
room and every table. But in the interest of liberty, we make a judgment call that such laws would not be appropriate. In fact, procedurally we place a number of obstacles before law enforcement officials wishing to eavesdrop.

I only raise this issue because in reviewing Ambassador Aaron's testimony, he presents many hopeful aspects, but the prospect for a hammer certainly is present. On the last page, quoting from the Ambassador's prepared testimony he said "We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation. But if effective privacy protection cannot be provided in this way, we will reevaluate this policy." I know that based on your testimony that on July 1st a report is going to be prepared for the President relating to this subject.

Ambassador Aaron, or Mr. Medine, do you have any preliminary observations as to how industry might be faring in this regard prior to the publication of the July 1st report?

Mr. AARON. Yes, I think I can comment at least in part on that. Let me just say in response to some of the earlier discussion here that we have never felt that self-regulation was the only tool for ensuring privacy. It's our feeling that it really has to be a combination of measures that includes law, includes regulation and includes self-regulation where it is more appropriate, efficient or cost-effective.

Mr. ROGAN. If I may interrupt just for a moment so I may follow you. Certainly the assumption in that comment is that if the standard that the Administration might like to see is not met, the other side of the scale begins to tip higher.

Mr. AARON. Well I wouldn't put it in those terms, but I would say that different circumstances require different measures. For example, we have seen the validity and importance of law and regulation in certain sectors. As I indicated earlier, the sectors include telecommunications, medical information and genetic information, financial sector, and so forth. I just want to make it clear that we're not just saying that self-regulation is the only answer.

It's really our judgment that the Internet, because it is so rapidly evolving and so multifaceted, that it is best to try to get the industry itself to embark on self-regulation. So far, to be frank, we are off to a slow start, but I think there is hope. There are some leading companies who are seeking to bring together other companies to adopt self-regulatory regimes that would be consistent with the kinds of criteria which I enunciated in my presentation, and we believe that by July 1 we should be in a position to report some substantial progress in that area.

I don't want to identify the companies. I want to let them go ahead and do their work. I think the picture is reasonably encouraging at this point, but it has taken significant encouragement on the part of Secretary Daley and others to get to this point and we're going to need to continue that dialogue with industry.

I believe the Department has two different activities coming up. In May, the Department of Commerce is going to have a 2-day conference with industry, consumer groups and government officials to look at the issue of self-regulation and its enforcement and how effective it can be in protecting privacy. We will follow up that conference with meetings with industry and consumer groups in a variety of fashions prior to the July 1 deadline.

But as you point out, and I'm sorry I didn't get to that point because my little red light had gone on, the Administration does believe that private efforts of industry working in cooperation with consumer groups can be more effective and are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.

Mr. ROGAN. Mr. Chairman, I see that my time has expired.

Mr. COBLE. Well if you have another question or two you are welcome to ask them. We're informal this morning.

Mr. ROGAN. Actually I had promised my friend from Virginia I would yield a minute to him. So I wonder if the committee would indulge me so as not to make a liar out of me in his eyes.

Mr. COBLE. Without objection.

Mr. ROGAN. I yield to my colleague from Virginia.

Mr. GOODLATTE. I thank the gentleman for yielding, and I also thank the gentleman from Massachusetts for his comments. He is one of a number of former prosecutors who recognized the difficulty that law enforcement has in dealing with encryption as I do, but nonetheless understands the nature of this problem and that the solution is not to keep encryption out of the hands of the good guys who can use it to protect themselves.

Ambassador Aaron, I just wanted to respond to a comment you made earlier asking if we wanted to have a situation where the FBI would no longer be able to use certain law enforcement techniques because of the existence of encryption, and I just want to dispute that. There is absolutely no question but that through both technological means and traditional law enforcement means there are a lot of other ways for law enforcement to address this problem. Will strong encryption be a problem for them? Absolutely. Whether my bill passes or not, it will be a significant problem for them, but they have the opportunity to work with the computer industry.

One of the provisions that was put into this legislation and one of the committees that dealt with it was a center for law enforcement to work with the high-tech industry to come up with a means of looking at this. This is not new either. Certain aspects of the law enforcement and intelligence communities have always engaged in that sort of activity to try to find the weak points in mathematical algorithms and use that. In addition, you have the opportunity to have undercover operations where somebody is given the key to the encryption by getting inside of an organization. Sometimes people inadvertently give the key out to other people.

You correctly noted that one of the problems in this whole area is the certificates of authority. How do you know whether the person you are communicating with is the person you think you're communicating with. There are a number of tools that law enforcement will have and will continue to use to deal with their lawful right under certain circumstances to intercept and decode communications.

So I don't want this issue to be at all polarized, and we are willing to look at a lot of different alternatives, but if one of those alternatives is the government mandating or even indirectly requiring certain activity of citizens that results in mandating, which is what I believe our current export control laws effectively do, or having a key system where the gentleman from California correctly noted is the equivalent of the Congress requiring people to take the key to their home or their safe deposit box down to the police station and put it on deposit so that under certain circumstances the police can use it and come into their homes without their knowledge, that is a massive erosion of our Fourth Amendment rights and that's what we object to. Short of that there are a lot of things we can do and a lot of things we can and will in this legislation give to law enforcement to deal with the problem of encryption. I thank the gentleman for yielding.

Mr. COBLE. I thank the gentleman.

The gentleman from Indiana, Mr. Pease.

Mr. PEASE. I thank the chairman and the members of the panel for being with us on this important subject, and I express my regret to the chairman and the members of the panel that multiple simultaneous duties have had me moving in and out, and because of that I think it's more appropriate that I waive my opportunity to question.

I do appreciate the written material and having reviewed it will probably be in touch, but thank you very much for your presentations.

Mr. COBLE. I thank the gentleman.

Gentlemen, we appreciate you being here. We may be in touch with you subsequently.

Now I may pay the price for having been so liberal on our time with the first panel because we're going to have a vote fairly imminently and I would like to be able to move this along. So I would ask the second panel if you all would adhere to the red light when it appears as your warning that the 5 minutes have elapsed.

Our first witness on the second panel is Fred Cate, who is a professor of law and Director of the Information Law and Commerce Institute at the Indiana University School of Law. Professor Cate is a recognized expert on information law and also the author of many articles addressing privacy, copyright and freedom of expression.

Our second witness is Mr. Marc Rotenberg, Director of the Electronic Privacy Information Center, a public interest research organization working to protect privacy, free speech and Constitutional values in the online world. Mr. Rotenberg is also an adjunct professor at Georgetown University Law Center.

Our third witness is Ms. Deirdre Mulligan. She is Staff Counsel at the Center for Democracy and Technology where she evaluates the impact of technology on individual privacy. Currently Ms. Mulligan is shepherding the Internet Privacy Working Group, a collaborative public interest/private sector working group, developing a framework for privacy on the Internet.

We had a fourth witness who because of personal problems could not appear, Janlori Goldman, who is the Director of Health Privacy Project at the Georgetown University Medical Center, and I would ask unanimous consent that her statement be made a part of the record as well as the statements of the members of the second panel.

Now, Professor Cate, we have a valued member of this subcommittee who is an alumnus of your School of Law, but I believe you look too young to have taught him. [Laughter.]

Am I correct about that?

Mr. CATE. Thank you very much, Mr. Chairman. I doubt if I could have taught the Member from Indiana anything at all.

Mr. FRANK. I had one other acknowledgement, Mr. Chairman. In the interests of full disclosure I should note that one of the witnesses has a connection. My first political event was held in his home. He was at the time I think about six. [Laughter.]

It was in 1972. Mr. Rotenberg's parents held my first political event in 1972. So I thought we should put that in the record. I do think he was probably of an age where he was certainly eligible to give personal information to various computer-generated businesses, but he was not himself I think a participant in the decision to host me, although I hope it is one he never later regretted.

Mr. COBLE. Mr. Rotenberg, we will hold you harmless for your past sins. That is said in jest of course. [Laughter.]

And I need to tell the gentleman from Indiana that I did not mean to imply that you looked that old, Mr. Pease. [Laughter.]

I'm getting in trouble. So having said that, Ms. Mulligan, why don't we start with you. And, again, folks, if you all could be ever mindful of the 5 minute time limit we will be appreciative.

STATEMENT OF DEIRDRE MULLIGAN, STAFF COUNSEL,
CENTER FOR DEMOCRACY AND TECHNOLOGY

Ms. MULLIGAN. Thank you very much. It's a pleasure to be here this morning to talk about this important issue.

While my mind and my nose were buried yesterday trying to finish my testimony, I neglected to read the Style Section of the Washington Post which I know is where most people start. As I was sitting around the living room last night with my friends and neighbors we started discussing the fact that Kenneth Starr went down to Kramer Books and subpoenaed records of Monica Lewinsky's book purchases. I believe this is a good place to start my testimony.

We have entered a “Brave New World.” It's a world in which our words are not the only important records, but in fact data itself speaks. And the little pieces of data that we leave in our daily transactions, whether they're with the book store or they're with an online service provider or they're with a web site, can come back and bite us.

When Kenneth Starr goes and asks Kramer Books for records of Monica Lewinsky's purchases at the book store we must think about the information he may find. Will he find that Monica was perhaps fighting depression? Will he find that she was curious about a particular health ailment in her family? What may be revealed by the records of her book purchases?

Historically the actions of data collectors in the private sector were rarely the focus of our privacy policies. Generally they have focused on law enforcement access. This case highlights that the wall between the private sector collection and use of data and the government's use of data when it decides to bring its force and actions into this world in the area of privacy is a permeable one. I'm very pleased that the committee has decided to focus on the important issue of privacy in the electronic medium.

Perhaps the next type of information that Kenneth Starr will seek will be information from a cellular phone company, which in fact might be able to a year or so down the line detail not only whether Monica was in the White House, but what part of town she was in, and perhaps next year it would be able to tell us which room Monica visited in the White House. Because in fact that is the type of detailed transactional data that this digital revolution in technology is bringing upon us.

Crafting proper privacy protections in the electronic realm has always been a very complex endeavor. It requires a keen awareness not only of changes in technology, but also changes in how that technology is entering our daily lives.

The last time that Congress revisited this issue seriously was in 1986. Due to privacy considerations arising from changes in technology, primarily wireless services and the growing use of e-mail, Congress adopted the Electronic Communications Privacy Act. ECPA began to grapple at the edges of this revolution in communications and computing medium. It started to realize that this transactional data, not necessarily the words we speak, but the digital fingerprints that we leave as we walk through this world were beginning to talk very loudly about our thoughts, our associations, our whereabouts and our acquaintances.

I would like to use two brief examples to talk about what that might mean in the future and why I think that these changes in both technology and the way in which this technology is being embedded in the fabric of our lives requires us to reexamine how we craft privacy policies, how we deal with privacy institutionally within the government, and how to move forward.

Individuals traditionally kept their diaries under their bed, in their drawer or perhaps on their desk. With the advent of digital desktop computing people began to store their diaries on their hard drives. As network computing, which is where we are today, continues to become more and more an integral part of our lives those intimate papers, those thoughts and reflections are actually moving out into remote locations. What this means is that rather than having the full Fourth Amendment protections when law enforcement comes to seize my diary they would if they were stored in the home, they might be able to access that information under a much weaker legal standard - perhaps a mere subpoena if that record was kept on a remote server somewhere. That diary is still my diary regardless of where it is. Yet the legal protections afforded it might be quite different.

This becomes I think perhaps even more troubling to individuals if we think about some of the sensitive records that are held by institutions. Congress is focusing specifically on the privacy protections afforded medical records. It is an area on which we need to focus. Hospitals, clinics and physicians are using network computing in their businesses, and as those personal records that reveal the most intimate pieces of our lives go from the doctor's file to the doctor's desktop to a shared computing environment where they are no longer under the purview of the doctor - forget about my