CDT POLICY POST Volume 6, Number 24, December 29, 2000
A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) WITH A FEW EXCEPTIONS, MAJOR INTERNET ISSUES DEFERRED BY CONGRESS
(2) CONGRESS PUTS OFF DATA PRIVACY LEGISLATION
(3) CYBERCRIME AND CRITICAL INFRASTRUCTURE LEGISLATION STALLS
(4) ROUNDUP OF OTHER ISSUES: DIG SIGS, SPAM, GAMBLING, LEAKS
(1) WITH A FEW EXCEPTIONS, MAJOR INTERNET ISSUES DEFERRED BY CONGRESS
The 106th Congress, which came to a close on December 15 with the adoption of final funding legislation for the federal government, left behind a mixed and largely inconclusive record on Internet civil liberties. There was one major defeat for Internet freedom, as Congress required all schools and libraries that receive federal funding to install filtering software on their computers. There was one affirmative victory for privacy offline, the expansion of the Driver's Privacy Protection Act. Beyond that, major issues were left hanging and are likely to be back in 2001, with a new Congress and a new President.
We already examined the filtering mandate in CDT Policy Post No. 22: http://www.cdt.org/publications/pp_6.22.shtml. Below is our year-end summary of other issues in the 106th Congress.
(2) CONGRESS PUTS OFF DATA PRIVACY LEGISLATION
Over a dozen major bills were introduced addressing issues of online privacy. Leading Members of Congress, including Senate Commerce Committee Chairman John McCain (R-AZ), concluded that federal legislation was needed to address the growing concerns of consumers about the collection and disclosure of personal information via the Internet. To greater or lesser degrees, the bills sought to codify the basic principles of fair information practices - notice, choice, access, and security - but they diverged widely in their specifics, presenting different approaches to the hard issues of opt-in versus opt-out, enforcement, consumers' access to information about themselves, and preemption of state privacy laws. Consensus on meaningful, workable solutions could not be achieved in an election year. Several Senators and Representatives have said that privacy legislation will be a key priority early in 2001, but the long-running Presidential election contest and the delay in completing the federal budget deferred any efforts at real consensus-building.
H.R. 4049, the Privacy Commission Act, introduced by Rep. Asa Hutchinson (R-AR), was considered by the full House under a special procedure requiring two-thirds approval, but fell short and was not brought up again. The bill, which would have created a privacy study commission, was criticized by some on the ground that it would have merely delayed more substantive action. The vote against the bill was an odd coalition of Members who thought it was a delay tactic and those who preferred to do nothing.
One provision that was enacted represented a small but notable victory for privacy offline: Sen. Richard Shelby (R-AL) further strengthened the 1994 Driver's Privacy Protection Act (DPPA), to forbid (with certain narrow exceptions) state motor vehicle departments from selling or disclosing driver's license photos, Social Security numbers and medical information without an individual's express consent (i.e., "opt-in"). Sec. 309 of the Transportation Appropriations Act, H.R. 4475, Pub. L. 106-346, amending 18 USC 2721.
The DPPA initially required that states give drivers a chance to opt-out of the sale or disclosure of personally-identifiable information such as name and address in response to requests for specific records ("individualized look-up") or for marketing purposes. Last year, Sen. Shelby tightened the act by requiring states to obtain the express consent of a driver before disclosing any information in response to such requests. He also included a one-year rider prohibiting the sale or disclosure of "highly restricted personal information" - defined as an individual's photograph or image, Social Security number, or medical or disability information - for almost all purposes without consent. This year, Sen. Shelby amended the act again, making permanent the strict limits on disclosure of highly restricted information.
Other legislation on Social Security numbers (SSNs) fell by the wayside. A proposal by Sen. Judd Gregg (R-NH) would have banned certain displays of SSNs without an individual's consent, but also would have allowed many other uses and would have preempted the ability of states to provide stronger protections. Sen. Gregg's amendment had been added to an appropriations bill but it was stripped out at the last moment in the face of a veto threat from the Clinton Administration and opposition from privacy advocates who saw it as an anti-privacy proposal.
In response to revelations that federal agencies were using cookies to collect information about visitors to government Web sites, Congress prohibited agencies from collecting, or entering into an agreement with a third party to collect, personally identifiable information regarding an individual's access to or use of any Federal government Internet site. The provision has several exceptions, however, including "law enforcement, regulatory or supervisory purposes, in accordance with applicable law" and "a system security action taken by the operator of an Internet site [that] is necessarily incident to the rendition of the Internet site services or to the protection of the rights or property of the provider of the Internet site." Sec. 501 of H.R. 5394, incorporated by reference into H.R. 4475, which became Pub. L. 106-346. In a separate provision, Congress also required the Inspectors General of each agency to submit to Congress a report disclosing any activity relating to the collection of personally identifiable data about individuals who access government Web sites. Sec. 646 of H.R. 5658, incorporated by reference into H.R. 4577, the Consolidated Appropriations Act, 2001.
S. 2513, the Financial Information Privacy Protection Act of 2000, was the Clinton Administration's proposal to give consumers control over the use and disclosure of their financial and health-related information held by financial institutions. S. 2513 and other financial privacy bills never received serious consideration.
Likewise, Congress failed to give serious consideration to comprehensive medical privacy legislation. In the absence of Congressional action, the Administration acted earlier this month by issuing sweeping privacy rules for the health care industry.
A list of major data privacy bills that were introduced, with summaries and reference to hearings or other action, can be found at http://www.cdt.org/legislation/106th/privacy/
CDT's Congressional testimony in 2000 on privacy issues is at http://www.cdt.org/testimony/
(3) CYBERCRIME AND CRITICAL INFRASTRUCTURE LEGISLATION STALLS
Following the January release of the White House's "National Plan" for critical infrastructure protection and the denial of service attacks on major commercial Web sites in February, legislation was introduced to amend the federal computer crime law and expand government surveillance authority. The leading bill was S. 2448, introduced by Senate Judiciary Committee chairman Orrin Hatch (R-UT) and Sen. Charles Schumer (D-NY).
At the same time, in response to the growing recognition that the privacy protections in federal surveillance laws had been outpaced by technology, legislation was introduced to heighten the privacy constraints on surveillance. Sen. Patrick Leahy (D-VT) took the lead with his E-RIGHTS bill, S. 854, but the surveillance privacy bill that got the farthest was H.R. 5018. Introduced in the House by Rep. Charles Canady (R-FL), H.R. 5018 would have strengthened the pen register and trap and trace law, established a probable cause requirement for government access to wireless phone location information, and prohibited use in court of illegally intercepted email.
The Clinton Administration failed to engage formally with the issue until late in the year, and the Justice Department vigorously opposed many of the privacy enhancing provisions of H.R. 5018 and the Leahy bill. In the end, neither pro-law enforcement nor pro-privacy legislation passed. A stripped-down version of S. 2448 passed the Senate as an amendment to H.R. 46, and H.R. 5018 was approved by the House Judiciary Committee by a vote of 20-1, but there was neither time nor sufficient interest on the part of the Administration to develop a consensus bill that balanced law enforcement and privacy interests.
Another measure that failed to move was the Cyber Security Information Act, H.R. 4246, introduced by Reps. Tom Davis (R-VA) and Jim Moran (D-VA) with the intent of facilitating information sharing about computer security vulnerabilities between the public and private sectors.
Proposals to allow secret searches of homes and offices, which showed up in various versions of legislation on methamphetamine and bankruptcy, never went through.
On a largely offline issue, the bill H.R. 3048 passed, giving the Secret Service authority to issue "administrative subpoenas" in investigating threats against the President or his family. An administrative subpoena is an extraordinary legal document, issued by an investigative officer with no judicial approval and served on a record custodian (including an ISP, a portal or a Web site operator) with no notice to the individual whose records are being procured. The House of Representatives deleted a Senate amendment that would have authorized using administrative subpoenas in investigations in all fugitive cases. We can expect to see other administrative subpoena proposals crop up next year.
Congress authorized or appropriated funding for a number of computer security and surveillance initiatives, including:
For more information on cybercrime and cybersecurity bills, see http://www.cdt.org/wiretap/legislation.shtml and http://www.cdt.org/legislation/106th/wiretaps/
(4) ROUNDUP OF OTHER ISSUES: DIG SIGS, SPAM, GAMBLING, LEAKS
A law intended to boost e-commerce by promoting the acceptance of digital signatures was signed (digitally) on June 30, 2000. Pub. L. 106-229. Its impact, including whether it will adversely affect consumer protection or privacy, remains unclear. See http://www.cdt.org/legislation/106th/digsig/
Other measures that failed to be enacted this year:
Of several proposals in the House and Senate to regulate spam, HR 3113, sponsored by Rep. Heather Wilson (R-NM), got the farthest, passing the House, but it stalled in the Senate. Rep. Wilson has said she intends to reintroduce her bill in the next Congress. For more information, see http://www.cdt.org/legislation/106th/junkmail/
The proposal by Rep. Bob Goodlatte (R-VA) to ban Internet gambling drew widespread concern. CDT was worried that "notice and takedown" provisions in the original bill improperly enlisted Internet Service Providers as enforcers of government content controls without adequate due process. The bill went through numerous revisions and in the process there seemed to have emerged a wider understanding of the dangers in the notice and takedown approach. Despite these changes, the ban still did not generate sufficient support. Rep. Goodlatte is likely to introduce some version of his gambling bill next year.
It wasn't an Internet issue per se, but the Constitution was spared a serious blow when President Clinton vetoed an "official secrets act," an amendment included in the intelligence agencies authorization bill that would have made it a crime to disclose or print classified information even if done without intent to harm or any actual harm to the national security. CDT was among the groups urging a veto. After Clinton's veto, Congress passed a new intelligence authorization bill, H.R. 5630, without the "leaks" provision. House Intelligence Committee chairman Rep. Porter Goss (R-FL) promised to revisit the issue in 2001.
Happy New Year from all of us at CDT!
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_6.24.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 6.24 Copyright 2000 Center for Democracy and Technology