Statement of Marc Rotenberg, Washington Director
Computer Professionals for Social Responsibility (CPSR)

Open Forum on Library and Information Service's Roles in the National Research and Education Network (NREN)
National Commission on Libraries and Information Science (NCLIS)
Washington, DC
July 21, 1992

Thank you for the opportunity to testify today before the National Commission on Library and Information Science (NCLIS). My name is Marc Rotenberg and I am the Director of the Washington Office of Computer Professionals for Social Responsibility (CPSR). CPSR is a national organization of professionals in the computing field.

I would like to speak with you about privacy protection and the future of the NREN. This is item 6 identified in the NREN research agenda. Richard Civille will speak with you next about CPSR's work to promote Local Civic Networks.

During the past few years CPSR has coordinated several national efforts to promote privacy protection for network communication. From cryptography to Caller ID, we have sought to ensure that the rapid developments in the communications infrastructure do not diminish the privacy we all value. We believe that the future of network communications depends largely on the ability to make certain that sufficient privacy protection is available for all users of the network.

In this effort we have worked closely with the library community. It became clear to us that library organizations have a special appreciation for the importance of privacy protection. For many, privacy is the critical safeguard that protects intellectual freedom and promotes the open exchange of information. The American Library Association, the Association of Research and other library organizations have all shown their support for privacy protection through codes of conduct, policy statements, and research conferences.

We have also worked closely with telecommunication policy makers in the United States and around the world.
The New York state Public Service Commission issued a policy on telecommunication privacy which set out several principles for network communications. These recommendations have been followed in several states. More recently, the Minister of Communications in Canada issued a series of principles on communications policy. Meanwhile, the Commission of the European Communities has put forward a draft directive on Data Protection in Telecommunications.

The European Commission made a critical point about future network development. It said that "the effective protection of personal data and privacy is developing into an essential precondition for social acceptance of new digital networks and services." This view is shared by agencies in other countries that have looked at the implications of advanced networking services. For example, the Ministry of Posts and Telecommunications in Japan recently concluded a study on the protection of personal data in the telecommunications business and recommended a series of privacy guidelines to accompany the introduction of new network services.

In the United States, however, we find ourselves in the midst of the greatest privacy debate in a generation. In the absence of a coherent federal policy to protect privacy, consumers have been left to fend for themselves, and the response is not encouraging. From Pennsylvania to California, telephone companies now face widespread and well-founded consumer opposition to new telephone services. Part of the reason for this is that there has been little effort in the United States at the federal level to develop privacy principles for new network services.

CPSR would like to see an agency in the United States take on the task of developing and promulgating privacy principles for network services. We have already recommended the creation of a data protection board which could, among other tasks, develop appropriate principles for network communications.
There is a proposal before Congress to establish such an agency, but it is unclear whether it will be enacted this year. Meanwhile, the Federal Communications Commission (FCC) has been unwilling to address the privacy implications of new network services. We are also somewhat disappointed that neither the Computer Science and Technology Board (CSTB) of the National Research Council nor the Office of Technology Assessment (OTA) has addressed privacy concerns for network users. Both the CSTB and the OTA are well qualified to tackle this problem.

In the interim, NCLIS could take a leadership role, and help develop and promulgate privacy principles for the emerging communications infrastructure. It is clearly in the interest of the library and information science community to ensure adequate privacy protection, but unless some agency takes on this responsibility it appears unlikely that the work will be undertaken.

CPSR believes that it is in the long-term interest of our country and of computer users around the world to ensure protection for networked communication. The failure to develop such policy may impose very high costs on all network users, and may ultimately reduce greatly the value of the network to users. Speaking academically, the absence of adequate protection for electronic communication is a substantial gap in NREN policy that should soon be addressed if the full potential of the infrastructure is to be realized. Speaking practically, if we don't get some good policy soon, we may all be buried in a blizzard of electronic junkmail the likes of which we have never known.

I would like now to make three points about the current state of privacy protection for NREN, and then propose a series of principles for privacy protection. These principles may help "get the ball rolling" and encourage the development of other initiatives. I hope that NCLIS will recommend that the Office of Science and Technology Policy (OSTP) give these principles full consideration.

FINDING 1: Commercialization of the NREN will exacerbate existing privacy problems. Without a clear mechanism to protect privacy, user concerns will increase.
Much of the discussion surrounding the NREN today focuses on the opportunity to develop commercial services and to provide network access for private carriers. We do not oppose efforts to provide commercial services. Clearly, there is an important opportunity to develop new services and to offer products through the network. At the same time, it is apparent that the commercialization of the NREN will create new pressures on privacy protection.

In the current network environment, made up primarily of researchers and scientists, there is little incentive or opportunity to gather personal data, to compile lists, or to sell personal information. This is likely to change. Once commercial transactions begin to take place on the net, the information environment will resemble a hybrid of credit card and telephone call transactions. Records of individual purchases will be available and will possess commercial value. The NREN community will face a whole new set of privacy issues.

We anticipate that there will be three different types of privacy problems as the NREN continues to evolve.

First, as commercial organizations become users of the network, they will gather personal data, and wish to sell lists. The address files for list servers could be sold, and users may find themselves "subscribed" to lists they have no interest in. These activities will raise traditional privacy concerns about the restrictions on disclosure and secondary use, the opportunity for users to obtain information held by others, and the need to minimize the collection of personal information.

Second, efforts to promote competitiveness in the delivery of network services may also lead to the disclosure of network data which will compromise user privacy.
This problem is already apparent in the current rules for the operation of the telephone network. The Federal Communications Commission requires telephone companies to provide records of customer phone calls to other companies so that competing companies may analyze calling patterns and sell their services. Large companies objected to the disclosure of this sensitive information. As a result the FCC required that telephone companies obtain authorization before releasing these numbers. But this restriction only applies to telephone customers with more than 20 lines.

The disclosure of Customer Proprietary Network Information (CPNI) has already surprised many telephone customers who now receive calls from companies with whom they have no prior relationship. These companies are able to describe the customer's telephone calling habits in great detail. Users of NREN services are also likely to object to the disclosure of network information.

The third problem is that law enforcement agencies are likely to make "greater demands" on communication service providers to turn over records of electronic communications to the government and to provide assistance in the execution of warrants. I say "greater demands" with some reservation since the recent proposal from the Federal Bureau of Investigation to require that all communications equipment in the United States be capable of wiretapping seems about the greatest demand conceivable. Still, we should anticipate that the government demands for access to the contents and records of NREN communications are likely to increase.

FINDING 2: Current privacy protections are inadequate
Electronic communications are provided some protection against unlawful interception by the Electronic Communications Privacy Act (ECPA) of 1986. This law extends the very important guarantees contained within the 1968 wiretap statute to digital communication and stored electronic mail. But this protection now appears inadequate.
As a general matter, the wiretap law protects the contents of an electronic message against unlawful disclosure; it does not protect the record of the transaction against disclosure. ECPA also does not appear to protect critical personal information, such as a person's telephone number, from improper disclosure. For example, the Calling Number Identification (CNID) service is probably a violation of the wiretap statute and clearly a violation of the wiretap law of several states. Nonetheless, the service has been offered over the objection of consumer groups, technical experts, and legal scholars.

FINDING 3: Technical safeguards provide only a partial solution
There are some in the network community who believe that technology will provide a solution to these emerging privacy problems. New techniques in cryptography provide ways to protect the contents of an electronic message and even to protect the identity of the message author. An article that will appear next month in Scientific American titled "Achieving Electronic Privacy" describes in more detail how it may be possible through technical means to recapture some privacy.

CPSR has supported many efforts to improve technical means for privacy protection. In fact, CPSR has been one of the leading proponents of the widespread use of cryptography to protect electronic communications. We have opposed restrictions by both the National Security Agency and the Federal Bureau of Investigation on the use of cryptography. We have also supported the development of privacy-enhancing technologies, such as telephone cards which are widely used in Europe and Japan, and recommended that policy makers explore technical means to protect information.

Nonetheless, we do not believe that technical safeguards will provide sufficient protection for networked communications. Our right of privacy is based on Constitutional principles and our national history, and reflects our commitment to certain political ideals.
The protection of privacy is ultimately a policy decision that must be resolved through our political institutions. Clearly, technology provides useful developments that we should incorporate into future networks, but it would be a mistake to assume that technology alone will provide sufficient protection.

This point was made two decades ago by former White House Science Adviser Jerome Wiesner who also served as president of MIT. In testimony before Congress on the privacy implications of databanks, Professor Wiesner said:

"There are those who hope new technology can redress these invasions of personal autonomy that information technology now makes possible, but I don't share this hope. To be sure, it is possible and desirable to provide technical safeguards against unauthorized access. It is even conceivable that computers could be programmed to have their memories fade with time and to eliminate specific identity. Such safeguards are highly desirable, but the basic safeguards cannot be provided by new inventions. They must be provided by the legislative and legal systems of this country. We must face the need to provide adequate guarantees for individual privacy."

We believe that the development of NREN privacy policy should be conducted in this spirit: looking for opportunities to incorporate technical safeguards while recognizing that the ultimate decisions are policy-based.

PRIVACY GUIDELINES
Before discussing the proposed privacy principles, I would like to say a few words about the desirability of developing these principles. Privacy protection in electronic environments is a particularly complex policy problem. There is legal jargon and technical jargon. There are rapid changes. And there are certainly a wide range of opinions about how best to achieve privacy, even about what privacy means.

Privacy principles have helped to clarify goals and to convey objectives in non-technical terms.
Well-developed policies are "technology neutral" and are adaptable as new technologies emerge. Professional organizations have made widespread use of such principles for codes of ethics and for public education.

There are a number of such policies in the privacy realm. Some of these policies have been extremely influential in the development of public policy, national law, and international agreements. For example, the Code of Fair Information Practices was the basis for the Privacy Act of 1974, the most extensive privacy law in the United States. The Code was developed by a special task force created by the Secretary of Health, Education, and Welfare in 1973. Other codes have formed the basis for data protection law in Great Britain. All of these codes seek to establish certain responsibilities for organizations that collect personal information, and to create certain rights for individuals.

In developing these telecommunication privacy guidelines, we examined existing codes and particularly the principles developed by the Organization for Economic and Cooperative Development (OECD) in 1981. We also incorporated several additional principles that we believe are necessary to protect personal information in communication environments. Taken as a whole, the principles are intended to improve privacy protection for network communications as the NREN continues to evolve.

RECOMMENDATION 1: The confidentiality of electronic communications should be protected.
The primary purpose of a communication network is to ensure that information can travel between two points without alteration, interception, or disclosure. A network that fails to achieve this goal will not serve as a reliable conduit for information. Therefore the primary goal should be to guarantee the confidentiality of electronic communications.

RECOMMENDATION 2: Privacy considerations must be recognized explicitly in the provision, use and regulation of telecommunication services.
The addition of new services to a communications infrastructure will necessarily raise privacy concerns. Users should be fully informed about the privacy implications of these services so that they are able to make appropriate decisions about the use of services.

RECOMMENDATION 3: The collection of personal data for telecommunication services should be limited to the extent necessary to provide the service.
Users should not be required to disclose personal data which is not necessary for the rendering of the service. In particular, the use of the Social Security number should be avoided. In no instance should it be used as both an identifier and authenticator.

RECOMMENDATION 4: Service providers should not disclose information without the explicit consent of service users. Service providers should be required to make known their data collection practices to service users.
Service providers have a responsibility to inform users about the collection of personal information and to protect the information against unlawful disclosure. Personally identifiable information should not be disclosed without the affirmative consent of the user.

RECOMMENDATION 5: Users should not be required to pay for routine privacy protection. Additional costs for privacy should only be imposed for extraordinary protection.
The premise of the federal wiretap statute is that all users of the public network are entitled to the same degree of legal protection against the unlawful disclosure of electronic communications. This principle should be carried forward into the emerging network environment. Segmented levels of privacy protection are also likely to introduce new transaction costs and create inefficiencies. Where special charges are imposed for privacy, it should be for "armored car" service.

RECOMMENDATION 6: Service providers should be encouraged to explore technical means to protect privacy.
Service providers should pursue technical means to protect privacy, particularly where such means may improve the delivery of service and reduce the risk of privacy loss.

RECOMMENDATION 7: Appropriate security policies should be developed to protect network communications
Security is an element of privacy protection but it is not synonymous with privacy protection. Appropriate security policies should be put in place to protect privacy. However, it should be recognized that some security measures may compromise privacy protection. Network monitoring, for example, or the collection of detailed audit trail information will raise substantial privacy concerns. Therefore, security policies should be designed to serve the larger goal of privacy protection.

RECOMMENDATION 8: A mechanism should be established to ensure the observance of these principles.
Good principles without appropriate oversight and enforcement are insufficient to protect privacy. This has been the experience of the United States with the Privacy Act of 1974 and of the European countries with the OECD principles of 1981. In both instances, fine principles lacked sufficient oversight and enforcement mechanisms.

Additional principles may be appropriate and these principles may well need modification. But we hope that they will provide a good starting point for a discussion on communications privacy for the NREN.

[Attachments: "Protecting Privacy," Communications of the ACM, April 1992; "Communications Privacy: Implications for Network Design," Proceedings of INET '92, Kobe, Japan]