in your pantry, you can have all those items actually accumulated to this device and then actually hot-sync this device to have your groceries delivered. It can be used anytime. It can be used while you're at the doctor's office, waiting in line anywhere, and it's actually boosted sales by about 10 percent. You'd think that people would be more judicious on what they bought when they had something like this to organize their thoughts, but the thought is that they're actually spending less time at the convenience stores and more time at the Safeway store. All of our technology's based on open architectures, just another note on that, and I'll be ready to go into this demonstration on the lab in just a minute, but I thought I would give you a little idea of how the thing is laid out, how the floor plan actually is. We have a family room, a kitchen, garage, all with network connectivity. It's really a living lab where developers work every day. The server farm is located right there in the lab with video conferencing facilities. And just to give you a look at what it looks like, large-screen televisions rendering web pages, but web pages that are being delivered dynamically from things like the service gateway here and web pages that actually allow you to interact with other appliances within the home, things like e-fridges, and I think I probably have a close-up on this. You know, everybody has to have one of these. If you have an advanced technology lab and you don't have an e-fridge, then you're nowhere in this business. And we have to go out on a limb actually. We do a lot of things that we think are very, very leading edge. Some things will get adopted; some things will not. We even have antenna arrays in the fridge that actually detect the RF tags that are affixed to food items, okay, so you can actually tell dynamically what you have in your fridge at any one given time, and since you can tell, right, since your fridge knows that, there's no reason your WAP phone doesn't know that, as well. So, we transcode that to WAP phones and things like that. Rapid code technology with wireless web pads, this is an older version wireless web pad, the one I had up here is a little bit newer version, but with the same CPU cloning and the same wireless infrastructure. Internet access devices, in-vehicle information systems, all with voice capability. So, what I'll do now is -- hopefully I'll wake this PC up and start really quick a browser session, and I will also disconnect this and connect it to the video here, and hopefully we see something, right? Okay, so, we have a browser session started here, I'll maximize that, look for my bookmark that I left earlier -- pays to get here early -- and we'll just bring up the lab here. Since I'm bringing up a new -- now, hopefully this will work, Walter, or else you can claim to be right on every point here.
MR. WEITZNER: I think he will claim that anyway.
MR. BODIN: Fair enough, though.
MR. MOSSBERG: Just to clarify one thing, though, while you're doing this, Bill, I want to make sure people understand that a lot of what you described had to do with wireless networks like 802.11 and Bluetooth inside a building, but the actual Internet is being received to your house or to this lab over a wireline network.
MR. BODIN: Correct.
MR. MOSSBERG: You are distributing wirelessly inside the building, but it is not as if the broadband Internet connection is coming wirelessly to the building.
MR. BODIN: That's correct, absolutely correct.
MR. MOSSBERG: That's an important distinction.
MR. BODIN: Absolutely. If you notice here, I actually have some presets that I can actually go and visit here.Hopefully everything, like I said, all of the network is working correctly here, but we have a little bit -- it looks like we have the Fox News channel on, and if I -- well, who is that?
MR. MOSSBERG: So, you are going all the way to Boston and back to show what's happening two blocks from here?
MR. BODIN: That's right, that's right. Hey, you know, I use this elsewhere, you know? I'm going to take my WAP phone, and I think that we have a connection here, so it looks reasonable. Now, I have family and -- oh, I have to use the mike? Okay, so, I have a user interface here that actually is the user interface being used from the service gateway. In other words, I have -- number one corresponds to lights on, number two, lights off, mundane things but things that actually enable us to prove some concepts here, and what I just did was I just -- to hit number two, which is lights off, and if we're still receiving data here, and we should be, we should notice a change in the device itself, in the lights itself -- let's refresh that real quick, and I did get an indication that it did actually happen over my -- over my phone. Number three would be, in fact, blinds up. Now, these just -- what these do for us is actually give us a way to pioneer how we can actually get back into the lab. I mean, the lab is behind a firewall. We are going over public Internet services to actually make, in effect, changes on devices like this but then tunnel back into the service gateway so that we can actually effect the change on the device itself. I think I'm all set. What I'm going to do is I'll click over to just a couple of different rooms here, and as you can see here, our network connection is still continuing to be up and running, albeit a little bit slow right now. You notice I just zoomed in on the ceiling fan. If I turn fan on, what that really does is it's going through the service gateway, right, from here, via tha public Internet, but it's also effecting a change in the thermostat. It's actually changing the set point of the thermostat to a temperature below the current temperature, and it seems like we have a very, very slow connection here, but if I -- hey, there you go -- there you go. So, we're getting a few frames, and that might be because I'm set up at a bit of a high frame right now, I'm just blowing the buffer on the navigator here, but as you can see, a lot of the interaction with devices is actually possible. Whether or not all of it will happen or not, I'm sure that they will not, but we go out on a limb. We study some of the more advanced, evolving technology, and hopefully we win on a few and a lot of business partnerships are the result. That's all I have. Thanks a lot.
MR. WINSTON: Thank you, Bill. For those of us who are trained in law rather than technology, I can't tell you how impressive that was. I'm just hoping we're not going to be quizzed on this later, because I'm not sure I'm ready. In our last technology presentation, we have Danny Weitzner. Danny's the director of the World Wide Web Consortium's technology and society activities. In this role, he's responsible for the development of technology standards that enable the web to address social, legal and public policy concerns, including privacy. Some of you may recognize Danny from his presentations at previous FTC workshops. Danny? One reminder before Danny begins, we're going to be having questions starting in about 15 minutes, so for those of you in the overflow rooms who want to ask a question, you might want to come down in a few minutes. Again, we'll have microphones in the doorway.
MR. WEITZNER: Thank you, Joel, very much. To prove what Walt Mossberg writes, something about Bill's presentation crashed my laptop, so bear with me while this restarts.
MR. MOSSBERG: And it will scan your hard disk and punish you.
MR. WEITZNER: That's right, that's right.
MR. MOSSBERG: If only someone in Washington would do something about Microsoft, that's...
MR. WEITZNER: I don't think I have a snappy comment on that last one. First of all, let me -- while we're getting started up here, let me thank the Commission for holding this workshop. Indeed, I was -- had the privilege to be at the first workshop that the FTC held in 1996 on privacy and the web, which certainly for me was an important opportunity to start to get a handle on some of these issues, and I think that this workshop is actually in many ways analogous. Someone who I won't mention was saying, boy, we're really so far behind on all these issues, and I think that's the way a lot of us probably on just about all sides of the table here felt back in 1996. Whether we feel that we've caught up any further on these issues and the web space, I guess I have a glass half full view and think that we have made some real progress, in some part thanks to the FTC, since 1996, but there is clearly quite a bit to do. And my laptop is still churning a little bit. Just by way of introduction, let me say that -- I hope you can see this. Good, okay. My name is Danny Weitzner, and I'm with the World Wide Web Consortium. For those of you who don't know the W3C, we're the organization that sets the technical standards for the web. So, we're best known for our work in areas like HTML, the basic language that just about all web pages are written in, we're known more on the hype side for a lot of our work on XML, the next generation markup language that is somewhere in Walt Mossberg's time scale of a couple of years from now going to make I think a very substantial impact on the way we all experience the wireless and the wireline web, the web we know today, and we also have the responsibility, I suppose, of trying to keep track of where a lot of these technologies are going. So, one of the implications of that has been that we've spent a lot of time over the last year or two in very close consultations with standards bodies that are oriented specifically towards the wireless world, such as the WAP Forum, to try to make sure that as we develop many of the new technologies that Bill pointed to and that Walt maligned, that they at least all work together to one degree or another, and I'm going to talk a little bit about what that means. What I'm going to do today in the time we have left is engage in what I think is going to be an exercise in dramatic oversimplification. I was asked to talk about a lot of the underlying technologies in the wireless space. Number one, I'm probably not the right person to do that, and number two, it's pretty impossible to do that at this point in time and come out with any kind of meaningful understanding of what we ought to expect relative to the public policy space. So, what I'm going to try to do is to talk a little bit about how many of the new technologies that we've heard about are going to change the experience that people have -- both of their traditional voice wireless telephone experience around the world and how those same technologies are going to change the experience that people have of the web today. I think that for many of us those are hopefully kind of solid starting points, and what I hope to do is to point out some of the changes that are going to be underway and the ways that I think we'll need to respond as a public policy community. I am lucky enough to have just returned from a joint workshop that W3C held with the WAP Forum last week in Munich specifically on mobile web privacy issues, trying to understand some of the privacy requirements that many of the new wireless access technologies bring to core web infrastructure, and we had a very fruitful two-day set of initial discussions and I think all came away feeling that there's a huge amount of work to do in this area, both in terms of clarifying the basic public policy requirements and understanding how to help the technology in both of these industries evolve to better address the privacy issues. I know that's going to come up later today and tomorrow, so I won't dwell on that. Oh, and I think I brought up the wrong presentation.
MR. MOSSBERG: The analog, Danny.
MR. WEITZNER: Well, I did all this work on these slides, so, you know -- there we go, okay. So, this is the web today in, as I promised, diagramatically oversimplified form. There's a client on the website, that's us when we sit down at a web browser, one of these machines with Internet Explorer or Netscape Navigator or Opera or any of a number of web browsers, in effect, there are a bunch of them out there, and we interact with a web service, whether it's the FTC website where we find the agenda for today's meeting or CNN to find out what in the world is happening with the election saga at this moment. This is a pretty straightforward set of interactions here I think we all understand and that I would dare say even the public policy communities around the world are beginning to get their hands around the kind of relationship here. The world changed, the public policy world, particularly with respect to privacy issues changed somewhat significantly when we added another element to this relationship, and that's what I would generically call third-party embedded content. Specific examples of that include ads, banner ads served by the various networks and serving organizations and streaming media, in fact, so all of a sudden what was really a two-way relationship, a simple two-way relationship between me, the user, and a content provider out there has three components, and I think any of you who have paid even the slightest bid of attention to some of the questions that have come up in the online advertising debate understand that the addition of this extra architectural element, this extra piece of the network into the relationships that we have raise all kinds of questions, including some of the questions that the Chairman alluded to. How does notice work? Who do you go to complain to if you have a problem? Is it the web service or is it that third-party content provider? The mobile web world, what I think is actually sort of appropriately identified by Bill as pervasive computing environments, introduces I think a dramatic extra degree of complexity in the kinds of relationships that we're going to participate in as users that content providers are going to interact with and perhaps particularly a dramatic expansion in the relationships that the public policy community is going to have to look at and understand and respond to in one way or another. So, again, this is a simplification of a lot of the very complex set of technologies that Bill talked about and that I'm sure that we'll hear about during the day, but in what is really I'll just say my own kind of personal reflection on what's different about this new environment from the web environment today, what I think has to be striking to all of us is that all of a sudden, there are a whole new set of intermediaries between us as users on the left side and the traditional web service up there on the top right side. So, what are some of those intermediaries or what in many contexts are identified as gateways, what do some of those do? Well, you heard about some of them from Bill. For example, when I'm accessing some kind of service here on Bill's little Thinkpad -- little Palm Pilot here or whatever IBM calls it -- here, I'll give it back to you -- when I'm accessing -- oh, and there's another one here, they're everywhere -- what I'm accessing -- no, let me keep this -- when I'm accessing a service -- accessing a traditional web-based service on a little screen like this, as Bill pointed out, the service, in order to deliver meaningful content to me, has got to, number one, assume that I don't -- that I can't see color, that all I'm going to see is black and white. Number two, it's going to assume that I don't have anything that looks like a mouse. So, any of those web pages that allow you to move a mouse pointer over certain parts of the screen and have other stuff pop up, that may not work here. Number three, the data path, the bandwidth available between this device -- this device -- well, I don't know about this device, because it looks like it's been modified all kinds of ways, but between a typical device like this and a typical web page is dramatically smaller than the bandwidth available between an average PC that runs a web browser and a website. So, the expectation is either that people are going to sit around for hours and hours while home pages download onto these little devices or those home pages, that content that's over there on the right side are going to have to be, in IBM's words, transcoded. They are going to have to be changed so that people can -- so that people's little devices like this will remain useful. Now, how is that going to happen? The way that the technology seems to be evolving is that the devices that we carry around will be identified to these gateways. The gateway will know I'm using this particular kind of, in fact, customized Palm Pilot, and when it receives a request, it may do one of two things. It may then tell the web service that I'm trying to access, Danny's got this funny device and it's got this ID number, make sure you send content that that device can understand, or instead, it may do something different, and it may do -- it may actually engage itself in this kind of transcoding that Bill was mentioning, so that the -- that full, feature-rich, content-rich, color-rich, mixed-media web page that we're used to seeing when we look at the CNN.com site is going to be shrunk down in all kinds of ways dramatically by this intermediate device. Another function of the gateways is going to be that, for example, if I'm trying to order the proverbial airline ticket over this cell phone because I'm stuck in O'Hare because it's snowing, how am I going to do this with these little four lines of display, and more importantly, with these nine buttons where I have to press them multiple times just to get a single letter? Well, probably what I'm going to want to do is I'm going to want this gateway, this entity that sits in between me and the content provider, in between me and in my case probably United Airlines, I'm going to want United Airlines to know that I'm Danny Weitzner, that I'm at this address, that I use this credit card number, that I use this frequent flyer number, that I like window seats, et cetera, et cetera, et cetera. Who is going to store that information about me? Who am I going to trust to store that? Am I going to enter it all in, and I'm going to say window -- no, I'm not going to do that, because I'll miss the last plane possible. What instead I'm going to do is I'm going to rely on these -- on the user profiles that are stored by someone in between me and United Airlines to send that information, to send them my credit card number, to send them other preferences that I may have. Finally, lots of services that I may be interested in, some of the services that the Chairman, in fact, mentioned, the buddy service, the "I'm downtown and I want to have a beer with someone" service, rely on knowing a fair amount about the location of me, assuming that I'm connected to the particular wireless device I'm using, and they rely on some ability to provide that location information hopefully to the people I want to see it only, to services out there. And again, this is not going to be a situation where I'm going to see on this little device that maybe is enabled with a direction-finding service, like GPS, that's going to tell me I'm at 49 degrees, 22 minutes, et cetera, et cetera, and I'm not going to type in all these things, I promise you, into these phones. Even the geekiest of people are not going to want to do that. Instead, we are going to end up in many cases relying on gateway services provided somewhere inside the network to relay that information to the people who we want to have it. Now, finally, the question about how the third-party content, such as ads or streaming media, gets between the services and the users in this network I think is substantially an open question, but no doubt there will be a lot of interest in doing that. What I would also point out here is that my expectation is that when I'm using this kind of network, I'm going to -- I'm going to have access to in some sense what are technically really two different kinds of services. I expect that I'm going to have access through the traditional web services we understand that can be accessed -- where the same service can be accessed either through one of these mobile devices that goes to this relatively complex network architecture, or through a PC web browser, and also a web service that I access in this very simple way. I don't think that just because we add all this complexity we're going to lose what we now understand to be the traditional and perhaps somewhat quaint kind of web interactions that we have today, and I would suggest to you that it's very important for all of our thinking going forward that the user here, the client on the left side, in many cases isn't going to know what kind of service he or she is accessing. Maybe it's a traditional website. Maybe it's a service provided uniquely by that user's network provider, their cellular network provider. The user's not going to know, and in many cases the user's not going to care. So, I want to try to address very quickly how you do all this, how do you make that very complex world possible. As I said, I think that whereas the web in 1996 was in a state of significant development, if not confusion, it has now more or less settled down, and the way that we from a technology standpoint interact with web services is relatively clear and stable. All of us essentially use the basic Internet protocols to access websites, TCP/IP and HTTP. Those are the -- TCP/IP is the basic network service that moves information around, whether it's for the web or e-mail or for anything else. For the web we use a protocol called HTTP, which is specially designed to give people access to web pages and to create links among web pages. We access a pretty uniform kind of content.People who want to make content available on the web today know that they have to do it with a particular language called HTML. That will change probably over time. And increasingly even on today's web, the way that people's public policy-oriented services, such as information about privacy policies, information about the signatures or the authentication of documents, are managed according to a developing set of technical standards. On the wireless web today, I think what we see is a pretty substantial diversity. I don't know that I'm quite as pessimistic as Walt about the kind of Tower of Babel problem, but it's pretty clear that at all of these levels, there's quite a lot of diversity. There is not a single standard for the underlying network transport; there's not a single standard for the protocol that moves information around in these networks. Content has not settled down into a single standard, and certainly for security and privacy and other kinds of policy issues, there's not a single standard that everyone can rely on. Let me -- since we're coming close to the end of time for this panel, I want to try to conclude very quickly. These are some issues that I think we have to keep in mind as we explore this public policy space, and they're my effort really to point out what I think are some of the critical differences between policy frameworks and ways of thinking that we've evolved for the web and the ones that are going to be appropriate for this environment. First of all, as I talked about, there are going to be a variety of gateways, a variety of intermediaries that stand in between the user and the service at the other end of the network. In many cases, those gateways are for purely technical purposes. In some cases, those gateways will exist to manage or in some cases alter the business relationship or other kinds of relationships that the user has with the service provider on the other end. What I would suggest -- and finally -- and those gateways are important both from the user perspective and also from the content provider perspective. I think it's sort of axiomatic on the web today that when I put up a website, I don't have to negotiate with anyone to make sure that that content is available to every single user on the web who wants to see it. Whether that's the same in this environment I think is an open question. I think that what I would suggest, though, is that for all of the importance of these gateway relationships, the boundaries between interactions that go through these gateways and those that don't, interactions that are secured perhaps by some intermediary, interactions where perhaps some intermediary is watching out for my privacy rights, interactions where perhaps an intermediary is monitoring the intellectual property rights of a content provider, that from the user perspective, those interactions will blur together with the interactions that we have today with a typical website. I think that from my perspective, what is most important as we go forward is to build on the common shared information space that we have with the Internet and the web today. This is not to say that every single device has to be able to access every single kind of content. As I think was eloquently pointed out, I may not want to watch a full motion video on this little device, and we shouldn't require that that is the case, but I do think we have to pay very careful attention to making sure that the evolving protocols ensure the possibility of consistent access and make sure that we don't create Balkanization between different islands of content spread around. Finally, I would say -- and this was really the subject of the workshop that we had with the WAP Forum last week, so it's very much a work in progress, because of the fact that users will be navigating across different environments between the traditional web world and the new kinds of services that will be possible through the wireless world, I think there was a fair amount of consensus just in the discussion that we had that users do expect a common experience. They expect that if they have a privacy relationship with a website in the traditional web world, that that relationship will be carried over when they access that same service in the wireless world. I think that they expect that if they have digitally signed a document with a web service, maybe it was a check that they sent, maybe it was securing access to a credit card statement or something like that, that they will have that same kind of security in the wireless world. So, we have to be very careful I think to create a consistent set of expectations, and certainly work to build technology and policy approaches that alert users when they're crossing boundaries and when the expectations are changing. So, since I see several people encouraging me to conclude, I will do that, and thank you very much, and I look forward to questions.
MR. WINSTON: Thank you, Danny. I think we have a few minutes for questions. We're going to do this the old-fashioned way. If you have a question, raise your hand, and I will call on you. Wait for the microphone to come from someone, there's a microphone right there, and if you could just identify yourself and your organization when you ask the question.
MR. DANIELS: Sure, Seth Daniels. I think everyone did a very good job, and I want to thank you, but one thing that really came across to me is that there are really different technologies that we're talking about. We're talking about cell phone technology, and then we're talking about a new technology that wasn't really clearly defined, that being wireless IP. I think we identified that Ricochet and a couple other providers are talking about wireless IP, and if you're talking about wireless IP, WAP does not necessarily apply, because WAP is more device-dependent with the issues involved with the cell phone technology. So, what's kind of interesting is even in this room of people that should be in the know, there's still a lot of confusion or not -- maybe I shouldn't say confusion, but there's not a clear message being sent, and to the consumers, it's even more obscured. The other part or maybe more of a question is what are the regulatory requirements for the wireless IP providers that are not making calls but seem to be somewhat outside of the scope of some of the guidelines as I have read them relative to location reporting?
MR. MOSSBERG: Can I just say, I can't -- I don't know anything about regulatory requirements, maybe others do, but I think you're right, that just observing the three of us so far, and the conference has hardly started, this word "wireless," this term "wireless" is way too broad, and it means many things to many people. Bill showed you what I thought was a very interesting demonstration of a whole kind of wireless that I didn't even mention, which is essentially wireless inside buildings. 802.11, which incidentally has been renamed just to confuse you further Wi-Fi, Bluetooth, which has produced more press releases than actual devices, and Home RF and some other things, all of those things are designed to allow devices that are properly equipped to talk to each other over relatively short distances, and one of the things that they can do in talking to each other is to pass along an Internet connection and, of course, hopefully a broadband one, but that Internet connection today is primarily coming across the same wired system, not wireless, but wired that we all know about. So, in other words, I wrote about -- for those of you who read my column, a couple weeks ago I reported on what it was like to set up an 802.11 high-speed wireless network inside my house to distribute a wired DSL line coming into my house, and I hope you're following me. I don't have wireless Internet in my house just because I have a wireless network that operates within the walls of the house. I have a wired Internet connection that's distributed wirelessly. The experience is wonderful, incidentally, in terms of being able to carry laptops and eventually things like this around in rooms, and I actually have one or two of these in my house that I'm testing, but it's not the same as being out on the street or in this building or in a cab and trying to get this thing to give me a broadband wireless connection. So, we have to be very careful in the terminology that we use. I'm sorry, I don't know about the regulation part. Did you guys -- okay.
MR. WINSTON: Yes, over here. If you could introduce yourself again.
MR. LEMAITRE: Mark LeMaitre, I work for Nextel Communications. This is going to be difficult. I'm not going to talk about technology, but it's quite obvious that amongst the speakers today so far there's been both a desire and a concern about extending the wireline existing Internet experience out to the wireless device. I think it's both desirable in some circumstances and very difficult practically to achieve, but I was interested to -- and I was at the workshop that Danny was at last week. One of the things that we found was that -- or discussed was that in order to make the experience a lot more compelling in a wireless environment, certainly with the PDA, the notion of where I am and what I'm doing becomes extremely important, and so whilst I agree that protocols that we have got on the -- being developed on the Internet today for privacy satisfy the notion that I'm in front of a big screen surfing content, when I get into a wireless environment, the stakes go up in that I've now got information about my personal location, my personal --you know, my state, what am I doing. What am I doing and where am I doing it are very difficult things for people to give away easily, and I'm wondering if you can just touch, Danny, on the notion that as the stakes go up, so do the controls, and the levers that we have to put back in the consumers' hands have to get better.
MR. WEITZNER: I think that there is no question that they do. There is -- and one of the points that I found particularly striking about the workshop, and I don't want to give anything more than my personal impressions of it, because we're still working on developing a kind of a common statement coming out of it, but my personal impression was that there is a shared sense across the web industry and the wireless industry, however you define those boundaries, and everyone in between that putting users in control of their personal information, particularly, as you pointed out, when it comes to very sensitive information such as the location of your device or whether you consider yourselves at work or on -- or having fun at any given moment, whether you're receiving calls or not receiving calls, et cetera, whether you're in a restaurant or in a bar or whatever else you're doing, that indeed I think we need much finer-grained user control mechanisms for the wireless world than we currently have for the web world. In the web world we've taken one step in developing a privacy-oriented standard, P3P, which I won't rattle on about, but I think that the wireless world introduces a whole set of requirements on top of that. I think we need the consistency of a common platform like P3P, and this is true really for essentially any protocol we're talking about, I would suggest, that the user is aware of, whether it's security or privacy or any number of other things, but we clearly need more features available, and most importantly, I think we need a higher degree of control so that users are comfortable operating in an environment where they are, in fact, disclosing and relying on the disclosure of quite a bit of personal information. One of the points that I would just bring out quickly from the workshop that, Mark, you had a lot to do with raising was really the question of who is the user going to trust in these sorts of situations? The wireless carrier is the source maybe of that location or maybe it's some other entity in the network that knows your location. Who is the user going to rely on to mediate in some sense the disclosure of that information to make sure that as it's used in various other parts of the network, it's used consistent with the desire of the user, and how are we going to work that, and what kinds of interoperability protocols do we need across all the services that are going to participate both on the web and on the wireless side?How are we going to get that all to work together? I think it's a very substantial challenge that the wireless world has brought here and one that I think we've got a lot to do to figure out.
MR. MOSSBERG: Can I interject a note of deep skepticism for a moment, as I have been trying to do all morning? I don't even for a nanosecond doubt your sincerity, Danny, or those of the people of this workshop, although I would point out that WAP is a 100 percent utter failure as of the moment on cell phones, but to tell you about the privacy thing, I just would like to note that we have had four or five years now of experience with consumers using the wired web on very powerful devices which could afford you a tremendous amount of privacy protection, and we have done very, very badly. There is no privacy and a very bad level of security for people using the web on computers in a wired way today, and I personally now -- speaking as a journalist who is paid to offer opinions, that's what being a columnist means, I would tell you that I believe you won't hear this from many other people who write in The Wall Street Journal -- I believe we need a federal law that is very tough and very powerful on privacy that would cover wired and wireless, and in the absence of a federal law enforceable by jail terms -- I'm very serious about this -- none of -- as I said, I attribute complete integrity and honorable intentions to you guys, but none of that will matter, because to the extent the wireless web and location-based services and user profiling become economically important and marketable, you will have the same kind of irresistible pressure from people ranging from the worst sort of hucksters to the most honest businesses to try to sell you things based on that. There has to be some basic legal -- I'm not talking about micromanaging every transaction, but a law that would set out at least some general guidelines on who -- saying that the consumer should be in control. In other words, little things like opt-out versus opt-in, and I know there are privacy people here who know much more about it. Sorry, I just needed to try to inject reality, that's all.
MR. WEITZNER: Could I just respond very quickly? All I can do is to say that I think that what we have to do is take a global perspective on this and recognize that any of these infrastructures that we're talking about exist in a context that I think will always be marked by a real diversity and a real divergence in real standards. Already Europe has I think the kind of environment you might want to have, without getting into it too far, and what we see is the need for services to be able to exist in a variety of legal environments --
MR. MOSSBERG: Well, ultimately you need a treaty -- ultimately, I'm sorry, there is a role for governments, and you need a treaty ultimately.
MR. WEITZNER: And I'm not disagreeing with that in any way. I think there is absolutely a role for governments. I think the question on the table is whether it is more than is currently happening, and I think there are serious arguments on both sides of that.
MR. MOSSBERG: Nothing is currently happening.
MR. WEITZNER: Let me just say real quickly, you say you're not trying to micromanage. I am actually talking about trying to micromanage, because I think whether you're working in an environment where there's a real comprehensive privacy framework such as the European Union or whether you're working here where I think everyone would agree there's a much lower profile legal environment, without making judgments about it, that from the user standpoint clearly what users want is the ability to make very fine-grained choices --
MR. MOSSBERG: I'm sorry, I meant the government should not be micromanaging, but the user needs to be in control. They need to be able to say no, you can't -- you know, I want you to know my location because I want to know what's playing at the nearest movie theater, but that goes no farther, and by the way, I don't want you to serve up an ad based on my location or I do want you to serve up an ad.
MR. WEITZNER: That's right, and I was just riffing off of your micromanagement to say that the need for micromanagement is there. I tend to agree with you that it's not at the level of regulation.
MR. WINSTON: We are going to be spending a lot of time on this topic over the next day and a half, and it's obviously one people have a lot of opinions about, so why don't we hold off for now. We do need to move on to our next speakers, so I want to thank our panelists. We have enjoyed your presentations.
MR. WINSTON: If you could all wait around, we have one more speaker before the break. We are now going to turn from the discussion on technology to look at the international experience in the wireless area. As we've heard, both Europe and Japan are ahead of the U.S. in terms of deployment of wireless services to consumers, and so we may be able to learn some lessons from the international experience that will help us. Our next speaker is Jason Pavona, who is the director of wireless strategy and personalization for Terra Lycos. He's been instrumental in building the infrastructure necessary to take the Lycos network into the next generation of content, including Lycos' extension into wireless, and he's going to be speaking about the development of the wireless space abroad and offer an assessment of how that may translate to the U.S. Again, hopefully we will have time for a few questions afterwards, but we'll see how it goes. Jason?
MR. PAVONA: All right, so, I am going to start off with just a couple remarks and then really kind of delve into what's reality now in Europe and finish a little bit on Asia. I, unlike some of the other panelists, do not share the skepticism that's really out there in the market. I think that as you'll see moving forward that as the Internet grew, it was about applications and services, and wireless is much the same way. You know, we have kind of three mantras that we move to in this space that make it pretty appropriate. The first one is the right device for the right person. I think one of the most interesting things that I saw was not the presentation that Walter gave but the fact that he spent the entire time actually using his Blackberry checking e-mail. So, obviously he found a very interesting way to use wireless, and I think that that's really what this is all about. It's finding the right device and the right application that drives adoption and drives usage across the board. Obviously there are technology needs that need to be addressed, there are regulatory needs that need to be addressed, but at the end of the day, this is an industry and this is a mechanism for delivering data and information that is incredibly important and going to happen. We just need to make sure that we're addressing it. So, let me kind of walk through how Europe is different. First, GSM technology standard, one standard across the board makes it very easy for operators and content providers to work together to deliver up content and services and to roam across different countries. Next, lack of a traditional land line infrastructure, why is this important? Basically in the U.S. we are very lucky to have the ability to get almost universal access to the Internet, while in Europe, for example, in Italy, it can take up to six months to get a telephone line into your house. Obviously this means that mobile access is something that people are incredibly willing and have the need to get as soon as possible. So, what you'll see is that while in the United States the GPL land line structure is important, it will leverage wireless, where it's opposite in Europe, where the traditional wireless user will leverage land line as it continues to grow out if it grows out. Negotiation, metropolitan environment, moving towards oligopoly. Obviously most of the countries in Europe had a state-owned telephone agency. That has obviously opened up over the last decade in terms of competition, but it is still very much pervasive where the traditional carrier still holds a majority of the penetration of wireless users. Next, operators building portals. They're very much moving towards an AOL versus EarthLink and Terra Lycos model. So, AOL provides access and they also provide content in a walled garden type environment. Now, this is obviously changing across the board wherepeople want open environments to get information, but it's important to realize that in some ways, especially in Europe and Asia, carriers want to control what information people are seeing. Next, pay-by-the-drink culture. In Europe, it's very different, where people actually do not pay for every call. If you receive a call, you do not pay for that call. So, it obviously drives adoption upwards. Next, limited flat rate pricing. The culture in the U.S. is all about what am I going to pay? I want to know what's the most I can pay, and if there's a maximum, that's important to me. So, that's very different than where everything is pay by the drink. Prepaid and low credit card use, which means that people understand what the billing is or they have already set up a calling plan that's important to them. And caller pays, obviously driving usage, as we talked about before. So, I did not put up this slide to make everyone have a problem reading it or test your eyesight, but it really goes to showing kind of where online penetration and mobile penetration are important. So, as you can see, mobile penetration in most European countries is extremely high. This is not true in the United States; however, the lines are completely different that PC at home or actually access to land line infrastructure is hugely -- has a huge penetration versus the wireless penetration, and this goes back to the point where in the U.S. we are very much considered centric on the home and the PC and how that's very different than wireless and that's why most people have had a bad experience. Now, take it to a different level. What happens if the only way I can access e-mail is on a WAP phone or on a device that has a limited ability to view that information? I will tend to use that advice, I will just use it in a very different way, and that's what we're talking about here. So, how to view the European market, really three ways that we really look at it, Internet focused, Internet aware and mobile focused. Internet focused is much like the U.S. where PC and Internet access is pervasive and the relationships with portals and other content providers are already there. Next, Internet aware, where, you know, there's medium PC penetration, Internet access rates are lower, there's really not a distinct relationship on the Internet side for particular access. And then finally mobile focused, where there's a very low Internet penetration but high mobile penetration, and what you'll see is these cultures taking on devices and services very differently than they would in the U.S. or around the globe. So, what have we kind of learned across Europe and Asia with our joint ventures, and what mobile applications do people really prefer to see? Number one by far, and I think that this -- this line should be across the top, e-mail access. It's really about communicating with one another. Instant messaging, it's about being able to access people on the go wherever they are and be able to get important messages to them. Obviously there is -- there is an incredible need for that not only in the U.S. but around the world, and it's incredibly important that we have the ability to do that, whether it's on a small device, whether it's on a traditional PC, whether it's a voice application, it doesn't matter, it's about communicating with individuals across the board. As you move down into some of the other content areas that we've worked with, driving directions is incredibly -- has been an incredibly sticky product that people want to use, traffic and driving updates obviously, weather information, finance and stock information. So, obviously things that are near and dear to people's hearts, sports, for example, and betting. Where the laws are somewhat different around the world, betting is an incredibly popular application on these devices. And then entertainment. So, as we'll see moving forward, one of the key facets of mobile devices will be entertainment. This is incredibly important if you look at some of the demographics of cell phone use around the world, and it's a very high penetration of teens and people within their -- in their low twenties. Why is this important? Because those people are on the device for two reasons. One, to talk with their friends, and two, to entertain themselves, and that is something that will not only drive the penetration of wireless here, when gaming and chat and all those other things that you think of on your PC move to your device, whether it's, you know, a Palm device, whether it's a phone or whatever, but it will just be in a very different way. So, mobile applications road map, where are we and where are we going? The number one product and service for most mobile carriers in Europe in terms of data is SMS. There's about a billion SMS messages sent in Europe every day. So, most people in the U.S. have never received an SMS message, they don't know what an SMS message is, they don't care; however, if any of you have been in a train in Europe or seen teenagers or school kids in a classroom, the number one thing that they're doing is they're sitting on a phone and typing in messages to their friends or they're receiving messages about updates. Now, this may seem insane to a lot of you, and it seems insane to me a lot of times, but really what it's about is communicating, and what we tend to do is find the easiest way to communicate with people, and whether that's an SMS message, whether that's voice, as we've kind of talked about here, it's finding the right application, it's finding the right device and it's finding the right means to get that information to them. How does this kind of change, though, as technology changes? We talked a little bit about next-generation networks. What does that mean? At the end of the day, it means how much faster can I get data to the user? So, whether that's -- you know, obviously a roll-out that is, you know, in the future or today, in Europe right now we're looking at roll-outs in several countries of what's called GPRS, and that's basically a data network on top of GSM, their current standard. Is the bandwidth that that's providing, an incredibly huge jump, does it make it compelling to play peer-to-peer video games or download the video of the Supreme Court hearing? No; however, what it does do is provide a mechanism for us to allow users to have different experiences, and that's what it's all about. As you'll see, you know, some of the things that will continue to come, you know, device location, something that I'm sure will be a heated battle not only today but for years to come in terms of privacy and getting that information to you. Gaming, as we talked about. Video, but not video in terms of, you know, 15-minute clips of ABC News, but more importantly, small clips of information. For example, you know, I'm driving to Logan Airport. For those of you that live in Boston, that could be a 15-minute trip or that could be a three-hour trip. So, I'd like to see, you know, what -- one of the -- you know, what 93 looks like at the current time. So, I want to get a snapshot of that. Now, is that a -- you know, is that a 15-minute process? No, it's probably a three-minute, two-minute, one-minute application that says, show me the best route to Logan Airport and show me what the traffic looks like. So, that's what we're talking about, designing applications to use the best technology. Obviously local advertising, emergency services, things that you've seen already come out, like OnStar. So, there are a bunch of applications that continue to come out and be driven by new technology and consumer needs. So, mobile revenue streams and why is this important? Because in order to understand what people are doing, you need to understand in some ways what people are willing to pay for. Information services, this is really about connecting people with information that they may want. It will be a tiered system. There will be services that are free, there will be services that are premium, just like there are today. Mobile advertising, the same thing, a tiered system. Peoplewill either pay for services or they won't. They will be able to opt out of those services if we, you know, create the correct mechanism to allow them to do that in a compelling way. Mobile services that connect you to e-mail and PIM and unified messaging and mobile commerce, so the question is how broad is mobile commerce? It's the same way when you take an example of calling a call center. You know, when I am -- instead of calling Tiffany's or going to a Tiffany's store for -- for a, you know, a diamond earring for my girlfriend for Christmas, is that Internet commerce? Is that, you know, brick and mortar commerce? I don't know, but the question is, you know, how do I get -- how do I make it as easy as possible for people to buy in the way that they prefer to buy? And whether it's defined as mobile commerce, whether it's defined as e-commerce or whether it's traditional, you know, brick and mortar commerce, it doesn't really matter, and it's about providing them with the best service. Mobile distribution, providing mobile ISPs, whether it's through products like Ricochet, whether it's through products like a traditional carrier would provide, it's getting them the type of ISP they need. And then mobile enablement, really allowing people to move across different areas of the world and have the same access, and that's going to be an incredibly important piece. One of the relationship pieces that we talked about earlier that started off to be a heated battle was location and billing. So, one of the keys that will drive this, and I'll talk a little bit about this when I talk about DoCoMo in Japan, is the location of the user, obviously that can drive an easy product or it can be a nightmare for privacy, and then finally the billing relationship, how easy is it for me to pay for something, which is an incredibly important piece of mobile commerce and mobile moving forward. So, North American mobile consumers are different. I think that this is a statement that I often hear within the industry, and I don't always buy it, because at the end of the day, cultures are always different, and the applications that are within those cultures really drive the adoption. For example, you know, we've talked with some folks in the Midwest that want to basically have built for them a way to get the hog report every week, and that -- well, that would not transfer anywhere else in the world, but for them it's a very important application and one that needs to be built. So, is that something that we should do? Definitely, and that's providing access to information that's important. So, some of the things that we talked about earlier in the panel is U.S. technology standardization and carrier market infrastructure drive adoption. No technology standard in the U.S. is an incredibly difficult problem, not only for people within the industry but for the consumer at large. Multiple operator choice and limited nationwide coverage. I'm sure all of you have had the experience of traveling across the U.S. and having poorer coverage in some areas, depending on the network that you're on or the carrier that you use. High land line, low mobile penetrations, so obviously the U.S. consumer has very high expectations of what mobile data is, and that's a very dangerous thing. Obviously we want to make sure that we have the best possible product that makes it very easy for the user to use, but it's not the Internet. It's not, you know, high-speed, you know, video and voice to a phone, and people need to understand that. Flat rate pricing and all calls are billed, so this makes a very different piece of the puzzle for sure. Low affinity carriers and high churn. So, because of the multitude of carriers across the United States, it's a very different mechanism for providing products and services, because you don't always know where you are. Next, applications drive adoption in any region. So, I don't care if we're in the United States, I don't care if you're in Israel, I don't care if you're in Russia, in Japan or Europe, it's all about applications in specific markets, and it's making those applications as simple to use as possible. The one thing that we have learned across the board, whether it's on the Internet or it's on wireless, is if you make applications and services simple to use, people adopt them, especially when they're compelling. Then finally, culture drives applications obviously. So, I am going to talk a little bit about NTT DoCoMo now as a case study. Besides NTT DoCoMo, for those of you who don't know, has been used a great deal in the wireless community as one of the wireless success stories, and that's had a lot to do with the number of subscribers that they've gotten, the number of applications that they've built and the adoption of the product across the board. Obviously it doesn't help that they're a monopoly within their country and that there's, you know, little competition, but that being said, they have built a very compelling product, and as you'll see, it's very interesting. What NTT DoCoMo has reallyat the end of the day provided is an ISP, a content source and a billing mechanism. So, consumers have the ability to easily access content and services and be billed for those. And what is this really translated into? Let's look at the subscriber growth rate. The service launched in February of 1999. There was an original one-year target of 3 million users. By mid-May of 2000, there was already 7 million users, and basically out of 60 million mobile subscribers in Japan. So, that's a huge jump. I think now they're up to about 12 or 14 million at this point. So, this slide is actually old. And half of iMode users are less than 30. So, subscriber growth rate, what are the services that people are using? Messaging, 60 percent of iMode users use mail every day. So, as you would obviously log onto a PC to get mail every day, e-mail users log onto their phone to get mail every day, a very different paradigm. Database access, whether it's a telephone directory search, restaurant guides, trying to find out information, where you are, where you want to go. Information, something that is near and dear to all of our hearts, we want to find the most up-to-date information as fast as possible. Entertainment, one of iMode's most popular products right now is a ridiculous based game that involves, you know, karaoke types characters, and it drives absolutely immense minutes of use within the teen-age market. Transactions -- being able to access 270 banks, online purchases, stock trading and travel reservations. So, it's a very different model but much of the same products and services that you see in the U.S. Now, obviously there is a need to temper some of these points, I'm not -- I'm sure most of you can't imagine walking up to a bank and instead of use an ATM use your phone to transfer information, but that time is coming. Is it coming tomorrow? No. Is it coming down the road? Yes. So, I won't go too much into the pricing model here, but, you know, at the end of the day, what NTT did, NTT DoCoMo, that is, is really price it so that it can provide personal access and they would get a high adoption rate, but it has incredibly increased their average monthly bill across the board. So, what's the future look like? And we talked a little about this earlier, but it's really about enabling mobile assets for the future, and the future will look very different than it does today, but the same principles will be there. It's about providing people or having -- providing access to people how they want and when they want it. So, whether that's through a WAP device, whether that's through an SMS alert, whether it's through voice or whether it's through the Internet, everyone will be able to access the same information that same way. It's also about providing personalized content. So, people want to be able to see the same user interface and same piece of information no matter where they are. Now, that is somewhat different in terms of -- let's take an example of -- let's take an example of a stock portfolio. If I'm sitting at my PC at my desk with a broadband connection, I may want to see charts, I may want to see information that is about that -- you know, news stories, whatever it may be. Now, if I'm on my Palm Pilot, I may want to see a subset of that information. I may want to see four or five stocks I want to know about. If I'm on my cell phone, I may want to see one stock, know if it moved and know what the current price is if I trade, as easily as possible. So, it is about having information that iscompelling and also being able to access it in a means that the user wants, and that will continue to be a compelling piece of where the Internet moves. So, it won't be the traditional means of just the PC. That is it. So, happy to take any questions that you guys have.
MR. WINSTON: We are not going to have time for questions.
MR. PAVONA: Okay, then I guess I'm not.
MR. WINSTON: Thank you, Jason. Sorry about cutting off the questions. We're going to take a break. We need to be back about 3:20, that's in 15 minutes. Just a reminder, we have all the presentations upstairs of the various devices on the 7th floor, and I want to thank the U.S. Chamber of Commerce for providing the refreshments during the break. See you back in about 5 minutes.
(A brief recess was taken.)
MS. FEUER: If everyone could take their seats, we would like to get started with this session, and if people can sort of pull the people in from the hallway if you're standing by the door. Great. Well, I could tell it was a wireless conference, because when I walked outside, everybody was on their cell phone. It was pretty amazing. I didn't know if you all were just making calls or accessing the Internet, but it's more cellular use than we're used to seeing here at the FTC. I'm Stacy Feuer, an attorney in the Bureau of Consumer Protection and the moderator of this workshop's first round table discussion. During the opening presentations, the speakers talked to us about various technologies, products and services, described how consumers are using these products in Europe and Japan and the issues implicated in delivering wireless services to American consumers that will meet their expectations. Now we shift focus to take a look at the business models that the industry is employing for the wireless space and how these models will help or hinder consumer adoption of e-commerce and wireless services. In Jason Pavona's words, what are people going to be paying for and what are they going to get in return? To discuss these issues, we're pleased to have on the panel Amanda McCarthy, an analyst in the telecommunications group of Forrester Research, a leading independent research firm that analyzes the future of technology change and its impact on businesses, consumers and society. Next to Amanda is Mark MacCarthy, the senior vice president for public policy at Visa USA, Inc. who coordinates Visa's public policy initiatives and strategies in electronic commerce, the Internet and m-commerce. Then we have Alan Reiter, president of the consulting firm Wireless Internet & Mobile Computing. He has been analyzing the convergence of wireless communications and computing since 1978 and specializes in jump-starting new businesses and enhancing existing operations in the development of leading edge wireless products and services around the world. He also publishes a newsletter covering the wireless industry. Jerry Cerasale, senior vice president for government affairs at the Direct Marketing Association, the largest trade association for businesses interested in interactive and database marketing is also with us. We also have Reuven Carlyle, the vice president for strategic development at Xypoint Corporation, a provider of wireless location services. Xypoint, which was one of the earliest companies to develop location technology, last year refocused its business operations and added wireless data and voice applications. Just last month, Maryland-based Telecommunications Systems, Inc., purchased Xypoint for $68 million in stock, which will enable them to offer new services. Mr. Carlyle, who has also worked with various wireless startups, has kindly offered to substitute for Al Gidari who was supposed to appear on this panel but unfortunately came down with the flu. Finally, we have Jack McArtney, director of messaging for Verizon Wireless, one of the largest wireless providers in the United States. Mr. McArtney is in charge of messaging and integrating all types of messaging into Verizon's wireless strategy, including its development of voice portals. Mr. McArtney has asked me, and I have to read this, to advise the audience that Verizon Wireless is in the registration period for a prospective initial public offering of its equity, and therefore there are restrictions on his ability to discuss certain matters concerning Verizon Wireless operations, especially with respect to forward-looking statements and forecasts. Being an attorney, I can appreciate the person who drafted that and sent it to me. Before I pose the first question to the panelists, I want to invite members of the audience who are viewing us from the overflow rooms to join us for the Q&A period. If you want to ask a question, please come down by about 4:05 and stand at the door to 432 and we'll give you a roving microphone so that you will be able to participate in the Q&A. To start off, I want to start by asking Amanda the first question and encouraging the other panelists to jump in if they have thoughts. Amanda, in your May 2000 report on mobile Internet realities, you advise the main operators in the wireless space, the carriers and the portals to "give up trying to own the customer and instead offer multiple distribution channels, best of breed content and new branding." What types of relationships do you see consumers having in this new wireless space and who will those relationships be with primarily?
MS. MCCARTHY: Thank you, hello. That sort of statement makes a lot of friends and influences a lot of people in this industry, and I think the statement is really important, and I think it's important in the States right now today only because those folks to whom the wireless web is being offered are really adopters, if you -- it's really hard to explain the mobile Internet in one sentence, let alone explain all its nuances and benefits. So, those folks using it are in the vanguard of technology adoption today. I think that will change in the future, but today it is those early adopters. So, those early adopters today have a lot of different communications services provider relationships. They might have relationships with online providers of content and commerce, and they undoubtedly have a whole lot of relationships with mobile operators and carriers for things like broadband services. My question then is, all right, if the mobile Internet will be offered to these people, who is in the best position to offer it to them? Is it a major operator who is in the phone business suddenly bringing the Internet to these people, or is it the online leading brands who will bring these mobile Internet services to consumers? I think that's a real issue, and I think that already we've seen folks trying to get together to use those big brands to market the mobile Internet, but a whole lot of cooperation is not yet in the cards, because let's face it, everybody wants to own the customer, and I do feel for the mobile Internet to really make sense, to really be brought home, there's got to be an awful lot more cooperation and kind of working together to create new applications than we've seen thus far.
MS. FEUER: Does anyone have any response? Mark?
MR. MACCARTHY: I'm not sure it's a response, but it's I think an agreement. As this market matures, I think we'll see that the customer is going to maintain a relationship with each of the major players in the market. The device manufacturers, the wireless operators themselves, the merchants, the content providers, and the payment facilitators, such as Visa, will all maintain a direct relationship with the customer, but we don't think that any one player in the market is going to maintain a dominance in the relationship with the customer.
MS. FEUER: Jack, what do you think of that from the carrier perspective?
MR. MCARTNEY: Well, I think the point that struck me the most from the first comments by Amanda was the term "ownership" and what is meant by "ownership," and I think that a very important element of that is the responsibility for providing service to the customers, and we take very seriously our relationship with our customers, and I think if it comes down to defining ownership as the person that gets the phone call at 3:00 in the morning when something doesn't work, we have that obligation, and we must honor that obligation. So, we have to be very careful about how we define those terms. As we look at our relationship with our customers, we would hope that it is always one of if not the primary, relationship that we have for wireless communication and that we work in partnership with content providers, services providers, commerce providers to offer those services.
MS. FEUER: Alan?
MR. REITER: I don't know about the people in the audience here, but my carrier doesn't own me; it holds me hostage. I don't think most carriers -- I would say that Amazon and Nordstrom own me more than my cellular carrier. If you look at how the carriers have not been doing a job in selling wireless data in this country, I think it's incumbent to see that the future, the future of wireless data services will be based not upon what the carriers are doing as much as what Yahoo is going to be doing and what AOL will be doing and what the retail industry will be doing that they haven't been, like Nordstrom and so forth. Give me Amazon for a customer service rather than a cellular carrier. So, I think that the future in the United States will have to be other companies that really know how to service the customer getting into this market and providing good services.
MS. FEUER: Well, I -- Jerry?
MR. CERASALE: Yeah, I think that the relationship with the customer potentially changes. I mean, when you have something where your wireless communication doesn't work, you're going to go to Verizon and complain, because that's with whom you have a contract to get your service, but if you're looking at the web and you're on a web page, you are dealing directly with that web page. Now, also potentially there's an AOL that could be inside somewhere, so the relationship that I have as a customer can change as the application -- where I'm looking -- changes, and I would know that. So, I don't think that there's any particular one person that owns the customer in these applications.
MS. FEUER: Well, let me if you don't mind, Amanda, segue into another area I think that directly relates to this, and it was one that Reuven and I were talking about this morning. He's been in the wireless space for a long time, both working for a carrier and working for an application provider and working with various startups, and we were talking about how many in the industry are combining, carriers and information providers and location service providers, to create one product, and there's, of course, many questions about how it ultimately gets delivered to the consumer, but I'd like to ask Reuven to address what kinds of partnerships he sees developing and how do these partnerships impact on consumer issues like price and choice and availability.
MR. CARLYLE: It was discussed this afternoon that wireless carriers have a relationship with customers that some customers object to. If you look at it in the context of like an ISP in terms of access, the reality is that the wireless carrier does have a relationship and they're going to continue to have a very substantive relationship for a very long time. One of the reasons is that the marketplace drives services to carriers, because they have a billing relationship fundamentally, they have a desire to provide enhanced services and applications to the user base, but the fact is that the bumblebees that buzz around major carriers from a vendor point of view, from an application provider point of view, from an infrastructure point of view, that provide wireless data, that provide software and provide services, fundamentally treat the carrier as the customer. So, that means that applications that come to market are going to have that kind of orientation. That's not to say that there isn't a revolving customer relationship, but what's interesting is that Yahoo mobile has been live with their mobile portal for 18 months or 24 months. It's been for all intents and purposes a complete disaster. I mean, it's one-way SMS to your phone. Now, users don't particularly value that service, okay, and that's been the primary data application from the web to the phone. Nobody uses it. I mean, how many people want to get SPAM on their phone? There's a very personal, intimate relationship that users have with the phone, and the fact is that data is still figuring out its comfort level around providing services to users given that reality. Now, the Palm and other hand-held devices obviously have a different type of relationship, and you have got all these startups and companies trying to provide applications to that market, but let's deal with the reality. People buy phones to have a phone conversation. Voice is still the driver. As data becomes more of a viable business model and a viable service model, which, of course, is what the carriers and others are driving toward, there is a reality that there's going to be a shift in what people use it for, but until there's an appreciation that the marketplace is looking for applications that carriers can provide as enhanced services to the user, other applications, like Yahoo Mobile and others, are still going to struggle outside of the infrastructure side.
MS. FEUER: Well, let me recognize Amanda. One note, though, I have received a note asking all the speakers to speak closer to their microphones so that this is all picked up in the overflow rooms and for the videotape.
MS. MCCARTHY: Sure. I'd just make a quick point that I don't think mobile operators are necessarily going to be able to deliver continued great services, voice and data, and make them result in a reduced churn on the part of their customer base unless they actually do work with folks like the Yahoos of the world, to have them work with pieces of the network that are doing very interesting things, such as in the arena of location-based services to build the compelling mobile data apps. I agree with you 100 percent. I think carriers as a distribution channel, you can't beat it for reach and for relevancy; however, if mobile operators only pick and choose those services that basically pay the most for a great position on the start deck, we're not going to get a situation that I think iMode actually did benefit from, whereby a whole lot of different applications are basically thrown in front of the consumer base, and those that stick continue to be developed and continue to be honed and perfected, and those that don't fall by the wayside. So, I guess what I'm really arguing for is we've got to open up the world guard to some extent so that the innovative mobile applications can come in. Other than that, I don't think we are really going to deliver something really compelling in terms of a data service to consumers over mobile handsets.
MS. FEUER: One interesting point, I just recently read an article saying that there was something like a thousand applications for iMode in Japan, those are the official ones. There are about 19,000 unofficial applications that you can access through your iMode. So, I think that points to what Amanda is saying. This is a service that's controlled primarily through the carrier, NTT DoCoMo, but that there are lots of partnerships out there. Mark?
MR. MACCARTHY: I want to speak to the partnership question, because we think that that's the way this will actually have a future in the United States, and to find out more about how those partnerships might work, we're working with a company called SkyGo in a trial in the Denver area. A thousand subscribers were given Internet-enabled cell phones, and we're working with 50 retail operators in the Boulder area, we're working with AT&T, with Nextcard, and the purpose of this experiment is to find out to what extent the merchants themselves will experience an uptake in their business based upon the advertisements and promotion that the people who got the thousand Internet-enabled phones receive. Longer-term, we're looking to find out what kinds of promotions, what kind of advertisements in that kind of context really prove to be the most beneficial and helpful, both for the consumers and the merchants. In other contexts, we have done the survey research asking the users of mobile phones what their interest in mobile commerce is, and we've found that for many of them the top interest in mobile commerce comes in the area of ordering hotel rooms, flight reservations, delivering food for themselves, mobile delivery of pizzas and such like that, ordering movies and sporting events, and the market tends to be young. People who are 18 to 24 tend to be most interested in this, 18 to 34 to some degree, but this is clearly the kind of market that's in its infancy. We've found that the three most important variables to determine whether a product or service is of interest in the mobile context is location, time sensitivity and whether the product or service is customized to the interests and needs of the subscribers.
MS. FEUER: Alan?
MR. REITER: I think there is something of a misconception that there is very little mobile commerce going on. There's a significant amount of mobile commerce going on already. We just happen to be in the wasteland of the United States where we don't see that. There are 647, as of a few days ago, content providers on iMode that are officially sanctioned, because iMode bills for that. There are over 19,000 other sites. You are able to buy tickets, you can download cartoon characters, in Austria you can get railway tickets. There is mobile commerce going on all over the world, and it is just in the United States where we're spending years doing surveys without actually rolling out product. That's what we're doing. What we have is statisticians and not implementers. So, if you want to look at what's happening, you know, these bees buzzing around the death star carriers, they are the ones that are actually interested in providing services, but unless you go to a carrier with a silver platter plan where you basically hand them the business and with all perfectly ordered, you are not going to see innovative services. It is not about news, sports and weather. This is generic pap. People aren't paying a great deal for news, sports and weather. They may pay a little bit, but what they're doing is they're getting their bank accounts all over the world. They're getting it in Slovakia. I mean, they are getting their financial information all over the world, they're buying things all over the world. It's only here where we think getting a two-way SMS is a big deal.
MS. FEUER: Well, Alan, let me refocus this question, because some of the things you said raise some sort of fundamental consumer issues, and I'd sort of like Mark and Jack to comment on those, and everyone's raised iMode and Amanda's mentioned billing, and there is a real question here, how are we going to pay for m-commerce? Are consumers going to be using traditional credit cards? Is this going to be billed to the carrier's bill? Again, going back to the fundamental question, what are consumers paying for and what are they getting? And another big question is how, and maybe both Jack and Mark can comment on that.
MR. MCARTNEY: Well, I can I think on the commerce side. I think all options are open for consideration. There's several ways that that can manifest. The first one would be that commerce, you know, pays its own way or that advertising-supported commerce is presented to the customers. That presents the issue of, you know, privacy and intrusion into the customer and I think will be offset by services that ultimately will be borne by that end customer. We had some examples earlier today of services that I think Mr. Mossberg referenced, you know, wanting to have complete control and not having anything sold to him or presented to him that he did not want, and I think that that service is currently available. What needs to be developed are those services that allow consumer choice to opt in to services and to receive solicitations for commerce to present location information in order to be given opportunities to participate in other services and that those will be developed in unison with the carriers and the application providers to present services to customers that they're looking for and that provide them with the type of control that they want. If they want to completely control the access, then it will be most likely at the cost to the consumer, and if they want a relatively free and unlimited service, then that would come with the cost covered by advertising or by the commerce transactions.
MS. FEUER: Right, that's a really interesting point, and, in fact, I am going to turn and ask Jerry about that, but first I want to go back to Mark and just ask him for his views on how are consumers actually going to pay? You've offered one model. I know that I've talked to Mark a little bit about what Visa sees as the actual mechanism, given the huge range of mechanisms out there, smart cards, debit cards, the potential of billing to the carrier's phone bill like is done in Japan. So, Mark, if you could comment on that.
MR. MACCARTHY: Well, clearly, you know, we think that, you know, Visa brings the same strength to the m-commerce environment that it's brought to the regular Internet environment and the brick and mortar customers. We have got the brand strength, we have got global acceptance, we have got wonderful technology, we have security, and I guess most important we have the consumer protections that apply to the use of Visa cards, whether it's in the brick and mortar environment, the online environment or the M-commerce environment. In particular, our zero liability policy applies in all three areas. This is a policy that protects consumers in case of unauthorized use, it basically says that they have no liability for unauthorized use of their card in that environment. In addition, we're moving various new programs, various new security programs and payer authentication programs into the M-commerce spaces as quickly as possible. So, we think that at least initially and, you know, as m-commerce develops, the cards of choice that will be used will overwhelmingly be the traditional payment cards and established billing mechanisms.
MS. FEUER: What role do you see for e-wallets in that? I know that's a term I see a lot.
MR. MACCARTHY: Well, the e-wallets I think is a crucial payment mechanism, because as you try to make an order online, you know, the keypad is small, you know, inputting the payment information is not convenient, it's awkward. The payment information really has to get into the system in an easy and convenient method, and mobile wallets really are the way that that can be done most easily and effectively. The way that would work would be typically via a consumer entering the billing information, the billing address, the credit card information prior to engaging in mobile commerce, and then after that there would be a simple process of referencing that information without having to re-enter it all the time. The most familiar of these is probably the Amazon.com one-click service, and in the m-commerce space, Amazon is really doing fairly well compared to some of the other wallets, but this will really develop we think with the development of multisite wallets, which cannot be used in one particular place but in many places throughout the Internet.
MS. FEUER: Now I would like to turn to Jerry, because I think Jack raised an interesting issue in talking about how is this going to be paid for, and that's obviously part of any company's business model. Commerce attracts advertising, we know that, and lots of advertisers are turning to cell phones and PDAs. I'd like you to comment, if you can, Jerry, on what role DMA and direct marketers will have and what kind of trade-off you think that consumers will make in terms of expensive service in hoping to lower those costs and accepting advertising and being open to advertising on these new devices.
MR. CERASALE: Well, I think that there will clearly be attempts to try and offer services for advertisement on the web. I think that we've seen some failures recently with free ISPs, advertising ISPs, closing up. So, some of that doesn't necessarily -- it's not always going to be successful. I do think the model that we have in North America, the pricing model for at least cellular telephones, et cetera, where the recipient pays for all calls, both outgoing and incoming, have an effect on marketing. You can see that marketers know the exchanges of -- the wireless exchanges, and there is no telemarketing to wireless exchanges at this point. So, I think that there has to be, as you look at it, a -- marketers do not want to go to and will not go to, at least good marketers won't go to customers where the customer has to pay to receive that message. They're going to try and offer something to try and get that together. So, I think that those types of -- that type of a business model is going to come around as we look to m-commerce. The same kind of thing will happen even in how you pay. At some point, as you noticed even with the long distance telephone, you initially received a bill from the local carrier and then suddenly others decided to send the bill separately for long distance phone calls, because they wanted to keep in touch with the customer. So, I think that even with whatever card, the Visa cards and so forth, a marketer will still try and at least verify, here's how much I billed your account and so forth, to keep in touch with you, because that's a way to build the relationship. So, that will continue, as well. But I do think that we will move towards -- especially in an area where the customer is paying for receiving messages, you're going to move to advertisers offering discounted or free service somehow in connection with telecommunications companies and so forth to try and put that package together.
MS. FEUER: Jack, you mentioned that Verizon doesn't have any separate advertising on its wireless service right now, only advertising that comes up when you access specific content providers. I know about the SEC rule, and if this violates it, don't answer, but does Verizon see itself as moving into offering advertisements either to subsidize services or to somehow get customer attention or branding on its SMS messaging and web-based services?
MR. MCARTNEY: Well, I think I can get around the legal issue, and my attorney's in the audience, he can throw something at me if I go too far.
MS. FEUER: Good, good.
MR. MCARTNEY: Our industry is looking at all of those areas. In my office, I get a call at least a day from somebody presenting me with the newest approach to solving churn for my business, for raising my revenues and for increasing stickiness and customer satisfaction, and they come in all different areas, including paying I think to a certain extent where Jerry was paying the cost of a call to a customer to present them with an opportunity; or paying for their monthly service to present them with multiple opportunities; or paying for many of the messages that they get so that every once in a while one of those messages may be presenting them with an offer for something that they've offered up and said I'm interested in getting information about running shoes, let's say as an example. So, the industry is actively considering all of those issues and also looking at opportunities and relationships with content and commerce partners that can offer those same types of transactions, not on the advertising basis but perhaps paying for the delivery of a service.
MS. FEUER: Reuven?
MR. CARLYLE: You know, a couple of key points on that. There is we all know a ton of experimentation going on with respect to the advertising model. If you look at the "Tell Me" voice portal model, which is what a lot of the carriers are moving toward in terms of attempting to in the wireless environment have a voice portal that allows for access to content, as well as Yahoo and a lot of other folks, it's very questionable whether or not it is cost-effective in a wireless environment given the additional layer of costs that you have in that model. What is not questioned, though, is that in a wireless environment, as Mark said, you want localized information, timely information, and -- what was the other thing -- and customized in every way. From an advertising model, you can look at a customer's willingness to pay based upon really meeting those three objectives in a very, very clear way. We have a trial underway that we've been learning a lot from about localization where essentially what happens is in a voice environment, a customer calls a dedicated number, so a number, pound, Starbucks, something like that, and it says, "Hello, welcome to the service. For the nearest Starbucks from your current location," and, of course, that's based upon privacy requirements, et cetera, but it asks the customer if they want that information, and then they can get the address of that Starbucks sent to them in an SMS message just by saying yes or they can get it read to them in a text-to-speech engine or voice recognition. There does seem to be some willingness to pay for that service but more in the insurance model. So, if you look at AAA, for example, customers would probably be willing to pay a couple dollars a month to have the ability to be located. Their wireless carrier could provide that service to them. Would they pay a couple dollars a month to be able to find the nearest Starbucks? Absolutely not. But there's a lot of experimentation, as you say, as we talk about the bumblebees, all the companies that are flying around and calling Jack every day with these different ideas, and one of the things that is very clear is that wireless carriers are not going to provide applications and services in the marketplace unless there is a very clear value proposition around the user getting value and there being some kind of revenue model that makes sense. The "dot com" phase did not bowl carriers over by any stretch as we all know, and partnerships are critical, et cetera; however, there is no question that some of these applications are being stifled, some of them have the opportunity to succeed, and it really depends upon what carriers are going to do with aggressive roll-out of those kinds of services.
MS. FEUER: Amanda?
MS. MCCARTHY: I would like to make a quick comment and actual proposition that maybe the advertising model as applied to mobile data applications isn't the right one. I'd hate to see us take the path of supporting everything with advertising and coming up at the end of the day with a bunch of applications that nobody wants and nobody needs, and I do think there's a real present danger of that, mostly because as an industry we're pretty darned focused on extending things for sale that are online and offline through mobile networks and then through to the device. I think that wireless networks are beautiful and great and I think that devices are exciting, but I do not think they're natural shopping mechanisms. I think folks will pay for great mobile data apps in the area of safety, in the area of customized delivery of various sorts of information and indeed messaging, but I do think that simply extending offers for a cut-rate T-shirt or a pair of shoes or what have you maybe isn't what's truly compelling about the mobile Internet. Maybe if it's a combination, as some of the folks here have suggested, of the customized information and the personalized information, then we won't need to have things advertising-supported; however, I would suggest, as well, and I'd love to hear some commentary on this, is how we get to a level of customization and personalization that actually makes sense, because let's face it, it's fairly crummy online. We've all been SPAM'd. I get a lot of really bizarre offers that certainly aren't appropriate for me, and I'd hate to have those on my mobile handset where my location could be tracked, and I think that most people are going to feel that way. So, I'm sort of wondering what are the business models then behind the creation of really interesting mobile data services that I and a million billion other folks will happily shell out for?
MS. FEUER: And actually, Amanda, as you were speaking I was thinking these were some of the issues we will be going into in-depth tomorrow when we talk about location-based advertising and services, but I am interested by the question that you asked, which is what are the alternative business models? If we're not going to use advertising, will we have subscriptions?I know that the wireless providers used to pay a certain amount of money per phone call, and now we seem to have buckets of minutes. How is that going to work out, and what is most consumer friendly and accessible? Alan?
MR. REITER: Well, I think you are going to find a variety of different plans, and it's based in part on technology. Right now, we are used to paying per minute; too bad for us. In a lot of other countries, it's per second or less than that, but right now we're generally paying per minute; however, we're getting new technology, packet data, general packet radio service. We are going to be paying in chunks of data. In Japan, you pay generally a dollar or two for a subscription or maybe you pay a dollar to download a cartoon character once a day every day for a month. Now, you want a timetable? Well, maybe you pay 5 cents. That's what you might do in Japan. The same thing in the United States. We don't have to do per-minute billing, and it looks likely -- in fact, I'd be shocked if we don't do packet pricing. On the other hand, we like flat rates, as well. So, we have flat-rate pricing for things like paging. Advertiser-supported services? You don't have to have either/or. You can get news headlines brought to you by New York Times, that's it, or an ad, news headlines and detailed financial analysis gives you one more little ad, or you have a scroll-down ad where you're able to say -- you put your cursor on a line and it says, "Subscribe to the Times, get more information."There are different, innovative ways. So, I think over the next year we are going to see a lot of pricing models and we are going to see a lot of interesting advertising models, and people are going to be working on the phone ergonomics, as well.
MS. FEUER: Thanks. Jack?
MR. MCARTNEY: In addition to that, I think there are also opportunities for nontraditional players to offer telephone services similar to the applications that Mark talked about before where they sponsor the entire package, the phone, the service, and in exchange for that, they're presenting that customer with opportunities for commerce or solicitations, as well. So, I think Walter Mossberg hit it very well. We're all right now, sitting even I think at this table here, really limited by, you know, four lines of a display and a ten-digit keypad, and I think we need to step past those pieces and think way beyond this device that's not a computer, not a typewriter, not a big display. There's other ways of taking advantage of that audibly and orally that have nothing to do with text, and I think the "brought to you by" is an excellent example of that. People who want a better service, more reliable, perhaps a more trusted service, will be happy to have that delivered to them by a trusted source, like a reputable news or financial agency who's sponsoring the whole series of transactions to have that opportunity to speak with that customer.
MS. FEUER: Amanda?
MS. MCCARTHY: Just a quick question as to the business models to the folks who are sponsoring the new business models to the mobile Internet. If I'm a financial services company, I still have to pay out a big chunk of money to actually support my ability to sponsor, you know, a whole series of mobile transactions or ads served or content being delivered, right, it's not going to be free for me. So, if I'm a financial services player or retailer or any other kind of company, what's my business model in terms of what I got from paying this to various parties in the mobile Internet equation?
MR. MCARTNEY: I'd offer existing examples. Most of the premier automotive companies are now putting GPS and radio systems in their vehicles, and they are not presenting the costs of those directly to the owner.
MS. MCCARTHY: Sure, right.
MR. MCARTNEY: They're getting a customer for their cars, and one of the ways that they're getting that is by giving them GPS service, by giving them road tracking, by giving them emergency calling services, which is wireless service. It's not presented as a monthly subscription. And they would enter into a relationship with a carrier to deliver that service to the Mercedes Benz or Acuras or GMs or whomever of the world so that they can present a wireless service to their customer wrapped around a big hunk of sheet metal that gets them to and from work or to the mall to consummate other transactions.
MS. MCCARTHY: Sure, right, I think that's a particularly fascinating example of some very interesting technologies being deployed in an everyday occurrence of sitting in a car, but actually my understanding on the part of some of these car makers is that indeed they are charging a subscription service for a lot of these and they'll probably continue to do so. Some of the infrastructure behind in-car mobile services is not only extremely complex, it's really, really expensive. But barring all that, and they may well change the way in which they charge, and various auto makers will deploy various business models, I still question, even if they are doing it today, I still ask, is there a business model that's viable behind this, because when you get in a car, you want to go somewhere, there is huge issues of privacy, security and safety, for goodness sake, in the automobiles themselves, so you may be trying to sell stuff up and down the highways to consumers even with all sorts of lovely interfaces, like the voice-enabling technologies, this, that and the other. There are still major issues there, and we do not know at the end of the day if it will fly and if people, indeed, want to even use these services and will be influenced in their purchasing patterns going ahead. So, I'm always very interested to ask retailers and other folks, and especially financial services folks, as well, what are you going to get out of this? You're putting money toward it. Do you have a return on investment sort of analysis that says this is going to help move a transaction, maybe not on the device, but down the road, and if so, how are you carrying that out in concert with your online initiatives and your brick and mortar everyday business models? And that's real tricky, and I'd love to hear some of your insights on that.
MR. CARLYLE: I would just jump in real quickly. It should be treated as an enhanced application. So, you are not going to get all of your sunk costs paid by one application, but there's a core capability of providing services around wireless data that makes extraordinary sense, and whether it's a simple SMS app, whether it's two-way application, whether you're really starting to get some functionality in there down the road, there is a willingness to pay. It is an enhanced application. I think the subscription model makes a lot of sense, you know, $4.95 a month gives you the ability to locate your nearest facility kind of thing, and I understand that there's all kinds of questions around which one is going to be the killer. None of us in this room can pretend to know which one is going to be the killer, but a combination of three, four, five, six of them that give core capability in and of themselves become killer. And the reality is that you have got two fundamental issues also from a policy point of view. One is the whole equity side and access, who can access these kinds of things, and one is the marketplace, what's going to drive revenue from this, and that in and of itself means that you have a very tiered system. You have early adopters that are going to being willing to pay. GPS in the car I think is going to be extraordinarily popular, because there's a lot of value. There's a lot of fun little applications that you can get from there. Where is the nearest parking space in this lot as you come in and flash on it, lots of funny little things like that. Now, are people willing to pay much for that? No, not too much, but something, and then they add up and they add up. So, enhanced applications do provide value, and they improve the relationship with the provider as well, whoever that is.
MS. FEUER: Jerry?
MR. CERASALE: I think one of the things, Amanda, is that Daniel may know all kinds of technical applications and so forth and be working on that, but the person making the decision whether or not to advertise is someone who's got an MBA or something in marketing, and that's the decision they make, and they are going to go through the cost-benefit analysis, and there are going to be failures, absolute failures in the sense they are going to try an app and it's not going to work and the retailer is going to yank it, going to yank the advertising from it, similar to I imagine we're going to see very different kinds of ads in the Superbowl this year, because there were attempts and they decided to yank them, the same kind of thing in this app. So, I think you have to understand that that business model, a lot of it is going to be driven by the marketers who are not necessarily technologically enhanced.
MS. FEUER: Mark?
MR. MACCARTHY: Just in response to, you know, what do the retailers get out of this, I don't think we really know the full answer to that. That's one of the reasons why we've got this SkyGo experiment going on in Boulder, to work with the retailers. We have a group of about 50. We don't have any results yet, it just started in September, but they're clearly hoping that working with subscribers, there are a thousand subscribers in the area who are receiving advertisements and promotions, they clearly think that something good is going to happen to their business as a result, and part of the test is to measure how much of a result there is. One thing, this is just as an aside, not a policy remark, but in terms of customer acceptance of the advertisements and promotion in this area, our sense is that it's going to work best if it's done almost entirely in an opt-in kind of environment, whereas if customers are sort of walking along and unbeknownst to them and unrequired by them and unrequested by them they start receiving promotions or advertisements, this could create a consumer backlash.
MS. FEUER: What I think I hear everyone saying is that there are likely to be different business models and that nobody yet knows which one will prevail, but it seems to me that there may be some space here for different layers, that there may be some consumers who are more receptive to advertising and there may be some consumers who want to pay maybe even a lot of money, $49.95 a month, just to get the information that they want. How do you all see that working out in terms of your businesses and the kinds of choices that you see becoming available to consumers? Alan?
MR. REITER: Well, it does depend I think to a great extent on the market. If you're a kid and you don't have a whole lot of money, you will listen for 15 seconds or 10 seconds to an advertisement in order to get two minutes of free calls. If you're a business person whose cellular phone bill is paid for you, you are not going to opt in to listen for 15 seconds to the ad. Now, the other thing is that what is SPAM to one person is not SPAM to another. What is an advertisement? If I stop off in San Francisco and I get a message that says, Pavaroti is playing, I have two tickets for $350, do you want -- each, do you want to buy them now, yes/no, that's not SPAM to me. On the other hand, if they say, well, he likes music, maybe we'll give him like Twisted Sister or we'll -- we'll send him some other stuff, because he likes music, well, then -- then that's SPAM to me. So, I think what you're going to -- I think that what you're going to find is there will be a lot of different business models. The kids get it. The oldsters with the Platinum American Express cards don't get it for the most part. The kids get it. And you see around the world carriers are marketing to the youth. They are in many cases the earliest adopters, not the people who have to spend six months going before a budget committee to justify something. It's a kid who says, "Cool, how much?" And if it's subsidized, you look -- the kid's going to get into this, and that's something we haven't seen as much in this country, kid-oriented marketing for wireless services. It's not a $400 pager that's going to address the youth market.
MS. FEUER: Amanda?
MS. MCCARTHY: Just a quick problem in the area of marketing to children. At the end of the day, the parents pay the bills --
MR. REITER: No.
MS. MCCARTHY: Certainly in the case of a 12-year-old kid, I don't know quite how they are going to secure a wireless phone in any other way, and actually I think there will be, yes, business issues that come up around marketing to children probably because you're going to have some flak from consumers that say, hey, I don't know if I want my kid exposed to so much advertising on everything, including the mobile handset. So, I think it all does come to impact business models, because at the end of the day, if one wants to sell something and there's a whole lot of objections along the way, that's not going to work out.
MR. REITER: One follow-up. You are wrong, Forrester analyst. I just -- it depends how you're defining "kid." If a kid is a 12-year-old, 12 years old, then unless he's got some "dot com" company on the side that actually works, he is not going to be able to afford the service, but if you consider a kid in high school and college, they indeed are able to afford in many cases cellular phones and wireless devices.
MS. MCCARTHY: Increasingly so.
MS. FEUER: It is interesting, we learned at some earlier work at the FTC kids spend about $41 billion a year, but I can see still how they might be more inclined to a model where they either give up personal information or agree to accept certain advertising in return for wireless data services. I want to open up the discussion now and make sure that we leave enough time for the audience to participate. As you can see, we have a real range of views up here, and I think this discussion was quite lively and informative. Again, if you do want to ask a question, please stand up and state your name and your organization, I'll recognize you, and anyone who is in the overflow room who wishes to ask a question, please come to the foyer of Room 432 and there will be a mike there.
MR. SHERRIER: Mike Sherrier, Intel. Right now the architecture is a very powerful tool for defining the customer relation, and you mentioned the unofficial to official sites of DoCoMo, which is like 20 to 1, and the reason why they still make a lot of money off of those odds is because the Japanese don't want to have to punch in their credit card number every time they want to make a purchase. We used to talk about the real estate of a desktop, if you had an icon on there, the first icon, that was very valuable, because it was the first thing the customer sees. Well, on this thing the real estate is far more valuable. So, I guess my question is for Mark, how do you get a piece of this real estate here so that if I want to use my Visa card, I just have to push a button, when you might be competing against a guy that owns the real estate?
MR. MACCARTHY: That goes back to the discussion we had before about e-wallets. It is inconvenient to enter your credit card number, your address, your billing address and all the other identifying information you need to complete a transaction on the Internet on one of these handheld phones, but the only way it's really going to work in any serious way for large-scale mobile commerce is if e-wallets take over, and e-wallets will enable you to enter that information once, and then in the context of making a mobile commerce transaction, a very few number of entries will allow you to select the item that you want to purchase and then go ahead and complete the purchase. If that doesn't develop in an easy and convenient fashion, then I think you're probably right, that there won't be an easy way for people to engage in m-commerce.
MS. FEUER: Danny?
MR. WEITZNER: Hi, I'm Danny Weitzner, W3C. So, I want to come back to the initial point at least attributed to Amanda that everyone's got to get out of these walled gardens, and I heard I guess some squishiness frankly on the panel about the import of this 19 to 1 ratio in iMode, and the question I have really is in this country or at least in this market, are we actually going to go the iMode way and enable those 19 of the 20 applications that seem interesting to happen? I mean, I hear of tests and experiments and, you know, evaluations, but it seems to me that in iMode there was a basic architectural decision to build a pretty open network, and I wonder whether that's actually going to happen here or whether it's just going to be studied.
MS. FEUER: Before you answer, let me see if I understand what you're saying. Are you asking if you think there is going to be more of a proprietary model or whether the carriers and the portals will make their systems available for anyone just to come in, just the way we're used to on the web, where anyone can put up a website?
MR. WEITZNER: Right. I mean, I guess I hear at least a fair amount of questioning, which seems like legitimate questioning, about where the revenue is going to come from and particularly where carriers are going to get the revenue to offer these basic services. So, I'm sort of wondering how much of an inclination there is to take the iMode style, web style leap of faith and say this is going to work or to what extent are carriers looking at this and saying, well, being an ISP today, as an example, is not a great business, so maybe we'll go a different route? And I'm just really curious about how you think this issue is going to play out in the structure of this market.
MS. FEUER: Who wants to grab that one?
MR. CERASALE: Well, for a first shot -- just a first shot on this, from the point of view of -- let's first look at from a marketer's point of view trying to get information out, right now you go on the web and virtually you're open to the world. I think that's in a marketer's thoughts, and I think going into something that's very restrictive and having to then try and get my information out, I have to go to Verizon, I have to go to Cellular One, I have to go to others, Nextel and so forth, and make all different kinds of contracts is going to become very problematic, and there's going to be pressure from marketers if they want to go in there to try and expand. Now, you may get one big dominant app that will take it away, but that's the type of thing from the marketer's standpoint. From the customer's standpoint, I think one of the presentations this morning was saying that we're cursed -- we're blessed as well as cursed with being wired in this country, that as a consumer, I go on the web, I can go anyplace, and I think you're going to get -- if I suddenly go mobile and that becomes big and I'm on -- sorry to use Verizon, but you're here -- I'm on Verizon and I'm very limited as to where I can go on the web, I'm going to, you know, look elsewhere, and you're going to get different kinds of other providers maybe offering broader expanse, and that's where we're going to go. I think the mindset that the Americans have right now is the web is open and I can get it anyplace whenever I go on it.
MS. FEUER: Jack?
MR. MCARTNEY: If I can add to that, I think one of the parts that we are struggling with is you can go a lot of places on the wireless web. You just have to pick and choose very carefully where you can go for a pleasant experience that meets your requirements, that meets your value equation, as well, and the challenge there for carriers is how do we help that grow as fast as possible, because if you can get to everywhere on the web via a Verizon Wireless phone, we do well and we're very happy about that, so the question is how do you go with a limited interface, with limited bandwidth, to places of value? And until that proliferates, the challenges are going to be direct to provide valuable services to that limited space.
MS. FEUER: So, in a way you're talking about consumer expectations. From Verizon's standpoint, you can go anywhere on the web, but you want to offer a service that meets consumers' expectations that they have had in the wired world with respect to the type of content and the type of delivery. Is that what I hear you saying?
MR. MCARTNEY: I'd qualify it further. I want to offer services that customers want and value, and if it's an experience on the web, great. If it's an experience with telephony, great. If it's an experience with something that is not related to either of those, great, as well. The challenge is getting there and covering the costs of getting there, and so I think that quite often, I think that there's this expectation on this limitless resource called carrier that can just open up and allow everything to come through, and, you know, the market is going to drive what people value and what they're willing to pay for, and those are the services that will get offered early on, and then others will add in as access becomes more important, as the market customers find their avenue into there and help to defray some of the costs of providing those services.
MS. FEUER: Alan first. This was a great question, Danny, because everyone wants to speak.
MR. REITER: Well, first of all, there are no such things as walled gardens; they're walled prisons. Walled gardens --
MR. WEITZNER: You don't like gardens?
MR. REITER: No, you are supposed to grow and blossom. A walled garden means that you cannot go to any site except where the carrier says you can go to. In many countries or in some countries, that's going to prevail. It doesn't matter. There will be walled gardens -- prisons, and you will only be able to go to the sites that the carriers strike deals with their content providers. In the United States, and increasingly in Europe and many parts of Asia, we will have fairly open sites. It is unsustainable in the United States to say you cannot go to any sites you want to go to. I don't think that's going to happen. What you will find is carriers are going to strike deals with content providers, and they'll say, you want to be on our portal and you want to be on the wireless desktop? You give us a million bucks and you split the revenues with us and we'll put your icon there and so forth. Now, the question is, what if I don't want Amazon? What if I want Barnes & Noble as my number one -- as my number one menu item? Today, you're screwed. You can't change that in many cases in the United States. In Japan, you can change things around. So, it's going to be difficult. Somebody goes to Verizon and says we'll give you a million dollars and we'll split the revenues, but we want that top spot. Verizon says -- well, what do they say? They need to make money, as well.So, I think the challenge for the phone companies is to say we're going to get some good sites, we're going to make some money, but we're going to make it as easy as possible for everyone -- for all our subscribers to go to every other site that he or she wants to go to, and if you have that model, then I think that seems like to me a decent way to go.
MS. FEUER: Mark?
MR. MACCARTHY: Yeah, I think, Danny, it will develop in the United States in the much more open fashion that some people are worried about, but insofar as the iMode in Japan sort of stands for the proposition that the way to pay for things in mobile commerce is through a billing relationship with the carrier, I think it won't develop that way in the United States. You know, the surveys we have done show that about three-quarters of the people trust their credit card company rather than their carrier to carry out the billing relationship, and we do have the other relationship with the merchants and the customers, we have got the established system. So, I don't detect really in the United States, at least, that the carriers really want to substitute themselves as the billing arranger. They may want to have relationships with the merchants and offer discounts and special deals and positions and all that kind of stuff, but I think in terms of actually paying for the transaction, the way to go forward is going to be with an established credit card operation like Visa or American Express.
MS. FEUER: Are there any more questions from the audience? I see several hands up.
MR. HENDRICKS: Thanks, I'm Evan Hendricks with Privacy Times. This is Jerry's only appearance, you know, the --
MR. CERASALE: Is that good or bad?
MR. HENDRICKS: We heard -- sorry, I blew it. You know, Mark talked earlier, he sees these services working only if they're opt-in, obviously if they're wireless data form, I heard Verizon and AT&T saying they need to be opt-in, CTIA says they ought to be opt-in, WAA they have to be opt-in. Does DMA take a stand on this? You have always been praying at the altar of opt-out for all these years, and I wondered if that will continue to be the same or if you see the advent of the 21st Century.
MS. FEUER: Provocative questions from this audience.
MR. CERASALE: One of the -- I think we want to look at this in two ways. The first is to determine what's your -- what the privacy questions are and then take a look at the customer relationship and the potential -- especially the cost-shifting that the wireless m-commerce provides, at least under the current cost model. So, that's the way we look at it. Plus you have the locator information, which I think under the Children's Online Privacy Protection Act, you have name, street address, to try and locate you, well, I think locator information probably falls under the same type of that information. That's where we stand. So, I think that when you look at if the customer has to pay, it's clearly a -- under the current cost model, that's clearly an opt-in type model, but if the customer doesn't have to pay, I think we still go to some notice and choice. Notice and opt-out type stance is where the DMA is, Evan, and thank you.
MS. FEUER: I saw that there was a question in the back of the room, if you could stand up and identify yourself and your organization, that would be helpful.
MS. GIBSON: My name is Melinda Gibson, I'm with the Newspaper Association of America and Press Time Magazine, and I wanted to take this issue a little bit further that Jack was talking about. You broached the concept of the marketer paying for service, and, of course, newspapers and a lot of other content providers are in the subscriber-based service. Are you saying that you could envision the day when the content provider could also pay, that you would become a carrier's carrier, per se, you know, because content providers certainly have as much interest in the subscriber information as you might as a carrier.
MR. MCARTNEY: Well, I was speaking in the broad context of wireless, not just the limits of 800 megahertz and 1.9 gigahertz cellular in North America, but in the broad context of wireless, I think I can envision that very much like broadcast television, that the entire relationship is paid for by marketers. Now, I'm not suggesting that cellular is going to stop sending bills to customers and Jerry's going to start paying all of your bills for you, although some of you are smiling already -- we may be onto something, Jerry -- but I think that all of those types of opportunities are being considered very aggressively. As I said, I get a phone call a day from somebody with a different nuance that I had never considered even imaginable as a possible transaction.So, yes, I think it's possible. Will it happen? I think, you know, some of Jerry's questions have to be answered, some of Amanda's questions have to be answered for them to come to fruition, but possible, yes.
MS. GIBSON: In the interim, could you address the issue of wanting to know more about who your subscriber is, who's actually getting that information and how transparent you're willing to have that information be?
MS. FEUER: Actually, if we could hold off on this, we are going to have a whole day tomorrow where we talk about the privacy and security questions. So, I'd like to just hold off on that question and maybe encourage you to speak with Jerry and Jack afterwards and recognize some people who have more questions about the business relationships and consumer models.
MR. ADLER: I'm Steve Adler, I'm from IBM. This is a boring infrastructure question for Verizon. This is a really inconsistent and unreliable communication device. Its penetration in the U.S. is really largely -- sorry to hold up the Sprint logo here -- is --
MS. FEUER: I'm sure our speaker from Sprint won't appreciate that.
MR. ADLER: -- but its penetration in the U.S. is really only in urban and suburban areas. In countries where m-commerce is successful, like Finland, coverage is universal, and this is really reliable.Penetration is 80 percent. How long will it be in this country -- when we talk about business models and success, how long will it be in this country before we have reliable, consistent, universal coverage with these devices?
MR. MCARTNEY: Well, I think that that's a question without a good answer. First of all, the coverage in most of the European countries that that would be deemed universal is really centered around populations. I would challenge you to go to the very northern central regions of Finland and try and make a phone call, but I think that the carriers have a business obligation to provide reliable service where the greatest majority of their customers go to, and that is our objective, that's Sprint's objective, it's Nextel's and other carriers', as well. So, there's not an answer that's complete to that question other than we strive regularly to expand our networks to meet the coverage and capacity requirements of our customer where it's economically feasible and obviously within the requirements of the licenses that we have to offer those services.
MS. FEUER: Any comments from any of the other panelists on that question?
MR. REITER: Well, we have got a problem here in the United States because the Federal Communications Commission, not the FTC, the FCC in its wisdom did not allocate nationwide PCS licenses. So, what we have is Verizon and Sprint and others piecing together systems, so we have a collaged system in many cases. Now, Verizon actually has good coverage and so does AT&T, but you go to the UK, and approximately 95-97 percent of the population is covered there. You go to other countries, and they have high penetration -- good coverage, as well, but they're smaller than we are, as well. I mean, these countries are -- Finland is a lot smaller than the United States. So, I think the answer from Verizon is we won't get the sort of coverage that we want, which is everywhere, because it costs too much, it's not economically justified, and too few people live in certain areas to build those antennas, and until the antennas are cheaper and labor is free or satellites, you know, or satellites are viable, we're just going to have to live basically with what we get. It will get better, but it probably won't be as good as some other countries.
MS. FEUER: I want to thank the panel. We're running out of time, and we want to be able to --
MS. FEUER: -- we want to segue into our next panel, which discusses some of the opportunities and challenges facing both consumers and industry, and I think some of the questions we've talked about here relate to this.
MS. RICH: Hello, my name is Jessica Rich, and I'm an Assistant Director in the Bureau of Consumer Protection, and I'll moderate the last panel of the day, Opportunities and Challenges, Industry and Consumer Perspectives. Up until now, we have heard about the current state of wireless and innovations that are underway in this area. We have also discussed the international experience and business models being considered for these services. Now we want to enlist our panelists in identifying the major challenges industry and consumers face as we move forward and actually try to use these technologies. We see this panel as basically an issues-spotting panel in which we lay the foundation for some of the more detailed policy discussions tomorrow and for future discussions as this medium continues to develop. We'll talk about the appeal of wireless to industry and consumers but also the hurdles to its widespread adoption, and I think we've already touched on some of that today, but we'll try to bring it together in this last discussion. I also want to touch on whether there will be a wireless divide akin to the digital divide we've talked about in the Internet and the likely effects of e-sign on the development of wireless. We've a lot to cover and a relatively large panel, so I hope we will keep the discussion pretty fast paced. For right now, I guess people should maybe just -- it may be necessary to put your name plates on their side, on the side when you want to speak, you know, to tilt them up, but maybe we'll just see how it goes and implement that rule if it's necessary. At about 5:15, I'll open up the panel to questions, so anyone in the overflow room should come up and use the microphone by the -- well, actually, ask for the roving microphone now. Our panelists are Adonis Hoffman, senior vice president and counsel at the American Association of Advertising Agencies; Wally Hyer, vice president and associate general counsel, AT&T Wireless; Rick Lane, director, eCommerce and technology at the U.S. Chamber of Commerce; Peter Lawrence, business development manager, Wireless and Internet Service Organization at Hewlett-Packard; Margot Saunders, managing attorney at the National Consumer Law Center; and David Stampley, Assistant Attorney General at the New York Attorney General's Office. I guess a good place to start is at the beginning, which is what's appealing about wireless, what's -- you know, everyone talked this morning about all the hype around wireless and maybe we should just go back to the fundamentals and identify why people are excited about wireless, what's appealing from both the business and consumer perspective, and what are some of the applications that hold particular promise in this particular medium, I mean wireless as opposed to the Internet. Who would like to start that off? Wally?
MR. HYER: Sure. Let me make a few comments I guess to try and dive in on both the business and the consumer side from the perspective that I've noticed. An advantage of wireless technology from the business side is that it offers the opportunity to be able to provide to the consuming public access to websites, services and so forth that enhance the mobility character of the device, so that the consumer can have -- these are circular, because if it works, what is beneficial to businesses is hopefully going to be beneficial to the consumer and vice versa, and make money at it, but in so doing, it needs to be able to provide a product, be able to provide services and linkages which would provide the benefit to the consumer that the consumer has something that they can really use. They can have a meaningful device and service, provide the linkages and value-added services that will enhance the ability to be mobile and not tied to a line phone or not tied to a PC at a desk and the Internet. And the consumer I think is demanding that the provider be trustworthy and have the integrity so that the expectations of how that consumer's information, personal information, is treated are in a way that they can rely on the carrier to be able to provide the basic access and the integrated interlink services.
MS. RICH: Adonis, do you have anything to add?
MR. HOFFMAN: Well, for the last five years or so, we have all been looking forward to broadband, and the value and the benefit of wireless is that it's one other delivery device that we can receive broadband applications on. There are a lot of -- obviously a lot of challenges there, enhanced content clearly, reduced cost or free services, the prospect of getting, as Wally mentioned, greatly enhanced services and applications value added, highly targeted messages for advertisers, personalization. It's narrow casting really at its finest. On the other hand, there are some real challenges there that, you know, in spotting issues that we have to be mindful of. Privacy, clearly the question of opting in, and the notion that how do we, from the industry perspective, how do we measure results, the effectiveness of it all? How are the standards developed? Are there some models, formats, sizes and display requirements or possibilities that will make it a widely effective technology? Those are all challenges for the industry. And, of course, what's the best process in technology standards for delivery? WAA has -- I know they will be here tomorrow -- they have identified some of these issues, but this is a dynamic, interesting marketplace. I think you can't underestimate the value of buzz. Wireless is buzz right now, and retailers and advertisers want to get in front of that curve.
MS. RICH: Are there differences in the costs?Are there advantages to wireless in terms of the costs as opposed to a PC? Anyone, Rick?
MR. LANE: Well, I just would like to kind of talk about how we're viewing the advent of wireless technologies, mostly focusing on small businesses. All the Internet really is is an enhanced communications mechanism to contact your suppliers, sales force and customers. Wireless now brings that to the small business level. If you saw what happened in the Internet and the creation of the Internet and how it's been used with the "dot com," you have a bookstore in Seattle, Amazon.com, you sit in front of your PC, you order products, or you go to eToys or Kaybee Toys, but what we see as the future of wireless is finally the ability for the first time, local retailers being able to use the power of the Internet, because, for example, if I walk into a store and they don't have a particular book that I'm interested in, I would be able to maybe scan the bar code and find out what other stores in that area have that book, so I'm still purchasing, because I want to buy that book before I go on a trip. Another example is what kind of -- what happened to me this summer when I was driving with my little boy and we forgot his Pokemon 2000 movie at home, we were an hour and a half away, and we have a DVD device that we use in our car, and he wanted us to drive all the way back home and get it. It would have been really nice to have been able to put on a Palm Pilot or something "Pokemon 2000, where is the closest one nearby," and be able to drive there instead of hearing him whine for, you know, 15 minutes, or in the future, with broadband, download it instantly and say, we're going to rent it for $3.50. So, what we see, though, is the small business finally able to take full advantage of the Internet, because since wireless is location-based and you can figure out exactly where you are, you're on the move, you're ordering movie tickets, or as -- why the first reason I bought a cell phone was to order a pizza while I was driving in my car on the way home, these are the things that we think will allow small businesses to really move forward.
MS. RICH: Margot, did you want to address the appeal from the consumer perspective?
MS. SAUNDERS: Sure. I represent low-income consumers, so I have a slightly different bent than some of the rest of the folks up here. I think we need to keep in mind that as of the last analysis by the Department of Commerce, it was still well over 60 percent of households that were not online, either at work or at home. I mean, not wireless online, online using a PC. So, the wireless technology offers us really a pretty exciting possibility to get more households, more people online. It doesn't cost a thousand dollars or fifteen hundred dollars to buy a wireless phone. You can -- now you can get one free, not one that hooks up to the Internet, but presumably eventually that will be available, and you can get service for $20 a month that has numerous applications. Now, I have a number of strong concerns about that, but --
MS. RICH: Well, let's move to those now.
MS. SAUNDERS: -- I'll hold off.
MS. RICH: No, those are next, you know, what are the barriers here and also what are the concerns, it's part of the same picture, what are the concerns maybe consumer advocates or law enforcement might have about this technology? Do you want to start with --
MS. SAUNDERS: All right. Well, as most of you know, the Electronic Signature Bill passed in Congress this year, and most states are in the process of adopting their own version of the Uniform Electronic Transactions Act. These laws all have the effect of allowing us to enter into contracts online, signing our names electronically, and accessing important documents both initially and eventually perpetually throughout the relationship that one has with a provider. Crucial to the ongoing -- crucial to that -- to transacting business online is the ability of the consumer to be able to retain basic documents. When I buy a car, I want a copy -- I want a piece of paper or some other kind of record that records the kind of car I got, that records the warranty, that records the financial arrangements I make to pay over time, so that if I have a dispute about any of those issues, I can go back and have -- litigate them -- either arbitrate them or litigate them in court, and I have a copy of the agreement that I was a party to. So, it's important for me to have a -- some record of the transaction. If I do it -- do that transaction in person, I get it on paper. If I do it online through my home PC presumably, I have that information e-mailed to me so that I can have an electronic record of it, but if I do that transaction over my wireless telephone, there's no possible way I can either transmit the information to paper, or that's certainly not a provision, nor do I understand that there's even being contemplated a way that my wireless telephone would be able to retain a document or a series of records that would be important for me to be able to have. So, those are -- then I have a whole -- I'll wait later, I have security issues, but the retention of important documents is a very -- is obviously a very important issue.
MS. RICH: Well, let's get the industry perspective as to what maybe some of the technological or other barriers are to widespread adoption of wireless. Peter?
MR. LAWRENCE: So, when we talk about m-commerce, right, m-commerce is essentially e-commerce given wings. I mean, it's able to do e-commerce anytime, anywhere, that becomes m-commerce. So, if e-commerce by itself has not -- or the adoption of e-commerce has not gone to that level where we would like it to be, then we cannot expect m-commerce to do well either. So, that is just one component of that for m-commerce to be successful. The other portion is what makes -- what provides good mobility is basically access anytime, anywhere, and what a lot of people have kind of discussed today, is as far as coverage is concerned, today in the United States, it is pretty bad. So, although there may be ads prophesizing or mentioning that we can do this thing and that thing anytime, anywhere, in reality, most of the time that is not true, because the areas of coverage are pretty limited. If you look -- I think if you look at data, for example, today the most pervasive wireless data users, CDPD technology is coming, right, but although we negotiate space on an unlimited plan, the monthly charge is about $75 a month. Will a normal consumer be willing to pay that amount a month? Most of our experience has been, we negotiate 40 to 50 percent of the time, people can expense it through their company or the office. So, as far as barriers for mobility access is concerned, cost is definitely an issue, coverage is an issue, as well as speed when it comes to applications, because the best you have with CDPD is 19K, we negotiate 128K, but 128K is pretty good as far as bandwidth is concerned, but again, the cost factor comes in.
MS. RICH: Wally, can you address some of the other technological issues that may be an issue for industry?
MR. HYER: Sure, let me try from the technological point but also to address Margot's concern about the -- that the one issue of the Electronic Signature Bill. When a transaction takes place, I would assume that the customer that would be buying over the mobile phone through the Internet would be doing it with a credit card, and having done so, there would be a record of that transaction, and I would also expect -- and this is the way we do business -- but I would also expect that when this product arrives, assuming it's a hard product, the terms and conditions under which the product is being shipped and warranties and so forth also will come. So, the customer would have in those instances that type of a record and a record of the transaction. But broadening it out in terms of other benefits to low-income students, the homeless and so forth, the wireless Internet would offer with e-mail short message services opportunities to communicate, which would basically be an address, where people may not otherwise have an address, and be able to provide Internet access without the expense of PC investment to help with homework and so forth through Brittanicas or other types of websites, who provide a whole array of other benefits that would be of added value to the entire range of our socioeconomic structure.
MS. RICH: Adonis?
MR. HOFFMAN: Just briefly, talking about barriers, clearly one of the main barriers would be imposing any kind of strong regulatory overlay. I think that one of the benefits that we've seen -- what has allowed the Internet to thrive and survive has been the fact that the restraint -- the refraining from any kind of serious regulation, with the exception of a few areas, and here in the wireless context we certainly would like to think that industry self-regulation would be the most appropriate way to proceed, and again, with the exception of a couple of areas that we can identify -- we've identified, privacy, children.
MS. RICH: Before we move on, we mentioned privacy and children and children was discussed in the last session. What concerns -- let's expand a little on that before we move on to other issues, on the privacy concerns and concerns about marketing to children. Who would like to address that? Dave?
MR. STAMPLEY: I think the concerns about marketing to children are caught up in the broader concerns, but children are certainly a special group.So, if you're dealing with a new technology going out to an audience that you can't yet predict whom you hope will view a particular application as a killer app and you're asking yourself, well, gee, am I marketing directly to children or are children likely to be customers of this, or even if children don't have direct control of their parents' pocketbooks, we know that they have proxy control in a lot of cases, and so they are still going to be the customers. So, I view that as a subset but an important subset of not just the privacy concerns but the broader issue of data control. So, all I've done in answering your question is say it's a big question, probably a bigger question that goes to probably all of the issues that concern me about protecting consumers in an electronic environment.
MS. RICH: What about privacy, who wants to talk about privacy? Rick, do you want to say something?
MR. LANE: Sure. First I'd like to talk about e-sign, and Margot and I, we were on different sides of the notice and record retention piece of the e-sign legislation, but we thought from a consumer standpoint that the retention of records in electronic format would actually be beneficial. If you're driving your car and you were able to access through a wireless environment your records, if you got pulled over by the police and you didn't have your car registration, and you actually had that in an electronic format. Also, if you were going shopping and there was -- and you had a product with you that you wanted to return, you could go online and pull up the warranty either through the company website or through accessing back to your own computer at home that you stored the document on. So, we thought that would be incredibly beneficial to the consumers. Also, electronic notices, which were another key component, where there was differences of opinion, we thought electronic notices would be very helpful, especially in a wireless environment. If I go to the beach or if I'm traveling somewhere and I'm able to access e-mails in a wireless environment of a notice that if I waited for snail mail, it would be a week because I'm out of town, or I'm someplace else and I can't access my mail, it would be nice to have notices that something was going to occur in terms of required noticing. So, we thought those two pieces were key consumer issues and that businesses would be able to save money on it, as well as consumers. On the privacy side, what we're really concerned about, and getting back to over-regulation and what do we do in terms of the privacy side, the concern -- if everyone pulls out their wireless phone, and if we're talking about privacy statements and if we get to the local level and there's state privacy laws and requirements and a federal and international, you know, when I pull out my phone, which one am I under? Am I under the D.C. cell phone law, because it's a 202? I live in Maryland, so am I under the Maryland cell phone laws in terms of privacy, or is it where the location of the server is, which could be anywhere? Is it the location of the building or the headquarters or the company I'm doing service with? Or maybe it's their suppliers who are gathering that product for me and putting it together and shipping it to me. So, the problem in the wireless environment regulations is very difficult, and until we can answer some fundamental questions, I think this rush to enact privacy legislation either at the state or federal level is premature, because there's a lot of questions we do not have answers to. It seems simple to have notice and choice, but when you look at what is notice and what is choice and who determines that, it becomes much more complicated. I'd love to have an easy fix. It would make my members a lot happier, but it's not a simple question to be answered, and those who think that it is really don't understand how the technology is working and what the ramifications of stopping the flow of information will have on the economy.
MS. RICH: Dave?
MS. RICH: Margot, you said you wanted to talk about some security issues that might be hurdles to adoption.
MS. SAUNDERS: Yes, but I would like to just respond to a few things that have been said. E-sign was passed and we continue to talk about this wireless technology from the perspective of most of us sitting in the room, where we have PCs and we have the wireless already. I'm trying to remind everybody that the majority of this country are not yet in this situation. So, we're -- and I am not a troglodyte. I keep being implicitly called that in the -- I don't -- I am not against the development of the Internet, I think it's a wonderful thing. What I am -- the same with the wireless. What I'm trying to say, obviously not successfully, is that when we develop these -- the legal framework for transactions over the Internet or transactions over the wireless, we need to keep in mind that not everyone will have access to the same type of technology. So, your example, Rick, about being -- the convenience of being able to go online and get the warranty so that you can use it to prove the terms of the warranty when you're standing in the store trying to get your product fixed is a perfect example. There's nothing wrong with that. Nobody has ever opposed your ability of being able to do that. What I am saying is when a consumer doesn't have their own PC and is engaging in commerce from a public access computer, so that he doesn't have a place that he can go online on a regular basis, we need to make sure that we are not requiring that consumer to go to the library and sit and wait for two hours until they can get on an online computer to get their regular notices or to -- we are not requiring that consumer to do only physical world transactions because to engage in a real -- in an Internet world transaction, he wouldn't have the capacity to continue -- to constantly go back in and continue the e-commerce method of communication that would be required. We need to make sure that we remember that the majority of this country are not yet like us, and we need to create a system that essentially recognizes that retention of a document is important for not only the business but the consumer both need the original document, not just relying on the business themselves. The credit card example that Wally brought up I thought was a very good point. So long as consumers are using their credit cards to buy goods online, we have no concerns. The credit card application provides all the consumer protections that the consumer advocates want. Our concerns are created when consumers go online and make a promise to pay in a contract, where the credit card is not used, or make a promise -- or debit their bank account automatically through one of the new electronic banking applications that are being provided right now, so that credit card protections are not used. The Fair Credit Billing Act was passed in 1968 and provides more than ample -- well, not more than ample but totally ample consumer credit -- consumer protections. It's the other applications of e-commerce that we have concerns on. And I don't -- I hate to go on too long, but I still haven't addressed your security question, so I can wait if you want.
MS. RICH: Well, why don't you quickly address the security question, then we will move on.
MS. SAUNDERS: The security question is this: When I go online and use my credit card to buy a book -- let's say not a book, let's say to buy a computer, an expensive item, if my -- if the computer -- if I thought the computer was going to cost $1,500 and it ends up costing $2,000, I have a remedy because of the Truth in Lending Act, the Fair Credit Billing Act. If the computer doesn't come, I have a remedy because of the Truth in Lending Act, if I use my credit card. If I go online and I sign, electronically sign my name at the bottom of an electronic record and say I agree to pay $2,000 billed over however many months and that's the mechanism that the computer company agrees to accept my -- to send me a computer on, and then the computer doesn't come, I am going to have a -- I am going to have a lawsuit, and who -- and who -- they've got the contract, they've got -- they can sue me for not paying and make me pay, but my defense is going to be I didn't get it. Who is going to have the burden of proof in that situation? That's a fairly easy one to sort out, because that will be determined somewhat by the underlying contract language that you see. But what if you take the next step and rather than my ordering the computer, my baby-sitter sat down at my computer and ordered the computer and signed my name and had it sent to her Post Office Box, so that now it's -- now, if -- rather than the computer not coming, my complaint is that I didn't order it to begin with, but my name is electronically signed to the contract, and I'm bound to pay for it. Who has the burden of proof or the burden of loss in that scenario? Well, we all tend to think about these transactions in terms of the protections that we have under the credit card system, but it doesn't -- the same laws do not apply in a signature environment.Actually, the law is if I were to -- if I have signed the document, I have the burden of going forward to show why I should not be held responsible for that contract, even if I didn't sign it.
MS. RICH: Let me jump in, because it looks like we're running out of time. Do people feel there are increased risks of identity theft or any other problems here that we should be alerted to in this phase? Rick?
MR. LANE: In the secure environment, again, I'm not a -- I don't know if I'm the only nonlawyer here on this panel, so I can't answer your question, Margot, I wish I could, but in terms of fraud and your baby-sitter, what happens if she uses -- she signs your name, steels your identity or you lose your wallet on the Metro and someone creates a new identity with your name and they start purchasing? It happens a lot unfortunately. We have all seen the Best Buy commercial where the dog starts ordering a whole entertainment system online. Best Buy says you can return it all free. I don't know, you know, what the law says on that, but obviously good business practice says we would try to work something out. But from our standpoint, we look at the security side as critical, because one of the key burdens for e-commerce in the wireless environment or the traditional environment is consumer confidence. Consumers want to feel that their purchases are secure, that their identities are going to be secure as they move across the Internet, their personal information is secure, so unauthorized individuals don't have that information, and the technology is developing in security areas. I mean, we just read this past weekend about what happened at the local, at a hospital -- a university hospital, where someone was able to get pass codes and had access to individual medical records. That's not a privacy online issue; that's a security issue. We at the Chamber are very interested in working as a partnership with critical infrastructure security trying to address these types of concerns. There are a lot of unanswered questions, and we are trying to move forward. From our standpoint, we see a secure environment as becoming more the norm than an unsecure one as we learn about some of these holes in our current security map.
MS. RICH: Some of these, you know, issues that are being raised are unique to wireless, and I guess some aren't, some we're inheriting and we have learned about in our experience with the Internet. Can somebody address what they believe are the lessons from our last five years in the Internet area and perhaps also -- I don't know, Peter might be able to also address what the lessons are from the international experience and what that may tell us about how -- what we should be focusing on here. Dave, you wanted to --
MS. RICH: Adonis and Wally, I'd be interested as you think about advertising and developing products, what lessons you're drawing on from the Internet.
MR. HOFFMAN: Well, I think first of all it's clear that the wireless space is not quite as dynamic as the Internet was, but I think we have to look at the marketplace. The market is bigger than any single actor. We've learned that from the Internet. It's bigger than any single application or particular pricing model. Look at what happened with the New York Times in the early days of the Internet. We thought that -- they thought perhaps that that was the way to go. Clearly the market decided that was not the way to go. I think this -- the evolving wireless m-commerce marketplace is now experimenting, as we heard in the previous panel, with a number of possibilities in terms of what is the -- what's the best way to go? So, I think one of the clear-cut lessons is we've got to wait, sort of fool around with it, stir it up and see what happens. From the ad perspective, we want to preserve as many options as possible.
MS. RICH: Wally?
MR. HYER: Well, I think there is not a difference between what we learned from the Internet experience and what can be applied to m-commerce, as such, whether it's hard-wired Internet access or whether it's access through a portable phone, it's access to the same Internet, and the skinned knees and pitfalls that we've experienced in the past years as e-commerce has developed, we're still learning from that, and it's going to be incumbent upon the mobile access Internet industry to continue learning in that area. To a couple of -- just real quickly, to a couple of other points that were made earlier in terms of heavy regulation and legislation, the industry itself is making strident efforts through alliances like the Online Privacy Alliance and the BBB Online to work with carriers as well as with the Internet service providers and ISPs to work through a rational, grown-up solution so that that basic issue of customer trust, customer confidence in the safety and security of PKI, as well as security of transmission of information, is going to work. I would counsel strongly against any strong regulation or legislation, especially in a time when innovative technology is evolving. I think we have a tendency to over-regulate and then stifle the growth and the maturation of that technology.
MS. RICH: Peter? Can you -- actually, Peter, can you address the -- maybe the lessons from the international experience?
MR. LAWRENCE: Yeah, I mean, I just want to reiterate the fact that whatever concerns we have on security and privacy apply to wireline just as much as to wireless, right, and if you look at security, for example, at least to date, there have been no viruses detected on wireless phones or wireless devices. That does not mean that tomorrow there wouldn't be any such case, right? The amount of damage that a virus can cause on a PC is much more than what it can cause on a wireless device. I think a danger with wireless devices is especially when you talk about a PDA, it has the ability to synchronize with PCs. So, that's where the safeguard needs to occur, at the device level, so that when a virus goes into the device, when you synchronize with the PC, you don't end up passing on the virus, but inherently, transport -- I mean, when you talk about security, inherently wireless is much more secure than a wireline. You can tap a wireline, but you cannot possibly -- just because data is transmitting over the air, you cannot possibly tap data from there, because inherently it is very secure.
MS. RICH: Before we go to questions, I'd like to quickly address whether people think there's going to be a wireless divide akin to the digital divide. Rick, have you given that some thought?
MR. LANE: Yes, we actually have. In terms of -- I think Margot hit the nail on the head. The wireless may provide greater opportunities for the have-nots really beginning to partake in this new economy that we have seen. They are less expensive, they're mobile. As Wally I think had mentioned, you don't need to have a fixed address. So, there is a huge potential there that we see and are very excited about, because we believe it's not just a wireless divide but obviously the digital divide and being able to educate individuals with the use of technologies, downloading e-books, for school systems that it takes 15 years to get new history books and being able to update those books instantaneously. So, there is a way that we see. We are working through a variety of mechanisms in trying to reach out to our businesses to cross that or to bridge that digital divide, and wireless I think will play a key role in that effort.
MS. RICH: Adonis?
MR. HOFFMAN: With respect to the wireless divide or the digital divide for wireless technologies, clearly when there are new technologies being deployed, those who are on the other side of the divide are going to be more acutely affected, perhaps less so in the wireless context because of the -- you know, the devices themselves are a little less expensive, and you look around and you see -- and you go to black communities and Hispanic communities and poor and urban communities, and you see young kids running around with all sorts of wireless devices that I certainly don't have and have not been able to get until I get a new job, but seriously, I mean, you know, there are -- it cuts both ways. On the one hand, there are some real opportunities there to leapfrog old technologies and to go into those communities and provide value-added services very positively. On the other side, you really have to -- you know, there has to be a commitment on the part of industry, retailers and industry at large to make a concerted effort to serve those communities. Otherwise, this will be one new technology that we have some buzz over but that ultimately bypasses large segments of our population. So, we know that, just in terms of consumption, very quickly, you know, ethnic demographics consume certain products more than the general population. How retailers and marketers deal with that from a wireless perspective is going to be very interesting. Whether it's going to be a little different than we do in the other technologies remains to be seen, but it cuts both ways, and we can't just say that because this is a new technology, it's automatically going to be a good thing or going to reach that population that has been under-served by the PC and even by wireline telephone.
MS. RICH: Are there questions from the audience?
MR. STAMPLEY: May I add a real quickpost-script on that, on the issue of technology haves and have-nots? And that is that I just hope there is also a consciousness that if the economies of scale make this available to populations that maybe haven't had it before, that the attractiveness of it won't be used to trump what would be those groups' interest in protecting their information and being able to have some control over what happens to it and that some account would be taken of how you can have effective disclosure with a highly diverse population to which you're marketing.
MS. RICH: Are there any questions from the audience for this panel? Is there a microphone we can use?
MR. STUTMAN: Thanks. Yeah, the question would be --
MS. RICH: Could you state your name?
MR. STUTMAN: My name is Steve Stutman, I'm from ClickaDeal, I will actually be on a panel tomorrow. With respect to the -- I'll call it the empowerment comment, I did some wireless work in South Africa to put Internet out in places where there is not infrastructure in very densely populated areas. So, the question becomes if you talk about digital textbooks and you talk about differential marketing or what have you, what are your thoughts with respect to this being either at the handset level or at the last mile level with respect to more conventional installations?
MR. HYER: I was on a -- served on a group in California four or five years ago with -- it was with AT&T -- it was right after the AT&T-McCaw merger, and one of the commitments in that was to develop a partnership or alliance with all of the major community groups in the state of California, and hopefully I'm getting to the question that you're asking, and in the course of that, over two or three years, with monthly and then quarterly meetings, we found even at the time that wireless telephony was yet even a duopoly, that strong recommendation was made that this is a technology that can reach out into low-income and can help -- it can be the home and communication source for the migrant workers and the farm communities, thelow-income students in the inner cities. It helps to give the empowerment pointidentity, an address, the ability to communicate, I'mtalking about voice, but now as the technology evolves,it expands to that, as well. So, based upon thecomments and the corporate community alliances thatwere made to that particular experience, I think what you experienced is something that's very viable here in the United States.
MS. RICH: Are there any other questions? Rick, would you like to --
MR. LANE: I just was going to make a comment on an issue that was touched upon and people laughed about but is actually a pretty serious issue in terms of hindering the growth of wireless, which is the whole IP copyright issues that we will see. Obviously the huge -- there is going to be a huge growth in the entertainment industry, as we know, MP3 and the Napster issues, and those are some critical issues that need to be addressed as we have more wireless devices or any devices that are being created, but at the same time we're worrying about the copyright issues, we also must ensure that we are not stifling innovation and the use of new technologies. Technologies can be good or bad depending onwho uses them, and so we as a business organization arelooking at how we balance those two interests so we canbe competitive in the world market, so that we are notbehind the eight-ball as other countries develop newtechnologies and our manufacturers aren't able todevelop those technologies, while at the same timeprotecting the rights of copyright holders who areinterested in how that information -- how their copyrighted materials are being used, and that's going to be a tough struggle I think as we move ahead.We saw that in the DVD realm where there was a lack of content for a very long while, even though the DVD players were technically available, because the content holders felt concerned about the digital use of their movies, and I think that has overcome -- they've overcome those obstacles, and so now we have DVD movies online -- DVD movies that hopefully someday will move online and into this wireless environment.
MS. RICH: Any other questions today for this panel? Okay, before we close, I want to mention that we welcome submissions of research papers, articles, white papers on issues that have been discussed here today and also issues that will be discussed tomorrow.We will say that again tomorrow. And if you want tosubmit such papers, you can mail copies -- e-mailcopies to firstname.lastname@example.org or you can mail hard copiesto the Secretary here at the Commission under "WirelessWorkshop Submissions," and all of the submissions needto be received by January 12th so we can consider them. The purpose of such submissions is just so that FTC can further educate itself, and we -- and I expectwe'll be posting them on our website.This has been a very helpful overview. Thanks to the panelists.
MS. RICH: I can -- I must add, though, that I'm grateful we will have a transcript to look at later. With all these panels, there is so much jumping around, I could use sitting down and reading the transcript.Tomorrow we pick up at 9:00 with opening remarks from Commissioner Thompson, followed by panels on privacy, security, location and advertising issues, should be a good day. Please arrive at 8:30 to sign in, get a seat, but the program will start at 9:00.Thank you.
(Whereupon, at 5:30 p.m., the conference was adjourned.)
WIRELESS WEB WORKSHOP
DECEMBER 12, 2000
FEDERAL TRADE COMMISSION
THE MOBILE WIRELESS WEB, DATA SERVICES & BEYOND:
Emerging Technologies & Consumer Issues
Tuesday, December 12, 2000
Federal Trade Commission
600 & Pennsylvania Ave., NW
Washington, D.C. 20580
- - - - -
The above entitled workshop was held on Tuesday, December 12, 2000 of commencing at 9:00 a.m. at the Federal Trade Commission, 600 Pennsylvania Avenue, Room 432.
P R O C E E D I N G S
MS. ROSENFELD: Good morning, and welcome to day 2 of FTC's wireless workshop. My name is Dana Rosenfeld, and I'm the assistant director of the Office of Director here in the Bureau of Consumer Protection. A couple of just housekeeping notes. There are demos that are continuing to run in the cafeteria all day, so when you get a break, please go up and check those out. The other thing is I would like to thank the Wireless Advertising Association and Wiley, Rein and Felding for providing the wonderful breakfast we had here this morning. We're going to open with a panel on the introduction to privacy and security issues, but before we do that, Commissioner Thompson, who is in Europe, is here by videotape and will make a few introductory remarks.
PRESENTATION BY COMMISSIONER THOMPSON VIA VIDEOTAPE
MR. THOMPSON: I welcome you for the second day of our workshop on mobile wireless technologies. I have long followed the development of wireless technologies, and I have previously spoken about the impact of new information delivery platforms on the future relationship between consumers and industry. I'm sorry that I won't be able to join you, but if I carried a satellite phone or a global positioning system, perhaps you would be able to find out that I was somewhere in the Hague talking about online ADR, and that's one of the wireless privacy problems that you'll be talking about today. Yesterday, we all had a chance to learn about the breadth of exciting business and technological opportunities presented by the wireless world. These opportunities are not expected at some time in the distant future. Instead, they're at our doorstep right now, but we've also learned that these opportunities impose important challenges, and today we will focus on some of these challenges and how they should be addressed. More specifically, we'll examine three topics that are particularly relevant as wireless technologies develop: Privacy, security and the form that advertising will take in this new medium. Now, the Commission has examined these issues in the context of online commerce and how they relate to the FTC's core consumer protection mandate. Now, we're seeking to learn how they'll develop in the mobile world. This workshop provides a forum for all of us to get to know the companies and issues involved in creating these products and services. It also provides us with an opportunity to engage in an interactive dialogue between government, industry and consumer advocates about how these issues should be addressed. Now, I think we all recognize that this is a rapidly changing area. Accordingly, our responses should be creative, flexible and organic built with an ability to embrace change. At the same time, however, I hope that we will have laid the foundation for a continuing discussion of these issues in the upcoming months, so thank you again for coming, and I hope you'll find this workshop fun, informative and thought provoking.
PANEL ON INTRODUCTION TO PRIVACY & SECURITY ISSUES PANEL
DANA B. ROSENFELD, FTC, Moderator
DONALD A. BROMLEY
LORRIE FAITH CRANOR
MS. ROSENFELD: Thank you, Commissioner Thompson. If the first panel would like to come and take their seats, we'll get started. As Commissioner Thompson just highlighted, along with the exciting opportunities mobile wireless technologies offer come a host of issues that will affect consumers as wireless providers introduce new equipment, services and applications to the U.S. market. The first panel today is introduction to privacy and security issues. We plan to give you a broad overview of the privacy and security issues that will affect consumers and guide public policy discussions as consumers increasingly take advantage of mobile wireless technologies. With me to discuss these issues are Donald Bromley, the practice leader for the wireless risk management service group at Fiderus Strategic Security and Privacy Services.
MR. BROMLEY: Good morning.
MS. ROSENFELD: Dr. Lorrie Faith Cranor, a senior technical staff member in the secure systems research department at AT&T Labs Research. Dr. Cranor is a chair of the Platform for Privacy Preferences Project (P3P) specification working group at the Worldwide Web Consortium. Alan Davidson is an attorney at the Center for Democracy and Technology. David Moore is the president and chief executive officer of 24/7 Media, and Dr. Lawrence Ponemon is a partner and global leader of compliance risk management for Pricewaterhouse Coopers and is the founder of its privacy practice. Peter Swire, who is the chief counselor for privacy in the Office of Management and Budget, was supposed to be here this morning but unfortunately was not able to make it, but he did ask me if I would read a statement that he prepared. "I'm sorry that other events made it impossible for me to join you at this important panel today on wireless privacy. For wireless technology to develop to its full potential, consumers will clearly need to have an understanding of how their personal information is used and confidence that it will be used only in ways they approve. "I particularly draw your attention to an issue that has been a major theme of the administration's privacy efforts, the strong protection of medical and other especially sensitive information. Wireless users will sometimes be medical patients. What rules and practices will be in place, for instance, for the information that a user has visited a psychotherapist or an HIV clinic? "Whatever privacy practices develop generally for wireless information, I urge you to consider how to build an infrastructure that will also assure proper privacy protections for the most sensitive information." And with that, I will turn to our panel, and really -- I'm sorry, before we get started, I want to let those know in the overflow room and here that we will be taking again questions from the audience about 20 minutes before the end of the panel, and that will be at approximately ten o'clock. And, panelists, if you would just let me know when you want to respond to a particular question, if you want to put your tents up or raise your hand, that's fine. First really just getting into the basic issue here is what type of information is collected when consumers use wireless devices and who is collecting that information? I think before we talk about whether protections need to be in place and how those protections work, really the fundamental question here is what information are we talking about? Would anyone like to get started with that? David?
MR. MOORE: I think Alan raised his hand.
MS. ROSENFELD: Oh, I'm sorry, Alan?
MR. DAVIDSON: I didn't raise my tent though. Well, I'll jump in and start and say, first of all, thank you for having us, and thank you for having this workshop because I think this is continuing in the Commission's excellent tradition of looking at these issues, trying to get ahead of the curve thinking about a lot of these issues early on at a time when they can make a real difference, and so I think that this is an excellent effort. There are huge looming privacy issues in the wireless space because of the collection and aggregation of new information that was never before collected and aggregated in new ways and in ways that the consumers don't understand, and I think you start off by asking the right question, what are we talking about? In addition to -- well, to start with I think the same kinds of information that we are concerned about in both the off line and the traditional online Internet environment, both personally identifiable information, transactional information about what people are doing online and how they're using their phones, that can be very sensitive, but beyond that I think there's some particular challenges in the wireless environment because of different kinds of information that we didn't collect before. Of course, the biggest one and one that we've talked about already in this workshop is location information, and it's the snapshots of location that service -- that providers of services in the wireless environment may be getting that can create when aggregated over time a very detailed and invasive dossier of a person's movements in a way that we never were able to collect before, so that's a starting point. The carriers, in addition, when we were talking about not just carriers but others who may be collecting this information on a regular basis, we may be facing a situation where individuals are having their location tracked in a detailed way, in a way that was never available before through probably any technology being applied to a hundred million users in the United States who don't necessarily know that this is happening, so that is a huge element of this. Another big piece of this is the fact that the information is very closely linked to identity. We're seeing the downstream transmission in the wireless web context perhaps of a mobile phone number or a unique user identifier that may be transmitted outside of the carrier to other individuals and may be collected. And in the case of mobile phone number, of course that's a very sensitive piece of information for a lot of consumers. In the case of a unique identifier, there's an additional issue in the sense that I think individuals are more closely linked to these wireless devices than we've seen in other environments, that a person's wireless device tends to be really theirs and theirs alone, and it's less sort of the kind of thing where there's a computer in an office or a house where an IP address may be used by many different people. So there's particularly -- there's extra issues there, so we've got problems, the traditional problems that we've seen in the off line and traditional online environment plus this extra information that's being collected both by carriers and by those downstream.
MS. ROSENFELD: Larry?
MR. PONEMON: Well, I agree with everything that Alan says. Can you hear me, by the way? Good. The major issue in my mind is that you need to have very significant personalization to have success in the wireless environment. If you don't have that level of personalization, basically your Smart device, something like this Nokia that I'm holding here, becomes meaningless. All of it is SPAM. You think it's bad now, you're sitting down with your family and you're having dinner at six o'clock in the evening and the phone rings and it's the guy from a financial service organization trying to sell you insurance, right? Well, now it's going to happen all the time, right, because now you have one of these devices, but understand that with personalization, you could actually express in clear and concise language your preferences, and you could turn it off or you could turn it on. You could be the recipient of the messages that are important to you, and that's real important. The flipside of personalization is in order to do it right you have to collect a lot of personally identifiable information, and included in that quandary would be locational information and velocity information. Just like a boat on some water where you can triangulate a position, we're seeing technology today that could actually figure out where you're heading and how fast you're going to get there. So suppose you like Starbucks and at ten o'clock you normally have your cafe latte, right? This is your cafe latte time. It's 9:58 you're going to get a phone call and it's going to be someone from the local Starbucks telling you, Hey, if you make a right turn right now we're going to give you a 10 percent discount, and if you're a consumer, that might be a good thing. But if you're not interested in that or if they basically called on the wrong person, it basically starts moving in to the SPAM zone. This personally identifiable information, I'm not a security guy. I'm a privacy guy, but on the security side, that information as far as I'm concerned is top of the line. This is as bad as it gets if it gets into the wrong hands, so you basically have to build the right security infrastructure. And quite frankly a lot of companies that are starting to move in this space pretty quickly might not have the resources today to build that infrastructure. So those are some of the issues. May I respond to one other point very quickly?
MS. ROSENFELD: Sure.
MR. PONEMON: And that is the concern that was expressed yesterday. If you're a physician, a practicing physician, you might want to use a Smart device like a Palm Pilot to collect information about patients, and there are many business models currently that require the physician to actually use that type of device. And in fact I was told that one Palm Pilot, I think it's a Palm VII, can collect up to 14,000 records, 14,000 patients. Imagine if you're like me and you're absentminded and you leave it in a cab? So we're basically dealing with just basic blocking and tackling issues as well as the whole wireless environment. The device itself needs to be engineered in ways that allow you to have immediate turn off, the immediate ability to track it if it's lost, so those are other issues that hopefully we'll try to address.
MS. ROSENFELD: We'll try to get to the security issues a little bit later, and those issues of course are exacerbated when everything -- all of your devices are converging in to one single device where all of your highly personal information may be held. I think Don was next.
MR. BROMLEY: And I agree with Larry. In order for these devices to have any value to you as a consumer, the content needs to be very highly personalized, and from that viewpoint, it's not just that I like Starbucks, but it's if I'm traveling, it knows where I am. It knows the state, whether I'm working or it's pleasure travel, and it presents to me information that's relevant and timely to where I am, who I am and what state I'm in, whether it's work state, leisure state or whatever, and then it becomes of real value. But again that provides some real opportunity for abuse of that information. If I'm collecting and bringing together all that kind of information, I know a lot about you. I know a lot about your habits. I know a lot about where you are, who you are and what you're doing at any point in time. It sounds somewhat Orwellian, but it's true, and this technology is available and generally distributed today. It's not something that's ten years off.
MS. ROSENFELD: Lorrie?
MR. CRANOR: Yeah, I just wanted to comment on what types of data are actually available today, and I think this is definitely an evolving thing. From my understanding today a typical cell phone that most of you have in your pocket actually sort of phones home every ten minutes and identifies where the nearest cell tower or cell site is to it, and if you're out in the country, that means they can locate you to about 30 miles, but if you're in the city you can be located to about two blocks based on that. And so this is happening today. For the most part service providers are not archiving this information. They just keep it until the next ten minutes when you check in and they find out you've moved to the next cell site. It's a huge amount of data, and for the most part they don't have anything that they're doing with it, but there are a lot of interesting business models that we've been hearing about that of course could make some really valuable use of that information. And it's really nice in these business models to know not only where you are now and where you were ten minutes ago but that for the past two weeks you've come here every day at this time, so keeping that kind of data is something I think we're going to see more and more of in the future. We're also going to see it get more precise. Instead of knowing just to the nearest cell site, we're going to know within a few hundred meters of exactly where you are, and that's something that once you have GPS capabilities, that you're going to have. There's also the issue of who is going to have access to this data and what form it's going to be in, so you may actually opt in to a customization service that you may say, This is very valuable to me, I actually want this service, I trust this service provider, it's fine for them to collect this data. They now have this entire dossier on you, and the question is, Who else might have access to it, and the service provider may be very trustworthy, but with a court order, now all of a sudden your ex-spouse or all sorts of other people may have access to that data.
MS. ROSENFELD: We're going to talk about the Fair Information Practices in a little bit, but I think David wanted to comment on the initial question.
MR. MOORE: Yes. I also think there's quite a few issues that we have to address, and I commend the FTC for getting involved early as this medium begins to evolve because there's many important policy issues that I think will need to be decided over the next 12 to 24 months that allow the medium to grow in a way that is conducive to consumers and industry. I think Alan identified a lot of the important issues, and I think Larry also brought up something that's very important, which is personalization. I think that it behooves us to help educate the consumers about the types of issues that they face when they go about buying a web phone for the first time and similar to some of the issues that we face in the E mail sector or the online advertising sector, consumers aren't all that aware of what types of tracking occurs and why some of that tracking is necessary in order for an advertiser to be able to advertise in a way that is conducive to ultimately selling their product. So I think that the opt-in as soon as possible is very important for consumers so that when they sign their first wireless carrier agreement, for instance, and all this information is laid out up front and that if they're interested in accessing content from the web through a WAP phone, that they have a choice. They could either pay for that content or they could accept advertising with that content. And if they accept advertising with that content, there will be a number of other items that they have to agree to that would enable that advertiser to know that an ad has been seen and been effective with that particular consumer. So my recommendation would be that the consumers are advised as soon as possible in the purchase of a wireless device and given the choice as to the type they would like to pay for the content that they will access.
MS. ROSENFELD: I think these comments are a good segue into the next question which is: Is there agreement here? I'm hearing about notice. I'm hearing about opt-in choice. Should the Fair Information Practice principles of notice, choice, access and security apply in the wireless world? Larry?
MS. ROSENFELD: Alan?
MS. ROSENFELD: David?
MR. MOORE: While there's a whole bunch of different technologies that are available for phones today, and it's been tough to find a standard here in the U.S. I think it's pretty clear that the Fair Information Practices principles are a standard that can apply not only to the Internet E mail but of course to wireless as well, and I think the real question is how those standards or those practices are applied to this medium. In the case of the opt-in and opt-out, it's pretty clear right now that there's no real standard for opting in or opting out right now. In fact, opting in or out might be pretty difficult in the medium as it stands today, and those are clearly policies that have to be established, but as I look at the practical use of that Nokia that Larry has over there, one of the great uses would be to be able to access a restaurant in midtown Manhattan, and in order -- a French restaurant in order to ask for that type of information and to have that phone feed back to you that Pierre's is right around the corner and there's reservations available. It's a real benefit, and I'm essentially opting in for that type of information, and of course the location I'm in is of critical importance here, so I don't know whether or not that type of activity would qualify as an opt-in at that point in time and whether or not that would transfer over in to other events over the period of time that I used the phone, but it would seem to me that that type of activity is something that we certainly want to promote and find ways to protect the consumer from that type of information going any further but being available at that point in time to provide valuable service.
MS. ROSENFELD: Don, I think, wanted to comment on the Fair Information Practices question, and then I would like to move on to the issues you're already talking about but implementation, what are different ways to implement notice and choice, but, Don, go ahead.
MR. BROMLEY: Yeah. I would agree that the Fair Information Practices Act really is a key in bringing privacy and security together because you can have security without privacy, but you can't have privacy without security, and when you bring those two together, you create confidence and trust, and that's what's going to explode the market with wireless devices. When people begin to trust and have confidence that the information that they're providing is protected and shared according to their wants and needs, then you'll see an explosion in these devices because they're very valuable. I can use this to make travel arrangements or make restaurant reservations, and I could even use it to vote. I'll preface my next remark with the fact that I do live in the state of Florida. My question to the audience is, How do I determine a dimple or a hanging chad with something like this?
MS. ROSENFELD: So I guess we have some consensus here about the Fair Information Practices, but as I think Alan said, the devil's in the details. How will notice be given in an effective way in the wireless space? We've heard about possible notice in service contracts with carriers, P3P type technologies. Maybe there are other ways, pop up screens, a way to access notice at another place on your PC at home or making a phone call. Does anyone want to comment on that? Lorrie, I think you had your tent up, but go ahead. You can comment on the previous question.
MR. CRANOR: Actually I was going to comment on that, although it's hard to resist on commenting on the voting and other things. In any case, yeah, I think that there are a variety of different ways to offer notice, and I think that at least initially I think the most obvious one is through service contracts, that you're not going to just decide one day to get a restaurant listing without actually being subscribed to a service that provides restaurant listings, and so when you had subscribed to that service that will allow you to get information about nearest restaurants or stores or whatever, as part of that there will be a contract which indicates what types of information they have to collect to provide that service to you and what they're going to do with that information. And so any opting that you're going to do will probably be done at that point, not each time you want to go to a restaurant. As also has been mentioned, P3P is another way that we can probably help facilitate notice and choice when you're doing kind of more web surfing type activities with your phone. It would be very analogous to when you're doing it on your PC. So I think that those are some of the main ways that you're going to get the opt-in and out. Also with the security, clearly we need really good mechanisms to protect the security of this data, but another thing that I think we need to do is find ways of reducing the amount of data that needs to be kept in order to provide the services, and I hope that will be addressed on the panel this afternoon. But I think that there's a lot of things that companies that are doing marketing, they have all sorts of fancy algorithms that allow them to try to match you up to different sorts of things. I think they can also use that in order to reduce the amount of data that they have to keep on you so it serves their marketing purposes without having this complete dossier on you.
MS. ROSENFELD: Larry?
MS. ROSENFELD: Alan?
MR. DAVIDSON: First off, I would definitely second those remarks in that the enforcement is going to be an incredibly important part of this, but we're going to be talking, I think we've already touched a lot on the search for technical solutions here, and I think the reason is because the kinds of mechanisms that exist right now seem like they may be very unsatisfying for the consumer in terms of protecting their privacy, the difficulty in putting up really good privacy policies that people can look at on this device, the difficulty of trying to figure out where the information is going to go and when it may be used downstream by many different providers you may not have notice of. That's one of the reasons why I think we're all looking for things like P3P to be expanded into the wireless environment to be able to find technical solutions that make this simple for consumers. We're talking about probably a much broader group of consumers using wireless devices, broader than who are even on the Internet right now in the United States. And it needs to be something -- the discussion about this needs to be something that consumers can understand that's simple, and we needed technology to help us out. The other piece of that, and I really want to echo something Lorrie said, is looking at how we limit collection, which is sort of an implicit part of the Fair Information Practices as articulated, but the fact is that if you collect this -- if a company collects this information people are going to try to get it, and that's not even thinking about commercial uses. What we're talking about is government access to information in a way that right now has very little privacy protections and also access to information in the context of civil actions and civil lawsuits, so this is all lawful access, but where the standards are very unclear and the information that could be collected is extremely sensitive, and we need to work out the rules for that too. The base line answer is if you can find ways to deliver the services without keeping the information, you'll be doing yourself a huge favor and the consumer a huge favor.
MS. ROSENFELD: Don, I think you were next.
MR. BROMLEY: Just briefly. I think Alan brought up a good point about the kind of information that may be discoverable in a civil action. Let's say, for example, you're driving one of the most popular SUVs on the market, and your in-vehicle information system is telling you that your tire pressure is low, and it's been telling you this for weeks, and you have a rollover accident and try to bring a civil action against that manufacturer, is that kind of information then discoverable in a civil action to claim contributory negligence? I don't think anything like that has been discussed in the courts, but it's information that's collected and available.
MS. ROSENFELD: David?
MR. MOORE: Well, I think a lot of these issues should ultimately revert back to the consumer and where this consumer has notice of what the issues are and then choice, and I think to a certain extent, it's a mistake to go overboard in terms of the protection of the consumer because you will find many instances where consumers are very willing to give information in exchange for a valuable service. Stock quotes are a great example here where a consumer can sign up to have quotes sent to their wireless device every 20 minutes, every hour, however often they choose, and in accepting that information, they're agreeing to a set of guidelines that that content provider will use in order to be able to sell advertising to that consumer in exchange for providing that content for free. And I know Lawrence mentioned earlier about accessing a site on your phone and you don't know really what their privacy policies are. In many cases you could argue that the carriers should have agreements with content providers that require privacy policies that are identical to their own, but at the same time then you've got consumers that might see an advertisement for a particular type of content that they think is really terrific that they would like to access, and I'm not so sure that they should have to go back through the carrier to be able to get that type of content. So while we're totally in support of protecting the consumer, I would caution that there's a point where you go overboard in terms of protecting them in a manner that actually becomes a disservice and makes it a lot tougher for them to get the content that they would like to receive.
MS. ROSENFELD: That's a good lead in to my next question which you've already touched upon but: How should choice be provided and who should provide it? We've heard about putting it in service contracts, but isn't it possible that that choice could be a condition of providing the service, or is it more appropriate that choice be provided at each site or each location that the consumer visits and wants to obtain services or content from? Anybody? Larry? MR. PONEMON: Basically as I mentioned before there's a chain, and that chain requires a chain of trust, right? It's not just one organization. There are many parties involved, and quite frankly I think this is a great opportunity for some consistent form of disclosure that cuts across organizational boundaries. Consumers need to understand what they're getting into here, and it's not going to be that easy. I think about do you ever call up the telephone company and complain about a charge on your telephone bill? Have you ever tried to do that during the day? You know how frustrating that is? You want to kill, you want to kill, just very, very bad. So can you imagine if you're trying to figure out, Geez, you know I've opted in, now I choose not to opt-in or I want to change my choice? You need to have a process that works for the consumer, and I think it's a good opportunity for self regulation. I think if we can come up with a self regulatory program, I think the Wireless Advertising Association, John Kamp, is leading that initiative, really start looking into coming up with a self regulatory framework with teeth so that you could actually enable trust. That's what it's all about, but if you can't come up with the right self regulatory framework, then basically you have to look at government, so I think that that needs to be factored into that equation. I think I answered your question. I started going astray a little bit. I apologize.
MS. ROSENFELD: So which parties are in the best position to provide notice and choice? Is it the manufacturer of the wireless device? Is it the wireless supplier, the carrier, or is it the content service provider? Anyone? Alan?
MR. DAVIDSON: I think it's going to be all of the above. Sorry. The fact is the people who -- the organizations and entities that are collecting information obviously are in a good position to know what information is being collected to try to provide some sort of notice and choice to the consumer beforehand. But it may be in this environment in this network environment, in this architecture it may be something that everybody -- all of the pieces here need to work together for. For example, you can imagine a situation where a hand set can be designed in such a way that it provides very clear notice to a consumer through an icon or a light whenever information is being -- location information is being transmitted or collected. That might require coordination between the handset manufacturer and the carriers and maybe even the downstream application providers, and I think we're still in the early stages of trying to figure out how to build an architecture that builds that, but it's going to require that kind of coordination probably, but there are a lot of great possibilities here for designing architectures that make it really simple for consumers so that you just push a button when you want to send that location information or not perhaps. There may not -- some of the solutions that we're talking about, the network based solution where the carrier is the one who's providing the location information, maybe you're going to have to send something back to the phone to let the consumer know it's happening, but I don't think there's any simple answer that there's one party here, that's who's responsible.
MS. ROSENFELD: Lorrie?
MS. CRANOR: Yeah, I think it definitely requires all the parties to work together. I mean, already even in our very limited functionalities that we have where we have had situations of cell phones that are broadcasting the user's phone number or a unique ID. In looking at how to solve those, we've discovered that there's no one party you can go to, that in fact when you go to the service provider, while it would seem like, well, they're the ones broadcasting it, but actually the software in the phone is generating it to begin with. Well, where does that come from? Well, that's another company that provides the software for the phone. So until they change the software, it's hard for the service providers to change what's happening, so basically you end up with a lot of different parties that really need to cooperate to really make this work.
MS. ROSENFELD: Don, then David, and then we need to move on to security so...
MR. BROMLEY: I'll be brief. I would just agree with the previous statements and add that as Larry said, it's a chain of custody. It's a chain of confidence that has to happen so that every party has to be involved from the handset manufacturers to the carriers to your -- to the service providers and the ASPs and every party involved in that transaction has to provide that confidence that that information is being protected and used for appropriate purposes based on the consumer's choice. And again there's no easy answer to this, and it's a fairly complex process.
MS. ROSENFELD: David?
MR. MOORE: I'm also in agreement, but my agreement is more based on the need for educating consumers on a regular basis about the various types of tracking and choices that they have when they purchase a wireless device. I think education is our friend here, and to the extent that we can do more and more of it, I think it will allow consumers to feel more comfortable giving the information, personal information in exchange for services that they really value. Now, one last comment I have, many of you may be aware that Qualcomm has a product called Snap Track that they're working on which is little switch on your cell phone that allows you to transmit your location when you click the switch, and it sounds like a terrific idea. The real question in all of this is there's going to have to be an economic model that works for the wireless providers, the cell phone manufacturers, the advertisers, and it may be that that switch, as great an idea as it sounds, may not be economically viable in this arena, and as a result we'll have to look for other ways to give that consumer a choice when it comes to revealing their location.
MS. ROSENFELD: Alan, real quick, and then we have to move on.
MR. DAVIDSON: I just want to put a sharper edge on this one. When are talking about a massive coordination effort for a self-regulatory approach to work here. It's very early in the process right now. There's still a lot of opportunities here, but when you're talking about this many different people having to coordinate in this many complicated ways, different carriers, providers, handset manufacturers, you may be in a situation where it may be a very natural place to look for a base line of regulation. Before we go there, I think the answer is there's an opportunity that the technology presents to give people a lot more control, and if we can actively work in that direction, that is the hope here. We're talking about a very different kind of architecture than the architecture we've been used to, where there's a lot of different intermediaries, a lot of different players to have to worry about. If we can try to change that to give users back more of the control over how information is being used and what information is being generated, we'll do for ourselves a lot of favors in the future in terms of what kind of regulatory approaches are going to be needed and what kind of self-regulating approaches are going to work.
MS. ROSENFELD: Thanks, Alan. Moving on to security, the initial question here is how secure is transmission of personal information in the wireless medium? We've heard I think a lot about consumer concern and perceived risks of transmitting information. Would anyone like to comment? Don?
MR. BROMLEY: I think security has two aspects, and it's even more exemplified in the wireless arena today. There's the perception, and there's the reality. The perception is that the airwaves is where the vulnerability exists where people are setting up scanners and putting on headsets and listening to stuff on the airwaves. I would say that that is -- the probability of that happening, of anybody gaining any information that has any real value today is very, very small. The real vulnerability exists in a couple different areas. One is within the carrier networks, where those gateways are for web phones. The carriers own those gateways. It's the place where the transmissions are translated from wireless to wire line capabilities, so the carriers control security over those gateways is the key point in today's environment. Now, there's new versions of software and controls where that issue can be resolved. The idea though is to having of course the carriers to implement those in their gateways, and the problem with that is it becomes a political issue with them. Today they control that relationship. Today they own those gateways. Therefore, they have the power in implementing the new proxy gateways and some of the new technology they lose that policy to the service providers or other intermediaries so it's more than just the technology issue that's driving the adoption of those new and better technologies. Then again, once you get past that gateway, it's just the common security vulnerabilities of the Internet whether it's protecting web sites or protecting transmission, and then you have the handset. As I have to -- because of bandwidth issues, because of capability issues in the software, as I want to roll out new and more sophisticated applications, I have to bring down more information. As these devices become more capable of storing local information and doing local processing, what happens when I leave this in a taxi cab? Talk about identity theft. This is me. Depending on how that application is defined, depending on how the authentication is designed to the local device, it is very easy for someone to high-jack a phone number and a serial number off this phone and make phone calls on my bill. As these become data capable and transaction capable, that doesn't change, so those controls and procedures need to be designed into the applications.
MS. ROSENFELD: Larry?
MR. PONEMON: Again I have to admit here, confess, I should say, I'm not a security expert, but let me just tell you what I have seen in the last 26 years, a lot of -- in business. A lot of companies that are start-ups have a difficult time spending the real dollars required to secure their infrastructure. Security is usually at a lower level of priority. It's normally about getting your burn rate and getting some profitability, and it does create a lot of vulnerability especially when there's an area on the Internet where there are a lot of great young start-up companies, so if you don't put the dollars in to the security solution, the critical infrastructure, there will be significant vulnerability. It goes back also to some other issues, that there's an engineering opportunity as well because I spoke at an I-device conference a year ago, and in the audience of about 4 or 500 people were all engineers developing these Smart devices, these I-devices. They didn't have a clue. They never even heard about this privacy debate. They were just trying to build the best possible product, and so if we develop technology that is supportive of the privacy issue and the security issue as a starting point, I think we can solve a lot of the problems that would otherwise happen in the future.
MS. ROSENFELD: Anyone else want to comment? Lorrie.
MS. CRANOR: I agree that trying to build these things from the beginning is going to be really crucial, and I'm a technologist. I go to these security conferences, and one of the things that was really kind of a wake-up up for me is I went to an electronic commerce conference about a year ago, and there was a panel on mobile devices, and there were all these great experts from fancy universities who got up there and talked about their vision of the future. And they had these demos of these little devices that you put your shopping list in them, and as you're walking down the street, it beeps when you pass a store that has items on your list, and it radios in, and you can walk in there and your purchase is waiting for you to pick up. It's already paid for, and this sounded really fabulous, and I was sitting there thinking, but what about the privacy issues, and so during the Q&A, I raised my hand and said, What about the privacy issues, and they looked at me like I was from outer space, and they said, Well, we'll worry about that later. And it seemed to me that if you don't worry about it now, it's not going in there, and somebody even made a comment, Well, we can think of it like an arms race. We'll put in better privacy and security, and then they'll find ways around it, and when you do patch it on later, it definitely does become an arms race, and that's all the more reason it's important to design these things in from the beginning.
MS. ROSENFELD: We're certainly glad you were there, Lorrie. Alan?
MR. DAVIDSON: Me, too. I've had a couple of experiences over the last year being on panels on privacy at various wireless conferences, and I have to say, they haven't been well attended, and that may be more of a personal commentary than anything else, but I do -- I think there may be a take home lesson that people are not paying as much attention to these problems as early on as they should. Just on the security side, I think part of the security puzzle here is the sensitive nature of the information that we're talking about being collected by a lot of different people, so when you're talking about location information, especially a location profile over time or real time location information, there are real public safety issues regarding the security of that information as it's in various places, real concerns for people who might be worried about who might get access to that information. I think we may -- unfortunately we have to hear real horror stories before we start thinking about how to protect that information. Authentication's another variable, piece of the puzzle, and what the liability rules are for example for the average consumer who's used to buying Coca Colas with his cell phone according to the commercials but then leaves her cell phone in a cab and finds that other people are buying Coca Colas with it, you know, unanswered questions.
MS. ROSENFELD: David?
MR. MOORE: I think as Don mentioned up front that you can't have privacy without security, and I think that's absolutely true, particularly when you look at what will inhibit the growth of this medium and to a certain extent has inhibited the growth of online commerce today is that people are very concerned, particularly about their financial information. And if we're going to be trading stocks on our wireless devices, there has to be the proper type of security that makes sure that information is safe and sound. At the same time I think we talked at the beginning of this panel about medical information, very, very hot item with consumers as well as industry and everyone else, again critical to protect that type of information from getting into the wrong hands. And of course the last part of it is, and this is perhaps to a lesser degree on wireless devices. But particularly on the Internet people don't want others to know what type of content they access, and again I think that when it comes to security, we're going to have to find a way to protect those consumers from that type of information getting into the wrong hands.
MS. ROSENFELD: Well, thank you everyone. This has been a very interesting panel. I think given the time we'll go ahead and move to the general audience questions. If you would give your name and your organization before you ask your question, please?
MR. LE MAITRE: Marc Le Maitre with Nextel Telecommunications. Obviously the wireless carrier has a part to play in the security and privacy of this information.
MR. DAVIDSON: A small part.
MR. LE MAITRE: Just a small part. I'm interested in hearing your thoughts on timing because, Alan, I've heard you say thanks to the FTC for raising this issue before the event and Lorrie's saying we're playing catch up. I think without talking about Nextel's plans in this area it's fair to say that some of the carriers on an international basis are already delivering wireless location based services and I'm viewing this as an implementation issue at the moment, and I was wondering if you could talk us through where we are on the implementation curve, and is this a problem I should be worried about today or something I should wait for legislation in order to make a first move.
MR. DAVIDSON: Well, I'll start by saying I guess you should -- I guess it's something we should have been worrying about yesterday, and I guess I was probably being more courteous than anything else to the FTC, I guess, although there are a lot of people who have not spent a lot of time thinking about this, so I'm glad that we're here. But this is happening now. You've said it yourself. This has been happening, that there are millions of consumers out there using devices, for example, where the location -- their location may be roughly, may be very specifically, is available in ways that they, for example, don't have any idea of. There are millions of people moving to use the web over wireless devices and without giving any thought to what kind of information is being transmitted downstream, so this is a problem that's very real for consumers right now, and the protections are not there. There are huge drivers. Some of them come from our government. We haven't spent a lot of time talking about the E911 or the CALEA mandates that many of us are concerned about may be pushing industry to develop systems that are not as privacy friendly as they ought to be. This is also a very real issue in terms of government access to this stuff, and I just want to jump in because we haven't talked about this yet, but to say every company in this industry ought to be supporting higher privacy protections in the law or location information vis-a-vis government access. This is something -- HR 5018 is a bill that got passed through the House Judiciary Committee that heightens the standard for location information. Right now that information is available to the local sheriff or the FBI without serious privacy protections in it right now, not anything close to the kind of probable cause Fourth Amendment protections that consumers are used to and we need to be working on this now too and get those privacy protections added in because consumers are going to start hearing about this, and I think people are going to react very negatively to the situation right now.
MS. ROSENFELD: We'll be hearing just a little bit later about the E911 rules, and also we're going to focus specifically on the use of location based information but, Lorrie.
MS. CRANOR: So even before you start talking about web, for just a normal cellular phone, when you make a phone call, your location information is recorded in your billing record by your service provider, and as I said, if you're in an urban area, that's about down to two blocks, and that information is on a regular basis requested by law enforcement to track an individual as well as to say some crime occurred in this area at this time. They may go to the wireless provider and say, Tell me everybody in your service who was in that area at that time. They really can't tell them everybody, but they can tell them everybody who made a phone call or received a phone call in that area at that time.
MS. ROSENFELD: Any other questions? If you could -- I'm sorry, if you could just spell your name too for the court reporter, we would appreciate it.
MR. DEVINE: Tim Devine, D E V I N E. The question has to do with whether folks are thinking about sort of cross channel preference respect, preference compliance provisions so, for example, folks have taken more and more care to express their privacy statements toward the consumer information on a web site, but the same company might have web contact with consumers and wireless contact, and the question I guess is what sort of compliance and very practical logistical measures are you seeing or hoping folks are undertaking to match up the preferences and to update them, so that you could foresee somebody saying in response to a web provided privacy statement compiling a fairly sophisticated preference profile for consumer data handling and consumer contact. But then the consumer saying in response to opt-in or opt-out opportunity on the wireless context, No, I don't want to be contacted in such a such a way or, yes, you can use my information in such a way, and it might be in conflict with what they've previously stated in the web and an 800 number and some other application. I'm just sort of wondering if people are thinking of sort of the cross channel preference setting.
MR. PONEMON: Do you mind if I comment?
MS. ROSENFELD: Larry?
MR. PONEMON: We're starting to see a lot of local initiatives developing along these lines. There have been some rather radical ideas. There's a data integrator. I'm not going to mention their name, but they're quite, quite good and very interesting on the privacy issues, and basically they're thinking about coming up with a privacy cookie for every person in the United States, maybe in the world. They would be this cookie that respects an individual's preference, and you as the consumer could actually change and adjust your cookie. It's not that dissimilar to the P3P model, but it basically allows you to control all your choice on everything that you do. So if you have different preferences on M commerce versus E commerce versus the off line universe, you could actually specify that, but then it goes back to something really basic, really fundamental. It's about education. I think a lot of people are just unaware, and so there's this hype issue. People are concerned, and maybe they're overly concerned, and that's going to block innovation in this new technology, and then there's a side that education could actually help people who are not concerned today who should be concerned. For example, I talk about this story, but my mother is 80 years old. She basically is the most incredible user of the Internet. She buys everything over the Internet, and she gives all her information away, by the way, so this is very interesting. And when I asked her why are you doing this, Mom, she said, I'm going to die pretty soon, this isn't valuable, but understand that I think educating -- it's really what we've discussed before, what Dave discusses, about getting the consumer to understand this issue and to control it, and we're starting to see movement in that direction, but we have a long, long way to go before we have consistency across platforms.
MR. MOORE: Ultimately it would be terrific to have the privacy cookie that expands not only from online to off line too because right now we confine our talks to what's happening online in terms of privacy, but if you go off line for a minute, you find that there's quite a few more flagrant violations of our privacy there than you find online. So from a cross channel perspective, I would suggest that we want to expand it beyond just the Internet, wireless and broad band into some of these other off line arenas so we have the ability to actually control what types of information go to industry both on and off line.
MS. ROSENFELD: Thank you. Any other questions?
MR. CHARTIER: Mike Chartier from Intel.
MS. ROSENFELD: Could you spell your name, please?
MR. CHARTIER: C H A R T I E R.
MS. ROSENFELD: Thank you.
MR. CHARTIER: This is for the panel about implementing one of the Fair Information Practices. You talked about notice and choice and security, but I think access is real interesting in this domain. If my location is information that I should have access to, then it ought to be a relatively simple matter for that ten minute polling that you talked about of the carrier when he finds your location to ship those bits down to my phone so my phone will always know where it is. And it would seem to solve some of the authentication problems because only a particular wireless device would get its location, and if you do that, then the wireless device knows where it is. I could contract directly with a third-party like Starbucks who could get the information from me without having going through the carrier or somebody that is the repository of all this information. And if you could do that, if third parties could get the information directly from the users, it would tend to remove some of the economic incentive for people collecting that information.
MS. ROSENFELD: Anyone want to take that on? Don?
MR. BROMLEY: Yeah. I would agree that with the nature of cellular communications, your carrier always knows where you are, but it doesn't know that I'm who I am. Again the example, if I leave this in a cab, it knows that my phone is in that cab, but it doesn't know that the next person that picked it up isn't me, so I have a local authentication issue or I have to authenticate remotely to the carrier to whoever to authorize services on this phone. And that's the real issue is the phone is me as long as it's in my hand, but once it leaves my hand, it becomes me in somebody else's body.
MS. ROSENFELD: Anyone else?
MR. DAVIDSON: I would like to comment. I would also like to say there's something very attractive about user control oriented solutions like that where the information is in the user's hand or it's specifically in the user's control. I think those kind of things are things that consumers are going to feel better about when they know they're the ones that have control over this information. The access issue, we didn't get into it. I mean, it's a very complicated issue. Of course it goes to a much broader question about all of the kinds of information that's collected over time by many different carriers and access to that after the fact and being able to verify it and take a look at it and make sure that it's correct. And it's going to be very difficult in this arena, I think we've touched on this, because of the fact that there's so many different parties involved here and the consumer doesn't necessarily have a clear understanding of who they are.
MS. ROSENFELD: Lorrie, did you want to respond?
MS. CRANOR: One of the things that I hope we'll hear more about this afternoon in the technology session is how much of this personalization information can we store on the user's device, and when I go to get a personalized service basically have my device engage in a dialogue with the service provider to just answer the specific questions needed to provide the service now rather than the service provider keeping my whole profile and everywhere that I've been.
MS. ROSENFELD: Next. The mike is over there.
MS. FAGRE: Danielle Fagre from O'Connor and Hannan spelled F as in Frank, A G R E. I have a question, a follow-up question to one of Dana's questions regarding choice. I've heard choice described as -- I've heard the Fair Information Practices described as both notice, choice, access and security and more recently as notice, consent, access and security, so it's kind of a two-part question, but the question is to me consent more implies opt-in, and choice implies either opt-in or opt-out. Is there a consensus that we're moving toward opt-in in the arena of advertising and M commerce, and if so, does the panel think that that will spill over into the financial services arena specifically which is right now opt-out under Gramm Leach Bliley. Thanks.
MS. ROSENFELD: Who would like the first crack at that? Larry.
MR. PONEMON: Yeah. Just let's talk about GLBA, Gramm Leach Bliley. A lot of our clients are having a lot of difficulty complying with GLBA today, and what went into effect November 13 but there is this window of opportunity through July 1, 2001. If you put the pressure on financial service organizations to move from an opt-out to an opt-in world, it would be unbelievable. It would just be unbelievable right now. I think the spiritual answer is opt-in is better than opt-out. I think choice, really honest capturing of a consumer's choice is what it's all about. We can give these labels, opt-in, opt-out, opt up. It's really irrelevant. It's about giving the consumer the power to make the choice, so one of the problems with opt-out or opt-in, excuse me, from a financial services point of view is the breakage, that if I basically allow the opt-in before you could actually use this information, you start to see that people just don't want to spend the time to read the disclosure, and we have one client that actually tested that proposition. They found that in an opt-out world, they would lose about 5 percent. In an opt-in world they would lose about 85 percent of participation so there are really consequences to financial services organizations right now.
MS. ROSENFELD: Alan?
MR. DAVIDSON: I would just jump in and say I think opt-in and opt-out it may be a false dichotomy here. I mean, we are really talking about trying to find informed consent, and I'll go back to say I think the devil is in the details here in a lot of ways in terms of trying to figure out what's going to give the consumers the feeling that they've got that kind of control. There may be a much greater level of granularity that's needed in terms of what people feel like they have the ability to chose or not chose in terms of which interactions, which kinds of information. That may ultimately be a lot more important than some sort of dichotomy here. I think you hear about a lot of people talking about opt-in because of the recognition that we are talking about some incredibly sensitive information here from the consumer standpoint.
MS. ROSENFELD: Next question?
MR. BARNES: Milton Barnes from Spirus, Incorporated. I'm kind of trapped back here. I'm not standing. My question to the panel has to do with education. I've heard some of you mention we need to educate the consumer. What form will that take from industry and government because the wireless environment is coming about because of people's need to move fast, and the American attention span is short, so how are you going to educate them on these complex issues of opt-in, opt-out, security and privacy in a form that's easy to understand and quick enough to hold them and get that information to them so that they can make an intelligent choice?
MS. ROSENFELD: That's a great question. Does anybody want to take the first crack. David?
MR. MOORE: Well, I think as we indicated earlier, the first step would be to make sure that that type of information is pervasive throughout the various chain of delivery systems that exists today, whether it's the wireless carrier contract, whether it's the content that's going to be provided to a user. I think to the extent we can put it in as many different places as we possibly can in a way that it's clear, robust and easy to understand, that's a great first step. Now, does the industry need to go further and spend a lot of money educating consumers? The question is who would do that and at what cost and what's the return on investment for a company to do that, so I'm not sure there's a clear-cut path to education that goes beyond just putting that type of information throughout all the various content and delivery systems and providers that exists today.
MS. ROSENFELD: Larry and then Lorrie.
MR. PONEMON: Basically I'm not sure if it's an education issue initially. It's an awareness issue. I think you can come up with powerful ways of communicating. On line for example you would be learning models, get people aware of their rights and their choices and the whole issue. Obviously you don't have to get into the technology discussions unless someone is really interested. There might be another little button you push if you want to scroll down, but there is something else we didn't discuss, which is educating the employees of companies that are providing this new technology. In my experience, as an auditor, the biggest vulnerabilities are inside the organization. It's not what you say. It's what you do, and a lot of organizations have a difficult time doing what we consider reasonable levels of compliance around the privacy and security issues, so training, education has to start internally, and then let's focus on the consumer.
MS. ROSENFELD: Lorrie, did you want to comment?
MS. CRANOR: Yes. I just wanted to say that one of the things we hope P3P will do is help serve to help raise awareness and educate consumers, so in particular once P3P is built into the consumer's web browser, when they see this little privacy light, that they'll get curious. They'll click on it. They'll want to follow it to get more information, and we hope that the software that gets developed will provide that information, not in this long legalese form, but in a more digestible format that the consumer will be able to understand.
MS. ROSENFELD: Next question?
MR. PINKERTON: Name is Mark Pinkerton, P I N K E R T O N. I'm with ClickSure. I just wanted to ask you, Larry, I saw you at the Microsoft conference. I would like to find out, is your account with Verizon Wireless, by the way, because one of the things that has come to light --
MR. PONEMON: No comment.
MR. PINKERTON: One of the things I would like to ask, a number of us here in this room obviously have Verizon accounts. It's one of the largest cellular companies in the United States, and following on with what Larry said, it's recently come to light that when you open your account with Verizon, you probably -- you gave them your Social Security number. One of the things that has recently come to light is that, speaking to a comment that was made about the off line world, that Social Security number is displayed to every Verizon wireless employee in every single store in the United States. If you go in and buy a battery, they ask for your wireless account number. You give it to them. They pull up your account, and there displayed on that screen is your Social Security number, so I would like to ask the panel what could be done about what I consider to be an egregious release of personal information that I didn't opt-in to releasing that information to all of their employees when I simply opened my cellular account.
MR. PONEMON: You start by killing people. That's the starting point. No, but in answer to the question, this goes back to the education issue, seriously. There is probably no logical reason, at least in this universe for collecting a Social Security number and having that as an identifier, but yet it's done. These are the practices that are done, and it's just the general idea more information is better than less information so let's collect everything, so I think we have to stop thinking in those terms. We have to understand how this information could be used. If it's not useful, at least let that be the first critical decision that a company like Verizon makes, and I will be changing my account. Thank you.
MS. ROSENFELD: Anyone else? No. One really quick question. Then we have to wrap up.
MR. WEITZNER: Danny Weitzner, W E I T Z N E R, with W3C. Just a quick comment on the education question, I agree with Larry. I think that the user interfaces here are going to have to do the lion's share of the education. If we've learned anything since the Florida vote it's that people don't read directions, and if you rely on people to read directions, we see the problems. My question is actually about security, and I wonder if the perfect is not going to become the enemy of the good here. I hear these comments about what happens when you leave your wireless phone in a car, a cab and then it's you and you've lost yourself. I mean, I've left my wallet in a cab, and it's a real pain in the neck. It's a bad thing, but we actually don't have the expectation that we can somehow secure our physical wallets with the level of kind of end to end perfection, and I'm just wondering for anyone's thoughts about how this is going to play out, whether we're going to kind of meet the practical expectations that people have of security that you can cancel your credit cards and that sort of stuff or where we're heading on this question.
MS. ROSENFELD: Lorrie?
MS. CRANOR: Sort of two thoughts on that. One is that there should be a way of canceling, especially if the wireless device -- there should be some way that I can send some code to it that basically turns it off so, yes, maybe it was vulnerable for an hour or two until I realized it, but after that it shut down. The other idea is that there could be basically a thumb print reader or something like that on the device itself so basically when I'm holding it in my hand I have my thumb on it and it's on. When my thumb is not on it, it's not on. People get scared about biometrics but this is something only between me and my device. That biometrics doesn't go anywhere else.
MS. ROSENFELD: Alan?
MR. DAVIDSON: I was going to say it's not knowable right now exactly what these security mechanisms are going to look like. What's important is that the redress for the consumer takes into account whatever kinds of security exists out there, so in the credit card context, my credit card gets stolen, I have a liability limit. The law actually got involved here in trying to help us come up with those base line rules. We're going to need the right kind of base line rules for consumers here depending -- we may have an extremely secure thumbprint activated device. We may have a device that's only somewhat secure, that's kind of got practical security. Regardless, there's got to be appropriate levels of protection for the consumer on the liability front to deal with that. Just real quick on the education thing, I would say I agree that the interface is the best place if it's done right for consumers to get to learn to understand this stuff. We really do have a big education job on the company side, on the employee side and for the consumers even beyond that as we try to make the choices right now, and right now we're engaged in education, kind of maybe not the best way which is the front page stories and newspapers about horrible privacy violations. And I think we're going to see more of those because we haven't I think been straight with people exactly about what kind of information is out there and how it might be used, and while it might be good for privacy advocates to get a lot of those front page stories, it's really not good for the debate in the long run. There's a better way to help consumers understand this, and I think we've got to try to pursue it. It may take some resources to do it.
MS. ROSENFELD: Thank you so much to the panelists for a really wonderful discussion.
MS. ROSENFELD: Thank you to the audience because those were really terrific questions. We appreciate that. We'll let the panelists take their seats, and then we'll move on to our next speaker in just a minute. This is not a break so please take your seats.
MS. ROSENFELD: Okay. Everybody, please take your seats. Everybody? I don't want to have to name names. Please take your seats. Thank you. I think that panel really set the stage for the rest of the day, so as many of you know, the federal law requiring carriers to implement enhanced 911 or E911 is driving the move to location based technologies. We will now learn more about the regulations with a presentation from James Schlichting from the FCC. Mr. Schlichting is the deputy chief of the FCC's wireless telecommunications bureau. He oversees the bureau's policy and commercial wireless divisions. These two divisions are responsible for the bureau's rulemaking proceedings relating to commercial wireless services, the licensing of commercial wireless services and the review of the wireless license transfer issues involved in merger transactions. Mr. Schlichting?
MR. SCHLICHTING: Sorry about that. Every laptop seems to be slightly different, where the buttons are put and how to get from here to there. Thank you for the invitation to spend a few minutes going over some critical issues relating to privacy on wireless devices, and what I'm going to focus on are the three key areas that the FCC -- both are federal laws, and they're also federal regulations, the wireless enhanced 911 service, CPNI or customer proprietary network information, and the Wireless Communications and Public Safety Act of 1999 which enacted some specific privacy provisions dealing with wireless location. What I'm going to do, generally I had an extensive set of handouts that I had included, including a somewhat longer version of my presentation here, plus some briefing sheets and more detail on the Commission's wireless E911 requirements and the like, so I'll be trying to run through those relatively quickly. Sort of the overview, wireless E911, the Commission's rules do require covered carriers, basically wireless and PCS carriers, to provide location information automatically to 911 call centers on calls from mobile wireless phones, and we'll get into more details on precisely what the Commission's rules require both in terms of timing and in terms of accuracy and the like to have a backdrop of what's going on in that arena. Customer Proprietary Network Information is broader than mobile wireless, but it's a key element to discussion of the privacy protections that consumers have with regard to common carrier derived information and the like. Then the Wireless Communications and Public Safety Act of 1999 specifically addressed the issue of privacy protection for location information generally, and also focused some specific protections on wireless location information. All right. Wireless E911, the Commission has had rules since 1996 requiring carriers to adapt their network to provide location information automatically to 911 call centers. E911 in the wire line world, I think people are familiar with. For a wire line phone, you dial 911. With E911, there is on the screen of the 911 call center the subscriber, the address and the like which means that when the public safety officer starts to talk to the person who's made the call, they start with an idea of where the person is, and so they can go directly to the question of what the -- what the emergency issue is and what necessary response vehicles and the like may need to be called with regard to it. Now, when we went to having wireless 911, it was both a blessing and a curse. It was a blessing in the sense that you could call from wherever you were with your wireless phone. You didn't have to find a farmhouse with a wire line phone or a pay phone or the like to make a call or you could call directly from your car or from wherever you were. The curse or the disadvantage is that while on an E911 call from a wire line phone, the 911 call center has on the screen your location. With a wireless call it's a blank screen, so the first part of the conversation oftentimes has to deal with -- an early part has to deal with trying to figure out where you are. In some situations the caller knows precisely where they are, and that's quick, but in a lot of locations, a lot of situations the caller doesn't know precisely where they are, and there has to be a dialogue, assuming a dialogue is possible, between the caller and the person at the 911 call center, so the length of the call, the amount of delay before emergency services can be dispatched is potentially much, much longer in the like and in some cases may not be possible, and so that's behind the mandate of having rules that require implementation of wireless E911. We've divided up broadly into both phase 1 set of requirements where the wireless carriers have to provide to the public safety answering points, that is the call centers, the telephone number of the wireless 911 caller, so there can be a call back in case the connection is broken, and secondly, the cell site or the base station receiving a wireless 911 call which is not necessarily precise. In fact, on some cell sites that could be an area that includes a number of square miles and the like. It just gives a general facility in most instances of where a caller might be able to be. Phase 2 is where the information will be getting more helpful, more accurate for purposes of emergency call situations. In particular, the requirement would be that a 911 caller would have to be located by latitude and longitude using either a handset based technology or a network based technology. Now, accuracy standards, what the Commission's requirement -- these are Phase II -- is a handset based solution to be in compliance. The location technology would have to locate you within 50 meters on 67 percent of the calls, and 150 meters for 95 percent of the calls. For network based solutions, our requirements are double that so it's a hundred meters for 67 percent of the calls and 300 meters for 95 percent of the calls. So in terms of how precisely will somebody be accurately located under Phase II, one, it's not as accurate as a global positioning satellite with all the money in the world to target you to the last three or four meters and the like, and in both cases they're going to be some calls where the senses -- the sense of the technology is where you might not be locatable at all which is why the last 5 percent and the like. That goes to a broader question because with regard to sort of what's possible today, the technology providers are on later in the day, but certainly the sense that we've gotten is that the locating cab and the cab at the corner of X and Y on a broad market basis for all cellular phones isn't something that's technically feasible today or again talking -- the providers can talk to what they actually do on their networks today. To be honest, my understanding is the information that carriers collect today include, one, the information necessary to do your bill, which is generally based on what the general vicinity is. If I call from Arlington to Leesburg, it needs to know I'm in Arlington as opposed to Leesburg or Richmond or the like. I don't pay a different rate because I'm on the corner -- this corner as opposed to that corner a half mile away, so for purposes of billing they have a general location, and then the other information they collect on a real time basis is, at least I understand it, where the cell phone is so that if somebody wants to call you, the network knows generally where to look. And that is the base station where you're located and the like, but as I say, that's my general understanding of what's going on right now as a general proposition but representatives from industry and the carriers can better address that down the pipe. Deployment schedule, in general the 911 call center has to ask for -- has to be able to receive and utilize the 911 information and be able to recover the cost. For phase 1, you would have to implement within six months of a PSAP's request. In phase 2, if you have a handset based approach the handsets have to be available October 1, 2001, and delivery of the information within 6 months of the PSAP request for a network based solution, a 50 percent coverage within 6 months of the PSAP request. That's very general. The slides I passed out and the handouts and the attached briefing sheets are much more detailed as to what the requirements are. So let me move on to Customer Proprietary Network Information. That is subject to section 222 of the act and it governs the use and disclosure by carriers of their Customer Proprietary Network Information, and generally it restricts the use of your CPNI without your approval, and section 222 also enables customers to have some control over the relinquishment of the privacy, presumption of privacy as they see fit. More particularly, under section 222 (c)(1), the Commission adopted a rule some years back that before carriers may use your CPNI to market outside the customer's existing service relationships, they had to get an opt-in method of approval, but the customers also had the right with regard to third parties to have a carrier disclose their CPNI to third parties upon affirmative written request. Now, the status of the CPNI rules, the U.S. Court of Appeals for the 10th Circuit vacated the opt-in portion of the Commission's rules, and that goes primarily to the use of information of your CPNI within the carrier for marketing and other purposes. It didn't go to what protections you have for release of information to third-parties and the like. We're in the process of preparing, initiating a rulemaking to address the 10th Circuit's opinion with regard to what the rules ought to be with regard to consent to use of your CPNI within the carrier. So let me go finally to the Wireless Communications and Public Safety Act of 1999. In particular, the 1999 Act added location to the definition of Customer Proprietary Network Information. Customer Proprietary Network Information is now basically information that relates to -- and I set the definition out there. It includes location of a telecommunications service subscribed to by a customer and made available to the carrier by the customer solely by virtue of the carrier-customer relationship. So CPNI goes to information, these particular types of information that the carrier has about you because you're their customer. Now, the customer approval requirement for CPNI generally is 221 (c)(1) and 222 (c)(2), and it provides, except required by law, and I think one example is the emergency services exception, or with the approval of the customer, a telecommunication carrier can only use or disclose individually identifiable CPNI of the telecom service where service is necessary or used in the provision of such services. As I mentioned earlier, there's more specific protection with regard to wireless location information. 222 (F) was adopted, and for this the carrier actually needs the customer's "express prior authorization" in order to use or disclose call location information concerning the user of a commercial mobile service or the automatic crash notification information and the automatic crash notification system operations that are found in some cars and the like to anybody other than -- any person other than for use in the operation of that system. Now, there are some exceptions to this protection and particularly emergencies. 222 (d)(4) permits three emergency related disclosures of your wireless call location information where this express prior authorization is not needed. I thought these were so important that I quoted them in their entirety, but the focus would be -- these are very much emergency service related circumstances or situations, and the information is to be used solely for that purpose and the like when it is provided without your express prior approval. Then the question of -- there is another provision related to emergencies of other subscriber information that can be released with regard -- released more specifically to emergency service providers, and this goes to the names, telephone numbers, addresses, and 222 (G) provides "The carrier shall release that information but only to the providers of emergency services for the use with regard to the provision of emergency services." So that's a very quick overview of a lot of information. What I have focused on and what the laws the FCC administers and what the FCC's regulations focus on is the privacy protections and wireless location information, the carriers, telecom carriers subject to the FCC jurisdiction have available to them and what they may or may not do. One of the questions that I think people need to worry about is when that information, location or otherwise, goes to folks that are not carriers, and it's not provided to the carriers' part of your subscription to a telecom service, these protections don't apply, but if you're talking about information that a carrier has by virtue of their relationship to you as a subscriber, these protections do apply. Sort of in the broader picture, as in most consumer areas, one needs to be sensitive to and aware and look at what permission are you giving when you give consent for the use of your information, whether it be wireless location information or other private information about you, make sure that you understand to the extent you're able how that may be used and when that may be used. So in any event, that's sort of a regulatory backdrop from the FCC's perspective of various laws and rules that apply, and I guess we will go from here in the sessions to hear from various folks in the industry involved in the technology that provides this information and industry efforts and the like to provide further information in this context, so thank you very much.
MS. FINN: Thank you very much. We're going to take a very short break now to about 10:50 a.m., and everybody should be back here, but I want to advise everybody there are additional people doing demonstrations up on the seventh floor in the cafeteria today, different folks than were here yesterday, so even if you went by there, you may want to stop by and see who is here.
(Break in the proceedings.)
PANEL ON GENERATION AND CONTROL OF LOCATION INFORMATION
DEAN C. FORBES, FTC, MODERATOR
ARTHUR D. HURTADO
MR. FORBES: Good morning. My name is Dean Forbes. I'm an attorney who works on advertising, privacy, fraud and related technology issues here at the FTC in the Bureau of Consumer Protection. Our last panel really segues into our next set of discussions and the discussions for the rest of the day. We're really taking about, at least for this panel, the balance between the generation of default in some cases, at least in the E911 perspective, location information that's transmitted for safety purposes with the maybe opt-in transmission of such information for either enabling E commerce, or rather M commerce, and personalization services, and what control the consumer has over that information,. I'm pleased to introduce our next panel of very technically savvy individuals, Michael Amarosa, Jonas Neihardt and Art Hurtado. This panel will present to you, make presentations on the technologies that reside behind really the issues that we're here for this two-day workshop to discuss. These issues are very technological in nature, but we have asked our panelists to present them in as much of a consumer friendly and laymen's presentation as possible. The technologies that are going to be discussed are terrestrial triangulation or a network overlay solution as well as a GPS or a hybrid of that I think is called Snap Track and finally a location information gateway. The panelists are Michael Amarosa who is the vice president of public affairs for True Position, Inc., out of New York City. His presentation will explain how location information is generated in a network overlay or terrestrial triangulation system; Jonas Neihardt, who is the vice president of federal government affairs for QUALCOMM, and he works on GPS and Snap Track GPS assisted technology. His presentation will explain how location information is generated in GPS based system or a Snap Track system. Arthur Hurtado, who is the CEO of Invertix out of Annandale, Virginia, his presentation will speak on Invertix's plans to serve as a location information gateway. Michael, just by way of background, he as I mentioned is vice president. He's vice president of public affairs for True Position, a position he's held since November 1997. He joined the company from the New York City Police Department where he served for over 24 years in various managerial capacities. For the last three, he was a deputy commissioner for technological developments. In this position he was directly responsible for the implementation of E911 for the city of New York. Michael?
MR. AMAROSA: This shows a lot about my technological abilities, huh? Good morning. Thank you for this opportunity to speak with you folks this morning and tell you a little bit about wireless location privacy and how True Position works through this whole issue. True Position provides end to end wireless solutions that enable a broad range of location aware type of services. We were formed in 1992, and the original parent company of True Position was a firm known as The Associated Group, which had developed cellular properties in the upper New York City area, and out of that we started to get into the location technology business. Our main offices today are in the King of Prussia area in Pennsylvania just outside of Philadelphia where we have over 120 direct employees. We are one of the largest companies solely dedicated to wireless location capability, and our technology has been very well proven over the last several years in terms of our product and our organization's ability to deliver. Recently we were purchased by Liberty Media, and we became a subsidiary of the Liberty Media Corporation. True Position was one of the first companies to put a privacy statement up on its web site. We are totally committed to maintaining the privacy of all individuals. In fact, we've recently guarded against it and protect against it. Now, when we say that we talk about privacy in the context of location based services. When you deal with enhanced 911, the implicit consent is constantly there. I can call upon my prior experience. I mean, finding people in emergency situations, reducing response times saves lives, and I think anyone who calls 911 today is looking to be found, is looking for services to get there in a very expedited fashion, so I think that discussion aside, when you look at the additional services that are provided, this location information is only provided to those that people ask for help. People that subscribe to these types of services, we do not dispense any type of information regarding a customer or a subscriber absent their explicit consent, and this is how the entire privacy issue has been governed in True Position. Privacy is very prevalent in today's society as we all know, financial records, medical records, history information, the Internet and all of the types of services that you're provided through web capabilities that we see today, and even our E mails, all of this is something that has become a very, very major topic that we have to deal with. There are considerable trade-offs of the conveniences we have today in this electronics and this personalized information. Privacy in some cases has to be looked upon very stringently by the consumer as to what and how they want to make available in order for certain services that they will receive. The entire industry has been working very hard to build in certain safeguards, and location is being treated very similarly to the way equipment is constantly looked upon. Two basic, basic questions, do location systems constantly generate location information, and do carriers constantly track the specific information as to where that caller is? The answer is no. Why? How does this work? True Position collects radio signals at the various cell towers. We put a box about the size of a VCR which is the network overlay, and that is placed right on the cell tower, and it captures that radio signal, and through a triangulation capability, through mathematical algorithms, we basically compute the X Y coordinates which I'll get into a little bit later, but that is -- doing that location based when we're asked to do. We only deliver records to these application providers again that are authorized by the users, and the application that receives this information is only for those specific requested services that the subscriber has asked for. Location and transfer points and location and control points are keys in this entire operation, especially when you're dealing with specific applications, traffic services, enhanced 411, concierge type services or road side assistance just to name a few. How do we do this? We do this through a basis of mathematical algorithms which process the signals that are captured from the device, whether that be a telephone or whether it be a kiosk type of device, and we calculate the location. Today on the network side there are many different types of capabilities. There's the angle of arrival capability which measures the angle upon which the signal arrives at a particular side, the time difference of arrival, which is the time -- you're measuring the difference in time when that signal arrives. As we all know there's global positioning systems which are based on the satellites, and there's several other systems that are basically hybrid type of operations which is the enhanced observed time difference and a combination of what we affectionately called TDOA and AOA. Again you should take note of the fact that radio signals of any device can and will be located, and these phones are basically radio transmitters. TP location systems today again are only calculating those of which we've been asked to do and go forward with. Where is this done? The location records are delivered to those application providers. You sign up for a particular service at a given point in time. You ask for certain things. You ask if you want to be part of a concierge service, you want to be part of a personalized traffic service. You sign up for it, and the user controls that security by allowing people to then take certain information they have. The end user will specify who location information is provided to. Records are not stored unless the subscriber service requires that and the consumer himself would have that capability ahead of time, and only those records are provided to those that are identified ahead of time, never using identity or profile information other than to the subscribed services. The applications that connect to these ports are basically for the specific records that are requested and when these applications have no access to any other records that are requested, so there is no mixing of what is going on so that the enhanced 911, the enhanced 411, the road side assistance, traffic services, fleet tracking, if that's some of the services that you are involved with, are not intertwined in a database where this information is shared unless that is requested by the consumer. When you dial and use your wireless phone, the number that is not associated with any location based services will not initiate any processing of the X Y coordinates. Therefore only those services that are linked will allow that to be identified or allow that processing to begin which could be within milliseconds and transmitted on to the application that we talked of earlier. Remember the consumer subscriber always has the ability to turn off and not allow any of these to be linked together. The carriers will eventually determine what services are offered. Again this will be a menu that the users will be able to go forward with. Again our privacy statement which emphasizes that what we have talked about, True Position is continually provided information and protected that information for the consumer and the subscriber and everything that they do. Thank you very much for this opportunity.
MR. FORBES: Jonas Neihardt is the vice president for federal government affairs for QUALCOMM. In this capacity, Mr. Neihardt manages QUALCOMM's public policies and its relationship with federal executive branch and the U.S. Congress. Prior to joining QUALCOMM, Mr. Neihardt was director for congressional affairs with the Cellular Telecommunications Industry Association in Washington, D.C., a trade association representing operators of wireless telecommunication systems worldwide. Prior to that Mr. Neihardt served at the White House Office of Management and Budget as a program examiner for the federal telecommunications agencies. In this capacity, Mr. Neihardt provided budgetary and policy oversight for the federal telecommunications agencies during the Bush and Clinton administrations.
MR. NEIHARDT: And I just got my show to come up. Thank you very much for having me today. I'm glad to have this opportunity to speak to all of you because I've been here yesterday afternoon and this morning. What I am hearing over and again is that the most interesting and exciting sort of killer app that's coming along for mobile phones is position location, and the area of greatest concern for privacy advocates is position location, especially highly accurate position location, which is what we've been developing, so I'm glad to talk about both of those contexts for this issue and hopefully increase your comfort level in the solution that we've been developing. I have a long presentation, and it's sitting out on the table outside. It's greater than a five minute presentation. I'm going to go through it very quickly, but I encourage you to take the presentation and focus in on elements that are of interest to you. Mike just gave a discussion of the network based position location technology, and all I'm going to say about what we have done is we found that for certain situations, the network based solution, it depends on triangulation, and if you are in a situation where you don't have your cell sites arranged in triangles given where you are, you are going to have a little bit more difficulty accurately locating your handset. So what we did to address this is developed a GPS assist technology which is embedded in the phone here in -- you see the red square there? This is part of the central processing unit of the computer, and what our solution does is integrates the GPS receiver into the antenna, in a colocated antenna. The GPS processor is in the CPU of the cell phone. I have one right here, same CPU as in the phone that's on the screen. In this phone, the processing of the GPS information is all done in your handset and then sent back to a box on the network called the position designating entity that Mike referenced where the calculation of the GPS data and information on time delay from the cell towers that the handset can see at that moment, information is all processed, and then your position is calculated. But the key thing here, and if all you take away from this presentation is this one thought, remember this is that with our solution, all of the processing power and the intelligence resides upon the handset and is only activated upon the manual command of the user, okay? You can't remotely tell the handset to process -- to initiate the process. The process has to be initiated by the user. Benefits are, we found in our testing we've got higher reliability. Again in situations where you are not able to achieve an accurate solution fix, we have the triangulation method, the GPS assist we found resolves this. It all solves -- this process getting done in the handset pretty quickly, and we found it's highly accurate, and so we're quite pleased with it. When you talk about accuracy, Jim Schlichting mentioned the 50 meter and 150 meter accuracy standards. This is a hotel on the waterfront in San Diego. The hotel is that sort of big white space. It's hard to really tell, but that's where the hotel is, and in front of the hotel -- there was a trade show there, and we had a person walking around with our handsets and the red Xs you see show his path. He started in the front of the hotel by the waterfront and was walking around, and you can see a 50 meter accuracy. That's an area of 150 feet. It's about -- it's bigger than this room, but it's about as far you can really make visual contact with somebody in an urban setting when there might be trees or bushes or cars. For police work we feel that -- the police feel that this is the standard that they needed, 50 meters, and you can get a sense of how far that is. You can see the cars parked in lines and those are boats in the marina. The picture is a little fuzzy. When you go to 150 meters, you see the circle goes on the other side of the hotel so it's a circle that could capture buildings and again obstructions in an urban setting that might make it difficult for you to find the person, and then when you go to 300 meters, you're talking about really a whole neighborhood. So I show this slide just to make a point that greater accuracy is better for public safety and something that we all in this line of work strive to improve. Now, getting to the privacy implications, as I said before, the key thing to take away from this presentation is that with handset based GPS, the GPS processor lives on your handset and is activated by the user, and I saw Mike's presentation. I understand how the controls they've had built into the system, and I have a better understanding based on Mike's presentation of how that system works, and that was a good discussion of that. And the difference is with the network versus handset is the network, the brains of the system of processing capability physically resides with the network, and with ours it resides with the handset so that's the difference. This is a matrix discussion of some of the same information so I'll quickly go through that. Safety again, higher accuracy means better safety. I'll just go through this quickly. A lot of folks over the last two days have talked about the types of applications that will come online. We've been mainly focused on safety and making sure that we've got a solution that meets the needs of law enforcement which we think we do, and we know that once we get our solution out in the marketplace there will be lots of folks developing applications for it. And conclusions, go back. We think we've really developed sort of the ultimate opt-in scenario here. Every time that you want to be located, you have to pound that message in to your handset and say -- either by dialing 911 or activating a location enabled feature, you have to tell the phone to find you, and that's about as personal as we think as you can get. So when is it going to get here? We actually found that our Asian customers have been very much pressing us to get to the solution out to them. In Japan we think we'll have handsets walking around out there in the Japanese marketplace in the first half of next year. In the declarations that wireless operators needed to make at the FCC in November, the major CDMA operators said they were going to either partially or completely use or rely on handset based GPS to meet the FCC's mandate, so we'll see it in America a little bit after we see it in Japan, and again the same thing in Korea. Our Korean customers also have been very active in their own markets, and then you also see the Samsungs and the Japanese manufacturer coming in to the U.S. with their sets that have the MSN 3300 which is this chip right here that has the GPS processor. And that is the end, but I have to -- since I have the microphone, I wanted to say, a couple times in the last day and a half I've heard said time and time again that European technology in the wireless sector is ahead of the United States and that the Japanese and other Asian countries are ahead of us too, and let me point out that neither the Japanese or any European manufacturers have anything like this, that this is one example where American technology is ahead. And I have to point out too that in the case of the Europeans saying that they're ahead of U.S. wireless technology, the reason the Europeans have -- they base that assertion on the greater penetration rate, and there's a greater percentage of the population in Europe that use cell phones than in the U.S. That's the basis of that assertion, and the reason that they use more cell phones in Europe than in the U.S. is because they have to pay metered local service for their land line phone service. They still pay a couple pennies every minute segment or however they meter it, which we don't have to do here. The local -- their land line telephone service is of what we would consider a poor quality, incomplete compared to what we're used to in the United States. We just have this great local phone service that we've been building on for 120 years, and that really doesn't exist anywhere else in the world, so that's why other countries have greater penetration rates than we do. And they assert that they have a lead, but in fact the whole reason why we're here is because mobile data is now possible, and the technology that everybody is going to use for mobile data is CDMA, which is a technology that was developed here in the America, and it was developed here in America because we had an open standards process. We didn't have the government mandate saying we can only use one wireless standard, and it gave entrepreneurs the incentive and opportunity to go and develop a better mousetrap, which they've done, and in fact in GSM land in Europe, they've already by government fiat decided they will at some point in the future stop using GSM and will use this American invention CDMA, which would not have been invented in Europe because by government fiat they said everyone will use GSM. And I think we'll see that kind of centralized Soviet planning, thinking, resolve and become less prominent as we move further into the 21st century, so thank you.
MR. FORBES: Art Hurtado is chairman, CEO and cofounder of Invertix Corporation. His presentation is going to be a little bit different from the two you've just seen. Basically what Mr. Hurtado will be talking about is Invertix's plans for serving as a location information gateway. Among the things that he'll discuss are what his business model will be, who will have access to consumer's location information and on what terms. Mr. Hurtado?
MR. FORBES: We're going to have time for just one question at this point. In preparing for this panel, I came across a site by a provider of wireless location services, and I'll just read a quote from it. It says they maintain a location database. The location cache keeps a best known database for all subscribers, time stamp, latitude, longitude, confidence and source. And reading that I wasn't clear whether the information that was being talked about was being stored on the client's side on the device itself, kind of like a browser cache or maybe on a server side somewhere or both, and my question to the panel is: Where is the location based information located, and how long is it stored, and following from that, who owns the location of the subscriber? Is it the subscriber, the provider and how does that play into the control of data? Michael?
MR. AMAROSA: Let me take the opportunity of trying to respond to that. I think as you can see the information on location basically is stored with the application provider at that point. Based upon the profile information that I would have provided, based upon my preferences that information would be stored there. Who owns that data? I don't think that's really clear at this point. I think there's a lot of it, and myself as a subscriber, that I have access and control over that data, what is provided as Art was talking about, and you can change things and create different types of scenarios based upon preferences, and based upon preferences of the hour of the day so to speak. There's been a lot of talk that the carriers own the location part of the data and what's coming over their network. I think these are things still open to discussion at this point.
MR. NEIHARDT: On our system, within the phone itself there will be a record of the last couple calls you made. I think the current listing, depending on which chip we're talking about, is 10 or maybe 20, and those locations could -- for those 20 calls if those 20 calls included a location could be stored, but it would be -- in our case would reside on the handset. Now, when you go into part of the scenario that you outlined where you were actually using a third party, then you open up a whole can of worms, as the information leaves the control of not only the handset and the hand of the user but also the wireless operator and crosses that bridge to the third party. Then you have a whole other set of concerns that lie on top of that, but for our piece I can say it would have the last couple locations stored right here on the handset, and then as you kept calling, it would eventually fall off the register.
MR. HURTADO: That's a really important question for this entire value chain from the subscriber to the M commerce world, and without getting into the legal answer of that, which I don't think any of us would purport to be qualified to speak to, keeping it in terms of where does it reside and how do you manage it, from the IM Anywhere perspective, obviously it resides in the gateway. But in terms of the ownership, the nonlegal ownership, certainly the data that we derive comes either from the subscriber or from the carrier or both, and so the carrier has the unique responsibility as to how they manage that, and that gets back to some of the issues raised yesterday concerning the walled gardens and the walled prisons. Carriers recognize today that they have a very large responsibility to manage that data in a very effective manner with all the privacy issues that are intact. Having said that, they also have a tremendous opportunity to monetize that data, and that's the issue. That's what this is all about, how do you monetize that data. Corresponding to the location data is the presence of information, that is, that you're on or off the net, that your buddy list is appearing as an instant message as an example, and third is the subscriber profile interest, the fact that one of us may want to have our interest known so that we can receive personalized, localized, customized kinds of information. From the gateway perspective, we believe that we're kind of in the lend/lease basis. We are lend/leasing, if you will, access to that data from the carrier world or from the location provider world such as True Position or whoever that might be or from the handset vendor. As we move that data to the M commerce side, then what we have to make certain is that the M commerce side does not come up with the same level of access that the carrier had, and that's the break out or the go between, if you will, the role that the gateways are going to play in the future and it's a very important question and it's one that is going to require a lot of working through very carefully.
MR. FORBES: Thank you. Thank you all. I would like to thank our panelists for a great presentation. Our panelists' Power Points are available or will be available on the tables outside. Thanks. Our next presentation will be headed by Anne Maher.
(Pause in the proceedings.)
PANEL ON LOCATION-BASED SERVICES AND ADVERTISING: POSSIBILITIES AND PRIVACY CONCERNS
ANNE MAHER, FTC, MODERATOR
MS. MAHER: Hi. Welcome to our last panel before our lunch. My name is Anne Maher. I'm the assistant director for the division of advertising practices. Throughout the morning the panelists and presenters have talked about the feature of wireless communication, which is really different -- which is really different from any other media that we have experienced, and that is location information. In this discussion we're going to pinpoint, to use the lingo, the types of consumer applications that the availability of location information may generate and what the benefits and the drawbacks are of such location information to consumers. Our goal is to help put consumers in the position to understand for themselves whether location based applications will be useful to them and whether they will pose -- and whether location applications will be useful to them or whether they will pose threats to their privacy and security. And to discuss this issue, we are fortunate to have a really good panel here. Joseph Assenzo is an attorney from Sprint which offers wireless web services, including a wireless web browser that allows subscribers to access specially designed web sites and also for mobile users that GPS enabled phones soon to come out. Evan Hendricks, the publisher and editor of Privacy Times, which is a Washington based newsletter about information, covers the information world. John Pollard, the director of business travel and mobile services at Expedia.com, which currently offers Expedia To Go, a service that allows you to access travel information on the web and on cell phones and PDAs. Marci Weisler who is vice president of business development at Vindigo who has developed a personal navigation tool that delivers location specific content to PDAs. Steve Stutman, I should say actually Reuven is there now, Reuven Carlyle, VP for strategy planning at XY Point Corp., which is the provider of wireless location services, and Steve Stutman, who is the president and chief executive officer of ClickaDeal.com who just informed me that he was in traffic for an hour and a half, and I apologize for the mess that our city is in right now.
MR. STUTMAN: I'm sure it's your responsibility.
MS. MAHER: Absolutely. Each of these individuals and companies is affiliated with, is grappling with issues relating to how and whether to deploy location services and advertising consistent with their consumer relationship goals, and short bios of each of the panelists are in your folders. And before I pose the first question, I want to remind everyone that we will have questions and answers in the last 20 minutes, and so people who are in the overflow room can come up to the hallway here, and we'll have people with microphones to help them ask questions. So I think I'll begin now. I'll start with John, as a representative of Expedia.com, a company that's been putting a lot of money and effort into developing wireless -- applications for wireless services. What do you see as the so-called killer apps that we've been hearing so much about over the last couple of days, and that will use location information to enable M commerce and mobile advertising to work for companies and for consumers?
MS. MAHER: Let's leave privacy to later because I want to talk first about what the applications are that are out there and also what's useful to consumers. I thought, Marci, from Vindigo's point of view, could you add to that? What do you see as the applications that are available now and that will be available and will really spark consumer's interest?
MRS. WEISLER: Sure. What Vindigo does is we provide a platform for the delivery of location based information to hand held devices. We work with leading publishers ranging from the New York Times to Zagat's to the industry one companies and deliver city specific information in a way that makes it very easy for the consumer to navigate. And by location based services, we're not necessarily focused on auto location and knowing where you are at. It's about putting in a location about either where you are or where you want to be and finding out what's in the world around you at that location. I think a lot of people in the industry have put a lot of emphasis on the auto location feature, but it's not necessarily always about where you are. A lot of times it's about where you're going, so if you are going -- you work in Midtown but you're going downtown to find a restaurant, you can plug in a location and get the nearest Italian restaurant to your destination. You can also going forward get coupons and special offers as John was saying that are relevant to the types of information you're looking for and the location, so we help you find that today on a Palm, into next year on all different types of mobile devices both unconnected as a Palm client side application and in the wireless world.
MS. MAHER: Joe, did you want to add to that, and please just lift your cards put them up vertically if you want to speak. Joe, would you like to add to that?
MR. ASSENZO: If Steve had accessed our wireless web, he could have found out about traffic delays because that information is -- that type of information is already on there. There are a number of applications that already make use of a customer's location. These are application also where a customer actually has to key in an address or location or Zip Code so, for example, we also offer a service on our wireless web if you want to locate ATMs in your area, it will tell you how to get to them and how close they are. All of these applications right now require a customer to key in that information, and I think those types of applications, personal navigation, is something that would be almost immediately available and we think accepted.
MS. MAHER: Steve?
MR. STUTMAN: The comments I would make, I've been doing wireless apps for 14 years so my perspective on these things is a little bit different, and insofar as we're a business that has to live by profit and is not backed up by 200 megaworth of venture funding so we can go buy lobster for lunch, the fact is that we look very simply at where is the money. And I think a lot of the applications that are discussed are very good, for example, the comments about incremental costs of hotel rooms. You don't sell them, they're burnt. You can't get them back in terms of inventory. On the other hand, we question whether once they go after the mass market or the premium market, and I think a lot of the people who are in this market tend to be sophisticated, high end business travelers, and a lot of the apps that they come up with are aimed at themselves. And I think that where you really want to go is after the other arguably 98 percent of consumers who being Americans go shopping in their cars, unless their area code is 212. So what we're doing at ClickaDeal is basically trying to go after the mass market, coupon guided M commerce opportunity. With respect to the earlier comment -- by the way ClickaDeal also thinks handsets are getting boring, not to offend any manufacturers in the audience, but whether your PDA is your phone or your phone is your PDA, pardon me, who cares. Your phone is an RF modem and come Bluetooth come 802.11, come whatever, your phone will RF enable your PDA, your laptop, your visor in your glasses, whatever you happen to be wearing. So as you go forward with this, what we've started to do in the last roughly four or five months is concentrate on the automobile cockpit for the North American market because we think that when Americans go out to do commerce that has immediacy, they're either in their car or just got out of their car or they're going towards their car. Once in your car, you have a display bandwidth, you have terminal bandwidth and without going into details you have channel bandwidth that you probably don't have on a handset. The things -- I'm sorry, you said to hold privacy until later?
MS. MAHER: Yes, I thought -- I know we have a lot to discuss.
MR. STUTMAN: So that's what we're doing. Initially, about a year and a half ago, a year and three quarters ago we had a location based directory that ran on a handset, put in a city name, put in a zip code. You might know it if you're going to visit someone in a given town. You might have his or her Zip Code because you have their business card. It would come up with some restaurants. It would come up with some gas stations, some motels, the usual sort of stuff. Obviously you're dependent on your database and the quality of your database in order for that to be good. Initially we thought, as everybody else does or has thought, Gee, we'll go to Holiday Inn and Dominos and whatever, all the rent a car guys that will put their information in, but even if you get all of those people, and we have not, the fact is that you still I contend don't really have a rich enough database to be truly useful. So I think one of the big questions that we all face is, how rich, how detailed, how granular is your database before any of the stuff becomes real hard core real, generates money. That said, I think I'll hold off until we get to the privacy issues because I have some specific comments then.
MS. MAHER: Please everyone speak into the microphones so the overflow room can hear. Reuven?
MR. CARLYLE: I think there's one thing we haven't touched on, and that's the enterprise market. The discussion today has been driven by the consumer market, and a big driver of that is travel, of course, the premium services around travel and where is the nearest I think in a voice environment, so where is the nearest ATM or in data environment, so where is the nearest ATM, where's the nearest -- so electronic yellow pages types of idea from your current location from a consumer point of view. From an enterprise point of view is, what we have is a lot of market demand from large companies to provide location based services for their mobile work force, so as well as getting into supporting some of the comments that Art made about the presence and the privacy and the location together, so knowing whether the phone is on or off, those kinds of functionalities in an enterprise environment are also I think from an application point of view what are going to drive the marketplace.
MS. MAHER: I see. With regard to the location information, what do you think? Do you think it's necessary to make wireless work just because the technology is going to develop for the emergency 911 purposes? Does it -- does it make sense for the wireless business to have to use it, or can they use broader, more general location information? Do they really need to pinpoint specific information for it to work?
MR. CARLYLE: I can take a shot at that. The whole issue of what was discussed this morning of the difference between proximity location, which is cell site or cell sector based location and precise location, knowing the actual X and Y coordinates of a user, is extraordinarily important with respect to looking at applications as well as the development of the marketplace. A lot of studies from Forester and others say that anywhere from 30 to 50 to 80 percent of applications will be viable just knowing the proximity of a user. Of course in New York City the proximity of a user is down to a couple blocks because there are so many cell sites on each corner practically. In a rural environment, the opposite extreme. It's up to 30 miles, and, it's pretty useless in terms of location information. Now, which applications are viable with proximity? Tough to know. A lot of experimentation currently underway with that. Precise location is better. I think none of us here can pretend there's going to be any kind of ubiquity in precise location in the next very large number of years, given not only the technical issues, but also the fact that the backbone in this country is currently being driven more by the 911 issue than it is the commercial issue, which is a catch 22 and I think unfortunate by a lot of standards. So you have a regulatory issue that is driving the wireless carriers under this obligation to move forward with the development of the technology, and then you have the commercial opportunity and the revenue opportunity that is driving it in other parts of the world, except at the same time you have U.S. carriers which are very much interested in trying to design applications that are going to pay for this regulatory obligation. So it is a catch 22 you have both those commercial and the regulatory obligation moving the technology forward, but I think as this forum has indicated, the real particular issues right now are the policy and the political issues that are having a substantive barrier in many ways toward the effective roll out of the services. And I think in many ways it's just very important to put on the table, and I think CTIA has made a real effort on the self regulatory side to step up to the plate and to provide some context for the development of these services, and I think it's a really, really critical realization that that is imperative before you're going to see really wide spread technical roll out of services.
MS. MAHER: Joe, did you want to add to that?
MR. POLLARD: John.
MS. MAHER: I'm sorry.
MR. POLLARD: Not to be a Luddite, I'm also a technology optimist in a big way. I think location based information is nice to have for some applications. At Expedia, we're a unique proposition, and we happen to know what airport you're flying to, what hotel you're staying at, things like that, and those entities are all geo coded on Expedia, and they have been for four years. We're in a unique position to deliver value based on your itinerary, but I also think for many Americans there's something you could do very simply called land marking. In conjunction with a web site, if you're in a small town or a medium size town or what have you, you can simply say, Here are the various places I tend to go, and reality is for many Americans, that's not a very complex or long list of places to go. And based on that, location information or deals and information can be given to the user. In other words, they don't need super specific within 50 meters kind of information. I know the five shopping malls that someone goes and shops at. Here's downtown. Here's the airport. Here are the places that constitute the 90 percent of places that I go to in my life. Land marking is a very simple way of doing it. I think location based services are going to be there so we will use them when it's available, but it's not absolutely necessary.
MS. MAHER: Joe?
MR. ASSENZO: That's true. That is one way that you could get location information without actually knowing person's point location.
MS. MAHER: Could you talk into the microphone?
MR. ASSENZO: We don't intend to pay for our E911 mandate through advertising. That's not the pressure that we're feeling. We will probably attempt to recover that E911 mandate through a surcharge to our end users. We will, however, be proactively entering the advertising space, and the pressure there is the pressure on our content partners to try to monetize their presence on the web because right now all of the services that they are providing are free of charge, and so they are feeling heavy pressure to monetize their presence. Advertisers are ready to go, and if we want our content partners to stick around, we're going to have to be able to meet that demand, but we're going to have to do that in a way that does not antagonize our customers. Our business is not advertising, and advertising should be something which adds value to our customers. We don't want advertising to be just another thing that promotes churn.
MS. MAHER: Evan?
MR. HENDRICKS: Just to answer that question, in the short run I think a lot of the M commerce applications are without location capability. They're based on the profiles provided by the participants. If you look at the Sky Go test, if you look at the Media Tube test over in Europe. Basically it's people signing up and saying, This is what I do. And there is a lot of advertising you can do to wireless devices that doesn't have to be location sensitive or at least the functionality of the device, but I think that -- I think it's good that we're dealing with that because there will be location functionality, and so I think it's inevitable that that will become wide spread and something that we'll have to deal with that becomes an issue.
MS. MAHER: Steve?
MS. MAHER: I think that actually is a good segue into the privacy issue since we've all been talking around the edges of it, and especially as we move into talking about profiling, and what are the issues raised by the location based information? Are the scenarios that we've all heard about, about mobile dating services being used by stalkers and car location systems being used by divorce lawyers and on the advertising side with respect to that Walt Mossberg raised yesterday of people being constantly annoyed by promotions coming up on their cell phones and being run up with annoying ads? What are the implications of these concerns? Are they real? Are the privacy concerns that we have in the regular traditional online world going to be enhanced in the wireless world?
MR. HENDRICKS: Yeah, I think they're huge, and we've seen how privacy has had an impact on E commerce's development and acceptance by consumers. The failure to adequately deal with privacy has hurt E commerce. Then you open up wireless, which deals with location tracking potential, and that's ongoing surveillance, and if you also think the car is one of the last refuges of privacy in the United States and a sacred cow in America, it doesn't take too much thinking to realize that this is going to spark huge privacy concerns. And it's not just the location based tracking. It's the accumulation of personal details and the profiles that are dynamic that show where you're going, and that information can be stored by a third-party, and unless it's a carrier covered by the law described by the FCC official, that might not be protected by law, and then if you throw in advertising -- unwanted advertising on cell phones, you see that the whole wireless experience brings all the huge privacy concerns together, surveillance, SPAM, profiling and brings them together under one issue. Now, one of the things that I've learned going through the FTC seminars is listening to Chairman Pitofsky for instance talk about how E commerce is a pro consumer medium that gives consumers more choices to do more things at more times of day and gives them better prices, and that's true, and I think that is also true for M commerce. This has a potential to be a fantastically pro consumer medium, which I agree could transform how we do business in some of our commercial experiences and expectations, and we've seen, there's a lot of companies doing a lot of great work on it. But unless privacy is gotten right here, and I mean talk to them about them head to toe and comprehensively, a lot of the killer apps that you're hearing about will be dead on arrival.
MS. MAHER: Marci, do you have anything to add to that?
MS. WEISLER: Yes, as I think was said on the panel earlier this morning, in the mobile world you're carrying a personal device with you, and that's open to a lot more privacy abuses than when you're sitting at your desktop. You don't carry your computer with you, and there are ways to get good, personalized experience in an anonymous way that take advantage of general user profiles and general location that may not necessarily invade your privacy but can deliver a good consumer experience because I think ultimately it's the good consumer experience that's going to drive the wireless medium forward.
MR. CARLYLE: I think we're all here because we recognize that there are extraordinary opportunities for abuse, and as in any sub culture, in any organization, in any industry, there are rogue elements, and I think there's a very real concern about the fringe elements in terms of those folks who would make a real attempt to abuse what this technology can enable. From a technological point of view, I think we all have to readily acknowledge that it is possible to at some point and to varying degrees of accuracy, but it is possible to essentially track a caller. It is possible to aggregate the data. All of those worse case scenarios, it is not a technical issue, it is a policy and it is a political issue, and it is right that we have to get it right from an industry point of view. And there's no evidence to suggest that we can't do it right at this point. It's just that the implications of doing it wrong are so serious that we have to have a real dialogue as an industry and as a public issue about getting it right. The other thing that's important is to recognize that the regulatory issue of the 911 issue as a driver of the technology to date does -- the law that was passed a couple years ago, as it was discussed earlier, does provide for location information in a general sense to be categorized as consumer information, CPNI, and that fact does set the stage for core protections of that data. That's not to say that there aren't elements in the industry that take a very extreme view that they feel like a customer's location or the aggregated location of where a customer has been should be available to the general populus, if you will, or to those that have the technology to capture that location outside of the wireless carrier network. That is a minority view. It is a very extreme view. Very few people hold that view, but there are companies that are real, that exist that hold that view as organizations, and we have to acknowledge that and put that on the table. It is absolutely the minority view. At the same time, though, the core driver of the industry has been the carrier's desire to explore the revenue opportunities, the carrier's desire to meet their regulatory obligations under e-911, and the fact is that the applications we talk about today and in the whole discussion, no one knows which one is going to be the driver or killer of the market, but a handful of them together are going to drive the marketplace, and they are going to be in the marketplace that add value to consumers. And it is a very pro consumer opportunity for services, but that's what getting it right is all about.
MS. MAHER: And it seems from this morning's discussion also that where that information is stored, where the location based information is stored is also -- will also have an impact on how that information is treated, whether it's stored at the carrier, whether it's stored on a handset. Do any of you have anything to add to that?
MR. ASSENZO: I think that really is important. It does have to be a good consumer experience, so whenever we disclose -- if there is going to be any disclosure of information location, it will always be permission based, and the receipt of advertising will always be permission based. We will establish business rules which our customers can invoke similar to what you saw Invertix demonstrate. But there is a real concern about where the location information will be transmitted from, and this was recently brought up at the WAP forum last week. I don't know if it was resolved. I doubt that it was resolved, but as we understood the proposition by certain handset manufacturers, the location information would be transmitted from the handset, and we are strongly opposed to that. We believe that the information should be transmitted from the network, and the business rules established in the network because our network is highly secure, it's protected by firewalls and all other types of security devices. A handset in contrast is at best a very simple computer, and it will be a lot harder to protect a handset from being hacked into by an unwanted third-party application than it will be, for our network, to be hacked into.
MS. MAHER: Steve.
MR. STUTMAN: One of the things I think goes to the SPAM or the annoyance factor is that your mobile device is much more a center of attention while you are mobile arguably than your desktop is when you're fixed. When your desktop is up, there's a bunch of other things going on. You're sitting down. If it doesn't work right or if you don't quite like something, you go to another site, and your brain goes elsewhere for 20 or 30 seconds. But if you're really paying attention to your handset and you're trying to look at this screen and you're getting a bunch of annoying messages, it really tends to, what's the polite term, irritate people, so I almost misspoke and I had to remember what town I was in. But that said, when you come to pull, and although I'm sure I can get a lot of contention from some people on this panel, we don't have a lot of two way apps yet running on phones because network penetration and coverage are not what you would like, and without going back to the QUALCOMM gentleman's discussion earlier, things in Europe and places like South Africa, believe it or not, are much, much better than they are in the U.S., whether it's Soviet thinking or martian thinking. And we're Americans. We're hip shooters. We have six or eight technologies deployed as they say, and it shows from a standpoint of network cohesion. That said, when you come back to the privacy issues, and I come back to is it static information or is it dynamic information, what we do at ClickaDeal on our terms of services is very clear. First of all, we say to the customer, Look, we're not going to tell anybody anything about you because we don't know who you are. We know your phone number because we need your phone number as a means of sending information to you, okay, or your pin or your cap code, whatever the wireless device might require, but we do not know that your name is Smith or Jones or Horowitz, okay? So first of all, even if the information was gotten in a worst case, somebody would be able to bother you over your telephone because they could call you or send you other annoying information, but arguably they wouldn't necessarily know who you were unless they had hacked the network provider and know that phone number thus and such is really John Doe. That said, I think it's generally important to focus on what kind of histories are kept, okay? We right now are thinking about basically cleansing our positioning logs every hour. That is, we'll know where you were in the last hour because that might be useful in helping you plot a traffic route or, you know, something that was earlier alluded to. But you know something, we're really not going to know where you were the previous week or two weeks or months because we're just going to get it out of there. It's also the case that -- I'm sorry if I said this, I don't know if I said this earlier or not, but again our terms of service say unless you have a court order we're not going to tell anybody anything, and we happen to have a very good CTO, and he understands firewalls, and basically you would have to hack us badly in order to get this information but you would then need the phone number to user correspondence to determine who the individuals were. But I would like to see perhaps some comments on people talking about histories that are kept in terms of preference, in terms of behaviors once those static preferences are set. But one last comment I would like to make on this issue is that from rather extensive experience with real users over the last 14 years, I think it is very, what's a nice word -- it's very optimistic to assume that people are going to read, if you will, all the fine print, whether it's presented on a screen or whether it's in some 12-page contract with respect to what your rights are and aren't and what we're going to do and we're not going to do. I think in order to get things accepted from an M commerce point of view, we need a very simple initial uniform, and I agreed very much with Reuven, I thought he had a very good set of comments, that is, I think we need to have a dialogue to say, Look, we the M commerce crowd, the location sensitive crowd, the advertisers, the carriers, we're going to do this so when you opt-in to this type of service, this is what we're going to do because to assume that the public will go to a screen and say, Well, give me this but not this, if it's Thanksgiving do this, if the Supreme Court is going to make a -- give a decision, do that, it's very doable, and I applaud people who have done it, but I don't think that the public is going to use it.
MS. MAHER: That's very interesting.
MS. MAHER: I'm sure we'll be having a lot more discussions about this in the future, and Evan's principles, the principles that Evan just summarized I know he has in a handout that he put out on the table this morning that people can pick up. Now we're going to move to the questions and answers, and we have people with the microphones going around, and please give your name and your organization and spell it too, please.
MR. DANIELS: Seth Daniels, D A N I E L S, Brisbane Management. You know, while I'm attending this conference or workshop, I've kind of picked up on a few things that I think are kind of essential, and I don't know that we're totally addressing them. The premise of this conversation or this conference has been a regulated industry, that being cellular, and that's pretty much been the focus, and I think in the regulation of cellular, they have the mandate for the location services. There's a whole burgeoning industry which is a wireless ISP that is not used to make phone calls, which is an 802.11 which is a Ricochet that are really outside the scope of this. We're not -- I don't think we have addressed that, and it's kind of interesting, and I may get some -- I may upset some people here, but we're talking about how the experience has to be a trusting experience. But I'm sitting here thinking when I look at the ads for the cellular phone companies, they always say fast mobile Internet access through my cell phone. They never define fast, and I think if the consumers were to understand that we're always talking about less than 19 2, they wouldn't consider it fast. So when we talk about making the consumer aware of what's going on from the M commerce perspective, if we started talking about the speed of the Internet connection, I think we would get one sense of the direction that the consumer would go if they were aware of the fact that there were high speed access to the Internet from other devices that are not cellular phone specific. And I don't think it's intentional on anyone's part, but I just think that it kind of goes to the fact that we're pretty myopic in scope in our direction of our conversation here, and there are a lot of technologies that are not regulated that fall outside of this, and I would like someone to respond.
MS. MAHER: Sure.
MR. ASSENZO: Just to take I think the first part of your comment, there is a concern that there would not be regulatory parity. There's discussion about the FCC's CPNI rules, but only telecommunication carriers are subject to that, and FCC as you heard earlier today will be opening a docket to determine what is the appropriate form of affirmative consent that a carrier must acquire from a customer before releasing location information. But there are other entities that are not telecommunication providers that are working on and some have already released this technology which can track cellular phones, and they can find out what phone number it is and then have to filter it out. Another concern about having information transmitted from the handset is that that location information be transmitted to someone who has a server who is not a telecommunications carrier, and that server and that company would not be regulated by the Federal Communications Commission.
MR. HENDRICKS: Also I think as we're talking about privacy, consumers don't care whether you're covered by the 1999 law or you're Ricochet. They want to know that their privacy is going to be protected and that there's an easy to understand set of rules, so there's a real concern about that. There are these outliers there that won't be covered by this, and if you look at like the TRUSTe example that they said that one web site had a TRUSTe seal, but what they did they did through software registration so it wasn't covered by their seal. This is kind of distinctions consumers don't care about, and that's why I think it's incumbent upon everybody who wants to promote this space to sign up to the most basically strongest pro consumer standards in a way that they're easy to communicate to people and then can say that there's an enforcement mechanism standing behind them. It's the only thing that's going to create the environment that could allow this to take off.
MS. MAHER: Steve, do you have something to add?
MR. STUTMAN: Yeah, although I RA engineer, I understand that this is basically 30 percent technology and 70 percent sociology, and I think that's real important to keep in mind, and I think the way the public interacts with wireless devices. And information services as a very broad class, including wireless IP as the gentleman alluded to, is probably a lot different than many people who are involved in making those things think, that is to say, people who are actually defining products and even in some cases deploying products arguably in my humble opinion have not perhaps done enough focus to know what the mass market is really aimed at, and I think -- or is interested in. And I'll give a very simple example. There are some carriers, for example, who talk about the wireless Internet in the palm of your hand, on television frequently, and I've had people ask me knowing what I'm doing, How can that be the Internet, it's a little screen and it's not -- is it the Internet? Well, I understand how it is the Internet and what the conductivity issues are, but that's not the way the public perceives it because the Internet to them means arguably AOL or some familiar browser in color, and it does this. Again to the people on this panel and probably to most of the people in this room, you'll pardon me, it's obvious, AFCPS, any fool can plainly see, but the fact is that the way the public uses these things, even an informed public, is probably very differently than we think, and that's why I will come back to there has to be sort of a simple offering. It has to be clearly defined and it has to go out there because I completely agree with the fact that we all want this to go forward. And by having a simpler defined, easier to understand offering I think we're going to get further faster.
MS. MAHER: Marci?
MS. WEISLER: Just to add, I think it's important that whether it's regulated or not, like my company provides an application that doesn't fall under any of this regulation, but it's important to build a backbone of trust with the consumer, and we do that through anonymity and not tracking people on an identifiable basis, but I think ultimately businesses can't survive if they're violating the trust of the consumer, whether or not they're being regulated by the government.
MS. MAHER: Another question?
MR. CONLEY: My name is Jason Conley with the Intelligence Transportation Society of America, and I would like to bring it back to a point a gentleman raised earlier about the difference between anonymity and personally identifiable information. A number of our member companies are very interested in the use of location data that would not need personally identifiable information attached to it such as State Departments of Transportation or Traffic Station.com, any of these companies that are looking to use aggregate data of anonymous cell phone pings to track traffic information, and the question is have any of the corporate policies of your companies addressed a different standard for anonymous location information versus personally identifiable location information?
MS. MAHER: Reuven, do you want to take that?
MR. CARLYLE: Xypoint has provided a technology trial with a major wireless carrier that at the request of a municipal transportation department in partnership with them, and that issue was raised directly, and it was very interesting in the sense that what stopped it after a period of time was the carrier's lack of comfort with the policy of essentially doing an anonymous ping occasionally of users. And that was at a period of time when the privacy policies simply weren't clear where the carrier was going, so even though this was no aggregation of data, even though there was no identifiable information outside of that, it was just beyond the comfort level of the carrier at that point even though it was at the request of the municipal government. I will suggest though that that tees up the reality that carriers are really just exploring in a very serious level at this point their privacy policies around how they're going to design these issues, and so I think there's an extraordinary sensitivity about violating the trust of users in anything that is even remotely unclear about how it could potentially adversely affect a consumer as simply not being permitted to flourish right now, and that's okay because the implications of the issue are so important. And one other thing I would note real quickly is as a provider of technology we have apparently six million cellular callers that we can track with respect to the 911 mandate on behalf of about 15 wireless carriers, and our contractual obligations to our customer, the wireless carrier, is very clear around our obligations in terms of not providing any kind of open API to any other application provider that would allow them to even test out those services without the express permission of the carrier. So the ownership of the data whether it's anonymous or not anonymous, the ownership of the data is absolutely essential, and Xypoint's position is very clear, it is absolutely unequivocally the carrier's and the consumer's data, and other application providers are not the gate keeper of that data. That doesn't mean applications don't need to have the opportunity to flourish, but it needs to be clear on ownership.
MS. MAHER: Joe, did you want to --
MR. ASSENZO: We do not transmit telephone numbers. Our subscriber -- all of our subscriber's telephone numbers are encrypted so when someone is surfing the wireless web and they decide to go to Expedia, the information that is transmitted is anonymous, so today our content partners have no idea about the identity of our subscribers, and we certainly keep it that way for location. This is a very interesting advertising space. It's a different advertising space than online retailing. It is an advertising space that drives back to brick and mortar rather than driving online retail, and this goes to the gentleman's point that what our advertise-- what advertisers and content partners are most interested in is transactional -- trying to drive transactions. And so you get sort of creative ideas, how can you use aggregated information to supply information to brick and mortar businesses, so things that have been proposed that you probably read about is providing aggregated information to the Department of Transportation or providing aggregated information to a billboard owner, how effective is my advertising, are people seeing it.
MR. HENDRICKS: For E commerce, there are certain lessons we can learn and know what to expect. Example, America Online gets so many subpoenas both from law enforcement and civil attorneys that they had to set up a separate office in the Loudon County sheriff's office to handle all the subpoena traffic. In other words, collect it and they will come. There are information pros out there, whether they're lawyers or information brokers or private eyes. If they know it's out there, they'll come and get it. The other issue is what was anonymous, Double Click used to collect the anonymous profiles, and then their technology allows it so if you actually gave your identity away at the sweepstakes site or some place else that was on their network, then you can be identified throughout their whole network so you have to be careful that anonymous really means pseudonymous and synonymous means pseudonymous. The other thing is payments. E commerce had this perception that people were afraid to put their credit card number on the Internet, and to some extent that was irrational. To some extent it wasn't, but the point is that now we're seeing companies like American Express and MBNA and Discover and others are moving into the single use number where they're having technologies where one number is used for each credit card purchase. And so if it's stolen it's worthless, and this is a way of anonymizing data, and what we have are systems for really their open exchange of data, so you have to find ways of anonymizing data within that open exchange, and I think that's why you're going to see a lot of gravitation towards single use numbers, and I expect to see them put on credit cards within a year or two.
MS. MAHER: Steve?
MR. STUTMAN: I was just going to actually make an entreaty to any lawyers in the room, and there's probably more than one, that I think something that would be very welcome would be some boilerplate that you could append, that one could append to any data of any kind on a site such that if there is a successor company or an interaction with a more powerful company, this is something we're sensitive to being a small company, that basically they can't alter your terms of service. And to be specific I brought up the comment saying that your phone number to us so that we can message you or your personal -- we don't know your name, we don't know where you live, et cetera. Having said that, we do capture some information, okay. I said we cleanse histories because we think they're dangerous to keep, and I'm not sure how profitable they will ultimately be, but with that said, there are still people who will want to come in and in plain terms mess with the data legally, so the question is what boilerplate would one put on top of this data so even if there was -- Anne, you mentioned it yesterday, Toysmart, was that the company?
MS. MAHER: I think a number of us have mentioned it.
MR. STUTMAN: Sorry. Where I guess the company went 11 and they were bought or something, and then the successor went and messed with the data and did things that were, let's just say, not nice, and not in keeping with the original terms of service, so anyway that's just a comment to any lawyers out there and maybe a little niche someone wants to go into.
MS. MAHER: John?
MR. POLLARD: Anonymity is great. The reality is that I have a lot of customers who through research tell me what they really, really, really want Expedia to do is act and feel a lot like their travel agent which is someone that knows them, knows their credit card, knows their habits knows their kid's name and things like that, and that's what I'm competing with, and it's really, really tough to do the whole mass customization thing without tracking user data, asking for profile information. Now, Expedia will work without registration. The only time we require registration, that is your name and credit card, is when you actually buy something, but the product works better and better the more information you tell us, and for instance like seat preferences or food preferences on a flight, things like that, and it's a real explicit deal you're making with the customer, that the more information they give you, the more you'll streamline your product. And I think that's absolutely the case with mobile applications given the form factor difficulties. Now, what do you do you to combat that? We have -- we're one of I think only two top E commerce sites. We're certainly the only E commerce site in travel in the top ten that has three seals. One is TRUSTe. One is Better Business Bureau and the third one is this Pricewaterhouse added station that actually says that we're doing what we claim we're doing. That policy is we never sell to anybody. We don't sell your data to anybody. Everything is opt-in, and that kind of stuff if it's out there very, very explicit I think customers, especially Americans are pretty comfortable in signing up for that. There are a lot of businesses out there where customers actually want your service to be personalized, and anonymity doesn't get you there.
MS. MAHER: I think we have time for one more question?
MR. LE MAITRE: Marc Le Maitre again from Nextel. Realizing that I'm probably the only thing standing between this group and lunch, it will be very short, but I think, Reuven, you probably gave us the single biggest ray of hope in this. You talked about the business -- use of this information in the business environment. I think one man's advertising is another man's privacy. There are going to be businesses, and I can envision scenarios where my location and availability or where I am and what I'm doing is going to be very important to businesses, especially as they advertise to each other. I think Nextel has done a good job of showing how B-to-B works in the wireless environment, and I can very readily see this information that we worry about as a privacy issue in the consumer space as actually being very important as an advertising tool for business to business, and the fact that I could if I'm in the building industry and I'm looking for the nearest plumber to solve this problem, the fact that I can go to some place and people actually pay to have their location and their availability advertised to me completely turns the model that we've been describing as a challenge for the consumer market right on its head. And actually I think, Reuven, that's probably having spent 16 years in wireless data the first people to adopt wireless services have been business who get an ROI immediately, and they were certainly the ones that first took out wireless data.
MS. MAHER: Anyone want to respond to that?
MR. CARLYLE: Well, you can think of a hundred examples where it really is a great opportunity in the marketplace, and if you look at plumbing and delivery services and the web -- Home Grocer.Com and all those kind of delivery capabilities, if we can get the privacy issue addressed in the appropriate manner, the ability to go to a terminal at your home if you want to, tap in a phone number from a safety point of view and have that red dot come on with a map of the proximity or the precise location of the user, if that's your spouse, your child, a teenager or somebody you want, again recognizing the opt-in, recognizing the policy implication. But if you realize that businesses can make extraordinary value out of that, and consumers can make extraordinary value out of that, there really is a great opportunity to make something powerful happen in the marketplace, and I think that's why the market is driving this very aggressively forward.
MS. MAHER: Thank you. I think we're going to have to wrap it up now. It's unfortunate because I think we could talk a lot longer about all of these issues. I have a couple announcements to make. First, I really want to thank the panel since they are terrific. We're going to have an hour break for lunch now, and then we'll come back to the next round table which is building privacy and security solutions into the technological architecture. If you go out to lunch, there is a list in your packets of restaurants. You can also eat upstairs at the Top of the Trade, the FTC restaurant, and also upstairs we have demos of wireless services and devices upstairs on the 7th floor so everyone can go up and look at those. Please keep your badges too when you leave the building and come back in so you don't have to sign in again.
(Whereupon, at 12:30 p.m., a lunch recess was taken.)
AFTERNOON SESSION (1:35 p.m.)
PANEL ON BUILDING PRIVACY AND SECURITY SOLUTIONS INTO THE TECHNOLOGICAL ARCHITECTURE
ELLEN FINN, FTC, MODERATOR
JANELLE W. EDGAR
MARC LE MAITRE
MS. FINN: Welcome back. My name is Ellen Finn. I'm an attorney in the Bureau of Consumer Protection at the FTC, and I'll be moderating this panel on building privacy and security solutions into the technological architecture. This morning panelists and presenters explored a variety of privacy and security issues that are raised by emerging wireless technologies and services including issues surrounding location information. In this panel we're going to try to talk about ways that privacy and security solutions can be built into the technological architecture of devices, networks or businesses to try to minimize or eliminate some of the concerns that were raised earlier in this workshop. To discuss these issues, I'm going to give only brief biographies, the written biographies are in your folders, we have Eric Bergeron who is the general manager of Wireless Solutions, ZeroKnowledge Systems which is a leading provider of privacy enabling technology services for consumers and businesses. We have Janelle Edgar who is the director of implementation management for Diversinet, digital certificate software PKI company based in Toronto. Marc Le Maitre is director of technology strategy for Nextel Telecommunications. Greg Miller is the vice president of corporate development and chief privacy officer for MEconomy, an emerging company in the Internet privacy infrastructure sector. Richard Purcell is the director of Microsoft's corporate privacy group. Shekar Rao is included in your addendum. He's with us from Aether Systems. And Richard Smith at the end is chief technology officer for The Privacy Foundation. Detailed bios for all of them are in your program materials, and as I say, Shekar is in the addendum that we handed out. As we have done before, I'm going to try to leave 20 minutes for questions and comments from the audience at the end of the panel, so if you are listening in the overflow room, if you would like to ask a question, we ask that you come become to the door of room 432 at about 2:25 and we'll have microphones available. Panelists, I'll remind you if you want to answer a particular question or get my attention, you can turn your nameplate on its side or just raise your hand to get my attention. To start with, I wanted to ask whether there are some basic principles of technology and design that we have learned in the wired Internet space that can be applied in the wireless context to increase privacy and security. Maybe Greg, if you want to start us off.
MR. MILLER: It sounds like I'm the sacrificial lamb. Good afternoon, and I would like to thank the Commission for pulling this together and allowing us to come here and contribute. I'll try to say something reasonably intelligent. We at MEconomy have actually looked long and hard at this issue, and I think that you're going to find as the hour wears on that this could be one of the most interesting panels. A lot of contentious issues are going to go back and forth with a lot of red herrings and rat holes of technical detail on sufficiency of security and privacy, but I think there's a lot to be talked about, and I think we need to basically pull the covers back and look at reality here. From our perspective, there are five principles that we think are worthy of consideration for privacy and security in the wireless infrastructure, and I'll just run through them real quickly. First the user's direct access device should be the initial source of encryption. We believe it should be performed end to end without untrusted intermediaries. Secondly, we think the end device should be an open platform so users can load and unload their own privacy and security technologies. Third all technologies that directly and initially touch consumers' data such as at the point of collection should be available for unfettered public review, in other words, yes, I said it. We support open source initiatives. Fourth, I think consumers might have complete control of information so once again fair information reporting principles we think apply: Notice, consent, access and security, noting that I said consent, not choice. And finally any data collected for a transaction should be decoupled from personally identifiable data and only used for that transaction. We think those should be the five guiding principles from what we've learned in the Internet space.
MS. FINN: Is there anyone else who has thoughts on that? Richard Smith?
MR. SMITH: One of the things that came out earlier this year was an issue with both Sprint PCS phones as well as AT&T wireless web phones around the use of what's called persistent identifiers. In this case when you browse the web site with the phone, the web browser that was in the phone gave out your phone number to the web site you were going to and in the Internet space this is considered let's say bad form. You wouldn't do this. It's very interesting to watch the reaction among the different players in this because I ended up speaking to press people as well as equipment manufacturers as well as also the wireless carriers, and the web browser company said, Yeah, it's not a great idea, the phone number goes out, but we don't want to upset the wireless companies. They're our customers, and we can't tell them how to do a more secure system or more private system, which I found interesting, and then the wireless companies kind of said back, well, the only place you can go with this phone is some place you subscribe and therefore there's not a privacy problem because they already have that information. And it was interesting, that was not really a true statement because I had set up my own web site to collect phone numbers. This was from press people that had these phones, and sure enough, it worked. These phones were not in a walled garden at all. What's interesting to me in this situation is that the wireless web didn't seem to know about what's going on in the regular worldwide web. We invented, or I won't say we, but cookies were invented six or seven years ago to solve this problem, how you deal with identifying people and at the same time giving some level of privacy. So I think there's a lot that can be gained from the Internet here on basic technologies. Part of the problem though is an educational one of getting the people who are building these phones to appreciate some of this, and this goes back to something that Larry Ponemon said this morning, a lot of people within the companies don't understand what they need to do. I believe they're getting more educated. I know that Dan mentioned there was a conference on the issue of privacy, so I think it's beginning to rise on the radar screen.
MS. FINN: Thank you. And, Marc, did you have -- I'll remind also all the panelists, try to speak into the mike as much as you can so we're sure the folks in the overflow room can hear. Marc?
MR. LEMAITRE: So what do we learn from the web? We learned that this really is an extension of the web experience, although it's got all its own little specialties. I think we've learned that -- I've seen enough rhetoric in the press about how WAP isn't working, and I think that blaming WAP for that experience is like blaming HTML for the fact that you don't like the web page that you visit. It's deflecting the problem. I think we've recognized that there has to be a unique experience in wireless, and probably in order to be able to bring that experience to bear it has to include things like location or state information, where I am and what am I doing in order to be personalized to me. I think we've learned it's not a web browsing experience. It's more of a transaction oriented type of environment, but I do think the wireless industry is actually giving something back to the Internet as well because the single largest presence for Smart Cards is currently in the wireless industry, and I think we struggled with the uptake of that particular technology, but if you look at the GSM standards and the future CDMA standards, you see a Smart Card. And I think as we go forward, while Gregory has made a fine point about end to end security, what I encrypt only gets decrypted at the other end. It's a great goal end point, but I think that certainly one of the things we've learned from the web as we've tried to use WAP as a protocol is that it doesn't always work to have this direct -- this content directly delivered to the handset. There has to be some notion of some sort of proxy on the network. The name for a proxy in this case would be an agent and another name for an agent in this respect of privacy would be a trusted agent, so something that's acting on my behalf and identifiable as mine is something that we have learned as we've sort of migrated web standards into the wireless industry.
MS. FINN: Richard?
MR. PURCELL: We have to be very careful in all of our discussions around this because one of the things that is a logical though irrational outcome to a lot of this is that all of us go back to our company and constituent groups and say, Oh, gosh people are really concerned about our privacy both online and in the wireless space, and they don't want to be creeped out by surveillance, and they want to keep their information secured and private, so start coding. The developers say, Code what? There's no particular vocabulary that we have developed that actually explicitly defines what it is we're requiring here. There's no particular clarity around what it is that privacy is. What is privacy? Is it modesty, a word I can define for you. I know it doesn't make much sense to this group or even to this town, or is it beyond modest and is it hiding or is it simple desire to be not recognized or not known. I mean, there's a lot of ways that this can be interpreted, and there has to be some parsing out of this issue very carefully and methodically because you cannot code technology either for privacy purposes or security purposes or for delivering services unless you have an unambiguous purpose first of all. So what we're doing, what we need to define, what we're doing in our company is we're defining the purpose, the common purpose to be achieved here, the principle that that common purpose meets, the policies that support those principles, the processes that are supportive of the policies and of the needs that are expressed, and only then can we get to the technologies, and then looping back there has to be of course a verification process as well. In the technology space, not dissimilar from Greg but we're demanding that there be an authentication method and also that that authentication method be flexible enough to support persona management, who do you want to be for a particular activity, do you want to be anonymous, pseudonymous, do you want to be known? Do you want to be your persona at work or do you want to be your persona at home or do you want to be a different persona? There has to be support for people to be -- the person that they think is contextually appropriate. Authorization, authentication is one thing. I am me. Authorization is an entirely higher order of technology and security requirements that says, Not only am I me, but I have authorization to access certain services, certain -- and authorization goes both ways. It's not just the consumer. It's also the enterprise. Encryption as Greg states is incredibly important, secured transmissions of data which arguably the wireless space will tell you that there is security in those transmissions. There are many commenters that will say that that is simply not the case. That has to be straightened out, absolutely unambiguously answered. Secondary preference recognition, in other words, you may have a primary relationship and your preferences may be expressed to in that relationship, but how do you -- how are those transmitted to secondary and tertiary parties and how confident are you in that they will recognize those and manage them appropriately. And finally as we've talked today on and on and on again, what's the user interface, what do you see and how do you control that? We think without a doubt customers expect that they will always want control over their personal data, identity, location, activity, state, presence, all of that stuff, and we need to start demanding a listing of these kinds of requirements because we can't code without them.
MS. FINN: Greg, I see you have your tent up, but I would like to try to move us to a question that arises out of something Richard just said. You said there may be some debate about this, whether or not wireless really is secure, and I think since that's our focus here, I would like to ask the question, moving from the broad principles that we may have learned in the wired space, what are some of the concrete things that companies are doing today to build privacy and security in the wireless medium and are the current protections adequate? Janelle, maybe you would like to speak to that.
MS. EDGAR: Well, I think that certainly the lessons and the tools that come out of the Internet, like encryption and authentication using public key infrastructure are needing to be leveraged in the wireless environment because of the personal nature of a wireless device and then of course the restricted memory and the bandwidth issues. There are greater challenges in implementing the security and of that environment, and that difference, the technology difference where the overhead is just more of an issue, and there are trade-offs there between the higher level of security and the speed and efficiency of your transaction operations, and these are some of the things I don't think consumers even realize they have to deal with those trade-offs and when they are expecting greater security which they need, and you have to have but the technology provider is needed to be conscious of that and provide the tools that will provide as much speed and efficiency as possible.
MS. FINN: Greg?
MR. MILLER: I think that generally we believe that the protections that are currently being employed are actually an attempt to strike a balance between what I call breakability for government intelligence agencies and sufficient security to thwart the casual intercept, and I think they're reasonably justified by limitations in the technology: Bandwidth, CPU, memory, user interface. Those are really the four corners I think of any technical discussion. We look at what we can do within the wireless space, but I think it's also well settled that academicians have argued that for a variety of the reasons such as the ATA 5 ciphers specified in the GSM consortium are a classical example of this trying to build something that's breakable for government purposes but good enough for most thwarting. The problem is that powerful cryptographic capability is now so widely available in the intelligence world it's actually percolated down to the public and is available in very low cost computing techniques, and inexpensive but powerful hardware. In fact, the types of intrusions that could be performed by relative amateurs are surprising everyone. If you thought we had problems with analog phones being hijacked, I can tell you that I've actually witnessed demonstrations at Cal Berkley where PCS devices that are being marketed by Pac Bell like this and a couple other devices are being also -- basically identity theft is available to them. I think one initiative that's demonstrating these trap doors frankly is WTLS which is wireless implementation of the transport layer security or what we also know in another world as SSL. And I think it's well said in the literature that while in the authentication area there's been some good work using sufficient key links such as the electrical curve digital signature algorithm, the key links are not foolproof. Any good authentication algorithm can also be used to encrypt. So take, for example, for those in the technical space the algomal encryption variation on Diffey Hellman. And we don't need to go down that rat hole, but I think the bottom line here is that we need to understand that the WAP forum has arguably introduced several major cryptic vulnerabilities to TLS, and TLS is being -- WTLS is being used widely in the American GSM standard and in telephones, PCS devices that are claiming that they have security with that. So I think that we need to look at the reality here. There are definitely vulnerabilities that are very clear and present.
MS. FINN: Eric?
MR. BERGERON: I would like to state a different point, which is the difference between security and privacy in the industry at large. There's a large confusion between privacy and security. One is equated for the other and these are very two different topics. Why? Because security is a means to enforce privacy but privacy goes much beyond simple security, so you can have a fully encrypted end to end secure communication channel, but at the other end, your service provider or your portal can attract, profile, build a dossier on you and sell it to another party. So you can have full security on a channel and have absolutely no privacy so those are two topics that are very different.
MS. FINN: Richard?
MR. PURCELL: It drives me a little crazy when we all know that encryption is widely available. You can -- it's there. Now, anybody in this room, anybody, send me an encrypted E mail and certify that you are the author of that E mail unambiguously. Anybody can do that? Anybody can do that? If you're not in law enforcement it's unlikely that you have the skill set to actually do that on any common platform today. One of the things we've learned in our bringing the Internet to the mass population is that we have lots of theoretical protections for these people that are fundamentally not available to the common person. It just isn't part of a person's every day life to even use PKI, Dan, send me a PKI encrypted sheltered piece of E mail. Can you do that? Well, hell no. I mean, it's outside of our control. Now, the problem is that we have an incredible amount of technology available to us, and that technology is so far in advance of what's's available to consumers in every day use to just use it, it's hard enough for most people to send E mail, much less one that is fully encrypted and certified through an authority, very difficult. It's not difficult, it just doesn't happen. It just doesn't happen. I have a guy, a security guy at Microsoft that sends me mail, it's always encrypted and it's always certified, and it says stuff like what are you doing for lunch today? Okay, fine. Nice demonstration that you can do this, but let's -- it's nonsensical that we're applying that kind of technology to those kinds of messages. At the same time I'm sure every one of us gets messages in E mail from our attorneys that says privileged and confidential. It's being passed in clear text -- it may be privileged. It's not confidential by any means, so what I'm trying to say is one lesson we've learned is we haven't learned much about how to put realistic usable tools into the hands of the consumer.
MS. FINN: Marc, did you want to respond?
MS. FINN: I would be curious if you all have views of -- I hear you saying there are technologies that are out there that can improve security at least in theory or at least in the academic literature. There are tools available, but that they are not necessarily widely being implemented and employed. Is that simply a matter of economics or are there other reasons why these technologies are not being widely implemented? Eric?
MR. BERGERON: Well, the first reason is that mobile phones are poor computing devices so for. This is changing very fast, and when the phones become powerful enough to compute easily and perform functions, then you will see more and more the PC paradigm moving to the phone, so you will be seeing applications that you can build yourself. Applications you can already see in Europe today, applications built on smart card use to program stuff or PKI so the more the phone becomes powerful, the more you will see a full array of new applications and new services that will enable security and privacy.
MS. FINN: Janelle?
MS. EDGAR: As those certificates do end up on the devices like a client certificate, digital certificate that can be used for the encryption and for the digital signing, it's going to address a lot of the security concerns, but there are still issues around who is going to issue and validate those, who is going to stand behind the digital certificates that are issued, but I do think that as these industry is maturing and as the business models stabilize, those answers will be addressed.
MS. FINN: Shekar? MR. RAO: I think I agree with both Eric and Janelle's point. The one thing which will actually help that option is what we're seeing in the PDA rule I think with the open OSSs that Palm has and Microsoft has versus those in the phone world there is going to be a little more time towards an end option toward the encryption models and other things. I think if one may be able to look at all the applications that I deliver for palm devices, you can see a couple of interesting paradigms emerging. One of them is it's possible or it is necessary with all the limitations that these devices have to have different levels -- to be able to say that certain pieces of information like the one that we just said about let's go for lunch, maybe it's not encrypted so it becomes a much nicer user experience whereas something that's privileged and confidential does have that kind. And some of the applications that are out there from a security encryption viewpoint I guess the next piece that many of us including those at Aether are working on is authentication, how do we get the certifications out for the devices, how do we make sure they're secure and private, how do we make sure that they're one off so they for certain transactions can be changed and have a random nature. So it's happening there. It's happening at a slow pace. And the one thing one should be careful about is just taking the paradigms that are used in the wired world directly into the mobile and the wireless area. There are some lessons that can be learned, but just taking them directly across and trying to put out some heavy processing will cause this whole marketplace to get significantly stymied. I think there is progress is happening, and it could be accelerated, but it needs a lot of different players to step up.
MS. FINN: Eric?
MR. BERGERON: This is a fundamental paradigm of the wireless, E Commerce that the wireless industry being a telecom industry is based on strong authentications. We must authenticate that you're paying your bill that you are who you are in order to process calls, and privacy is based on the contrary of that so how can we build strong authentication and strong privacy at the same time? This is one challenge we face as an industry, and the second challenge is technology tools must be enabled to give carriers and portals and consumers and ways to feel secure and respect regulations. One example I can give is imagine you're a U.S. executive traveling in Europe. You have a rented phone from the UK where you arrived in the first place. Now you are in Germany, and as a father you feel guilty so you want to buy toys for the kids at the airport, something that most of you I think have experienced before. So you use your web phone in Germany. It's a UK phone to access an E commerce web site and you ask to buy a toy delivered at the door of your home in the U.S., so the phone must comply with the UK data protection act. It must comply with the online children protection act in the UK because it's a toy site. Also it must comply with the privacy directive from the European Union, and lastly the web sites sets a cookie on your web browser but in Germany there's a law on cookies that requires express written agreement before you see cookies, so how can you comply with German, European, UK and U.S. multi dimensional regulations? It's a nightmare so we have a multi industry value change. We enter a multi technology universe, so there must be technological solutions to take care of that. Otherwise the business will not take off.
MS. FINN: Richard Smith?
MR. SMITH: I want to make a quick comment about the security systems. One thing we need to be very careful about, that's something that Richard Purcell has already mentioned here with E mail, but this whole issue of security systems or authentication systems and certificate systems. They all have to be very transparent and intuitive to the users. Otherwise they're just not going to get used and you've wasted all your time and that's what really is Phase II beside just the issues of computing power and a phone is making systems that are easy to understand. I heard this morning, Lorrie brought up the system where you use a thumbprint and I think that sort of fits into the intuitive system. On the other hand it does raise, as Eric just pointed out, there's a real tension between security and authentication in particular and privacy.
MS. FINN: Richard?
MR. PURCELL: Very quickly, we've been pulling phones up all day today and yesterday, so I won't hold mine up but phones have locks. Every one of them is enabled with a locking mechanism. Anybody using it at all? Yeah. We've talked about what happens if I lose my phone and somebody gets at it. Well, there are locks on them right now to prevent unauthorized access but they are simply not used. There's a reason they're not used. It's because essentially it's a barrier. I've got to punch in four or five numbers before I can punch in the ten numbers that I need in order to punch in my 13 numbers in order to get my account. It's a hassle, so absolutely agreed. There's got to be simple yet secure methods, but we also have a big job just getting the consumer, the marketplace, up to speed with the kinds of technologies that we're making available to them. And as long as we don't do that we then have a marketplace that essentially is being victimized by the technology sector. They have to be equally empowered to be able to use this technology in order to take advantage of and control their own information.
MS. FINN: Greg, did you want to add something?
MR. MILLER: Well, quickly. I think there's another issue. Notwithstanding the various degrees of reliability for biometrics, assuming that a thumb print or whatever would be a nice addition to the telephone it gets back to business propositions too. You add 2 or $300 to the cost of the phone and what have you done to user adoption in this era where user adoption is everything. Part of the problem is adding security and privacy functionality into this wireless state necessarily means changing everything from the design lines and sort of the look performance and the price performance of the devices. I also want to add too that I think at the risk of sounding like one of those, there are probably these continuing frictions between the interests of government agencies and law enforcement and their ability right now to take advantage of weaknesses and protocols so that they can get their job done, and the interest of consumers in seeing those protocols strengthened and fortified so they can keep their nyms, so I think that's another competing issue that we need to look at.
MS. FINN: Marc?
MR. LEMAITRE: I have one other point I would like to add on the business model side of thing. It's just not the additional cost of the phone that I think is going to be impacted by this privacy. I think a number of panelists have said that really the only way to empower the customer is to put the information back in the customer's control. Now, there's a huge amount of legacy information out there about me and probably everyone in this room, and that's where zealots in this space have taken real serious care about it, so it's a problem of not increasing the bleeding, but essentially when it comes to adding value in the wireless location, wireless state space, that is this personalization for wireless, I think that there's another issue that we have to very carefully consider. And that is that how do we create a mechanism that allows the customer to be empowered with this information, despite the fact that it actually resides in a customer's database at this moment in time, that it is somehow marshaled by the customer. It's owned by the customer, and the big problem there is how do you provide businesses with access to that information under the customer's concern. What I'm most concerned to make sure is that the wheels of industry are greased as we put the brakes on, that we don't actually stop businesses by over empowering the customers. It's not something I've heard, but if I take back all the information I ever got about myself most of the companies I do business with would die fairly quickly if we all did that. So I'm looking forward to some type of mechanism that allows me to be able to empower the customer but at the same time continue the wheels of industry moving and you put in your crib notes, I would very much like another get together to bring out all the opportunities and options for technology here because some of them, some of the emerging technologies, you put down particularly a product called XNS that has been built specifically on top of P3P to extend its capability for something like a wireless technology might solve these problems. The problem is it lacks the overall governance because I think ultimately the issue is going to be about do I trust this framework. In that respect it's very much like a card holder agreement, the credit card. If I trust that card holder's agreement, the transactions, the contracts that I sign, the receipts that I get from the merchants when I do this ultimately becomes trustworthy. I don't refer back to the card holder's agreement every time because I trust it and as long as the card holder knows I am who I am, and that's the identity management piece, that ultimately that gives everybody a level of trust that there's a level of recourse. I think that's what's missing in all this privacy thing is the recourse issue.
MS. FINN: We've heard a lot about how there are a lot of differing technical standards, particularly in the U.S. Does the wide variety of technologies that are employed in this space itself create security issues? Shekar, maybe would you like to speak to that?
MR. RAO: Yeah, I think that that's definitely a cause of concern by different players in the solution space especially end to end. I think a lot of people are seeing but are not sure what needs to be done. I think one of the points brought up by the panel was the issue of PKI. A lot of people are asking for PKIs but there's no clear understanding of what PKI means, how is it going to be enabled, how is it going to be enforced, who the certificate authority is, how do they get transferred. So there's definitely confusion as to what to implement, and I think as Richard Purcell appropriately pointed out, it's hard to tell the callers to call when at the business side or at the government side there's no idea what is needed to be done. So I think the need for some kind of a framework, some kind of an architecture that says that these are some of the basic standards to enable the E commerce or the M commerce to happen and if these standards are adopted at least the different players, the retailers and the space and the credit card agencies can all say, okay, we subscribe to that and hence you have a certain degree of assurance with the public will become more adopted or more acceptable. I think one of the things I was reading the Forester report which estimated that as approximately due to this confusion on security and privacy and all the other aspects of this case as much as $5 billion worth of online preventive potential was lost last year, so I think there is definitely some kind of a confusion with the standard. There's some need for some standards body to step up to the plate and say that this is what we think are some minimum standards and if you do this maybe you can reinforce the common person to think that there is something happening there and they only have that to worry about.
MS. FINN: Janelle, did you want to add something?
MS. EDGAR: I wanted to add that certainly the standards for how the security models will end up being framed out and the standards for that, then in speaking just about the challenge of implementing security, implementing PKI as a company, that we do have a product that is working. And these environments with digital certificates on the client side and such, that the challenge is all of the different standards just in the communications industry particularly in the United States and a variety of devices and networks, and all of you are probably familiar with this. But as you're implementing security technology where you have to keep in mind or pour into different OSes and different devices and such, that makes it a lot more difficult and that is a great challenge to us particularly in the United States.
MS. FINN: Does the need to communicate over so many platforms and with so many devices -- not only does it create difficulties but does it create additional costs that may be an impediment to reaching a level of security that you might otherwise implement?
MS. EDGAR: I think it will -- it's going to make it take a little longer to reach the optimal level of security across the board, yes.
MS. FINN: Eric, did you want to speak to this?
MR. BERGERON: I think once again Europe is showing the way. As we speak today there's a new standards subgroup, that's the standard body in Europe, M commerce so they don't waste time. They started the new standards working group such as I think a display on your phone showing that the transaction is secure. So they are standardizing procedures for M commerce instead of waiting for competitive forces to play, they agree to level up the playing field together and then will compete on services, not on technologies, so once again I think that on the technology forefront we are losing ground and in North America as a whole, not just the U.S. but Canada. We have the same strengths and weaknesses as the U.S. on this, so we are losing ground to the Europeans on that because of the lack of standards and we don't know on what to compete. We compete on basic nuts and bolts instead of basic service.
MR. LEMAITRE: It would be a real shame if we didn't learn from the issues that were raised yesterday about the proliferation of wireless standards in North America compared with Europe. There is innovation in this open free framework, but I just don't believe that it's in any of our interests to have a different privacy framework for every wireless carrier in North America. It's not the area I think we should be competing. It's the area we should be cooperating. We should look to differentiate at a different layer.
MR. PURCELL: I agree completely. I don't think the problem is the lack of standards. We got lots of standards. It's like Mark Twain said, Hey, quitting smoking isn't that hard, I've done it lots of times. The problem is that what we have doesn't so much constitute standards as it constitutes competing protocols that are being used in a proprietary way in order to compete in the marketplace. I agree completely with Marc that that's the wrong place to complete. A lot of the standards that we are claiming are actually products, and we have a product orientation to the production of these standards as if when we finish the standard and we bind it and publish it, we're done. It's not done. That's the hard work that has to be done in order to start, and we too often are looking at standard -- standards development as competition in and of itself and as an end product as opposed to creating a beginning point from which we then can launch our competitive efforts in order to attract customers and to attract them by producing secure and private services.
MS. FINN: Are there sort of technologies that may not be here today but that may be coming soon that can enhance privacy? For example, I think I've spoken, Richard Purcell, with you about and some of you others as well the concept that you can create protections that flow with someone's data so that it is constantly meshed with and embedded with your set of permissions as to who can have it, what they can do with it, where it should go. A lot of concerns we've heard raised as well, I may consent to my carrier having it or to my carrier providing it to this particular service provider, but once they have it how do I know who it's going to, how do I know what they're doing with it? Is there a way technologically to really bind the data to the protections and the permissions I want to have with it?
MR. PURCELL: I would say we don't know if there is yet or not. There are -- there's an interesting circumstance that we face today. Britney Spears music is better protected than your identity because we have -- I'm not sure that she actually writes that stuff, but whoever does, it's difficult to -- it's possible to explore it, it's intriguing to explore the idea that digital rights management approach to protecting the intellectual property rights of digital information could be extended and applied to personal information including identity behavior activities, locations, states, presence, that kind of stuff. It would be a very interesting exercise to get a smart group of people together to start exploring that issue to see if essentially you can wrap around a binary object your data different layers that enforce specific kinds of privacy and security preferences.
MS. FINN: Greg?
MR. MILLER: I was going to add to Richard's comment that there's this old concept in law called covenants that run with the land, and we believe there ought to be covenants that ought to run with the data in much the same way so you might jot that down as a crib note thinking in a paradigm for the lawyers in the room, covenants that run with the data. Are there things we can do to create -- there was a concept before the lunch break mentioned, the concept of a persistent cookie. I think Mr. Poneman mentioned it this morning which also as Dr. Lucas sitting in front of me will immediately say, yes, there are all kinds of controversies behind that too. I think everything has controversy around it either way, but the idea of a -- that I have -- let's face it, in the information economy the wealth creating agent today is information, is data. Just as in the industrial age the wealth creating was raw material. Today it's data. The single most valuable data that we have is our personal profile, and we believe that we should be the manager or in the best position to manage that. And so perhaps there is a peer to peer networking concept here that I manage my own profile and I give permission to entities out there, destinations and services to use areas of that data calling to mind ZeroKnowledge's concept of progressive levels of disclosure. So maybe there's a next generation type of certificate calling to Janelle that says, My health care provider gets to see these data elements about me, my financial services provider gets to see these data elements. None of the two shall mix, and that I control that and finally perhaps the ultimate layer to take what has been historically two allergic entities, data miners and the privacy and security, to make them two sides of the single coin by saying perhaps what we do is realize that every consumer in America needs to be a digital economy knowledge worker. And we do that by incentisizing them for giving permission to use their data, so query if that isn't an interesting model of the future.
MS. FINN: Marc.
MR. LEMAITRE: I agree entirely that there must be conditions as you deliver data information to a third party. I would like to get to the position specifically to deal with location and state where my consumer could pass that information off under terms of the contract that goes something like this. You can keep this information for 15 seconds. During that time you can determine whether there are any location services around me that fit my profile. At the end of that 15 seconds you must guarantee to destroy that data, and by the way you can't share it during that 15 seconds because that gets around the issue of the persistence of this data which I think becomes more destructive or malicious intent as it's built up. The idea that somebody could track where I was last Friday and the Friday before starts to become quite concerning to me, so this notion that the data didn't persist on the other end, although I have some mechanism of pulling it back once I've given it in case I change my mind. Unfortunately people do that. They give out information and then regret it later. That has to be built in at the very core, but I think the initial point is that there has to be a mechanism, and I'm looking at the digital signature laws as a mechanism, I would enforce that. If I get your digital signature on a contract of that magnitude, providing I can enforce that contract in law, then the notion that I could write that contract to suit me, that it's under my terms and conditions I think as a consumer would give me a lot more comfort that that information was not going to be abused.
MS. FINN: Thank you, and the last question as we try to save some time for some questions and comments from the audience is we've been talking about ways that technology may be able to help us address privacy and security issues but what do you all see as the limits of technology in this area? Are there other elements that need to be in place and if so what are some of them that need to surround the technological solutions in order for us to have meaningful and complete and security protections? Greg, you're making eye contact so I'm going to call on you.
MR. MILLER: No, I was hoping that Marc would say something. He was looking at me.
MR. LEMAITRE: Not me. I'm not touching that.
MR. MILLER: Once again, I started being the sacrificial lamb, perhaps I'll end that way. We think actually that -- I guess the answer to all that is yes. There are at least four things that come to mind from our perspective that represent issues that have to be dealt with in terms of the limitations on the amount of privacy and security protection we can achieve. The first, and I'm sorry, Janelle, to drag you back into this but at the end of the day is key management. People will forget their keys or they'll give them away. That's just the fact of life. People still use post it notes for their passwords on their screen. Education, I think unless consumers understand the risks of their personal well-being in an unsecured transaction mechanism such as the ones that are being deployed today in the wireless space, price and style are always going to win out. People aren't going to be willing to pay the extra hundred bucks for the biometric device on their telephone. Regulation, perhaps the scariest word of all. I think what we believe is market forces will be sufficient industry motivators. At least in the perfect world we would like to believe that. I think that's also an important rule partnership or initiative to prudent or regulatory guidelines, and finally incentives. And it comes back to what I was saying a moment ago, our start up is founded on the belief that unless the incentives of the advertisers, marketers and the consumers are aligned these privacy and security concerns will continue. I think the consumers have to be motivated to care about the control they have over their personal information, and advertisers have to be motivated to care about not compromising consumers's personal information, and marketers have to be motivated to gather and not misuse this information. A system like the one I mentioned a moment ago, creating something that I call an assured privacy layer, an APL, think of it as being sort of the metaphor or the analogy to SSL, the secured socket layer, something called an assured privacy layer. You know when you're in it. You know what the world and the experience is like when you're in it and it's made possible by a trusted party. I think that that layer should reward consumers for authorizing specific uses of their data, giving permission to destinations and other web services to leverage that data on a sliding scale of rewards or incentives and other benefits, and I think that's the way you're going to bring those two together. And I think at the same time we really need to focus on APL, so I think that there's things -- there are limits and those limits really are around key management, education, regulation and what kinds of incentives we put in place to get people engaged.
MS. FINN: Thank you. Is there anyone else that would like to throw other elements into the mix? Richard Smith?
MR. SMITH: Real quickly here. In terms of solving the privacy issue with technology, technology does quite well in a lot of areas, but one area it's going to really fall down on, we've already kind of chatted about that a bit is the whole issue of sharing. Once the data gets off your phone and out there in the world, it can be copied around, and that's the nice thing about computers they're very good about sharing data. Then we get into regulation or contracts as Marc mentioned to have to control it there, but technology can sort of help out there, can remind people if I have an X file with data in, I can include tags that say this shouldn't be shared, so it at least reminds the programmer where they need to be careful. But fundamentally technology is really good about not letting the data get out first, but once it's out, then it's less of a good solution.
MS. FINN: I'm going to stop and invite questions and comments from the audience, and I'll remind the people who are listening in the overflow rooms that if they would like to ask questions they can come to the doorway here at 432 and we have microphones available. So let me recognize first the person who's at the door. If you could please give your name and where you're from.
MS. CUNNINGHAM: C A R A, C U N N I N G H A M, Red Herring. I have a couple related questions. We talked a little bit about Europe. I'm wondering if we can learn anything from Japan since the mobile Internet is so popular over there? What do we know about privacy and security issues and what can we learn about that? Also as the world moves to 3G, albeit kind of slowly over here, is that an opportunity for security and privacy to become universal? And lastly how much will we be held back in the U.S. from the Internet being mobile because of privacy and security? Are we going to be behind the rest of the world forever?
MS. FINN: There's a lot of questions there. Who wants to pick one to start?
MR. BERGERON: Well, if we talk about Europe and Japan, Japan is the showcase of what 3G will look like. They do with 2G with nine points kilobit per second of data which is quite slow. They do amazing services with color and video and stuff, so you see that 3G will be based on location profiling, but especially on commerce. And this is one place where privacy needs to be built in. If you want to look at the future, look at Japan, and look at the revenue base that the individual extracts from those services. It's fantastic, and it's based on transaction -- this is a view of the future transaction based wireless services.
MS. FINN: Shekar.
MR. RAO: I think the one point I would like to answer is the second thing, and this is the topic that both the Richards addressed, the user experience. With the advent of the 3G networks and their prevalence, their user experience towards a greater degree of security and privacy of the devices will become something that will become acceptable. By that I mean is that you have a high degree of encryption, it won't take you ten minutes to get it when you're paying the bill on your cellular phone, but it may take you the one second or the half second or something. So I think that's one of the real advantages. 3G networks will help some of the technology limitations that we are facing. The 3G networks are implementing high bandwidth solutions.
MS. FINN: Greg?
MR. MILLER: I'm going to echo Shekar's remarks. I think that's exactly on point. Two other points, one, what can we learn from Japan and Europe? It's a culture experience issue. Let's remember that the mobile web or the mobile Internet experience of Europe is driven by the fact that it takes six months to get a telephone line installed in a typical residence in Italy. Let's look at what's driving the culture, things within Japan that cause technology adoption, and finally I think Walter Mossberg yesterday made some telling remarks about 3G, and I tend to concur with them. I think everything we're hearing we need to factor by an order of magnitude of one or two years. If we think it's going to be next year, wrong, it's here in three years. I don't think 3G is going to nearly fulfill the promise that the hype would have you believe at this point, not that it never will, but we need to sort of think calm blue ocean and take a deep breath before we jump to the next flavor of the month.
MS. FINN: Marc?
MR. LEMAITRE: I think regardless of whether it's one year or three years away, I think it's undeniable that the panels that we've had this past two days have looked at some whatever in envy of what's going on in Europe and Japan and the perception that they are ahead. I worry that in sort of things that are going to drive mobile commerce and things like the location of services, that uncovering this location is going to be so important to us -- us, that's me an English man saying us, sorry. The American market, how about that, good lord, that I would again urge we probably have our own future already met and in our own hands. I've worked again with Danny Weitzner on figuring out what we have to do with P3P to make that the privacy protocol that offers the solution to the problems in the wireless arena, and what I'm concerned about is the time that it's going to take to develop that. And it doesn't mean to say we shouldn't develop it, but I think what we have to look at is what we've already got, the Smart card technology. Maybe the keys aren't quite as big as they should be and so they're too easy to crack. Maybe we've got to beat that key technology up, but essentially we have the component. The Smart Card already exists. We've got most of the protocols we need. You just have to uncover them and make them available to everybody and be reasonable about it but again using the analogy we're late to the dance, we haven't got time to go out and have our frock made for us. We'll take what we've got already and make the best use of it.
MS. FINN: Richard?
MR. PURCELL: Very briefly, I'm going it be the contrarian on this point and say I don't think they're ahead of us nearly at all. I personally do not need to download a cartoon character every day. I personally don't need to have a buddy list so that my phone tells me when people on that list or anywhere in my -- maybe there's a few people I would like to do that with. We have to be very, very careful about not confusing real consumer benefits that are consumable, long lasting, economic benefits with stuff. I'm starting to think that the model that is being discussed in the environmental community might work for me. I do not care for more advertising. I've got all I need. In fact, I would gladly sell my advertising credits to anybody who wants them so that I'll get less and they can get more. I don't necessarily believe they work in kind. I think we're being -- we haven't found an economic model that necessarily works for us, and I include in that things like location data. If location data -- if the business model for location data is lattes and pizza, then it's not a business model. It's not there yet. We don't have anything there yet. Additionally we have to compare the cultural differences that we have. It's a big difference from living your life in a country -- in Tokyo with 30 million people or in Canada with 23 million people. There's a little more space in Canada and that necessarily invigorates something of a greater degree of an idea of privacy that is more of the left alone space in physical space, and I've been in Tokyo and privacy is just like it doesn't happen. It happens inside your head. That's it so far. But we have to be very really careful about confusing cultural ideas, economic benefits, those kind of things with what we think of as progress.
MS. FINN: Are there other questions and comments? Over here?
MR. ALTSCHUL: I'm Michael Altschul of CTIA, and I wanted to offer a contrarian view of the panel's discussion on multiple standards and get reaction from the panel. First it seems to me that market forces are working very well to reduce the number of multiple standards in the United States, at least down to two if my tea leaves are correct, and second I guess I was concerned particularly here in the Federal Trade Commission to hear that technology standards are not a worthy subject for competition and perhaps a better subject for cooperation. It's been the experience in the wireless industry that for the first eight years there was one standard, standard decreed by the FCC. It was analog. The industry was characterized by a lot of cooperation and very little service or feature innovation. For the last eight years we've had multiple standards without the government selecting a standard, and the industry has been characterized by incredible innovation and services and features, and that's perhaps related to the multiple standards, and the prod it provides different vendors to come up with a better mousetrap. And finally, with respect to security, I would think that having multiple standards is like an insurance policy. If, for example, one digital standard's algorithm happens to be cracked and posted on the Internet one day, there will be alternatives to consumers. With one standard you have all your eggs in one basket, so those are the thoughts that I would be interested in hearing your response about.
MS. FINN: Eric?
MR. BERGERON: If you look at a particular class of teenagers, they can send instant messages. Think of a class of teenagers in the U.S. One is a Sprint phone. One is a Pac Bell phone. One is an AT&T wireless phone. They cannot send each other instant messages. That's a simple example of why Europeans are more advanced.
MS. FINN: Marc?
MR. LEMAITRE: It's where to compete and where to cooperate. It's that classic case. I will happily working for Nextel tell you not having to be created as a standard that I did very nicely, thank you, in creating a niche market in the business industry, so I would be a fine one to talk about trying to share that sort of technology with my competitors. They are being developed in competition with us and we know in the next generation we're likely to face stiff competition in this area, and I agree we have to find areas on which to compete but there's some basic things and I worry that if a competitor of mine's customer turns to my network or visa versa, God forbid, that he experiences a different level of privacy or security. That's what worries me is that there's some areas that we have got to agree that we can cooperate and when the fundamentals of the customers is concerned -- and maybe I don't need to be prepared to concede that different radio interfaces are capable of providing different types of service might be a good thing, but I don't agree that privacy is one of them, so that's my point on it.
MS. FINN: Greg, just very briefly, and then we're going to have one last question.
MR. MILLER: If you want to see the effects of multiple standards in practice, during my privacy stint with Netscape, I was working over in Europe, I could wander all over Norway and use a telephone there without a hitch at all, but how many of you have experienced the roaming experience in the United States? That is the effect. That's the rubber hitting the road at multiple standards.
MR. STAMPLEY: David Stampley, New York attorney general's office. I was glad to hear some comments kind of like where's the receipt you get in the store or the statement of rights that run with the data. In fact, I guess the terms I've used is consumer privacy data is sticky. It sticks to you. It attaches liabilities to you, and you incur obligations, whether or not you're still discussing what is privacy, what should we be recording. But in terms of meta data about the promises that you did make to the consumer, if you're now touching a consumer, aside from recording what the permissions are, deciding how those are going to be communicated or stored locally or stored on another platform, how right now are people who are touching consumers and incurring obligations finding a way to record that so the consumers can have access and say this is the permission I gave dynamically while I was on the golf course and it started raining and I was looking for an umbrella shop nearby or where someone who right now such as myself is involved in enforcing general consumer protection laws that do exist. Where do we go to look to see if in fact the promises were kept because it's kind of empty to say, I did a good job, I kept my promises, trust me, there has to be a verifiable way the moment you start touching consumers of demonstrating that.
MR. LEMAITRE: You do need a higher authority to trust and the specific example if I were to read from the bottom of this receipt, which tells an awful lot about my habits, so I'm not going to read the rest of it, but it says, Card holder acknowledges receipt of goods and or services in the amount total shown hereon and agrees to perform the obligations set forth by the card holder's agreement with the issuer. And a receipt like that would fit quite nicely on the screen in one of these web phones so I think the card holder's agreement doesn't so you have to find some other way in order to be able to sign this up, but ultimately my trust is in the agreement that I signed, so it comes back to a governance issue. I think the mechanisms are there in order to be able to sign and exchange contracts, sit it on top of the web standard P3P, make it -- the user interface is clear if not completely obvious from this that this receipt fits on a wireless phone, but the card holder's agreement doesn't. There's significant parallels, and what I'm saying is we probably got the tool kit to make these things happen already. All we have to do is apply them to the problems we've got today.
MS. FINN: Thank you very much. I'm going to stop us now and try and keep us on schedule, but I want to thank the panelists very much for a very interesting discussion. We're going to let these panelists go back to their seats, and we're going to invite up the next panel which is going to discuss emerging self regulatory initiatives in the wireless area. This is not a break in the proceeding so please don't start making phone calls and wandering out. Thank you.
(Pause in the proceedings.)
PANEL ON SELF-REGULATORY INITIATIVES
JOEL C. WINSTON, MODERATOR, FTC
MICHAEL F. ALTSCHUL
JOHN W. JIMISON
MR. WINSTON: If everyone can sit down, please, we'll get started. Let me reintroduce myself. I'm Joel Winston, and our next panel is on emerging self-regulatory initiatives. I think you've been hearing quite a bit about self regulation in bits and pieces over the last day or so, and now we're going to have a more comprehensive treatment. Now, we at the FTC are very big fans of self regulation, if it's effective. Obviously it makes our lives easier, and the model we often point to is the National Advertising Review Council which is the self regulatory arm of the advertising industry. That body is a highly effective organization in resolving disputes involving deceptive advertising. While FTC law enforcement serves as the ultimate backstop for those who don't comply with self regulation, rarely is it necessary. The system works very well. We're very encouraged that a number of organizations have already cropped up in the wireless area to put together self-regulatory codes that provide for the protection of consumers' privacy. Now, we realize there are a lot of thorny problems here, and I'm sure we'll be hearing more about those in a few minutes, but we are looking forward to the further development of these codes. This afternoon we have four panelists who are involved in self regulation or who are going to be commenting on it. Each will speak briefly, and then we should have time for some questions at the end. Let me introduce each of them right now as a group and then each will get up and speak. Our first speaker is Michael Altschul, who is the vice president and general counsel of the Cellular Telecommunications Industry Association, CTIA. That's an international trade association that covers all commercial mobile radio services including, of course, wireless. Next will be Tim DePriest, who is the vice president of Ad Force Everywhere and the founder and chairman of the Wireless Advertising Association. Third will be John Jimison, who is a partner at a Washington, D.C., law firm, and he also serves as the executive director and counsel of the Wireless Location Industry Association. Finally we'll have David Sobel who is general counsel of the Electronic Privacy Information Center, EPIC, a public interest research center here in Washington. So, Michael, why don't you begin.
MR. ALTSCHUL: Thank you, Joel. How do I get started with the laptop? Thanks. Thank you, and I want to thank the Federal Trade Commission for having assembled such an excellent workshop. I thought I was pretty familiar with these issues, and have been humbled by how much I've learned and how much there is to learn from all those who have spoken before. I've also been very pleased by the positive reaction to CTIA's Fair Location Information Principles, which I think reflects the fact that first we've had the opportunity to learn from other's errors, and, second, that our members have been receiving some very clear signals from their consumers, from consumers about their privacy expectations, particularly with regard to location information which is a level of information which heretofore has not been generally available or considered by consumers. I wanted to also note that for the past 15 years, CTIA has been called the Cellular Telecommunications Industry Association. It began representing cellular carriers, then included PCS and we had some carriers followed by their vendors, but just last month we combined with the Wireless Data Forum. That gave us the opportunity to change our name. We're still CTIA, but now it stands for the Cellular Telecommunications and Internet Association. And for the first time our association includes the wireless application service providers, data developers, device makers that will make the wireless Internet world real. I thought that before getting into our proposal, I'll take just a minute or two to quickly describe how we came to be involved in location information. Jim Schlichting in his presentation earlier today touched on a bit of it, but it all comes from the FCC's wireless E911 preceding, known to us who practice at the FCC as Common Carrier Docket 94102, and it was in that proceeding that the FCC required carriers provide in the provision of E911 service the public emergency dispatchers, a group called PSAP for Public Safety Answering Points, the location of the caller. It turns out that these PSAP employees, these dispatchers, are government employees. Oftentimes they work for the local police or sheriff's department. In California they work for the State Highway Patrol, and this triggered concerns, legal concerns that providing location information to police might inadvertently trigger the prohibitions on providing this kind of information which are contained in the nation's wiretap laws, the federal wiretap laws, which really prohibit a carrier from providing location information to the government absent an appropriate order. We supported and continue to support the new E911 capabilities, and we urge the FCC to address this issue so that the unintended consequence of the wiretap laws would not interfere with the provision of location for locating callers and for dialing 911. The FCC sought and obtained an opinion letter from the Justice Department's office of legal counsel, and that letter actually can be found at the FCC's web site as a document in this docket, and it's very interesting, the logic that the Justice Department opinion letter provided to permit this use of location information by government employees. They basically reasoned that when somebody calls 911, that person is seeking to be helped or seeking to help someone else if it's a samaritan call and in so calling has given implicit consent, not explicit, but implicit consent to have their location identified so that assistance can be provided, and it was on this basis, this idea of implicit consent, that the FCC proceeded and adopted the rules that Jim described today. Last year Congress codified this result, again Jim touched on it, in the Wireless Communications and Public Safety Act of 1999. This is the so-called 911 bill, and the exception was codified in Section 222 (d) (4) of the Communications Act. The same bill amended the FCC's CPNI rules, the Customer Proprietary Network Information rules, by including location information within the definition of CPNI and by requiring the express prior authorization of the customer to the disclosure or use of location information. CTIA was very proud to support the 911 bill, and after it was signed into law, we began working on its implementation, and this is sort of the path that brings us to the proposal that we filed at the FCC last month and has been mentioned before, and once again, our goal is to provide consumers with a uniform set of privacy expectations and to provide service providers with a safe harbor if they adopt these principles. And our principles, as you'll see, are based on what I hope are becoming the now familiar Fair Information Practices, though I may need help again getting started. I wanted to start with this slide because this is the slide we use to educate our members, and I start with it to underscore that carriers and service providers are looking for principles that permit them to enter a safe harbor, and we have three points that again are drawn from the basic principles, and we also have the additional point of neutrality. We've talked about different technical standards, different interfaces, and we think that consumers shouldn't have to worry about what network they're on or what digital area interface they're using but can focus on a common privacy expectation. The principles then are notice, consent, security and integrity of information and of course these technology neutral rules. Notice is to provide the customer with specific information on how location information is going to be collected and used before any disclosure or use of location information takes place. Consent of course is defined in the statute, if you're a carrier, but in our request it's described this way, to obtain express authorization prior to any collection activity. The words express authorization come from the statute. We recognize that this is an emerging field. We recognize the advantages and disadvantages of different kinds of devices, whether it's a small screen of a phone or the medium size screen of a PDA or a normal screen of the laptop with an air interface card, and we're seeking flexibility as to how this meaningful consent can be provided, but the bottom line is a consent must manifest the customer's desire to participate in the location service or transaction based on a clear disclosure of what the customer's consenting to. Security and integrity was an issue that was fairly easy in the wireless industry because coming from the telephone industry tradition, there is a long record of dealing with the integrity of call detail information, the kind of information that both wire line and wireless companies collect in order to render bills, and so what we propose of course is that that kind of security continue and apply to location information. We also have proposed that any third-party to whom location data is provided probably under the contract model that's been discussed, that that third-party will commit to the provider's location information practices. And as I mentioned, technology neutrality has been a hallmark of all of our association's public policy principles, and it has to be continued here to assure that consumers understand the protections that you see. Finally, I wanted to point out that the CPNI rules apply to carriers where the FCC's jurisdiction naturally resides, but we also have non carriers providing location information services. GM's OnStar offering is but one example, and we would like to combine the rules that the FCC adopts with a wireless industry self regulatory initiative that would mirror it so that all consumers would have a uniform expectation of privacy for location information regardless of who they were sharing their location information with. And finally just as an overview, there was filed with the FCC last month, and it's my understanding that the FCC intends to put it out for public comment very shortly, and it was filed in case you were wondering with the full support and an affirmative vote of our board which has strongly endorsed these principles. Thank you.
MR. JIMISON: Thank you. Good afternoon. My name is John Jimison, and I'm here representing the Wireless Location Industry Association, and if that's a very new sound to you, it's because we were only organized last month, and the reason we were organized is about ten companies who are dedicated to achieving the commercial benefits of the new technologies of locating wireless signals and wireless devices decided that they were special enough in their orientation and in their focus and in their determination to do it right and to do it with a very positive interaction with their customers and with the public as a whole that they deserved to have their own organization to make a place to talk about it and to move forward. These companies include various technologies, various kinds of software, hardware providers, and certainly the association intends to be open to regulated and unregulated companies and all companies who have a principal focus on the benefits of a wireless location space. Now, of course I'm just delighted at this workshop because it has been a very comprehensive workshop, and there's been a wonderful introduction to many of the topics that will be coming up, and the lead one that our companies all identify as the lead one, the one that is a show stopper for their business, is privacy. They know, and I think Larry Poneman suggested this morning, that start ups need to have focus on this. They do have a focus on this, and it's because of their need to deal with it proactively and cost effectively that they're trying to do it jointly as well. And all of these companies recognize, as Alan Davidson mentioned this morning, that the consumer is simply not going to use a service that he can't trust. We want to have our services trusted, and we want to work together to help build a reputation that they can be trusted, including having self regulatory processes. So we plan to be very proactive. We've had meetings even as we were getting organized with people on the Hill, with FTC staff, FCC staff, privacy interests and others, and we certainly plan to be involved over the coming months. We commend the CTIA on their initiative at the FCC. We hope that the commission as Michael suggested does move forward, create a rulemaking process that will initiate a dialogue, a dialogue like Commissioner Thompson suggested this morning that will be flexible and organic and will respond with considerations on privacy as the applications raise those considerations, will not over react, will not be simplistic, will not deal with platitudes or broad proscriptions or prescriptions but will fine tune standards that will meet the needs and yet leave the space for the commercial benefits that consumers will also be looking for and which we are convinced are there. So WLIA, particularly because it will include many unregulated companies, is very interested in self regulation methods, and we're going to be looking very hard at the most effective ways that we can find of disciplining our industry by setting high standards, by rewarding and noting companies who meet those standards, by being absolutely open to suggestions that standards need to be higher or that standards are not being met by certain companies and within the bounds of what we can do of putting the pressure on companies who are not willing to engage in this business while meeting the standards, which our founding companies are all convinced can both be done simultaneously. So because we're too new even to have a Power Point presentation, I don't want to take up a whole lot of additional time, but I do want to again thank the FTC for organizing this, for giving us a chance to introduce ourselves at it, and to express to all of you our desire to work together constructively and to make the new wireless location services industry a very major and positive benefit in the economy without raising the kinds of problems we've all been talking about. Thank you.
MR. WINSTON: Let's take a couple of questions.
MR. HALPERT: Hi.
I'm Jim Halpert from Piper Marbury for DMA. Jerry Cerasale couldn't be here this afternoon but asked me to pass along some of DMA's thoughts about some of the interesting proposals that have been put forward today. Clearly location information is CPNI and is sensitive information. David offered very clear examples of the way that a cell phone can be used as a sort of homing pigeon device or a device to monitor where people are going, and I think there's pretty broad agreement that that is a particularly sensitive type of data that is uniquely an issue in the wireless context, and Congress has already made a decision to regulate that as CPNI under the whole CPNI regulatory regime. But David's talked about an emerging consensus, and I think there's some very complicated issues that were set forward in the first today's discussion, in particular in Danny Weitzner's presentation around how one might try to apply some of the opt-in models. For example, in Tim DePriest's thoughtful presentation on the WAA guidelines, how one would apply opt-in in situations where the sender of an E mail, for example, has no idea whether the sender is communicating to a wireless customer or to a customer on a LAN line connection to an ordinary Internet access outlet. For example, the AOL Anywhere technology will make it seamless whether a user is logging in from their cell phone, from a DoKoMo cell phone or from their home computer, and it's very important as we think about the type of regulatory mechanisms or self-regulating mechanisms that the process be transparent, that it not draw distinctions that are really impossible as a practical matter for people to follow. And the WAA guidelines are a helpful starting point for discussion, and DMA looks forward to working with Tim and others at WAA to figure out how we can make these principles really work in the world and to flesh out some of the ambiguities. There's an assumption in some of WAA's materials that a whole lot of communications that aren't really true push communications might be covered, for example, sending an E mail to somebody when the person can decide whether to log in and retrieve E mail on their cell phone or from their home computer is a different matter than paging somebody in effect while they're walking around with their cell phone when they get close to say a McDonald's, encouraging them to go to a McDonald's while their phone was on. And it's important that we all give a lot of thought and not rush to assume that there's a consensus beyond the points that really raise unique privacy concerns in the wireless context. So with those statements, DMA really welcomes working with everybody on this panel and with the Commission to come up with some workable guidelines to protect wireless privacy without regulating too quickly in a medium in which, as we've heard, there's tremendous flux, and people really aren't sure where the medium is going, but at the same time coming up with methods that will increase acceptance of wireless devices for all sorts of commercial and non commercial uses.
MR. WINSTON: Does anyone on the panel want to comment on this opt-in issue or would you rather just let it go? You're not suggesting, Jim, are you that in the interest of consistency that both for the wired and wireless the rules should be opt-in?
MR. HALPERT: No.
MR. WINSTON: I wanted to make sure of that.
MR. HALPERT: I think that that would be a very controversial proposition, and the emerging consensus is around the uniqueness of the location information around the wireless and also the prospect that consumers would be paying to receive messages that they didn't request, but where there isn't payment or whether that's not clear to the sender of the communication, this really becomes more like garden variety Internet communications which haven't been subject to an opt-in. Opt-in is reserved for sensitive information. Thank you, Joel.
MR. WINSTON: Maybe one more question? If not -- all right.
MR. HENDRICKS: Since I started this idea, I think this is an example of the -- the wireless industry -- one of the dynamics that's gone on in industry privacy debates is those industries and companies whose core business is trafficking and personal information are usually ones driving the debate. And if the wireless industry that tends to have seen pro privacy standard is very integral to making a medium work as a business model. One of the challenges will be dealing with the kind of arguments you just heard from DMA and from some of the other traditional industries that have usually dominated industry discussions about setting privacy standards, so I would -- as DMA comes knocking on the door I would urge you to hold to your guns.
MR. WINSTON: Why don't we a break now for about 15 minutes, and we'll concentrate on that. Thank you for the panel.
PANEL ON WIRELESS ADVERTISING: WHAT FORMS WILL IT TAKE AND HOW WILL DISCLOSURES BE MADE?
C. LEE PEELER, FTC, MODERATOR
MICHAEL D. DONAHUE
ROBERT E. LEWIN
MR. PEELER: We're down to the last panel, and I think it's going to be the best panel yet. At least that's the objective here. My name is Lee Peeler. I'm the Associate Director for Advertising Practices, and this last panel this afternoon is designed to talk about exactly that, about advertising and about what types of advertisements we're going to see in this wireless environment, what we're seeing now and what we'll see in the future and then address the very important question of in this new environment how will we be making disclosures of important consumer information. If people remember back to the early 1990s, the question was, would there be advertising on the Internet, and I think it shows the progress we've made, but right now the question is really not whether there's going to be advertising on wireless but what it's going to look like. And as I said, we're going to talk about what ads look like today, what they'll look like in the future, and then how do we make disclosures. And finally there's a new federal statute called E sign designed to encourage electronic commerce by allowing electronic signatures, and by encouraging the disclosure of information electronically. And at the end of this panel, we want to try to speculate on what the impact of the wireless environment will be on E sign. We have a great set of panelists today. Mike Donahue is the Executive Vice President of the American Association of Advertising Agencies where among duties he's responsible for all digital media initiatives. Sean Harrison is president and CEO of WindWire, a wireless advertising technology company. Bob Lewin is president and CEO of TRUSTe, an independent nonprofit group which has established an Internet privacy seal program. Steve Lucas is the chief information -- is the chief information officer and chief privacy officer of Persona which provides consumers with the tools to protect and manage their privacy, the privacy of their information online. He's also president of Privaseek, a privacy consulting firm, and he's one of the originators of the P3P privacy initiatives that we've heard a lot about throughout the conference. And finally Barry Peters is director of Emerging Media for Lot 21, an interactive digital marketing and advertising agency. He and his group were the first to place live web content in a TV commercial and to advertise on a mobile portal. So the format today will be first to have presentations from Barry and Sean of ads that they have actually developed or their companies have placed in the wireless environment so we're going to start with Barry Peters. Thank you, Barry.
MR. PETERS: What