CDT POLICY POST Volume 8, Number 12, May 16, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) Capitol Hill "Busy Season" Brings Wave of Internet Proposals

(2) Privacy Legislation Approved by Senate Committee

(4) Bills Would Loosen Standards on Government Access to E-Mail

(5) Several New Bills Affect Internet Domain Names

(1) CAPITOL HILL "BUSY SEASON" BRINGS WAVE OF INTERNET PROPOSALS

In both the Senate and the House of Representatives, a number of bills under active consideration have important consequences for civil liberties online. In this Policy Post, we summarize some of the most notable Internet-related legislation recently introduced in Congress and moving through its Committees.

For regularly updated information, see CDT's bill-tracking pages at http://www.cdt.org/legislation/.

(2) PRIVACY LEGISLATION APPROVED BY SENATE COMMITTEE

On May 16, the Senate Commerce Committee marked-up S. 2201, the Online Privacy Protection Act, introduced by Senator Ernest Hollings (D-SC). "Marking up" a bill means amending it in a formal Committee session where Members or Senators offer amendments, debate them and vote on them. Often at mark-up many amendments are rolled into a single "substitute" offered by the bill's sponsor. That is what happened in the May 16 mark-up of S. 2201. Normally, a mark-up concludes with a vote to "report" the bill to the full House or Senate with a recommendation calling for its consideration and passage. That did *not* happen on May 16. Due to procedural maneuvering most Senators themselves did not fully understand, the Committee was barred from reporting the bill on the 16th.

As of this writing, the Committee was expected to meet at 9:30 on the morning of Friday, May 17 to finish its work and report out the bill as amended.

The Hollings bill addresses the collection, use and disclosure of personally identifiable information online, requiring --

notice of data collection and use practices;
opt-in consent for collection and sharing of sensitive personally identifiable information;
opt-out for nonsensitive information;
consumer access to information held about them.

The bill would pre-empt state law regulating Internet privacy, and would provide for a private right of action for persons whose sensitive information has not been treated in accordance with the bill's provisions.

The substitute approved on May 16 preserved all of these elements while making many changes designed to clarify the bill or assuage various concerns. Among other things, the substitute required some form of authentication for consumers to access their data held by businesses.

The Committee also approved three other amendments: one, offered by Sen. Brownback, establishes a "safe harbor" for small businesses; another, by Sen. Allen, makes it clear that the access provision does not require companies to disclose proprietary information; and the third, by Sen. Nelson, requires each covered entity to designate some employee responsible for compliance.

The Committee rejected an amendment offered by Sen. John McCain (R-AZ) that would have extended the bill to cover offline as well as online data collection. The McCain amendment was of concern because it would have broadened the bill without taking account of the differences between the online and offline worlds.

Instead, the substitute included language from Sen. Barbara Boxer (D-CA) that would require the Federal Trade Commission to write rules for the offline world within 6 months of the law's enactment and submit them to Congress for evaluation, with the rules taking effect 13 months after that unless Congress rejected them or adopted new ones. This approach would create an incentive for lawmakers to make general privacy protection a major issue for the next Congress.

The Committee also rejected amendments to remove the private right of action and to preempt state common law privacy rules (privacy rights established over many years in judicial decisions).

Several Senators indicated that they had additional concerns with the bill that they would raise with amendments offered when it reaches the full Senate.

The Hollings bill as introduced, CDT's analysis of it, and the text of the amendments adopted on May 16 are all available at http://www.cdt.org/legislation/107th/privacy/hollings.shtml.

(3) JUNK E-MAIL LIMITS GAINING MOMENTUM

Also on May 17, the Senate Commerce Committee is scheduled to mark up S. 630, the "Controlling the Assault of Non-Solicited Pornography and Marketing" ("CAN-SPAM") Act. The measure, introduced by Sens. Conrad Burns (R-MT) and Ron Wyden (D-OR) , would impose various requirements on senders of commercial e-mail (also known as spam), some backed up by criminal penalties, others by civil fines enforced by the Federal Trade Commission or the state Attorneys General, and would authorize lawsuits by ISPs against spammers.

The latest version of the Burns-Wyden bill would:

Define commercial e-mail as any message whose primary purpose is "the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)."
Make it a crime to send unsolicited commercial e-mail with header information that is materially false or misleading.
Make it a civil offense to send any commercial e-mail with header information that is materially or intentionally false or misleading.
Make it a civil offense to send any commercial e-mail with a deceptive subject heading.
Require all unsolicited commercial e-mail to include a functioning return e-mail address that enables recipients to opt-out of future e-mail.
Prohibit sending unsolicited commercial e-mail to those who have requested not to receive it.
Require all unsolicited commercial email to include, in addition to an opt-out address, an "identification" that the message is an advertisement or solicitation and a valid physical postal address of the sender.

CDT believes that the general approach of the Burns-Wyden bill, while not a complete solution to the problem, represents a positive and constitutional response to one of the most irritating annoyances Internet users face. Requiring truthful header information, a valid return address, and opt-out in commercial speech are reasonable measures, and in our view they should be constitutional so long as they allow for anonymity. As we read the bill, it is not a violation of the bill's requirement to use an anonymous or pseudonymous email address, and we are urging Sens. Burns and Wyden to make that clear.

CDT is concerned, however, with three provisions:

The "identification" requirement, which is a form of mandatory labeling and thus a form of compelled speech that is unconstitutional in the absence of a compelling governmental interest and a showing that it is narrowly tailored to serve that interest. It is also certain to be ineffective, since the bill does not specify the form or location of such identification - it could be buried in the text of a message - and thus is unlikely to be useful for end-user filtering of e-mail.
The provision that would require truthfulness in the subject line of e-mail. This standard, especially as applied to advertising, seems so subjective that it would be arbitrarily applied and could chill normal commercial speech. There is already a law against deceptive advertising, backed up by decades of judicial interpretation; the bill, by seeming to create a new rule just for e-mail based advertising, could sow confusion, while adding no new protection to consumers.
The requirement that all unsolicited commercial e-mail include a valid physical address for the sender could affect the right to anonymity and privacy, especially of small business owners or individuals engaged in commercial activity out of their homes.

In addition, we believe the definition of commercial e-mail could be further clarified to avoid sweeping in e-mail linking to websites whose primary purpose is not commercial.

The Senate Commerce Committee is expected to take up the spam bill when it reconvenes on Friday, May 17.

The Burns bill is available through Thomas at http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s630:.

(4) BILLS WOULD LOOSEN STANDARDS ON GOVERNMENT ACCESS TO E-MAIL

Provisions of two new bills -- one to increase online "cybersecurity," the other to aid in the prosecution of online child pornography -- would remove statutory protections that safeguard personal data in the hands of Internet Service Providers (ISPs).

Current law protects the privacy of electronic communications by prohibiting ISPs from disclosing to the government their customers' e-mail without a court order. The two new bills open loopholes in that protection by creating broad new categories of "voluntary" disclosure. If such disclosures are permitted, then the government could gain access to users' private information without receiving a judge's approval, and without notice to the users themselves.

H.R. 3482, the "Cyber Security Enhancement Act," would lower the standard under which the government could gain access to e-mail in emergency situations. It would allow ISPs to disclose data without a court order whenever the ISP believes in good faith that there is an emergency involving risk of death or serious bodily injury to someone. This means that the government can come to an ISP, claim that there is an emergency, and the ISP, in good faith believing the government agents, can disclose the data.
The provision does not require that the government agents have to be acting in good faith. Nor under the new language, does the danger have to be immediate. There is no need to seek review by a judge, even after the emergency has passed, and there is no requirement to notify the customer that his email has been disclosed. There is no time limit on how many days or months of e-mail can be disclosed.

H.R. 3482 was marked up and reported by the House Judiciary Committee on May 8.
H.R. 4623, the "Child Obscenity and Pornography Prevention Act," is intended to overturn the Supreme Court's April 16, 2002 decision on virtual child pornography, by making it a crime to produce, disseminate or possess computer-generated child pornography images that appear virtually indistinguishable from images produced with actual children.
However, the bill includes an unrelated provision that would make it easier for the government to read private e-mail. Currently, ISPs are required to disclose data without a court order, but only if a child pornography violation is "apparent," meaning if the ISP finds on its own child pornography images.

Under the new provision, disclosure would be permitted if the government informally tells an ISP that a violation "may have occurred or will occur." This dispensing with the court order requirement is not even limited to emergency situations where the government does not have time to get a court order. As with the disclosure that would be permitted under H.R.3482, the disclosure in child porn cases would not be subject to court review , nor would targets improperly investigated ever be notified of their ISPs' actions.

The text of the bills and related material can be found at http://www.cdt.org/legislation/107th/wiretaps/.

CDT's testimony on H.R. 3482: http://www.cdt.org/testimony/020212davidson.shtml.

(5) SEVERAL NEW BILLS INTRODUCED AFFECTING INTERNET DOMAIN NAMES

In recent weeks, there has been a wave of activity concerning Internet domain names -- the addresses, such as www.cdt.org, used to identify resources on the Internet.

H.R. 4640, introduced by Reps. Howard Coble (R-NC) and Howard Berman (D-CA), would make it a federal felony to provide, "with intent to defraud," misleading false contact information in registering for a domain name. Given the way the domain name registration system is currently operated, CDT is concerned that the bill would seriously jeopardize the privacy and free speech rights of Internet users.
The bill affects the database of domain name owners' names, addresses, telephone numbers, and e-mail addresses known as the Whois database. The Whois database is publicly accessible worldwide, and is a tool for law enforcement, copyright holders and others with legitimate interests in identifying the owners of domain names.

Although the Whois database has many legitimate uses, its managers have never found a way to balance the legitimate uses of the information against the risks to privacy and anonymity. For many individuals, registering a domain name for personal or political use means making a home address, home phone number and/or personal e-mail address publicly available in the Whois database.

Today, Whois is currently wide open to anyone for any purpose. This allows it to be used for undesirable activities ranging from spam and unwanted telemarketing to felony crimes. Since Whois currently offers no protection for individual users' privacy, some users have taken matters into their own hands by entering false or incomplete information into the Whois database. The Coble bill could make such actions a federal crime carrying up to five years in prison. CDT questions whether exposing millions of Internet registrants to such potential criminal liability is appropriate, especially without further clarification of the law and added privacy protections for personal and non-commercial domain names.

The House Judiciary Subcommittee on the Internet and Intellectual Property has scheduled a hearing on the Whois database of May 22.
H.R. 3833, the "Dot Kids Implementation and Efficiency Act of 2002," would instruct the company administering the .us Internet domain to create a new .kids.us domain that would contain only material appropriate for children below the age of thirteen. Such a domain, however, is likely to be difficult and expensive to maintain, and may not provide significant protection for children. CDT remains wary of the "slippery slope" involved when applying content standards to the Internet.
H.R. 3833 was approved by the Commerce Committee on March 10 and awaits consideration by the full House of Representatives.
S. 2137, the "Family Privacy and Security Act of 2002," introduced by Sen. Mary Landrieu (D-LA), would instruct ICANN -- the Internet Corporation for Assigned Names and Numbers, which administers the global domain name system -- to create a top-level Internet domain expressly for material "harmful to minors." The bill would require any commercial web site that has as its principal or primary business the making available of material that is "harmful to minors" to register in that domain.
CDT has grave reservations about this approach to protecting children online. Mandatory categorization of content is a form of forced speech raising serious constitutional concerns. The provision would enmesh the domain names industry, online publishers and courts in endless debates about what is and what is not harmful to minors. Moreover, it is hard to see how the proposal could be implemented on the global Internet where there is no international agreement on what is "harmful to minors."

CDT will continue to point out to legislators that passing new laws like this is not nearly as effective as non-legislative means of child protection such as education of parents and children, parental installation of filters, and school and library acceptable use policies.

Links to these bills are at http://www.cdt.org/legislation/107th/dns/.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.12.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org