CRS-2

6

9

7

executive branch, courts, businesses, privacy advocates, Web sites and Internet service providers, and professional organizations 10 continue to confront many other issues associated with the security and privacy of information.

BACKGROUND

Privacy has become a "broad, all-encompassing concept that envelops a whole host of human concerns about various forms of intrusive behavior, including wiretapping, surreptitious physical surveillance, and mail interception. Individuals claim a right of privacy for an enormously wide range of issues from the right to practice contraception or have an abortion to the right to keep bank

to

6 See, Federal Trade Commission, Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (December 1996). Available: http:www.ftc.gov/bcp/conline/pubs/privacy/privacy.htm. In June of 1997, the FTC held four days of hearings on technology tools and industry self-regulation regimes designed enhance personal privacy on the Internet. Available: http://www.ftc.gov/bcp/privacy2/index.html. U.S. Govt. Information Infrastructure Task Force, Information Policy Committee, Options for Promoting Privacy on the National Information Infrastructure (April 1997). Available: http://www.iitf.nist.gov/ipc/privacy.htm. Board of Governors of the Federal Reserve System, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud (March 1997). Available: http:// www.bog.frb.fed.us/boarddocs/RptCongress/privacy.pdf. U.S. Congress, Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606 (Sept. 1994) and Issue Update on Information Security and Privacy in Network Environments (June 1995). Social Security Administration, Privacy and Customer Service in the Electronic Age (September 1997). Available: http://www.ssa.gov.

7 Privacy and American Business, Handbook of Company Privacy Codes Vol. 3

(1996).

8 See, American Civil Liberties Union, Take Back Your Data Campaign (July 1997). Available: www.aclu.org/action/tbyd.html. Center for Democracy and Technology, CDT Privacy Demonstration. Available: http:www.cdt.org/privacy. Electronic Frontier Foundation, Privacy Archive. Available: http://www.eff.org/pub/Publications/CuD/Privacy. Electronic Privacy Information Center, Surfers Beware: Personal Privacy and the Internet (June 1997). Available: http:www.epic.org/reports/surfer-beware.html.

9 Netscape Comm., Netscape, Firefly and Verisign Propose Open Profiling Standard (OPS) to Enable Broad Personalization of Internet Services: More Than 60 Companies and Organizations Support Uniform Architecture that Protects Users' Privacy (May 27, 1997). Available: http://search.netscape.com/newsref/pr/newsrelease411.html. World Wide Web Consortium (W3C), Platform Privacy Preferences (P3) Project (June 1997). Available: http://www.w3.org/P3/overview.html.

10 Direct Marketing Association, Guidelines for Personal Information Protection. Available: http:www.the-dma.org, Interactive Services Association, Protecting Your Privacy When You Go Online. Available: http://www.isa.net/project-open/priv-broch.html.

CRS-3

records confidential."11

12

Some advocate the expansion of this concept to include the right to "information privacy" for online transactions and personally identifiable information.' The term "information privacy" refers to an individual's claim to control the terms under which "personal information" information that can be linked to an individual or distinct group of individuals (e.g., a household) is acquired, disclosed, and used.13 The right to privacy has also been characterized as the "the right to be let alone." There is a perception among many that in our information driven society this right is under attack. The potential harm that can occur from unauthorized disclosures of such information has been well documented. 16

-

#14

Individuals and businesses increasingly rely upon computers and computer networks to transact business and to access the Internet. There are estimated to be over 9,400,000 host computers worldwide, of which approximately 60 percent are located within the United States, and are estimated to be linked to the Internet. This count does not include the personal computers people use to access the4 Internet using modems. In all, reasonable estimates are that as many as 40 million people around the world can and do access the Internet. This figure is expected to grow to 200 million Internet users by the year 1999.16 Computers are used for many transactions today: electronic uniform product code (UPC) scanners, telephones, email, Caller ID, ATMs, credit cards, electronic tolls, video surveillance cameras, health insurance filings, catalog shopping, pharmacy records, and Internet access. The use of computers and computer networks for personal and business transactions has resulted in the creation of vast amounts of information. Information stored or transmitted via computers includes credit and financial information, health information, tax information, employment information, business information, trade secrets, proprietary information, and customer information.

Online users may voluntarily disclose personally identifying information, for example, to an online service provider for registration or subscription purposes, to a Web site, to a marketer of merchandise, in a chat room, on a

11 See, David Flaherty, Protecting Privacy in Surveillance Societies, University of North Carolina Press, Chapel Hill, 1989.

12 See, Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?" 44 Fed. Comm. L.J. 195 (1992).

18 See, U.S. Govt. Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information, Commentary ¶ 2 (1995). Available: http://www.iitf.nist.gov/ipc/ipc-pubs/niiprivprin_final.html.

14 Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).

16 See, J. Rothfeder, Privacy for Sale: How Computerization Has Made Everyone's Private Life an Open Secret 175-95 (1992).

16 ACLU v. Reno, 117 S. Ct. 2329, 2334 (1997).

CRS-4

bulletin board, or to an email recipient." Information about online users is also collected by Web sites through technology which tracks traces and portraits of every interaction with the network.18

19

When a person accesses a Web site, the site's server requests a unique ID from the person's browser (e.g., Netscape, Microsoft Internet Explorer). If the browser does not have an ID the server delivers one in a "cookie" file to the user's computer. This process is called "passing a cookie." Cookies are similar to the Caller ID feature on phone systems. Web sites can use cookies to track information about user behavior." Web sites contend that the primary purpose for the use and collection of user data is so that the computer receiving the data can send the information file requested by a user to the user's computer, to permit Web site owners to understand activity levels at various areas within sites, and to build new Web applications tailored to individual customers. One widely criticized feature of "cookies" is that this activity is generally invisible to the user, and often occurs without user consent.

Information that is stored electronically often can be linked by use of the same key, such as the social security number. The widespread use of the social security number for secondary purposes (e.g., credit, financial, motor vehicle licensing, health insurance, etc.) has contributed to this phenomenon. A person's social security number, by itself, may have little value since it in and of itself does not convey information about a person's characteristics, interests, buying habits, etc. It may be useful though to a credit card company (to help verify an applicant's identity) and also to a direct marketer (to ensure that a solicitation is sent to the right person).

17 A report by the National Telecommunications and Information Administration (NTIA) addressed the private sector collection, use, and dissemination of telecommunications-related personal information (TRPI) created in the course of an individual's subscription or use of a telecommunications service, and concluded that as the cost of digitally storing personal information becomes less expensive, the accumulation of personal information from disparate sources will become more costeffective for users. U.S. Dept. of Commerce, National Telecommunications and Information Administration, Privacy and the NII: Safeguarding TelecommunicationsRelated Personal Information (1995). Available: http://www.ntia.doc.gov/ntiahome/privwhitepaper.html.

18 A recent survey of the current practices of 70 federal agency web sites regarding the use of personal information collected from online users found that 31 federal agencies collect personal identifying information primarily from guest books, comment forms, or feedback forms. It found that 11 of the 31 agencies that collect personally-identifiable information reportedly give notice of use on their sites. See, OMB Watch, 'A Delicate Balance: The Privacy and Access Practices of Federal Government World Wide Web Sites," (Aug. 1997). Available: http://ombwatch.org/ombw/info/balance.html.

19

See, Vanderbilt University Owen Graduate School of Management, Commercialization of the World Wide Web: The Role of Cookies. Available: http://www2000.ogsm.vanderbilt.edu/cb3/mgt565a/group5/paper.group5.paper2.htm.

CRS-5

Technologies like data-mining software facilitate the use of this information for commercial, unauthorized, and unlawful purposes. Because of the power of computer networks to quickly and inexpensively compile, analyze, share, and match digitized information, electronic information is potentially much more invasive. Computers make information multi-functional as vast amounts of consumer information are collected, generated, sorted, and disseminated electronically, and perhaps then sold, with or without consent. A wealth of personal information about individuals can be harvested. How valuable the information is depends in part on how descriptive it is and how it can be used. One result of these technological advances has been the rapid growth and expansion of the information industry.

INFORMATION INDUSTRY

20

Basically, there are three participants in the information industry government entities (federal, state, local), direct marketers, and reference services. Generally each of them gathers and distributes personally identifying information. The information may be gathered for one purpose, and sold for another.

Examples of public records held by government entities that contain personally identifying information such as name, address, and social security number are: driver's licenses', driving records, marriage and divorce records, motor vehicle title and registration, vital statistics, voter registration records, political contribution records, firearm permits, property tax records, land records, SEC filings, court and law enforcement records, postal service address records, boat and aircraft records, financial and ethics disclosures, occupational and recreational licenses. Government records are generally available to anyone, and often represent significant sources of revenue for government agencies.

To determine who should be solicited for a particular product, service, or fund raiser, direct marketers rely on lists designed to target individuals who are likely to respond to solicitations. The list may be obtained from consumer surveys, warranty or response cards, and customer purchase data. The lists may also be merged with other lists or with information from other sources, such as public records and magazine subscriptions. Frequently, they rent preexisting lists from list brokers who group information such as similar interests, characteristics, and purchasing habits. The cost of renting a list varies depending upon the number of addresses on the list and the amount of information given.

20

The section is derived from the report of the Board of Governors of the Federal Reserve System, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud (March 1997). Available: http:// www.bog.frb.fed.us/boarddocs/RptCongress/privacy.pdf.

CRS-6

Reference services gather information from a variety of sources, compile it, and then make it commercially available." Common users of reference services include law firms, private investigators, and law enforcement officials. There are generally no federal laws on who can access information through a reference service. The service may require users to subscribe. The price of the information depends on how detailed the information is, how quickly it can be provided, and how frequently the subscriber uses the service.

Consumer reporting agencies are a source of a great deal of information about the consumer's finances: employer, credit card and loan account numbers, amount of available credit, amount of outstanding debt, payment histories, and default, judgment and bankruptcy information.

FAIR CREDIT REPORTING ACT

The Fair Credit Reporting Act (FCRA) regulates the credit reporting industry, places certain responsibilities on users of consumer reports, limits the circumstances in which consumer reporting agencies may disclose consumer reports, and requires consumer reporting agencies to investigate and report information the consumer claims is inaccurate or incomplete." Under the FCRA consumer reporting agencies are prohibited from disclosing consumer reports to anyone who does not have a permissible purpose. FCRA defines "consumer report" as:

"any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under § 1681b." 23

There are three key elements. First, the information must be reported by a consumer reporting agency. Second, the information that is collected must be used, or must be expected to be used, or collected in whole or in part for the purpose of serving as a factor in determining the consumer's eligibility for consumer credit or insurance, employment, or for another permissible purpose.

21 See, The Lexis-Nexis P-TRAK Service, Library of Congress, Congressional Research Service Rep. No. 96-795A by Gina Marie Stevens, Sep. 30, 1996.

22

Extensive amendments were made to the FCRA in September 1996, which generally become effective September 30, 1997. Pub. L. No. 104-208, §§2401-2422, 110 Stat. 3009 (1996).

28 15 U.S.C. § 1681a(d)(1).