Mr. Chairman and members of the Committee, the Center for Democracy & Technology (CDT) is pleased to have this opportunity to speak to you on the short and long-term implications of the AOL/Time Warner merger on consumers, and on the Internet itself. CDT is a non-profit, public interest organization that is dedicated to developing and implementing public policies to protect civil liberties and democratic values on the Internet. CDT has been at the forefront of efforts to establish and protect the very high level of constitutional protection that speech on the Internet has been afforded by the United States Supreme Court in the Reno v. ACLU decision. CDT led the coalition that wired the trial court in Philadelphia in that case, and CDT has undertaken a major project to ensure that the open and democratic characteristics of the narrowband Internet - so central to the Reno decision - are carried over into the emerging broadband world.

Mr. Chairman, the Internet is at a critical junction in its evolution. Although as a popular mass medium the Internet is less than ten years old, it is already entering into a period of significant transformations. These transformations are threatening to undermine the fundamental characteristics that make the Internet such a unique and dynamic means of communication. We would like to address two different threats to the Internet - threats to openness and threats to privacy - and the implications of the AOL/Time Warner merger on those issues. For both of these issues, the critical starting point is to look at the vital characteristics that make the Internet what it is today.

I. OPEN ACCESS

A. "Open" Characteristics of the Narrowband Internet

In the first comprehensive assessment of the Internet by an American court, the trial court in the Reno case in 1996 found what it termed "a unique and wholly new medium of worldwide human communication." [ 1 ] The narrowband Internet developed into this dynamic medium in large part because it has been "open" at virtually all levels of its existence. The "network of networks" operates using open and freely available technical standards, allowing literally millions of different (and often incompatible) computers to communicate seamlessly. The open protocols used for Internet traffic allow startup companies and individual software designers to create and distribute new modes of communication over the Internet. Speakers, large and small, rely on the openness of the Internet to speak easily, inexpensively, and without significant restriction or limitations on the form or content of the speech.

As one judge put it, the "Internet is a far more speech-enhancing medium than print, the village green, or the mails." [ 2 ] That judge concluded that "[f]our related characteristics of Internet communication have a transcendent importance" to the conclusion that the Internet deserves the highest levels of constitutional protection:

First, the Internet presents very low barriers to entry. Second, these barriers to entry are identical for both speakers and listeners. Third, as a result of these low barriers, astoundingly diverse content is available on the Internet. Fourth, the Internet provides significant access to all who wish to speak in the medium, and even creates a relative parity among speakers. [ 3 ]

The "openness" of the narrowband Internet translates into an unprecedented ability of speakers to speak and listeners to receive content, free from governmental or private interference. Internet users have a wide range of choices as to how to access the Internet and what to do with the communications medium once online. Users can speak to the entire world with little or no investment. Listeners can access a vast wealth of content quickly and easily, without significant governmentally- or privately- imposed limitations. In short, the Internet offers individuals, communities, non-profit organizations, companies, and governments an unprecedented ability to speak and be heard.

The infrastructure in which this open, narrowband Internet exists is the telephone system, which operates with full common carrier obligations. Thus, Internet Service Providers (ISPs), with very little investment, could offer services within a community, free from interference by the telephone company providing the "last mile" connection to the ISP's customers. Internet users, in turn, could easily reach any of the often hundreds of ISPs in any given community, and could do so without facing any telephone-company-imposed restrictions (other than bandwidth limitations inherent in an analog telephone line). The common carrier requirements in the telephone system have led to a great diversity of ISPs, and to a great deal of competition and innovation in the provision of Internet service.

As the Internet moves into the broadband world, it moves away from the mandated openness of common carriage. It is now clear that broadband service over the telephone network - in the form of Digital Subscriber Line, or DSL, service - will be a significant avenue for users to obtain broadband access to the Internet. It is also clear, however, that broadband service over cable networks will for the foreseeable future be the leading method to deliver broadband Internet access. Cable operators are not subject to common carriage requirements, and are thus not required to allow multiple ISPs to offer a diversity of Internet service options to cable Internet users. This difference has raised the very real possibility that the open, dynamic, and democratic Internet might come to be dominated and in part controlled by a small number of private companies that own the critical "last mile" cable connection into users' homes.

B. CDT's Broadband Access Project

As this Committee is well aware, these concerns have led to the often bitter - and often loud - debate over the past eighteen months over whether cable systems should be forced to permit unaffiliated ISPs to offer broadband services over the cable systems. When confronted with the competing arguments and claims in early 1999, the Center for Democracy & Technology decided that it simply did not know enough about the issues to be able to take a position. Instead, CDT undertook its Broadband Access Project to conduct a neutral, balanced assessment of the factual and policy issues surrounding the emergence of broadband technology.

CDT sought and obtained support for the Broadband Access Project from a broad cross section of the emerging broadband industry. The Project's participants include cable operators AT&T and Time Warner, ISPs America Online and Mindspring, local exchange carriers Bell Atlantic and SBC Communications, interexchange carrier MCI WorldCom, and technology companies such as Microsoft. Although these broadband companies were fiercely fighting in the marketplace, on Capitol Hill, and elsewhere, they decided that it would also be worthwhile to participate in a dialogue to discuss the issues raised by broadband technology. In addition to these and other companies, the Project has also included working closely with the public interest advocacy groups that have been at the forefront of the open access debate.

Our consultations and analysis are continuing, and we expect to be able to release the results of the project within the coming months. But two very significant developments in the broadband world have led us to conclude that it is appropriate now to share with this Committee the current draft (as of late February, 2000) of one of the documents our Project is preparing - a clear and careful statement of openness principles that we believe should be applicable to the provision of broadband services over the Internet.

These principles - attached as Attachment A - do not represent any agreement by any company or public interest participant in CDT's Broadband Access Project, but instead reflect CDT's efforts to craft a set of principles that respond to the concerns and views raised by the project participants. These principles are expressly silent on the critical question of whether any governmental action should be taken to enforce the principles - our initial intent was to attempt to articulate what our common goal is, before addressing how to reach that goal. Moreover, these principles are continuing to evolve as we continue to work with the project participants.

The two developments that have led us to release the draft principles at this time are both statements by leading cable operators of their own sets of principles to govern open access on their cable systems. First, in December of 1999, AT&T and the ISP Mindspring sent a joint letter to Chairman William Kennard of the Federal Communications Commission, outlining a set of principles that AT&T stated would guide its dealings with unaffiliated ISPs seeking to provide broadband service over AT&T's cable networks (Attachment B). Second, and what of course prompts this hearing, is the announced merger of AOL and Time Warner, and the "Memorandum of Understanding" that those two companies released earlier this week (Attachment C).

Both of these corporate statements of principles represent very significant and positive steps towards open access. CDT offers its draft principles in the hope that they may assist this Committee and other policymakers in assessing AOL Time Warner's Memorandum of Understanding, as well as the AT&T/Mindspring statement of principles. A summary and side-by-side comparison of the three sets of principles are offered below. Although the sets of principles use different words, many of the points are common to all three sets.

CDT’s DRAFT OPENNESS PRINCIPLES	AOL TIME WARNER 2/29/00 MEMORANDUM (the "MOU")	AT&T/MINDSPRING 12/6/99 LETTER TO FCC (the "Letter")
Choice Among Competing Internet Service Providers (ISPs)
A broadband facility owner should permit both affiliated and unaffiliated ISPs to offer broadband service. (See CDT Principle L)	Yes. (See MOU Paragraph 2)	Yes. (See Letter first and seventh bullet points)
A broadband user should be able to obtain service from an unaffiliated ISP without having to also pay anything to an affiliated ISP. (CDT O)	Yes. (MOU Paragraph 2)	Yes. (Letter second bullet point)
A broadband facility owner should permit any qualified ISP to offer service, constrained only by legitimate technical limitations on the number of ISPs supported. (CDT M)	Unclear. The MOU only states that AOL Time Warner will support "multiple" ISPs, and that users will have a "broad choice" of both national and local ISPs. (MOU Paragraphs 2, 4, 8)	Unclear. The Letter only states that AT&T will support "multiple" ISPs. (Letter page 1)
If the number of ISPs supported is subject to technical limitation, facility owners and the industry should work to maximize the ISPs that can be supported. (CDT M)	Unclear. The MOU is silent on this point.	Unclear. The Letter is silent on this point.
A broadband facility owner should offer service to unaffiliated ISPs on a nondiscriminatory basis with regard to (at a minimum) (a) financial terms, (b) technical functionality, and (c) operational support systems. (CDT N)	Generally yes. The MOU states that financial terms and functionality will not be discriminatory (MOU Paragraph 5), but is silent on support systems.	Generally yes. The Letter states that financial terms and functionality will be reasonably "comparable" (Letter sixth and seventh bullet points), but is silent on support systems.
An unaffiliated ISP should not be required to utilize the Internet backbone services of the facility owner. (CDT P)	Yes. (MOU Paragraph 7)	Yes. The Letter indicates that any connections directly into AT&T’s facilities shall be provided by AT&T (Letter eighth bullet point), but in subsequent discussions AT&T has clarified that this paragraph does not require the use of AT&T backbone services.
A facility owner should not permit an ISP to offer service only to select portions of a community served by the facility. (A desirable point that is not included in principles prepared by CDT)	Yes. (MOU Paragraph 8)	Unclear. The Letter is silent on this point, but to our knowledge this issue has not yet been raised to AT&T for any reaction.
A facility owner should allow an ISP to control the billing relationship for all Internet services ("last mile" access and ISP services). (A desirable point that is not included in principles prepared by CDT)	Yes. (MOU Paragraph 9)	No. The Letter indicates that AT&T intends to bill users for the "last mile" access services that it provides. (Letter tenth bullet point)
A facility owner should attempt to modify existing exclusive contractual relationships to permit open access as soon as possible. (A desirable point that is not included in principles prepared by CDT)	Yes. (MOU Paragraph 11)	No. The Letter indicates that AT&T intends to provide open access after its current exclusive contractual arrangements expire (Letter page 1)
Access to Internet Content
A broadband facility owner should not restrict users’ ability to access constitutionally protected content on the Internet. (CDT C, D)	Probably yes. The MOU is silent on this point, but in other contexts AOL Time Warner has made clear commitments that access to content should not be restricted by a service provider.	Yes (Letter fourth bullet point).
The Internet industry should maximize the ability of users to access a diverse range of broadband content. (CDT E, F)	Unclear. The MOU is silent on this point.	Unclear. The Letter is silent on this point.
Ability to Speak on the Internet
A broadband facility owner should not restrict users’ ability to speak or post constitutionally protected content on the Internet. (CDT G, H)	Probably yes. The MOU is silent on this point, but AOL Time Warner have in the past supported users’ ability to speak on the Internet.	Probably yes. The Letter is silent on this point, but AT&T has in the past supported users’ ability to speak on the Internet..
The Internet industry should maximize the ability of a diverse range of broadband speakers to distribute broadband content widely and at reasonable cost. (CDT I, J).	Unclear. The MOU is silent on this point.	Unclear. The Letter is silent on this point.
Ability to Use the Internet to its Fullest
A broadband facility owner should not impose any limits on the functionality that an ISP can offer to its users, unless technically required and equally applied to all ISPs. (CDT A)	Unclear. The MOU commits to non-discrimination on this point, and to allow streaming video (MOU Paragraphs 5, 6) In testimony before the Senate Judiciary Committee, AOL Time Warner committed to allowing ISPs to offer IP telephony over the broadband facility.	Unclear. The Letter (Letter sixth bullet point) commits to non-discrimination on this point, but is silent on possible restrictions on the use of the facility. The Letter does commit to allow unaffiliated ISPs to offer "advanced applications" over the facility. (Letter eleventh bullet point)
The industry should work to remove any current technical limitations on broadband users’ ability to use the Internet. (CDT B)	Unclear. The MOU is silent on this point.	Unclear. The Letter is silent on this point.

C. Moving Forward on Open Access: The Next Steps

As the above comparison suggests, the AOL Time Warner Memorandum of Understanding represents a very positive step towards open access. AOL Time Warner has made a positive commitment on many, but not all, of the points articulated in CDT's draft principles. A number of key points remain unclear, including, for example, the number of ISPs that will be supportable on a typical Time Warner cable system. As AOL Time Warner acknowledges, the Memorandum of Understanding is only the first step toward open access. Looking at both AOL Time Warner and the broadband industry more broadly, there are at least three critical and independent steps toward open access that policymakers must consider:

1. A set of open access principles and goals must be refined and further articulated. No matter which set of principles serves as the starting point (CDT's, AOL Time Warner's, AT&T's, or another set), there must be further discussions and, hopefully, consensus on what exactly will be necessary for a broadband facility to be considered "open." Consensus on these key threshold principles and goals must include policymakers, the public interest community, and the Internet industry.
2. The entire U.S. cable industry (beyond AT&T and Time Warner) must be brought into these discussions about open access principles, and ultimately must undertake to implement open access on their systems. Even if all currently pending mergers are approved and AOL Time Warner and AT&T both implement open access on their systems, there are many major cable systems that have not yet made a commitment to open their cable systems.
3. Finally, any set of open access principles must be fully and effectively implemented. As is often the case with policy and technology, the devil will be in the details. This is all the more true given the significant technical complexity that will be inherent in any implementation of open access on a cable system. Open access commitments by AOL Time Warner and AT&T are certainly positive developments, but until actual contracts are signed with unaffiliated ISPs and open access is actually implemented, there will unavoidably be uncertainty and concern about the true prospects for open access.

From CDT's perspective, the most significant problem with the idea of a government mandate of open access is that such action would lead (and in some cases already has led) to extensive litigation and, ultimately, prolonged delay. With the recent movement toward open access by AT&T and Time Warner, it appears possible that the cable industry as a whole is in fact moving on its own towards open access. CDT believes that these efforts toward consensus and voluntary implementation of open access should be given an opportunity to succeed.

Critically, however, the details of open access cannot be determined and implemented without direct and continuing public interest involvement in the decisions. The public interest advocates are correct in concluding that free speech and democracy on the Internet are critically important, and require public participation in the development and evolution of the Internet. The Internet industry has frequently sought to keep government out and allow the industry to solve problems without governmental mandate. In most situations, this voluntary approach is desirable, but for it to succeed when free speech and the First Amendment are at stake, there must be a way for public interest voices to take part in the network and infrastructure design decisions that will be necessary to implement open access in the broadband Internet.

There may also be a role short of legislation that Congress can and should play. Hearings of this type serve to focus attention -- attention of the industry, the media, and the public -- on the issues raised here. If the industry is going to succeed in addressing the critical issues of open access, it should do so with the participation and input of policymakers at all levels of government. Ultimately, however, if this effort fails to address these critical issues and fails to implement meaningful open access, the government may at that time need to take action.

II. PRIVACY

As with the open access issue, the critical starting point on the privacy questions is the current state of privacy (and citizens' expectations of privacy) and the ways in which the evolution of the Internet may threaten privacy principles. As many of you know, the Center for Democracy & Technology has long been an advocate for protecting privacy on the Internet, and we have previously had the privilege of addressing this Subcommittee on privacy issues. [ 5 ] We will only briefly summarize our analysis of privacy issues on the Internet, and then consider how the proposed AOL Time Warner merger might impact the privacy issue.

CDT believes that a key privacy consideration should be individuals' long-held expectations of autonomy, fairness, and confidentiality, and policy efforts should ensure that those expectations are respected online as well as offline. These expectations exist vis-�-vis both the public and the private sectors. By autonomy, we mean the individual's ability to browse, seek out information, and engage in a range of activities without being monitored and identified. Fairness requires policies that provide individuals with control over information that they provide to the government and the private sector. In terms of confidentiality, we need to continue to ensure strong protection for e-mail and other electronic communications.

As it is evolving, the Internet poses both challenges and opportunities to protecting privacy. The Internet accelerates the trend toward increased information collection that is already evident in our offline world. The trail of transactional data left behind as individuals use the Internet is a rich source of information about their habits of association, speech, and commerce. When aggregated, these digital fingerprints could reveal a great deal about an individual's life. The global flow of personal communications and information coupled with the Internet's distributed architecture presents challenges for the protection of privacy.

The proposed merger of AOL and Time Warner does highlight both the increased risks for privacy problems as the Internet evolves, and the great potential for self-regulatory efforts to enhance privacy protection. Both AOL and Time Warner have access to significant amounts of personal data about their subscribers. For AOL, this includes for example, information about online service subscribers, AOL.COM portal users, and ICQ and instant messaging users. Time Warner has access to information about ranging from cable subscriber usage to magazine subscriptions. The specter of the merged companies pooling all of their information resources, and then mining those resources for marketing and other purposes, should be cause for concern.

Fundamentally, however, the AOL Time Warner merger does not alter the equation for a privacy solution. Protecting privacy on the Internet requires a multi-pronged approach that involves self-regulation, technology, and legislation.

On self-regulation, we must continue to press the Internet industry to adopt privacy policies and practices, such as notice, consent mechanisms, and auditing and self-enforcement infrastructures. We must realize that the Internet is global and decentralized, and thus relying on legislation and governmental oversight alone simply will not assure privacy. Because of extensive public concern about privacy on the Internet, the Internet is acting as a driver for self-regulation, both online and offline. Businesses are revising and adopting company-wide practices when writing a privacy policy for the Internet. Efforts that continue this greater internal focus on privacy must be encouraged.

On the technology front, while the Internet presents new threats to privacy, the move to the Internet also presents new opportunities for enhancing privacy. Just as the Internet has given individuals greater ability to speak and publish, it also has the potential to give individuals greater control over their personal information. We must continue to promote the development of privacy-enhancing and empowering technology, such as the World Wide Web Consortium's Platform for Privacy Preferences ("P3P"), which will enable individuals to more easily read privacy policies of companies on the Web, and could help to facilitate choice and consent negotiations between individuals and Web operators.

Finally, we must adopt legislation that incorporates into law Fair Information Practices -- long-accepted principles specifying that individuals should be able to "determine for themselves when, how, and to what extent information about them is shared." [ 6 ] Legislation is necessary to guarantee a baseline of privacy on the Internet, but it is not one-size-fits-all legislation. Privacy legislation must be enacted in key sectors such as privacy of medical records. For consumer privacy, there needs to be baseline standards and fair information practices to augment the self-regulatory efforts of leading Internet companies, and to address the problems of bad actors and uninformed companies. Finally, there is no way other than legislation to raise the standards for government access to citizens' personal information increasingly stored across the Internet, ensuring that the 4th Amendment continues to protect Americans in the digital age.

In all of these areas, the positions of AOL and Time Warner are and will be critical to achieving increased privacy protection. Both American Online and Time Warner have strong privacy policies, have generally been quick to respond if lapses or violations are identified, [ 7 ] and have been strong supporters of P3P and other privacy-enhancing technology. CDT welcomes the acknowledgement by AOL CEO Steve Case (before the Senate Judiciary Committee earlier this week) that some legislation will be necessary to incorporate best privacy practices on the Internet.

In evaluating the merger, it will be critical to ensure that the merged company will continue a strong commitment to privacy. Just as in the broadband area AOL Time Warner committed to requiring arms length negotiations between different business units within the merged company, the business units of the merged company should continue to maintain their subscriber information separately and in conformance with clearly stated privacy practices.

The history of the Internet, and the history of telecommunications reform in general, is that policy regimes are first created by consensus among a broad cross section of the community. CDT is committed to participating in any process that helps to build a new social contract embodying democratic values in the emerging broadband world.

1. American Civil Liberties Union v. Reno, 929 F. Supp. 824, 844 (E.D. Pa. 1996), aff'd, Reno v. American Civil Liberties Union, 521 U.S. 844 (1997).

2. Id. at 882 (Dalzell concurring).

3. Id. at 877 (Dalzell concurring).

4. Until the announcement of its proposed merger with Time Warner, American Online also advocated government action. Since the merger announcement, however, AOL and Time Warner have adopted the approach taken by AT&T in December, by effectively asking everyone to trust them and allow them to implement open access voluntarily, without government fiat.

5. See, e.g., Testimony of Deirdre Mulligan, Staff Counsel of the Center For Democracy & Technology, Before the Subcommittee on Communications of the Senate Committee on Commerce, Science, and Transportation, July 27, 1999.

6. Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7. The Code of Fair Information Practices as stated in the Secretary's Advisory Comm. on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, U.S. Dept. of Health, Education and Welfare, July 1973:

• There must be no personal data record-keeping systems whose very existence is secret.
• There must be a way for an individual to find out what information about him is in a record and how it is used.
• There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
• There must be a way for the individual to correct or amend a record of identifiable information about him.
• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose specification: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the "purpose specification" except: (a) with the consent of the data subject; or (b) by the authority of law.
5. Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual participation: An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him:
   • within a reasonable time;
   • at a charge, if any, that is not excessive;
   • in a reasonable manner; and,
   • - in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and, (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified completed or amended.
8. Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.

7. See Testimony of Deirdre Mulligan, Staff Counsel of the Center for Democracy & Technology, before the Subcommittee on Courts and Intellectual Property of the House Committee on the Judiciary, March 26, 1998, at 11-13 (concerning disclosure of subscriber information to the U.S. Navy).