It is now my honor to present our lunch speaker. Esther Dyson is one of the most creative and influential people in the technology world. Most of us do things that we may feel are very exciting, but in the end, they are very solid. Esther really does exciting things when she's working in the world of technology. She's pushing the envelope geographically, time lines in every way imaginable. Esther is the chairman of Adventure Holdings, a small but diversified venture capital and publishing company focusing on emerging information technologies worldwide. And in particular, she's done remarkable work on the computer markets in Central and Eastern Europe. Esther has been very active in all kinds of industry affairs. She's a member of the Electronic Frontier Foundation, and is a member of the President's Export Council Subcommittee on Encryption. She's co-chaired the NII Information Privacy and Intellectual Property Subcommittee, and is now involved in advising various government leaders and organizations both in the US and elsewhere. I have a really, really long list of accomplishments that if I went through, I'm afraid that would be eating into the exciting talk that we're going to hear. So Esther, with your permission, I'm going to skip the rest of all the great things that we have from your biography and just simply introduce you as one of the most influential members of the whole information technology industry. Please welcome me in applauding Esther Dyson.

ESTHER DYSON

Thank you. What I'd like to do today is give what I hope to be an ideal lunch talk, which means one that won't require you to take any notes. That will be slightly provocative. And sets some of the context for what we're going to be talking about and what we have been talking about today.

And so what I wanted to do is take four words-slash-concepts and de-construct them, tear them apart, tell you why, this is almost going to be sort of a politically correct talk because I'm going to attack the very concept of self-regulation among other things. And tell you why privacy is probably the wrong word to use. And try to finish fairly quickly so that we can do Q&A and have some discussion.

So, the first word I want to take on is privacy itself. This conference is called a conference about privacy. But what is it? I may feel very private about, I don't know, my salary, but I don't care about details of my private life being put all over the place. My neighbors talk to one another all the time, I don't really, I like to come home and go to sleep. I don't have a home telephone. It's very, very hard to define what privacy means for anybody. And it's also very hard to deliver it.

If you sell privacy, you're going to end up disappointing a lot of people because you might not know what they mean. And so I think we should focus more on what we can deliver. Which is control of personal data. And rather than trying to sell people success or happiness or privacy, sell them something that it is possible to deliver which is what happens to their data, who has it, who controls it. And be kind of practical and concrete about this.

The essence of what's concerning people on the net is this uncertainty, this sense that you're out there, people are looking at you and don't know what they're seeing. I really believe most people are not that scared of what they know, it's what they don't know that they suspect. And so if we can be much more concrete and practical and actually specify what's going on, I think we're going to deal with a lot of these problems that are cast as privacy.

And if you listen to the surveys, people are really confused. They're confusing privacy with security. And if the confusion is that basic, let's not talk about privacy, let's talk about specifics and tangibles.

The second word is self-regulation. And this is the one that I think is the most fundamental problem. You've heard Ira Magaziner this morning, it's pretty clear something is going to happen. The government, in quotes, is upset. And I think the real way to describe is the government, just like everything else, is not a single thing. It's the FTC, it's the White House, it's the Department of Commerce, but there's this deadline of July first, which is slipping a little bit, but something is going to happen and the government is calling and the industry is offering self-regulation.

But I think that misses the point. What I would really like to see is consumer regulation, and not consumer regulation into one size fits all, but consumer regulation the way it regulates the toothpaste market. You get the size you want, you get the flavor you want, you get the particular brand of cavity fighting chemicals you want. And again, because privacy or data control is so specific to the individual, I think it's a flawed concept that either the government or bands of industry people gathering together can figure out what kinds of data practices really suit everybody.

And so what I would like to see is something where customers have choice. And they are the people who regulate the behavior of the merchants they deal with. Now, that is not as simple as it sounds. And this comes to the third little distinction I'd like to make which is technology versus systems. And you heard this morning a little bit about some of the technology that was kind of passed over briefly, and I'm certainly not going to go into this in great length, but what used to be called the open profiling standard is now incorporated into something called P3P. Which is the Platform for Privacy Preferences given to by the Worldwide Web Consortium otherwise known as W3C.

Even this little bit of technology really has two parts. There's the part where the user sets up his own profile of data about himself. And this is kind of the first step in what I talked about earlier, giving the user control over his own data. Using P3P, which is just about to be launched by the W3C, this is not out there yet, unfortunately. Using P3P, the user can look at the data about himself, can see what's in there. "Oh, there's my social security number. There's the kind of records I like. Here's all the transactions I had with this particular merchant."

The feeling that you know what the information is, I think, is almost the first emotional and tangible thing that we're talking about here. Then the user can specify what happens to the various kinds of data, to whom they can be given. And obviously, one of the problems here is well, I don't want to spend two hours every morning figuring out which merchant I'm going to give what data to. But the sense that you have this control is very important, and you can adjust things as you want.

Second, on the other side there are merchants who will then either meet or not meet the various criteria that the user sets up. And then you can do a number of things. You can automatically not do business with these merchants, you can negotiate, "Well, I'll let you keep these records if you give me a five percent discount, or if you agree not to give them to such and such people," or what have you.

But, the point here is to first allow and then ideally, to automate, the negotiation between the consumer and the merchant. Now, that's what the technology does. And then on the actual database management side, you have the requirement to tag the data as to what you can do with it, and what you cannot do with it. And this is one of the things that makes this whole issue so troubling to a lot of people. It's all very well to do this with data you gather off the Internet, if you've got a website.

But now suppose you're a merchant who also has 95 percent of your business that used to come in over catalogues or other ways, are you going to have to go back and apply the same data protections to the 95 percent of the data you gathered the other way? And so, like it or not, we're not talking here just about what happens on the web, we're talking about that web tail wagging the dog of non-e-commerce. And here you have a lot of push back to the government regulations.

Another thing the merchant needs to be able to do, ideally, is let the customer look at the records that the merchant has about this customer. Check your credit record. See what's going on. And a lot of this stuff, as Ira said this morning, is not free. There are real costs here.

So that's the technology side. Now you get to the systems side. I filled out my little profile. I've said what people can do with my data. How can I believe that that's what they will actually do? And there are really two versions of this.

One, the government makes it a law and so now the merchants are required by law to do what they say they will do or they have broader restrictions placed on them, so I can't specify what I allow them to do, the government specifies it. And to some extent, that makes it easier for a business. They don't need to be specific to individual customers. They know that their competition is going to be hampered by the same laws that restrict them, except for the really, really bad guys. And so in some sense, I think this is why you're seeing, delicately or not, the call for self-regulation or even government regulation. Make my life simple. Force me to do this because I want you to force my competition to do it as well.

And as a consumer, I don't want that. I want you guys out there, the merchants, to start being creative, to start tailoring things for me. To start listening to my specific needs rather than blindly following some law or some industry self-regulatory description of what it is you should be doing.

So, the systems that are needed are either some kind of government enforcement scheme, or some private enforcement schemes. And out there, kind of looming, looming is not the right word, let me use a more positive word there, appearing gracefully on the scene are things such as Trustee, what the Better Business Bureau would like to do, the AICPA's web trust program.

These vary in some of their details, and there's a newsletter outside that's called Release 1.0 which has all the gory details in it. But one way or another, they provide recourse mechanisms, or they will, so that if you go to a site where the seal of one of these organizations appears as a consumer, you know where you can go for recourse.

Now, it's not as simple as that. How am I to know that someone has got my data and is doing something bad with it until it's too late? And so all of these organizations also, either have or are developing monitoring systems to find out when data is being misused.

People in the direct mail business have been doing this for years. You have your database of names, you sell a one time use of it to somebody, and you stick your grandmother's name on there and if your grandmother gets two mailings, you know that the data has been misused.

There are also the other normal ways where an employee of some organization will call you up and tell you that the data has been misused. But those are the systems or the procedures that need to exist along with the technology to make these systems work.

And so there's not simply a technological fix here, there also need to be jurisdictions, is what I prefer to call them rather than regulatory organizations, but the Trustee seal means that you are now under the jurisdiction of Trustee. It doesn't matter whether you're in France or Germany or Singapore. And that's one of the advantages of these non-governmental organizations, they work across international borders.

We're still at the very beginning of this. Trustee is not quite as recognized a name as the government of Germany or France. But this is what we're looking at. I find an interesting example of this is the Securities and Exchange Commission of the United States. As Irving mentioned, I spend an awful lot of time in Central and Eastern Europe. And companies there that want to raise money, frequently come to the United States. And they voluntarily put themselves under the jurisdiction of the Securities Exchange Commission and NASDAQ. And it's not really because they like the Securities and Exchange Commission's rules it's because they want access to the investors who are in that same jurisdiction that the SEC controls.

And so I'm hoping to see the same kind of thing happen with privacy. Merchants who want to deal with consumers will voluntarily put themselves under the jurisdiction of the BBB, Trustee, AICPA's Webtrust, or what have you. And my personal hope is that there will be more than one of these organizations out there operating vigorously so that they will be competing to genuinely represent the needs of consumers and not become more hostage to the vendors that are also part of this organization.

And you could get into this further and talk to Steve Wollman about NASDAQ and how it has become something of a bureaucracy because there's always this challenge of how do you keep these organizations fresh? And how do you keep them operating in the interests of consumers? Because if you remember back 200 years, which was before any of us was born, the United States government was a self-regulatory organization. It was a bunch of guys who said to Britain, "Thank you, we'll regulate ourselves." And now, of course, many of us see it as the ultimate in encrusted bureaucracy. But it began as something that was revolutionary, and that's where that word comes from and contrary to existing authorities.

So, the final point I want to make is really that we need to think again about this blind distinction we make, either the government does it or business does it. Let's not forget the consumers. And this is a very interesting day today, this is the day that the Department of Justice has filed its lawsuit against Microsoft. And what we really have here is a battle of two monopoly powers, if you like.

Now, whether or not Microsoft is a monopoly and is abusing it, is not clear, but there's this kind of knee-jerk notion that business is good and government is bad in some circles, and that government is good and business is bad in other circles. And the real issue is power and abuse of power. And we have constraints on what the government can do. Every four years we throw it out that's incredibly inefficient. Imagine Bill Gates being put out of office after four years.

So the same kind of constraints we apply to government, it's not so much out of the question applying them to business. It needs to be done carefully. But we're seeing, because of the Internet, a lot of our notions being overturned. One is this business/government divide, another is that governments have jurisdiction over physical territory. Now we've got jurisdictions that cover a different kind of territory, they cover screens. And people choose them voluntarily.

So those are the things I wanted to bring forward to you right now. And now I'd like to take some questions. I've also, great, I've created a few of my own questions in case you didn't come up with any,

And unless you want to be private, if you can say who you are, that would be nice.

QUESTION

My name is Jim Loving, I'm with IBM. I wanted to ask you about the third constituent group. There have been things written about the consumer, taking control of this. What is the likelihood of that in the near term where some entrepreneurial affinity group of consumers would say that the information about me has value, set it up and sort of put it out there available for the merchants, because ultimately, that's what will happen.

ESTHER DYSON

The challenge is trying to look at consumers not as a group. Because the moment they become a group then you lose that element of individual choice. But let me give you two examples of what is happening. One oddly enough, is good old Microsoft, which recently acquired a company called Firefly. Firefly was one of the original developers of the open profiling standard, along with Netscape and Verisign, and they donated it to the Worldwide Web Consortium. And Firefly was known because they came from MIT and they were kind of cool and they did collaborative filtering. But they also have been very active in this area helping users to develop their own, personal profile. And manage and maintain it and share it carefully. Microsoft acquired Firefly and there are lots of conspiracy theories about Microsoft, and I may have contributed with the first part of this talk, but whatever you think, their basic business premise has been empowering consumers. They have been trying to empower corporate enterprises and scale up. But let's face it the real essence of that company has been individual tools for individual users on the desktop. And I believe that's truly what they are after. The challenge is going to be are they going to market that effectively. But the goal here is not for Microsoft to start some kind of consumer alliance. Which probably wouldn't play very well anyway but for them to sell the technology to individual users to do this for themselves. And in a sense, it's not clear what's going to happen the rest of this week, but Microsoft is a big power and they will not go away. In a sense, they have to do what Henry Ford did earlier this century in a different sphere, he virtually doubled his worker's salaries. And by so doing, he created a market not only for his own cars, but for other people's goods. He changed the equation. And if there's one good thing Microsoft could do with it's market's power, it is to change the equation here, to educate consumers that they have these individual choices and how to manage them. The people in Firefly have been invited en masse to move from Cambridge to Redmond. A fair number of them are going. And it all hangs up in the air. But those of you who have influence over Microsoft, one way or another, encourage them to do the right thing with this technology. And don't just react to the government. Move into this market with enthusiasm. Because there are real opportunities here. There's opportunities for experience to develop all kinds of complicated data processing so that they can offer better information back to consumers. There's a third party company called consumerinfo.com which will give you your credit record, and which, unfortunately, I don't know enough about them, I'm trying to find out. There's a real market here for selling directly to consumers, the tools, and the systems, the jurisdictions, and the services to make this happen. There's a real market for CPAs and for insurance companies to validate, design, build, and certify the systems that companies are going to use to meet these demands. And that's what I see happening. I'm slightly optimistic, but I see it coming from the marketplace, and coming in a decentralized way rather than being a mass movement. It's got to be a massive set of individual movements. I believe, to be effective.

Right in front, somebody is bringing you the mike. And even from here, I can't read your badge.

QUESTION

I'm Bob O'Hara from the Washington Post. And I think you're probably right about the marketplace and individuals bringing, voting with their dollar bills what kind of system they want. And it will be a multi-layered system. But what about the political pressures that government leaders are increasingly feeling, and the deadlines such as the European Directive, that appear to be coming into play very, very quickly? What kind of impact do you think that will have?

ESTHER DYSON

Well, I don't think the government is going to say, "Gee ..." Well, put it this way. I don't think we're going to have the Department of Commerce hold its conference where various industry players will show their wares and illustrate what they're doing to solve these problems and say, "Gee, that's okay." I think we probably are going to have some kind of legislation, some directives, whatever. And there's a number of reasons. One is to respond to the European union who, by in large, find it difficult to recognize anything that's not somehow government certified. There's this concept of legitimacy, which in many places applies only to things certified by a government. If you spend a lot of time in Russia, you get kind of cynical about governments, but that's the case. Second, I think there is a need for something somewhat broader and more directed, vis-a-vis, both medical information and how you deal with children. I mean, I'd like to think you could leave it all in the hands of parents, but that probably is not realistic. And third, something that I wouldn't mind seeing although it's going to end up with things like how high the print has to be on the screen. I think it would be reasonable and not too onerous for the government to require disclosure statements. And as Ira said this morning, these things cost money. But they're going to cost more money if they're mandated. And so if you mandate a disclosure statement, but you don't mandate what it is you have to disclose ... that seems to me to be fairly reasonable. When you get realistic, there is a sense that even businesses who sort of want to do the right thing feel constrained because they think their competition won't, and they don't want to bear these extra costs. And so to some extent, business is almost saying, "Please force us all to do the right thing." I hope it will not go further than mandatory disclosure statements. If you combined that with some kind of we'll revisit it again after another year that might reduce some of the pressure, and at the same time, put enough pressure so that this market would actually develop. The other thing that has to happen is the less formal thing of genuine consumer education. IBM's helping to start something called the Consumer Privacy Initiative. Microsoft may or may not say, "Where do you want your data today?" And make a big thing of that. But clearly, there need to be some broad things happening that the government can point to so that it doesn't seem to be number one, a sap to business interests, and number two, inactive in the face of consumer activists who are calling for something. So that's my best guess at what will happen. And it really depends a lot on what you people in this room, and your competition, do.

Susan Scott from Trustee.

QUESTION

Hi, Esther. I was just wondering, you talk to a lot of people out in the business community. And the time bomb is ticking, so to speak, to use that analogy, and as Ira Magaziner told us this morning, we're just about out of time as far as putting a good face forward for the industry. What are some of the reasons why this has not been addressed to date, or as far as your opinion, perhaps, would be a better indicator?

ESTHER DYSON

Well, let's take the example of American Express. Last week there was quite a commotion when it got about, incorrectly, that Amex was selling personal data to a third party. It happened not to be true. But the rumor alarmed people. Indeed, most people don't realize that this sort of stuff does go on with many other companies. There is a lot of personal data out there that is being sold, more than most people realize, to third parties. And let me personalize it by talking about Trustee. Trustee goes to a lot of companies and they say, "Here we are. We're Trustee." I need to disclose, I'm not formally involved with Trustee, but as the chairman of EFF, I was instrumental in its creation. But what I'm going to do right now is not really give you a commercial, so they go to these companies and they say, "Look, we've got this great system for labelling your website with a policy disclosure statement and we also have enforcement mechanisms and so forth and so on." Now, if they're American Express or somebody like that, and I'm not talking with intimate knowledge of any discussion, this is more hypothetical. They say, "Well, we don't really need this. Our customers trust us. And why should we sign up for something and support something that is really going to help the little guys compete with us? Because one of our advantages in the marketplace is that we're American Express, or we're Citicorp, or we're Lands End, and people trust us. So we don't really need this. And in fact, it's going to erode our distinction if we support it." Now, one or two companies that are large have supported it anyway, but the basic thing is the big, successful, already trusted outfits don't need it. And the little guys, who can afford it are interested, and the even littler guys say, "Well, we can't afford this, we keep our data in a shoebox. We're not going to do anything with it. But we maybe could pay your fee, which isn't very big, but we can't afford to have a CPA come in and audit us. This stuff is expensive." To which the answer is, from Ira Magaziner, if not from Trustee "Well, guys, you pay to have your taxes audited, you pay to get audited when you go public, maybe you should start considering privacy and privacy certification as one of the costs of doing business." To which people will say, "Well, when the competition does it, I'll do it." And so, again, this stuff is not cost free. And it's even more expensive if you want to have to give your customers information. I called up Delta Airlines in December, or January and said, "Could you please give me my statement for October? Because I think you missed a particular flight I took." And they said, "Well, it's going to take six weeks." For doing their own data mining, they can get it in two days, but to give it to me, the consumer... and so, you could argue that Delta should do a better job. But whether or not Delta should or shouldn't, it is expensive to maintain a consumer hotline. It's expensive to be responsive. And there are a lot of things businesses are busy trying to do. So privacy is something that, excuse me, data control is something that's further down the list. And the good guys don't really see why they should help the bad guys by doing this kind of thing. They just want to make themselves look trustworthy, but they don't really want to impose new costs on themselves. And so the challenge is rather than make those things appear as costs, make them appear as marketing advantages.

IRVING WLADAWSKY-BERGER

I just want to add to your point how privacy is different for everybody. A few weeks ago I got an e-mail from a car company asking me for all kinds of information including what kind of cars I had, what kind of cars I would want to buy. I gave it to them gladly because part of the deal is I was now in a raffle for two Eric Clapton tickets. And you know, that is actually a wonderful market deal, which is you want me to give you marketing information, what am I going to get for it? And I do a lot for hard to get Eric Clapton tickets. But, I'm wondering if when all is said and done, the reason all these issues are so interesting is because we are entering an era where individuals are becoming incredibly empowered as a result of all the things we can do. I mean, what you just said about not being able to get information about the airline, it won't be long before marketing-wise, that will be such a shame that no self-respecting airline would dare do that. And as you know, all that you need for that to happen is for one airline to do it, and everybody else will have to follow suit. And so what's going on here is the whole relationship between institutions and individuals is getting really fine as a result of the Internet. And we're going to see this play out over the next several years. I'd like to hear your comment.

ESTHER DYSON

Well, I thank you for that comment. I also wanted to add a little footnote to this Delta story which gives me great satisfaction. I was giving a talk at a group of Harvard alumnus who donate money, just two weeks ago. And I happened to be sitting next to the new president of Delta. So that's even better. And I think we're on our way to a resolution. But not everybody can do that. In a sense, what the net does, ideally, is it takes power away from these central authorities and it moves it to me as a consumer. But I want to, Marty has a question, but I just want to raise another issue here first, which is there's another issue that is not yet on the radar screen, but is coming at some point. Last October, I ran a conference in Amsterdam, and we had the head of the Swedish Post speaking there. And he's a guy who used to be a politician. He also hunts deer or moose or something. And he drinks, he's sort of a normal guy.

We were talking about this whole issue of ID cards and authentication and certificates. And he said, "Well, you know, two years ago I thought the concept of having your identification, your bank account, your health records, everything on a single card was just great. But now I think I was wrong." And this was a truly amazing statement coming from a Swedish quasi-government official. But it is, I think, going to be a big issue. There's this notion that you need one digital certificate and you can tie up your identity with this. I think there will be people who will do this and do it gladly. But I think more and more, you're going to have this notion of decentralized identity where people will have multiple certificates for multiple relationships. And even beyond that trusted vault that you saw earlier, I don't really want the guy granting me the mortgage to know all this stuff. What I want is the bank to certify that I can pay. And so the information is actually not even divulged, simply, I'm certified as having a certain capability, the information that provides that certification is kept secret. And so you can be certified as able to pay such and such an amount, you can be certified as being over 21, so you can visit a certain kind of website. You can certify as being covered, you might have to be certified to be a German citizen to go do something at a German website, that kind of thing. That's one point. And the second is you may be certified that way without even having an identity. You may wander the web as somebody who has such and such qualifications, but your identity is not known. And so we're going to see people decentralizing their own identity so that I can receive something possibly delivered to a P.O. box or a FedEx number, that then is physically delivered by FedEx to me. Now, at some point, you have to trust somebody. Whether it's the bank that certifies you to pay the mortgage, or FedEx that knows where you are physically located. But there will be ranges of call it paranoia or sensitivity, but there will be different levels of what people want. And I believe there will be marketplace solutions to many of those. This is all pretty far away, but there are people thinking about it. Did you still have a question? Marty Abrams from Experion.

QUESTION

Right. That's me. There's other identity you can have, but we have to discuss that and negotiate. But the question goes to what you did with Delta. One of the questions that we get in the private sector, at what point will a consumer say the privacy issue is so important to them that they will stop doing business with somebody. Now, I have an airline that's based in Fort Worth that I find their information policies egregious. I still fly them because I fly them 120,000 miles a year, I get free tickets, I get upgrades and all sorts of good things like that. Did you stop doing business with Delta because you felt their information policy was egregious?

ESTHER DYSON

No, but I did make a big fuss. I mean, you're right. The market doesn't work, it's not a binary thing. But if enough people start complaining, if there's enough and you're right, you don't usually pick an airline based on their privacy policies first. But, people do polling, there's a level of expectation in the marketplace, and so it becomes one factor, just as you don't fly that airline only because of its cute stewardesses, but that's part of the appeal and so forth. And so with any product proposition ends up being a selection of features, and let's just put data practices in there. Over there.

QUESTION

More of a comment than question. Perhaps to sort of de-mystify this area, you have been fairly vocal over the last year or two when talking about electronic commerce and the subject of transparency. I've heard you laud the Federal Expresses of the world for making it as easy for a customer to find out what's going on with their package as a FedEx employee. And by the same token, you've sometimes come down on banks for being sort of mysterious about information. Listening to you talk today, it strikes me that your approach towards privacy is really truly personal data in a same transparent fashion and getting the informed consent before anything untoward is done with it, but it's really consistent from your earlier views, I think, on e-commerce?

ESTHER DYSON

Yes. Totally. Who are you?

QUESTION Sorry, anonymous, Mark Green from IBM.

ESTHER DYSON

Thanks. I think there's a question over here. And one other thing, I wish we could enforce the same rules on government as well. We make voluntary transactions with businesses. We make involuntary transactions with governments. And that's why it's even more important, and I think more reasonable, to have broader disclosure laws vis-a-vis government than vis-a-vis business.

QUESTION

You were alluding to the possibility of basic capability, base certificates, just as the government will give me a certificate that says I'm over 21, I can go into a liquor store, whether or not I can drive. But when do you picture that such acceptable authorities will appear in society? Technologically we can do it tomorrow but the hard part is going to get them to believed and accepted.

ESTHER DYSON

Yeah. Well, to some extent, Verisign is starting down that path. The question is again, the technical capability, as you say, is there. But who am I going to trust to certify that such and such is true? And as you can guess, I'd rather not have it always default to being the government. But we need to build those kinds of things. Yeah, it's kind of a lame answer, but it's up to you guys. Thank you very much, and enjoy the afternoon.