Computer Professionals for Social Responsibility (CPSR)
Open Forum on Library and Information Service's
Roles in the National Research and Education Network (NREN)
National Commission on Libraries and Information Science (NCLIS)
Washington, DC July 22,1992
Thank you for the opportunity to testify today before the National Commission on Library and Information Science (NCLIS). My name is Marc Rotenberg and I am the Director of the Washington Office of Computer Professionals for Social Responsibility (CPSR). CPSR is a national organization of professionals in the computing field. I would like to speak with you about privacy protection and the future of the NREN. This is item 6 identified in the NREN research agenda.
Richard Civille will speak with you next about CPSR's work to promote Local Civic Networks. During the past few years CPSR has coordinated several national efforts to promote privacy protection for network communication. From cryptography to Caller ID, we have sought to ensure that the rapid developments in the communications infrastructure do not diminish the privacy we all value.
We believe that the future of network communications depends largely on the ability to make certain that sufficient privacy protection is available for all users of the network. In this effort we have worked closely with the library community. It became clear to us that library organizations have a special appreciation for the importance of privacy protection. For many, privacy is the critical safeguard that protects intellectual freedom and promotes the open exchange of information. The American Library Association, the Association of Research and other library organizations have all shown their support for privacy protection through codes of conduct, policy statements, and research conferences.
We have also worked closely with telecommunication policy makers in the United States and around the world. The New York state Public Service Commission issued a policy on telecommunication privacy which set out several principles for network communications. These recommendations have been followed in several states. More recently, the Minister of Communications in Canada issued a series of principles on communications policy. Meanwhile, the Commission of the European Communities has put forward a draft directive on Data Protection in Telecommunications.
The European Commission made a critical point about future network development. It said that "the effective protection of personal data and privacy is developing into an essential precondition for social acceptance of new digital networks and services." This view is shared by agencies in other countries that have looked at the implications of advanced networking services. For example, the Ministry of Posts and Telecommunications in Japan recently concluded a study on the protection of personal data in the telecommunications business and recommended a series of privacy guidelines to accompany the introduction of new network services.
In the United States, however, we find ourselves in the midst of the greatest privacy debate in a generation. In the absence of a coherent federal policy to protect privacy, consumers have been left to fend for themselves, and the response is not encouraging. From Pennsylvania to California, telephone companies now face widespread and well-founded consumer opposition to new telephone services. Part of the reason for this is that there has been little effort in the United States at the federal level to develop privacy principles for new network services.
CPSR would like to see an agency in the United States take on the task of developing and promulgating privacy principles for network services. We have already recommended the creation of a data protection board which could, among other tasks, develop appropriate principles for network communications. There is a proposal before Congress to establish such an agency, but is unclear whether it will be enacted this year.
Meanwhile, the Federal Communications Commission (FCC) has been unwilling to address the privacy implications of new network services. We are also somewhat disappointed that neither the Computer Science and Technology Board (CSTB) of the National Research Council or the Office of Technology Assessment (OTA) has addressed privacy concerns for network users. Both the CSTB and the OTA are well qualified to tackle this problem.
In the interim, NCLIS could take a leadership role, and help develop and promulgate privacy principles for the emerging communications infrastructure. It is clearly in the interest of the library and information science community to ensure adequate privacy protection, but unless some agency takes on this responsibility it appears unlikely that the work will be undertaken.
CPSR believes that it is in the long-term interest of our country and of computer users around the world to ensure protection for networked communication. The failure to develop such policy may impose very high costs on all network users, and may ultimately reduce greatly the value of the network to users.
Speaking academically, the absence of adequate protection for electronic communication is a substantial gap in NREN policy that should soon be addressed if the full potential of the infrastructure is to be realized. Speaking practically, if we don't get some good policy soon, we may all be buried in a blizzard of electronic junkmail the likes of which we have never known.
I would like now to make three points about the current state of privacy protection for NREN, and then propose a series of principles for privacy protection. These principles may help "get the ball rolling" and encourage the development of other initiatives. I hope that NCLIS will recommend that the Office of Science and Technology Policy (OSTP) give these principles full consideration.
In the current network environment, made up primarily of researchers and scientists, there is little incentive or opportunity to gather personal data, to compile lists, or to sell personal information. This is likely to change. Once commercial transactions begin to take place on the net, the information environment will resemble a hybrid of credit card and telephone call transactions. Records of individual purchases will be available and will possess commercial value. The NREN community will face a whole new set of privacy issues.
We anticipate that there will be three different types of privacy problems as the NREN continues to evolve. First, as commercial organizations become users of the network, they will gather personal data, and wish to sell lists. The address files for list servers could be sold, and users may find themselves "subscribed" to lists they have no interest in. These activities will raise traditional privacy concerns about the restrictions on disclosure and secondary use, the opportunity for users to obtain information held by others, and the need to minimize the collection of personal information.
Second, efforts to promote competitiveness in the delivery of network services may also lead to the disclosure of network data which will compromise user privacy. This problem is already apparent in the current rules for the operation of the telephone network. The Federal Communication Commission requires telephone companies to provide records of customer phone calls to other companies so that competing companies may analyze calling patterns and sell their services. Large companies objected to the disclosure of this sensitive information. As a result the FCC required that telephone companies obtain authorization before releasing these numbers. But this restriction only applies to telephone customers with more than 20 lines.
The disclosure of Customer Proprietary Network Information (CPNI) has already surprised many telephone customers who now receive calls from companies with whom they have no prior relationship. These companies are able to describe the customer's telephone calling habits in great detail. Users of NREN services are also likely to object to the disclosure of network information.
The third problem is that law enforcement agencies are likely to make "greater demands" on communication service providers to turn over records of electronic communications to the government and to provide assistance in the execution of warrants. I say "greater demands" with some reservation since the recent proposal from the Federal Bureau of Investigation to require that all communications equipment in the United States be capable of wiretapping seems about the greatest demand conceivable. Still, we should anticipate that the government demands for access to the contents and records of NREN communications are likely to increase.
ECPA also does not appear to protect critical personal information, such as a person's telephone number, from improper disclosure. For example, the Calling Number Identification (CNID) service is probably a violation of the wiretap statute and clearly a violation of the wiretap law of several states. Nonetheless, the service has been offered over the objection of consumer groups, technical experts, and legal scholars.
CPSR has supported many efforts to improve technical means for privacy protection. In fact, CPSR has been of the leading proponents of the widespread us of cryptography to protect electronic communications. We have opposed restrictions by both the National Security Agency and the Federal Bureau of Investigation on the use of cryptography. We have also supported the development of privacy-enhancing technologies, such as telephone cards which are widely used in Europe and Japan, and recommended that policy makers explore technical means to protect information.
Nonetheless, we do not believe that technical safeguards will provide sufficient protection for networked communications. Our right of privacy is based on Constitutional principles and our national history, and reflects our commitment to certain political ideals. The protection of privacy is ultimately a policy decision that must be resolved through our political institutions. Clearly, technology provides useful developments that we should incorporate into future networks, but it would be a mistake to assume that technology alone will provide sufficient protection.
This point was made two decades ago by former White House Science Adviser Jerome Wiesner who also served as president of MIT. In testimony before Congress on the privacy implications of data banks, Professor Wiesner said:
"There are those who hope new technology can redress these invasions of personal autonomy that information technology now makes possible, but I don't share this hope. To be sure, it is possible and desirable to provide technical safeguards against unauthorized access. It is even conceivable that computers could be programmed to have their memories fade with time and to eliminate specific identity. Such safeguards are highly desirable, but the basic safeguards cannot be provided by new inventions. They must be provided by the legislative and legal systems of this country. We must face the need to provide adequate guarantees for individual privacy."
Privacy principles have helped to clarify goals and to convey objectives in non-technical terms. Well developed polices are "technology neutral" and are adaptable as new technologies emerge. Professional organizations have made widespread use of such principles for codes of ethics and for public education.
There are a number of such polices in the privacy realm. Some of these polices have been extremely influential in the development of public policy, national law, and international agreements. For example, the Code of Fair Information Practices was the basis for the Privacy Act of 1974, the most extensive privacy law in the United States. The Code was developed by a special task force created by the Secretary of Health, Education, and Welfare in 1973. Other codes have formed the basis for data protection law in Great Britain.
All of these codes seek to establish certain responsibilities for organizations that collect personal information, and to create certain rights for individuals. In developing these telecommunication privacy guidelines, we examined existing codes and particularly the principles developed by the Organization for Economic and Cooperative Development (OECD) in 1981. We also incorporated several additional principles that we believe are necessary to protect personal information in communication environments. Taken as a whole, the principles are intended to improve privacy protect ion for network communications as the NREN continues to evolve.
Additional principles may be appropriate and these principles may well need modification. But we hope that they will provide a good starting point for a discussion on communications privacy for the NREN.