We closed with the warning "surfer beware" because we concluded that there was simply too little privacy protection on the Internet for users to feel secure, and we hoped stronger privacy standards would be developed.

Several web operators wrote to us after Surfer Beware was released to say that they were developing privacy policies for their sites.7 The New York Times web site added a privacy policy a few days after our report came out. The response has been very good.

This month the Federal Trade Commission is conducting a similar survey of 1,200 web sites. I suspect that the FTC will find that a growing numbers of web sites do now have privacy polices. But whether those policies are meaningful or provide any redress to users of these services remains unclear. It is worth noting that America Online has one of the most comprehensive and detailed privacy policies of any company operating on the Internet today. And still Timothy McVeigh almost lost his job.

History of Communications Privacy

One of the great achievements of the American legal system has been our strong commitment to protecting the privacy of personal communications. You can trace this history back at least as far as Benjamin Franklin, who in establishing the national postal service recognized the need to enact federal law to protect the privacy of communications.9

But it was not until 1928 that the Supreme Court had its first brush with the question of whether our Bill of Rights, drafted in the eighteenth century, would apply to the new communications technologies of the twentieth century and beyond. The case concerned a highly successful bootlegging operation in the Pacific Northwest operated by Ralph Olmstead. Federal agents began an extensive surveillance operation that lasted for more than five months. They had no recording devices, so they wrote down what they heard. Sometimes they relayed their recollections of conversations to a stenographer. In the end, they compiled more than 775 pages that they brought to court. The issue was whether the Fourth Amendment warrant requirement would be applied to this new investigative technique. The trial court let the evidence in, over the objection of Mr. Olmstead, and the appeals court affirmed. 10

When the case finally reached the Supreme Court Chief Justice William Taft wrote a detailed opinion that focused on the absence of a physical search, of the type proscribed by the Fourth Amendment, and concluded that the evidence was admissible. The Court held that the Fourth Amendment simply did not apply to this new form of communication.11

But there were two important dissents. Justice Holmes called the matter a "dirty business" because the federal agents had violated a Washington state law that prohibited wiretapping to obtain the evidence. He voted to reverse.

12

Justice Brandeis also dissented. 13 His opinion was not so much about the illegal acts of federal agents; he was more interested in the question of how the Fourth Amendment and our Constitution generally, should apply to these new communication technologies. He wrote, in one of the most famous phrases in American law, that the makers of our Constitution "sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone the most comprehensive of all rights and the right most valued by civilized men." 14 Brandeis's dissent in Olmstead reminds us that the protection of privacy is at the heart of our system of ordered liberty and that that law is an evolving process.

The Supreme Court eventually adopted Justice Brandeis's view and decided in 1967 that the Fourth Amendment did indeed apply to telephone communications. 15 Following the Katz decision and a related case, Berger v. New York, 16 the Congress

7 See, e.g., note from Steve Jenckins, webmaster, Windows95.com ("We had previously been unaware of these privacy concerns, and thank you for bringing them to the attention of surfers across the 'Net, and to Webmasters of major sites.")

8 Federal Trade Commission News Release, "FTC Staff To Survey Consumer Privacy on the Internet" (Feb. 26, 1998) [http://www.ftc.gov/opa/9802/webcom2.htm].

9 David Seipp, "The Right to Privacy in American History," Program in Information Resources Policy, Harvard University (1977)

10 Alan Barth, Prophets with Honors: Great Dissents and Great Dissenters in the Supreme Court 54-79 (1975)

11277 U.S. 438, 455 (1928).

12 Id. at 469.

13 Id. at 471.

14 Id. at 473.

15 U.S. v. Katz, 389 U.S. 347 (1967).

16 388 U.S. 41 (1967).

set out in 1968 to establish a framework to allow electronic wiretapping only under the most limited circumstances. The Congress made clear at that time that wiretapping was to be an investigative means of "last resort."

While some have said that Title III makes clear that the police have the right to wiretap telephone communications when a court order is obtained, I believe the better view of the Act is that it ensured that electronic surveillance would be brought within strict Fourth Amendment requirements. In other words, our federal wiretapping statute was intended to limit this investigative technique to the narrowest circumstances.

Since 1967 there have been a number of significant developments in the law of communications privacy. In 1978 the Congress passed the Foreign Intelligence Surveillance Act to deal with the difficult problem of wiretapping of foreign agents. The Supreme Court had left open the question in the Katz case of whether the Fourth Amendment should apply to national security cases. The Congress resolved this question with the FISA in 1978, establishing a Title III-like framework, albeit with more secrecy and less accountability.17

In the mid-1980s the growth of the Internet and new communications services was apparent. People were using desktop computers and sending messages to one another by means of electronic mail. Questions about the appropriate standards for government searches were arising. In response, Congress amended Title III and enacted the Electronic Communications Privacy Act, which extended privacy protection to stored electronic communications.

The next significant development came in 1994 when Congress passed the Communications Assistance for Law Enforcement Act (CALEA), a measure commonly referred to as "digital telephony." CALEA gave the Department of Justice the authority to set technical standards for the nation's telephone system in an attempt to ensure the ongoing viability of wiretapping.

Many said at the time that the measure was considered that it was a mistake to pass such legislation, not only because it was a fundamental change in the law's approach to electronic surveillance and police powers generally, but also that the bill would be impractical and ultimately unworkable.

For better or worse, this predication seems now to be correct. The FBI and the telephone industry are mired in endless debates about implementing the legislation, the estimated costs are far beyond the initial authorization, the technology innovations continue, and the CALEA policy has slowed the adoption of technical methods, such as encryption, that could make our communications network more secure and reduce the risk of crime. Moreover, our government is now in the unfortunate position of urging other nations to develop more extensive surveillance capabilities.

I hope at some point in the future the Judiciary Committee will have the opportunity to revisit CALEA and to consider whether this is still a sensible policy initiative.

The Role of Government

The United States was for many years a leader in efforts to protect personal privacy. Justice Brandeis wrote a famous law review article on the right to privacy in the late nineteenth century that established the legal claim in this country and elsewhere.18 The privacy right came to be described as the "American tort."

Many other countries joined the US effort to firmly establish this right following the end of the Second World War. The Universal Declaration of Human Rights was adopted and the right of privacy was made explicit in the constitutions of many governments.

The United States continued to lead in the modern era of privacy protection with passage of the Fair Credit Reporting Act in 1970 and then with the Privacy Act of the 1974 that provided comprehensive privacy protection for records held by the federal government.

But our lead has slipped, and we are now viewed by many as falling behind in the effort to protect this critical right. The Administration's own record on privacy protection has been very poor. Not only has the White House resisted calls from long-time trading partners and allies to develop stronger privacy measures, it has actively opposed efforts by other governments to extend privacy rights to their own citizens. This combined with the Administration's attempt to extend techniques for electronic surveillance has placed the United States in the unfortunate position of promoting state surveillance as other governments are trying to establish privacy protection.

1750 U.S.C. §§ 1801-1811.

18 Warren & Brandeis, "The Right to Privacy," 4 Harv.L. Rev. 1 (1890).

The sharp contrast in our government's approach to privacy issues, when compared with other governments, can be understood by considering the significance of the date "October 1998.” In Europe that is the date when the European Data Directive goes into force. It is a comprehensive privacy measure that establishes rights for citizens and recognizes that privacy protection will remain critical for the information economy. It is the result of many years of hard work, negotiation, and commitment by lawmakers.

In this country, in October 1998, we will mark the date when the Communications Assistance for Law Enforcement Act is expected to be operational. That is the law, as I have noted, that requires telephone companies to try to protect electronic interception in the nation's telephone system. We are pursuing elaborate and expensive policies for national communications surveillance as other countries are struggling with the issue of how to protect the privacy rights of their citizens.

We are today not only behind the curve in developing sensible privacy polices, but we are largely out of step with the rest of the world. Lacking the formal means to develop privacy policies and to respond to public concerns, we have left the law enforcement community and the marketing industry to determine how much privacy there will be in the future. The result is not surprising there is growing public concern about the loss of privacy and a widening gap between the problems we face and the solutions we should pursue.

Simply stated, our policy is backward. We impose government controls on techniques to protect privacy, where market-based solutions are preferable. And we leave privacy problems to the market, where government involvement is required. Recommendation

Today the calls for government action to protect privacy are unambiguous. The most recent Harris poll found that a majority of those polled found that privacy is the main reason that people are staying off of the Internet. They want legislation now to protect privacy on the Internet. 19 According to the BusinessWeek/Harris poll, 53% believe that "Government should pass laws now for how personal information can be collected and used on the Internet." Of those polled, 23% said “government should recommend privacy standards for the Internet but not pass laws at the time." Only 19% believe that the government "should let groups develop voluntary privacy standards but not take any action now unless real problems arise."

The Harris/Business Week poll is consistent with other polls that have asked similar questions about privacy and the Internet. Contrary to the popular view that Internet users oppose all form of government action, when it comes to matters of privacy, they believe new laws are necessary.20

Much is also said about the desirability of “self-regulation" for the Internet. There are, indeed, many areas where the government can do the most by doing the least. This is particularly true with matters of speech and content, where our strong First Amendment tradition cautions against any attempt by government to regulate what people may say, read, or watch. But self-regulation has not helped protect privacy on the Internet. It has in fact made it harder for us to focus on the larger questions of a coherent privacy policy. It has also led to erosion in our basic understanding of privacy protection.

For example, the concept of Fair Information Practices-the common thread of all privacy law and policy that clearly places responsibilities on organizations and gives rights to individuals-is now being revised to suit the needs of organizations rather than to protect the interests of individuals. Where once there was an understanding that individuals should have the right to get access to their own data, to inspect it, and to correct it, now those who favor self-regulation believe it is necessary only to provide access to a privacy policy.

Where once individual consent was central to the disclosure of personal information, now the focus is on individual choice for a range of disclosures. Where privacy techniques focused on the means to protect identity, now the focus is on means to obtain information. Many of the techniques that are put forward as "technical solutions"-such as the Open Profiling Standard, the P3P and Trustee will make it easier, not more difficult, to obtain information from individuals using the Internet. Something is clearly amiss.

It is time to reestablish support for Fair Information Practices, to make clear that organizations that collect information have responsibilities, and that individuals

19 BusinessWeek, “A LITTLE NET PRIVACY, PLEASE: Netizens want immediate action from industry and government as consumer-data gathering exceeds the comfort zone." (Mar. 16, 1998) [http://www.businessweek.com/1998/11/b3569104.htm].

20 GVU 8th WWW Survey. [http://www.gvu.gatech.edu/user-surveys/survey-1997–10/

who give up information have rights. The principles are well established in our legal tradition. Privacy protection should not end where the Internet begins.

Amend the Electronic Communications Privacy Act

Congress should specifically consider expanding the scope of privacy provided to subscriber information under Section 2703 of ECPA. Currently, the statute only prohibits the disclosure of such data to "governmental entities" unless they obtain legal process authorizing the disclosure. This prohibition should be extended to the disclosure of subscriber information to any third party. One of the reasons why the Navy was able to obtain information concerning Mr. McVeigh from AOL is that ECPÅ places no restrictions on service providers unless the requester identifies himself as a government agent, which the Navy investigator failed to do. Further, the current statutory regime fails to recognize that significant harm can result from the disclosure of personal information to non-governmental actors. Had Mr. McVeigh been a private sector employee, ECPA would have provided absolutely no protection, despite the fact that he could have lost his job in much the same way. Any requester should be required to provide legal authorization before receiving personal information from a service provider.

With respect to governmental access, ECPA should be amended to prohibit the use as evidence of information obtained in violation of Section 2703, in the same way that Section 2515 prohibits the use of illegally obtained wire or oral communications. Finally, the civil action provision contained in Section 2707 should be amended to make clear that a cause of action will lie against a governmental entity that obtains information in violation of Section 2703.

Support Passage of Internet Privacy Bill and the Children Privacy Bill

The Consumer Internet Privacy Protection Act of 1997 (HR 98) would prevent an "interactive computer service" from disclosing to a third party a subscriber's personal information without that individual's written content. This is a good starting point but will leave uncovered many areas that should receive protection. Representative Franks bill, the Children Privacy Protection and Parental Empowerment Act also provides important safeguards.

Establish a Privacy Agency

In 1973 the Department of Health, Education and Welfare established a special panel to study privacy issues arising from the growing use of automated date processing equipment.21 That report led to the development and passage of the Privacy Act of 1974, perhaps the most important privacy law in our country. But that report also made clear, as have subsequent reports, that the cornerstone of an effective federal policy is a permanent privacy agency.

It is critical today that a privacy agency be established. We simply do not have the expertise, commitment, or understanding in the federal necessary to develop the policies necessary to address the enormous challenges that we are facing. Many of the decisions that are made with significant consequences for privacy protection lack adequate representation of privacy concerns.

In countries across the world, efforts are underway to address these privacy concerns. The European Union is moving forward on the implementation of extensive privacy directive that will establish legal rights for all citizens in the European Union countries. Non-EU countries, including Japan and Canada, are pursuing comprehensive privacy polices. Techniques for anonymity are being promoted in Germany, the Netherlands and elsewhere. Strong medical privacy legislation is in place in New Zealand.

In the United States, even with the efforts of the Federal Trade Commission, there is little sense that we are making progress. Privacy concerns are rising. The public is not persuaded by the current policy. BusinessWeek put it well in an editorial earlier this month:

Time is running out for the Net community. The public does not trust its promises for self-regulation to ensure privacy. The polls show that people don't believe that these voluntary standards are working. Any spot check of Web sites shows that few make any serious effort to protect privacy. It's no wonder that the public wants the government to step in immediately and pass laws on how personal information can be collected and used. Even Silicon Valley libertarians who believed in voluntary standards for years are no longer so sure.

As the economy shifts increasingly from an industrial to an information base, an individual's private data take on an economic utility unknown in the past. So, too, does a person's economic behavior in the electronic realm. Future

21 Records, Computers, and the Rights of Citizens (1973).

22

growth depends on the security of that data and the comfort level for that behavior. Both civil society and economic growth depend increasingly on privacy.2 The United States has long been a beacon of individual liberty and a champion of individual rights. Our greatest challenge today is to carry forward that tradition into the information age. For Internet users today and into the future, that will mean protecting the right of privacy.

References

P. Agre and M. Rotenberg, eds., Technology and Privacy: The New Landscape (MIT Press 1997)

J. Cohen, "A Right to Read Anonymously: A Closer Look at Copyright Management in Cyberspace," U. Conn.L. Rev. (1996)

W. Diffie and S. Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1997)

S. Friewald, "Uncertain Privacy: Communication Attributes After The Digital Telephony," 69 S. Cal. L. Rev. 949 (1996)

International Working Group on Data Protection, Data Protection and Privacy on the Internet, Data Protection and Privacy on the Internet (1996) [http:// www.datenschutz-berlin.de/diskus/13-15.htm]

National Information Infrastructure Task Force, Information Policy Committee, "Options for Promoting Privacy on the National Information Infrastructure" (1997)

Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) [http:// www.oecd.org/dsti/sti/it/secur/prod/PRIV_EN.HTM]

Organization for Economic Cooperation and Development, Cryptography Policy Guidelines (1997) [http://www.oecd.org/dsti/iccp/crypto-e.html]

P. Regan, Legislating Privacy: Technology, Social Values, and Public Policy (University of North Carolina Press 1995)

M. Rotenberg, "Communications Privacy: Implications for Network Design," Communications of the ACM (1995)

M. Rotenberg, “Data Protection in the United States-A Rising Tide?” The Computer Law and Security Report 38-40 (January-February 1998)

M. Rotenberg, “In Support of a Privacy Protection Agency in the United States," Government Information Quarterly (Winter 1991)

P. Schwartz and J. Reidenberg, Data Privacy Law (Michie 1996)

B. Schneier and D. Banisar, The Electronic Privacy Papers (John Wiley 1997)

22 BusinessWeek, "Privacy: The Key to the New Economy," p. 128 (Mar. 16, 1998).