STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER

Mr. ROTENBERG. Thank you very much, Mr. Chairman, and thank you for the opportunity to be here this morning. I would also like to thank the subcommittee for your work in support of Representative Goodlatte's legislation, the Safe Bill, which for many users on the Internet is very important to us.

These issues of privacy on the Internet at times appear very complicated, new software, new techniques, browsers, Cookies, and it seems as if there are no clear lines. Why should the government regulate if the technology is changing so quickly or if the expectations are so unclear.

But in fact privacy policy and privacy law is based on a simple set of principles. It is that when you give up personal information you gain certain rights, and when organizations acquire your information they take on certain responsibilities. This is true with your bank, with your telephone company, with your doctor and with the Federal Government.

These practices, these policies are generally referred to as "codes of Fair Information Practices," and they can be found in every privacy law in the United States and around the world. They give rights to individuals, and they establish responsibilities for organizations that hold information.

None of this has changed with the Internet. When a company sets up a business on the Internet and acquires your information they have responsibilities, and those responsibilities to be effective need to be backed up, as they have always been, by a right in law to seek redress when a harm occurs.

But what has changed with the Internet in this new era of technology is the opportunity to use technology to protect privacy. You see, much of our law is based on the view that technology is a threat to privacy, that Big Brother will be able to use these big databases to keep track of all our private activities. But we also see that there are now ways with techniques, such as encryption, to protect our communications and to protect our identity. So, the second critical aspect of privacy on the Internet is to make available these techniques so that people can protect their privacy.

Now Ambassador Aaron testified on the earlier panel that encryption was not widely used and was not particularly significant, and I have to disagree with him on this point. In the past week I have purchased a book online at Amazon.com. I entered my credit card number at my keyboard to make that purchase possible and, fortunately, the software that I was using provided by Netscape encrypted that link, that communication between me and the online merchant so that my credit card number would not be disclosed to others.

And yesterday I helped my wife change her user ID with our local service provider. I went in through Internet Explorer. (We are bipartisan with browser software as we are in politics.) And, fortunately, Microsoft has provided encryption so that when I was communicating her user ID across the Internet and the password it would not be available to others. My experience is the same experience as millions of people using the Internet today. They need these new techniques to protect their privacy.

59-923 00-3

Cutting to the bottom line, the problem is that our current privacy policy, the policy that is reflected today in the position of the White House and the Administration is exactly backward. Where we need to step aside and let these new techniques develop and let free market ingenuity and innovation do what they do well the government is trying to impose controls. They don't want strong encryption, they don't want anonymous payment schemes, they don't want telephone services that can't be wiretapped. That is the wrong approach.

But where government help is needed because privacy rights aren't being enforced, because there isn't redress for consumers, and because we haven't extended fair information practices to new services the government is standing on the sidelines and saying you all figure it out. The problem with this policy can be seen when you compare our current policy with what is taking place in other countries today as well as with our own history.

Let me propose for you, for example, to consider the significance of the date October 1998, just a few months from now. In Europe that is the date where a comprehensive privacy law goes into force. It's not a perfect law. Like most laws it has got some problems, but it does reflect a fundamental commitment to protect the rights of citizens and their privacy.

In the United States in October we're going to put in place the digital telephony bill which requires that all telephone networks be capable of police surveillance. We are promoting surveillance. Other countries are wrestling with the issue of how to protect privacy. This is an urgent issue. We have to change course. Privacy today is the No. 1 concern of Internet users, and without strong safeguards people will not use the Internet.

We think we have a common interest in solving this problem, and I very much appreciate the chance to be here this morning. Mr. COBLE. Thank you, Mr. Rotenberg.

[The prepared statement of Marc Rotenberg follows:]

PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER

SUMMARY

Public opinion polls show that privacy is the number one concern of Internet users. Everyone is aware that a great deal of personal information is collected, and that virtually no meaningful protections are in place.

In the McVeigh-AOL case, a person almost lost his job because of information that was improperly disclosed by an online service provider. An amendment to Electronic Communications Privacy Act could help prevent similar incidents in the future. But the example is just one of the many privacy risks that people using the Internet today face.

The Internet lacks adequate privacy protection. A survey by the Electronic Privacy Information Center in 1997 of the 100 top web sites found that less than half had privacy policies, and those with policies offered little real protection. Still, anonymity plays a critical role in online privacy as it gives individuals the ability to control the disclosure of their identity.

Even though the Internet is a very new communications environment, the commitment to establish privacy protection by law in the United States is long-standing. The US developed important legal safeguards to protect the privacy of communications and established the fundamental approach to the protection of personal information generally described as “Fair Information Practices"-that make clear the responsibilities of organizations that collect data and the rights of individuals who give up personal information.

But our policies US have not kept up to date. The absence of new legal protections for privacy coupled with government efforts to restrict the use of new privacy enhancing techniques, such as encryption, have produced a privacy policy that is almost exactly backward. This becomes particularly clear if you contrast our current policy with our own history of privacy protection and current developments in other parts of the world.

Several steps must be taken to set our privacy policy back on course. First, enforceable Fair Information Practices should be applied to the Internet. This is best done by legislation. The self-regulatory approach is not working. Second, techniques to protect privacy and anonymity should be encouraged and restrictions on encryption should be lifted. Finally, a privacy agency should be established to develop additional recommendations for privacy protection and to provide permanent leadership within the federal government on this important issue.

We are at the beginning of a long and difficult period for the protection of privacy in this country. Technology is racing ahead. Our laws and institutions are lagging far behind. The level of public concern about privacy is growing. There is much work to be done.

My name is Marc Rotenberg. I am the Director of the Electronic Privacy Information Center, a non-partisan research organization in Washington, DC. I am an adjunct professor at Georgetown University Law Center and Senior Lecturer at the Washington College of Law. I am also editor, with Philip E. Agre, of Technology and Privacy: The New Landscape (MIT Press 1997).

I appreciate the opportunity to testify before the Subcommittee today. I'd like to thank the Subcommittee for holding this hearing and also for your ongoing work in support of Representative Goodlatte's SAFE bill that would help reform our nation's policy on encryption.

McVeigh-AOL Case

The growing concern about the loss of privacy on the Intenet was made clear earlier this year when the Navy began discharge proceedings against a decorated sailor based on personal information about the sailor disclosed by America Online. A Navy investigator, suspecting that Mr. McVeigh might be in violation of the "Don't Ask, Don't Tell" policy, obtained information that linked Mr. McVeigh's “screen name,' which was not his actual identity, with his real identity. Once the connection was established, the discharge proceeding began.

The McVeigh-AOL case raised a complicated set of legal issues. The AOL Terms of Service agreement specifically prohibited this disclosure. But a civil action against the company would not mean reinstatement by the Navy. The disclosure also appeared to violate the Electronic Communications Privacy Act, but the statute is ambiguous about the remedies available to victims of such disclosure.

Mr. McVeigh filed suit against Navy Secretary John Dalton in federal court. Judge Stanley Sporkin found that the Navy had violated the "Don't Ask, Don't Tell policy" when it pursued the investigation. In the course of the decision, Judge Sporkin also considered whether the Navy violated the Electronic Communications Privacy Act.2 The opinion is a little less clear on this point. Judge Sporkin said the investigation undertaken by the Navy was "likely illegal" under the ECPA because the Navy investigator failed to obtain a warrant before he sought personal information from America Online about Mr. McVeigh. The government contended that the obligation to comply with ECPA fell not on the government actor but rather on the online service provider.3

Judge Sporkin said that the statute read as a whole made clear the intent to regulate the conduct of government agents. He found that even if the relevant provision did not apply to the actions of government (18 USC § 2703), "it is elementary that information obtained improperly can be suppressed where an individual's rights have been violated." Judge Sporkin concluded "in these days of 'big brother,' where through technology and otherwise the privacy interests of individuals from all walks

1 America Online, Terms of Service Agreement and Rules of the Road:

"Our policy is not to disclose identity information to third parties that would link a Members screen name (s) with a Members actual name, unless required to do so by law or by legal process served on AOL, Inc. (e.g., a subpoena). AOL, Inc., at its sole discretion, reserves the right to make exceptions to this policy in extradordinary circumstances (such as a bomb or suicide threat, or instances of suspected illegal activity) on a case-by-case basis."

5(BXiii) Privacy Policy-Member Identity and Billing Information.

218 U.S.C. §82501, et. seq. (West 1997).

3 Tucker v. Waddell, 83 F.3d 688 (4th Cir. 1996) ( Section 2703(c)(1)(B) only prohibits the actions of online providers, not the government).

of life are being ignored or marginalized, it is imperative that statues explicitly protecting these rights be strictly observed."

The McVeigh case is critical for several reasons. First, it makes clear that privacy violations have real consequences. Mr. McVeigh's life was forever changed by the decision of America Online to disclose personal information about him to his employer. Second, the case shows the shortcomings of contractual solutions. Even with a very clear contract provision detailing when personal information may be disclosed, the Navy investigator was still able to obtain personal information about Mr. McVeigh. Third, the case shows that we are all becoming increasingly dependent on these new services to safeguard our privacy. America Online today has more than eleven million subscribers.

Mr. McVeigh's case, because the improper disclosure of information was so well documented, received national attention. But there are many other people in this country who face similar privacy risks, whose names will never be known. Indeed, they themselves may never know that information about them was improperly disclosed.

What is Privacy?

In some respects, the McVeigh case appears complicated. AOL didn't actually disclose personal information about Mr. McVeigh, such as an unlisted phone number or a Social Security Number. Rather, the company disclosed information that linked his actual identity to an assumed identity. The Internet raises many privacy issues that seem novel or unusual:

• Search engines allow people to find information all across the Internet but can also store the identity of the user and the inquiry the person made. Should this information be saved, should it be disclosed or sold, or used for marketing?

• Copyright management systems will record the individual use of digital works such as books sold online and newspapers read over the Internet. Should personally identifiable information be collected or should techniques to protect anonymity be pursued?

• Internet software makes it possible to track the web sites that a user visits and the pages he or she views. Should advertisers compile individual preferences to customize ads or place products on web displays?

Operators of web sites can easily collect a great deal of information from individuals, far more than would be available in a typical commercial transaction. Should companies collect this information, use it, or it?

• Marketers are developing one-to-one marketing techniques specifically designed to target young people. Are special privacy safeguards necessary for children?

• Internet Service Providers provide a critical gateway to the on-line world. Should they have a special obligation to protect privacy and be subject to legal rules?

As complicated as these examples may seem, the basic privacy analysis is not so difficult. The premise that virtually all privacy law and policy is based on is the belief that when individuals give up personally identifiable information to organizations, the organizations take on some obligation and the individuals are granted some rights. We call these responsibilities and rights "Fair Information Practices." The critical elements of Fair Information Practices include:

• Distinguishing personally information from other information. Demographic data and aggregate data generally do not raise privacy concerns, but data that can be a linked to a specific, identifiable individual does raise a privacy issue.

• Articulating the responsibilities of data collectors, such as the responsibility to limit disclosure of personal information, to ensure that it is used for the purpose collected, and to provide adequate security to protect that data

• Articulating the rights of data subjects, such as the right to inspect and correct data, to seek redress, and to receive damages

You will find this approach to privacy protection in virtually all of the privacy laws in the United States, including many of the recent statutes that address new technologies, such as the subscriber privacy provision in the Cable Act of 1984, the Electronic Communications Privacy Act of 1986, the Video Privacy Protection Act of 1998 (video tape rentals), the Telephone Consumer Protection Act of 1991 (auto-dial

ers and junk faxes), and even the CPNI rules contained in the Telecommunication Reform Act of 1996 (customer billing information).

To be effective, Fair Information Practices must be enforced and must provide redress. It is not enough to say what a policy is without providing a means to enforce the policy. That is why voluntary guidelines, professional standards, and codes of conduct that are based on Fair Information Practices do not necessarily provide significant privacy protection.

There are also some novel issues.4 One very interesting and very important policy question is brought about by the development of new technologies that make it possible to protect privacy in ways we had not previously imagined. Traditionally, we understood that technology was a threat to privacy and that it was the proper role of government to restrict the use of techniques that might intrude on privacy. But now we see in such techniques as public key encryption and anonymous payment schemes the opportunity to develop new means to limit the disclosure of personal information.

The critical question then becomes what role government should play in promoting, regulating, or restricting techniques such as encryption that allow individuals to protect personal information. In the United States this debate has largely been framed in terms of the need to balance the interests of privacy and commerce against the concerns of law enforcement and national security. But in most other parts of the world that have looked at this issue, there is a very different view. Many governments believe that these new technologies should be promoted and that efforts to impose controls for law enforcement purposes are short-sited and will ultimately prove futile.5

In my view, privacy in the information age means both the extension of Fair Information Practices to new information environments and the active promotion of techniques, often based on encryption, to protect the disclosure of personal information. This is the fundamental policy goal.

Understanding the Problem of Privacy on the Internet

To understand the problem of privacy on the Internet in more detail, EPIC conducted a survey of the top 100 web sites in the summer of 1997.6 It was the first comprehensive survey of Internet privacy. We looked at the policies and practices actually in place on the most popular web sites. For each site, we checked whether personally identifiable information was collected, whether a notice describing privacy polices was displayed, whether the policy was adequate, and similar questions. We found that about half of the sites that we surveyed collected personal information. This was typically done for on-line registration, surveys, user profiles and order fulfillment. Seventeen sites had privacy notices or statements, but the policies were often not easy to locate and some policies we could only find after we registered at the site.

We believed it was important to look not simply at whether the site had a privacy policy. It is critical that a privacy policy explain the responsibilities of organizations collecting data and rights of the person who provides data. We found that few of the sites provided adequate protection. A critical question for the future of Internet privacy will be whether there is a means to enforce Fair Information Practices.

One of the most interesting findings in our survey was that anonymity was largely respected by the websites. Most websites allow users to visit and receive information

about products, or news, or almost anything else you can find on the Internet without collecting personal information.

In the conclusions of our report we said that:

• Webs sites should establish a privacy policy that is easy to find

• Policies should state clearly what personal information is collected and how it will be used

• Web sites should make it possible for individuals to access their own data

• Cookies transactions should be more transparent

• Anonymity should be encouraged

4P. Agre and M. Rotenberg, Technology and Privacy: The New Landscape (MIT Press 1997). 5 Organization for Economic Cooperation and Development, Cryptography Policy Guidelines (1997) [http://www.oecd.org/dsti/iccp/crypto-e.html].

6 Electronic Privacy Information Center, "Surfer Beware: Personal Privacy and the Internet," (June 1997) [http://www.epic.org/reports/surfer-beware.html].