-----------------------------------------------------------------------------
_____ _____ _______
/ ____| __ \__ __| ____ ___ ____ __
| | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_
| | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/
| |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_
\_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/
The Center for Democracy and Technology /____/ Volume 2, Number 37
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 37 November 5, 1996
CONTENTS: (1) End of Session Wrap-Up of Online Privacy Issues
(2) P-Trak Update
(3) How to Subscribe/Unsubscribe
(4) About CDT, contacting us
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of <editor@cdt.org>
** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------
(1) END OF SESSION WRAP-UP OF ONLINE PRIVACY ISSUES
With Congress adjourned and the campaign season behind us, we have a chance
to step back and look at online privacy issues. While there were some
disappointments during the year, there were also signs of progress. The
issue of personal privacy itself was consistently on the public radar screen
over the past year. The media's spotlight is increasingly focused on
information privacy. CDT's privacy demonstration site continues to receive
over 1000 hits a day, and a number or recent studies indicate growing public
concern with the loss of privacy.
Numerous federal agencies have launched privacy intiatives focused on the
impact of new technologies. Several members of Congress introduced
legislation on privacy issues ranging from the protection of medical
information, to the development of privacy-enhancing technology. The
Administration appears poised to create a yet-to-be-defined "privacy
entity" that would, at least, coordinate the Administrations' privacy
efforts or, at best, advocate on behalf of individual privacy.
In addition, there has been some market response to public outcries over the
loss of personal privacy --- forcing one company to revise a product and a
number of other companies to step forward with a policy to provide consumers
with a bit more control over their personal information.
Progress made in protecting personal privacy:
* LEGISLATION: Provisions in three recently passed laws begin to address
privacy concerns in personal information regarding individuals' telephone
usage, individuals personal health information, and personal information
held by credit bureaus.
CUSTOMER PROPRIETARY NETWORK INFORMATION (CPNI): A relatively
unknown part of the recently enacted Telecommunications Reform Act of
1995 is a win for personal privacy. The CPNI provisions limits the
use and disclosure of CPNI -- information which relates to the
quantity, technical configuration, type, destination, and amount of use
of a telecommunications service by a customer and is available to the
carrier solely by virtue of the carrier-customer relationship -- to the
telecommunications service for which the information was collected or
for other services that are necessary to or used in the provision of
that service. The law also provides individuals a legal right to access
their own CPNI.
The CPNI provisions are an important step forward in recognizing
an individual privacy interest in transactional information. Similar to
the provisions regulating law enforcement access to transactional data
under the Digital Telephony Bill (CALEA), the CPNI provisions recognize
that individuals have a privacy interest in transactional data, akin to
the privacy interest in the actual contents of their communications. In
addition, the CPNI rules set an important precedent by regulating the
private sectors use of transactional information. The Federal
Communications Commission (FCC) issued a proposed rule in June, 1996 and
received comments. The final rule on the implementation of this
provision should be issued shortly.
HEALTH INFORMATION: The recently-passed Kennedy-Kassebaum "Health
Insurance Portability and Accountability Act of 1996" included the first
guarantee of a federal policy to govern the privacy of health
information in electronic form. While provisions of the Act mandating
the speedy development and adoption of standards for electronic
exchanges of health information are troublesome given the lack of
strong, enforceable laws protecting patient privacy, the law contains a
mandate that privacy rules be enacted by either the Congress or the
Executive Branch within the next four years.
CREDIT INFORMATION: The public outcry over the sale of personal
information by Lexis-Nexis's P-Trak service prompted Congress to request
a Federal Reserve Board study examining the risk of fraud raised by the
disclosure of personal information. In addition, the P-Trak furor may
have played a roll in nixing an industry-backed exemption to the Fair
Credit Reporting Act (FCRA) which would have allowed credit reports to
be used to generate target marketing lists. This type of credit report
use is currently against FTC rules interpreting the FCRA.
Privacy-related bills introduced during the 104th Congress:
HEALTH INFORMATION: Late last year, Sen. Robert Bennett (R-UT) and
Sen. Patrick Leahy (D-VT) introduced S. 1360, the "Medical Records
Confidentiality Act". A complimentary bill was introduced by Rep. Jim
McDermott (D-WA), the "Medical Privacy in the Age of New Technologies
Act".
ONLINE PRIVACY: This past June, Congressman Ed Markey (D-MA)
introduced the "Communications Privacy and Consumer Empowerment Act".
This bill was designed to address concerns over the collection and use
of personal information generated and collected online. Late in the
session, Rep. Bruce Vento introduced "The Consumer Internet Privacy
Protection Act of 1996", also aimed at protecting the privacy of
information collected and generated during online activities.
CHILDREN'S PRIVACY: A hearing was held on Rep. Bob Frank's bill,
"The Children's Privacy Protection and Parental Empowerment Act of
1996." As noted by CDT, People For the American Way, the Electronic
Frontier Foundation, and Voters Telecommunications Watch, the CPPPEA
raises a number of privacy and First Amendment problems for the
Internet.
* GOV'T AGENCIES FOCUS ON PRIVACY: Federal agencies, such as the Federal
Trade Commission (FTC) and the NTIA (National Telecommunications and
Information Administration), have turned the spotlight on the impact of
technological advances on individual privacy. In June, the FTC held a
workshop on online consumer privacy. Privacy advocates, industry
representatives, and FTC officials gathered to discuss the privacy issues
posed by the evolving online world, and potential policy and technology
solutions.
* PUBLIC CONCERN AND NEWS COVERAGE: The mainstream media's coverage of
privacy issues has increased dramatically. The Lexis-Nexis P-Trak
controversy and the threats to medical records privacy garnered national
headlines. A number of recent reports, such as a Georgia Tech survey
and Louis Harris poll, point to a growing public concern with the loss of
personal privacy in and out of the online world.
* CDT PRIVACY DEMO AND CLEARINGHOUSE: Launched in June, CDT's Privacy
Demonstration and Privacy Policy Clearinghouse seeks to educate the
public about the extent to which personal information can be revealed
online. When an Internet user visits the Privacy Demo, it displays
information about the user such as the kind of web browser and type of
computer they use, even the user's location and e-mail address. The
Privacy Demo continues to receive an average of 1,000 hits a day.
* MARKET RESPONSES: In some instances, the market has responded to public
outcries over threats to personal privacy. This summer, information
service Lexis-Nexis was forced to revise a new online database, P-Trak,
suppressing social security numbers. A number of Internet companies,
including Four11, I/PRO, and Match.com, formed a group called "Privacy
Assured" -- the members of the group agreed to a set of privacy
principles relating to the personal information that is collected, used,
and disseminated at their web sites.
* FEDERAL GOV'T PRIVACY ENTITY: Last month, Sally Katzen, head of the
Office of Management and Budget's Office of Information Regulatory
Affairs, announced that the Administration was considering various
options for the creation of a federal privacy entity, or coordinating
function, within the Executive Branch. Pressure from privacy advocates
and the public, coupled with the European Union's Data Protection
Directive has created a climate where privacy issues may be given the
consideration and deliberation they deserve at the national deserve.
A report discussing the options will be made available for public
comment after the elections.
Privacy setbacks:
* HEALTH INFORMATION: The failure to enact comprehensive privacy
legislation to protect health information, such as the proposed
Bennett-Leahy "Medical Records Confidentiality Act", was a
disappointment. The push to automate our health information embodied
in the Kennedy-Kassebaum "Health Insurance Portability and
Accountability Act of 1996," raises the stakes in the battle to protect
personal health records.
* GOV'T COLLECTION OF PERSONAL INFORMATION: Despite growing public
concern over attacks on personal privacy, Congress passed legislation
that will escalate the collection of personal information by the
government. Pressure to prevent fraud, to more effectively allocate
sparse government dollars, and to ensure that people are who they claim
to be, led to the enactment of laws that track and monitor the behavior
of individuals in order to identify "dead-beat dads", illegal immigrants,
welfare cheats and others defrauding the public trust. Massive record
sharing, extension of existing data systems and the creation of new
highly-intrusive people tracking systems are core components of recently
passed welfare and immigration laws.
* CELLULAR PHONE TRACKING: A battle is being waged to ensure that our
nation's telecommunications system does not become the tracking device
of law enforcement. The FBI recently requested technical specifications
that would require cellular carriers to have the capability to track and
monitor the whereabouts of anyone carrying a phone -- whether it was in
use or not -- and provide location and other information to law
enforcement on demand. The proposed standards were rejected by the
cellular industry in September, but other battles over law enforcement's
desire to increase its wire-tapping capability continue, promising to
keep privacy advocates on the watch.
When Congress is sworn in this January, CDT will be ready to work with
other privacy advocates in building upon this past year's progress on
privacy issues. For more information and updates about these privacy
issues, please visit CDT's Privacy Issues Page:
http://www.cdt.org/privacy/
------------------------------------------------------------------------
(2) P-TRAK UPDATE
This past summer, information service Lexis-Nexis offered a new database
to its subscribers called P-Trak. For a per-use fee, subscribers can use
P-Trak obtain personal information about an individual that can include
name, current and prior addresses, maiden names, birth month and year, and
current telephone number. Social Security numbers were initally available
on P-Trak, however in June, Lexis-Nexis stopped displaying Social Security
numbers in response to complaints from consumers, privacy advocates, and
businesses.
As news about P-Trak spread over the Internet, more and more people
expressed concern over the availability of their personal information
online. In response to a September 20 letter from Senator Richard Bryan
(D-NV), the Federal Trade Commission (FTC) immediately recommended that
Congress take action to protect the privacy of personal information by
amending the Fair Credit Reporting Act (FCRA). The recommendations called
for strengthening the Fair Credit Reporting Act to limit disclosure of
information such as social security number, mother's maiden name, prior
addresses, and date of birth. (See CDT Policy Post 2.33)
Despite the recommendations, Congress adjourned without taking action on
them. However, Congress added an amendment to the Omnibus Appropriations
Bill which directs the Federal Reserve Board to examine whether the sale
of "sensitive consumer identification information" creates "an undue
potential for fraud". Although this is a half-hearted response to the
FTC's recommendations and the public's cry for action, it is a small tribute
to the power and importance of the Internet in turning public opinion into
action.
Following passage of the bill, Chairman of the Senate Committee on Commerce,
Science and Transportation, Sen. Larry Pressler (R-SD), ranking minority
member Senator Ernest Hollings (D-SC), and Senator Richard Bryan (D-NV),
sent a letter requesting the FTC to conduct a study of online and database
privacy issues.
While no legislation was enacted, the outcry over P-Trak proved useful in
two other areas. First, the P-Trak furor may have played a roll in
eliminating an industry pushed exemption to the FCRA which would have
allowed credit reports to be used to generate target marketing lists --
currently against FTC rules interpreting the FCRA. Second, the recent
announcement by "Privacy Assured", a group of Internet companies that
include Four11 and I/PRO, to voluntarily comply with a series of privacy
protective information practices is clearly tied to a desire to respond to
public concerns over individual privacy.
For more information, including the text of the Senators' letter to the FTC
and the text of the bill requesting the Federal Reserve study, please visit
the CDT Privacy Issues page:
http://www.cdt.org/privacy/
------------------------------------------------------------------------
(3) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
policy-posts-request@cdt.org
with a subject:
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post 2.37 11/5/96
-----------------------------------------------------------------------
Return to the CDT Publications Page
Return to the CDT Privacy Issues Page
CDT Home Page