Date:       Thu, 21 Apr 94 09:20:51 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#055

Computer Privacy Digest Thu, 21 Apr 94              Volume 4 : Issue: 055

Today's Topics:			       Moderator: Leonard P. Levine

       FEDGOVT: Request for comments: privacy and the NII (long)

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: "Arthur R. McGee" <amcgee@netcom.com>
Date: 20 Apr 1994 20:09:32 -0700 (PDT)
Subject: FEDGOVT: Request for comments: privacy and the NII (long)

 ---------- Forwarded message ----------
Date: Wed, 20 Apr 1994 13:18:42 -0400
From: CMATTEY@ntia.doc.gov
Subject: privacy and the NII

The National Telecommunications and Information Administration is
seeking comments on issues relating to privacy and the National
Information Infrastructure.  The attached files are a press
release and full text of NTIA's Notice of Inquiry and Request for
Comments.

CONTACT:  Larry Williams, (202) 482-1551

NTIA EXTENDS NOTICE OF INQUIRY ON PRIVACY ISSUES

TECHNICAL NEWS ADVISORY  

     The National Telecommunications and Information
Administration (NTIA) has extended the deadline for filing
comments in its privacy Notice of Inquiry (NOI) to May 23, 1994.

     On February 11, 1994, NTIA published a Notice of Inquiry and
Request for Comments in the Federal Register entitled "Inquiry on
Privacy Issues Relating to Private Sector Use of 
Telecommunications-Related Information."  59 FR 6842.

     NTIA has received comments from 30 parties in this
proceeding.  Those comments can be reviewed in NTIA's Openness
Room, U.S. Department of Commerce, Room 4092, 14th St. and
Pennsylvania Ave., N.W., Washington, D.C. 20230, between the
hours of 9:00 am - 5:00 pm.  For further information about NTIA's
Openness Room, contact Norbert Schroeder at (202) 482-6207.

     Since the comment deadline date, NTIA has received several
requests for extension of time to file comments.  In the interest
of fairness to all potentially interested parties, and to provide
an additional opportunity to develop the record in this
proceeding, NTIA will allow additional time in which to file
comments.

     Additional comments should be filed on or before May 23,
1994, to receive full consideration.  Please submit seven copies
to the Office of Policy Analysis and Development, NTIA, U.S.
Department of Commerce, Room 4725, 14th St. and Pennsylvania
Ave., N.W., Washington, D.C.  20230.  Comments also may be
submitted electronically via Internet to cmattey@ntia.doc.gov.

     For further information, please contact Carol Mattey or Lisa
Leidig, Office of Policy Analysis and Development, NTIA, at (202)
482-1880.

April 19, 1994

 ------------------- NOIPRIV.DOS follows --------------------
                                   [Billing Code: 3510-60]

DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 940104-4004]
Inquiry on Privacy Issues Relating to Private Sector Use of
Telecommunications-Related Personal Information 

AGENCY:  National Telecommunications and Information
Administration (NTIA), Commerce

ACTION:  Notice of Inquiry; Request for Comments

SUMMARY:  NTIA is conducting a comprehensive review of
privacy issues relating to private sector use of
telecommunications-related personal information associated
with the National Information Infrastructure.  Public
comment is requested on issues relevant to such a review. 
After analyzing the comments, NTIA intends to issue a
report, which may make recommendations to the Information
Infrastructure Task Force and Congress in the area of
telecommunications and information policy, as appropriate.

DATES:  Comments should be filed on or before March 30,
1994, to receive full consideration.

ADDRESS:  Comments (seven copies) should be sent to the
Office of Policy Analysis and Development, NTIA, U.S.
Department of Commerce, 14th St. and Constitution Ave.,
N.W., Room 4725, Washington, D.C.  20230.

FOR FURTHER INFORMATION CONTACT:  Carol Mattey or Lisa
Leidig, Office of Policy Analysis and Development,
202-482-1880.

AUTHORITY:  National Telecommunications and Information
Administration Organization Act of 1992, Pub. L. No. 102-538,
106 Stat. 3533 (1992) (to be codified at 47 U.S.C.

SUPPLEMENTARY INFORMATION:
I.   Introduction
1.   Today, there is a thriving U.S. industry dealing in
personal information.  Over 10,000 lists of data about
individuals are available for rent.  According to one 1990
estimate, the business of selling personal information was a
$3 billion per year industry.  Personal computers can be
used to access information services that provide a wealth of
information about individuals.  Often such personal data
is being manipulated for purposes other than those
originally intended when collected, and the parties engaging
in such activities have no prior direct relationship with
the individual about whom the information pertains. 
Moreover, many Americans have little idea of what
information is being collected about them or the many
possible uses of such information.

2.   The National Information Infrastructure (NII) -- the
evolving seamless interactive web of communications
networks, computers, data bases, and consumer electronics in
the United States -- will accelerate this trend even
further.  As the NII develops, Americans will be able to
access numerous commercial, scientific, and business data
bases, obtain government information and apply for
government benefits, select and customize entertainment
programming, engage in retail, banking, and other commercial
transactions, express their views to federal, state, and
local government officials, and engage in productive
employment, all from the comfort of their homes.  With this
growth in the number of electronic transactions, the
accelerated collection of personal information, and the
increase in the interconnectivity of telecommunications
networks and information service providers, however, comes
increasing public concern about communications and personal 
privacy.

3.   On September 15, 1993, the Clinton Administration
announced the formation of a federal interagency task force
-- the Information Infrastructure Task Force (IITF) -- that
would work with Congress and the private sector to propose
policies and initiatives needed to accelerate the deployment
of the NII.  One of the IITF's goals is to ensure that the
NII's operations are compatible with the legitimate privacy
interests of its users, while recognizing the legitimate
societal need for the flow of information.  

4.   One of the agencies participating in the IITF is the
National Telecommunications and Information Administration
(NTIA), which is the Executive Branch agency principally
responsible for developing and articulating domestic and
international telecommunications policies.  As the principal
advisor to the President on telecommunications policies,
NTIA conducts studies and makes recommendations regarding
telecommunications policies, activities, and opportunities,
and presents Executive Branch views on telecommunications
matters to the Congress, the Federal Communications
Commission (FCC), state and local governments, and members
of the public.

5.   NTIA is undertaking this proceeding to examine the
privacy implications associated with private sector use of
personal information associated with the NII.  Consistent
with NTIA's communications and information policy function,
we focus our inquiry on potential uses of information
generated by interactive multimedia and by telephone usage
and transactions utilizing the telephone, known as telephone
transaction generated information (TTGI).  We ask whether
any overarching principles can be developed that would apply
to all firms in the telecommunications sector.  Moreover, we
consider the issues that arise when such telecommunications-
related information is used to create and disseminate
detailed dossiers about individuals.  We then address the
role of industry self-regulation for providers of
telecommunications and information services.  Finally, we
solicit comment on other countries' actions to ensure the
privacy of information transmitted over telecommunications
networks, and how any U.S. policies in this area will affect
the international arena.  The record developed in this
proceeding will be used to develop recommendations in the
area of communications and information policy for
presentation to the IITF and Congress, as appropriate.

II.  Privacy in a Changing Environment
6.   A critical question is what exactly should the right to
privacy entail in today's information economy.  In a
seminal law review article in 1890, Samuel Warren and Louis
Brandeis defined the right of privacy as "the right to be
left alone."  In more recent years, privacy has been
defined by one academic as "the claim of individuals,
groups, or institutions to determine for themselves when,
how, and to what extent information about them is
communicated to others."

7.   There is no single privacy law in the United States;
rather, U.S. privacy law is a patchwork of constitutional,
statutory, regulatory, and common law protections.  While
the Supreme Court has held that the Fourth Amendment
restricts the ability of government to collect information
from places in which an individual has a reasonable
expectation of privacy, there is no constitutional right to
be free from analogous intrusions by private sector parties. 
Tort law limits intrusive collection of private information,
penalizes unwarranted disclosure of such information, and
protects against disclosure of erroneous information about
individuals.  A number of statutes, at both the federal and
state level, protect individuals from governmental misuse of
personal information, while other statutes adopt "fair
information principles" for private sector record keepers in
specific industries.  

8.   In 1974, Congress established the Privacy Protection
Study Commission to undertake a broad study of whether
privacy rights were being adequately protected in the
emerging information society.  In its final report,
issued in 1977, the Commission concluded that federal
privacy laws should advance three concurrent policy goals --
     -    To minimize intrusiveness by creating a proper
          balance between what an individual is expected to
          divulge to a record-keeping organization and what
          he or she seeks in return;
     -    To maximize fairness by opening up record-keeping
          operations in ways that will minimize the extent
          to which recorded information about an individual
          is itself a source of unfairness in any decision
          about him or her; and 
     -    To create legitimate, enforceable expectations of
          confidentiality by creating and defining
          obligations with respect to the uses and
          disclosures that will be made of recorded
          information about an individual.

9.   Today, more than fifteen years later, there have been
further advances in telecommunications and information
technology.  Given the proliferation of computerized data
collection and the prospect of converging technologies --
computers, telephones, and mass media -- it is time to
reconsider what privacy means in developing electronic
communities.  

10.  The Administration has a broad vision of a future NII
that will enable people in their homes, schools, places of
business, and elsewhere to benefit from improved
communications and access to information resources.  In such
a world, the collection and dissemination of information can
serve many useful social and economic purposes.  At the same
time, each new communications and information service
potentially affects the privacy interests of individuals and
businesses.  What are the First Amendment implications of
regulating the dissemination of information by individuals
or businesses?  

11.  What technology is available now, or in the foreseeable
future, that could have an impact on the privacy
expectations of telecommunications users?  Should the
ability of technology to enhance, or threaten, privacy have
a bearing on what expectations of privacy are deemed
"reasonable"?  Can privacy laws or policies be developed
that are technology-neutral?  How can we ensure that
whatever privacy protections are in place apply equally
to all Americans that use the NII, both younger and older,
the wealthy, the middle class and the disadvantaged, and the
technologically literate and the uneducated?

12.  As the components of the NII develop, it may become
increasingly difficult to define the rights and
responsibilities of stakeholders.  Today, one set of privacy
requirements applies to traditional cable operators; other
rules apply to telecommunications common carriers (with even
more specialized rules that apply to the Regional Bell
Operating Companies and AT&T); and other firms that provide
telecommunications and information services are subject to
no restrictions on how they use personal information.  Are
there any overarching principles that can be extended across
specific services in the telecommunications sector?  Given
the convergence of different industries within this sector,
is there a need for a more comprehensive approach to privacy
regulation?  Can "fair information principles" be extended
to interactions between individuals in an electronically
wired nation?  

III. Multimedia Transactions
13.  The NII could ultimately provide access to interactive
multimedia, integrated digital streams of video, audio,
text, and graphics that will allow an instantaneous dialogue
between the user and the system for the transmittal of
information.  Interactive multimedia encompasses such
services as video on demand, participatory television,
electronic publishing, interactive video games,
teleshopping, telebanking, videoconferencing, remote medical
testing and evaluation, and distance learning.  For
example, using devices with the attributes of a telephone, a
television, a camcorder, and a personal computer, students
ultimately may be able to browse through the collections of
any library in the country and collaborate on research
projects with others hundreds of miles away, individuals may
be able to experience special family events like a
christening or wedding even though they cannot attend in
person, and citizens may be able to participate in
electronic town meetings.  In addition, small businesses as
well as large may take advantage of the latest in computer
technology to design products and provide useful services,
and consumers may be able to shop for the best prices in
town on groceries, furniture, clothing, or other consumer
items. 

14.  Of necessity, usage of such multimedia services may
create the electronic equivalent of a paper trail capturing
many details of a person's life.  Moreover, as more and more
everyday interactions take place on-line, it will become
even easier to compile, package, and sell information about
individuals than presently is the case.  The existence of
more extensive transactional data may enable both large and
small firms to conduct more effective targeted advertising
and market research, which could facilitate the ability of
individuals to access the products and services they desire. 
At the same time, people may be uncomfortable with the
notion that "someone" may be keeping track of every
interaction they engage in with the outside world.    

A.   Existing Legal Framework
15.  Several laws are relevant to the use of transactional
records associated with communications media.  Three of
these laws -- the 1984 Cable Act, the Cable Television
Consumer Protection Act of 1992 (1992 Cable Act), and the
Video Act -- in essence adopt "fair information principles"
for the use of cable subscriber data and video cassette
rental and sale data.  In contrast, the Electronic
Communications Privacy Act of 1986 (ECPA) imposes no
restrictions on private sector use of transactional data.  

16.  The 1984 Cable Act precludes cable operators or third
parties from monitoring the viewing habits of cable
subscribers.  Under the subscriber privacy provisions of
that Act, cable operators are required to inform their
subscribers at the time of entering into a contractual
arrangement, and annually thereafter, of the nature of the
"personally identifiable information" they collect about
subscribers, their data disclosure practices, and subscriber
rights to inspect and correct errors in such data.  Cable
operators are prohibited from using the cable system to
collect personally identifiable information about their
subscribers, except that which is necessary to render cable
service, without subscriber consent, and are generally
barred from disclosing such data to third parties without
written or electronic consent.  Cable operators may sell
their mailing lists to third parties only if they have given
their subscribers an opportunity to limit such disclosure,
and the disclosure does not reveal the viewing habits or
other transactions of the subscriber.  

17.  The 1992 Cable Act extended the protections of the 1984
Cable Act to new wire and radio services that may be
provided over cable facilities, such as personal
communications services (PCS).  It also requires cable
operators to take actions necessary to prevent unauthorized
access to personal information by persons other than the
subscriber or cable operator.

18.  The Video Act protects the privacy of video cassette
rentals and sales.  Among other things, the law prohibits
disclosure of the fact that individuals have rented specific
videos.  Congress enacted this law in part in reaction to
the well-publicized disclosure of Robert Bork's video rental
history when he was under consideration for the Supreme
Court.  The law prohibits video tape service providers from
disclosing to anyone the titles of video cassettes rented or
purchased by a particular individual without the customer's
consent, although they may release customer mailing lists
and the subject matter (but not specific titles) of customer
selections if the customer has been given the opportunity to
object to such disclosure.

19.  ECPA was enacted in 1986 to address new technologies
not anticipated by the 1968 federal wiretap law.  While
that law generally prohibits eavesdropping and the
interception of the content of electronic mail, radio
communications, data transmissions, and telephone calls
without consent, it imposes no restrictions on the internal
use by providers of an "electronic communication service"
of transactional records pertaining to such
communications.  As a consequence, such service providers
are free to make any use of the identity of the parties to
the communication or the fact of the communication. 
Moreover, while the ECPA specifies standards and procedures
for court authorized electronic surveillance by government
entities, and government access to stored electronic
communications, it does not restrict the dissemination of
transactional data that is maintained in electronic storage
to non-governmental entities.  Indeed, a service provider is
expressly permitted to disclose transaction information
concerning a subscriber to any person, for any purpose,
without notice or subscriber consent.  

B.   Areas of Inquiry
20.  NTIA solicits comment on the extent to which the
foregoing laws would apply to multimedia services that will
be delivered over the NII, and if not, how they provide a
useful model for new legislation.  Commenters are
specifically asked to provide a legal analysis of whether
the cable subscriber privacy protections of the 1984 Cable
Act, as amended by the 1992 Cable Act, would apply to
telephone companies delivering multimedia services over
switched broadband networks.  Commenters also are asked to
provide a legal analysis of whether firms that provide video
on demand would be considered "video tape service providers"
as defined in the Video Act, 47 U.S.C. § 2710(a)(4).

21.  As a policy matter, what principles should apply to the
handling of transactional records associated with multimedia
services delivered over the NII?  Should multimedia service
providers be required to obtain affirmative consent from NII
users for the collection and dissemination of personal
information, and how should this type of presumptively
restricted information be defined?  What should the user be
deemed to consent to by subscribing to or ordering NII
multimedia?  

22.  Without consent, should any secondary uses of personal
information derived through the use of NII multimedia be
permissible?  As a technical matter, is there any way a user
could monitor subsequent usage of personal information to
ensure that such usage is consistent with his or her
expectations?  Should there be a requirement that
transactional records be destroyed after some designated
period of time?  How will these requirements be enforced,
and what right of redress will individuals have?  

23.  Should the ECPA be amended to impose restrictions on
the use of transactional records associated with electronic
communications services?  What costs would such restrictions
place on businesses, and what impact would restrictions on
information collection and dissemination have on
individuals?

IV.  Telephone Transaction Generated Information
24.  Existing telecommunications networks generate a vast
amount of personal information about telephone usage and
transactions related to telephone service, which is likely
to increase as more advanced services are offered.  There
are many forms of TTGI: white pages information, yellow
pages information, new telephone service orders, aggregate
telephone traffic information, calling number
identification, other network information, call detail
records, and billing and credit information.  Today, some
telephone companies are subject to restrictions on the use
and disclosure of telephone transactional data, while other
firms that have access to such information are subject to no
restrictions at all.  Given that the networks of
telecommunications carriers are part of the backbone of the
NII, NTIA is interested in determining what policies, if
any, should govern the secondary use of telephone
transaction generated information.  In the discussion below,
we focus on two forms of TTGI: Customer Proprietary Network
Information (CPNI) and Automatic Number Identification
(ANI).

A.   Existing Legal Framework
1.   Customer Proprietary Network Information
25.  When initially establishing telephone service for a
customer, telephone companies obtain information such as the
subscriber's name, billing address, and desired network
services.  Over time, telephone companies maintain service
records and billing records, which include the monthly
charges for network services, call detail for toll calls,
and, if applicable, call detail for local calls.  Such
information, known as CPNI, is one form of telephone
transaction generated information.  

26.  Currently, there are no federal statutes governing the
secondary use of such information, but there are FCC rules
governing use of CPNI by AT&T and the Bell Operating
Companies (BOCs).  Those rules prohibit the BOCs and AT&T
from transferring the CPNI of customers with more than
twenty lines to affiliated personnel engaged in the
marketing of customer premises equipment (CPE) or
unregulated enhanced services unless they have the
customer's permission.  BOCs and AT&T are allowed to make
any use of the CPNI of smaller business and residential
customers without customer authorization.  Upon customer
request, the BOCs and AT&T are required to release CPNI to
unaffiliated CPE vendors or enhanced services providers
(ESPs) on the same terms and conditions as made available to
their affiliates.  

27.  The FCC's CPNI rules apply only to the seven BOCs and
AT&T.  Those rules were adopted largely to address
competitive concerns based on the potential advantage the
BOCs and AT&T might have when they provide unregulated
enhanced services or terminal equipment and regulated
"basic" telecommunications services on an integrated
basis, rather than to protect customer privacy
concerns.  There are no restrictions on the use of CPNI
by the more than 1,000 independent telephone companies,
nonwireline cellular carriers, interexchange carriers (IXCs)
other than AT&T, ESPs, or other businesses engaged in the
provision of telecommunications and information services.

2.   Automatic Number Identification
28.  According to the Direct Marketing Association, on a
typical business day in 1993, approximately 60 million toll
free telephone calls were placed on the 1.8 million 800
numbers in the United States.  According to one estimate,
more than 274 million calls were placed to 900-number
services in 1991, with over 14,000 pay-per-call programs
being offered by approximately 5,000 pay-per-call service
providers.  

29.  Interexchange carriers offering 800-number and 900-
number services provide their customers -- that is, firms
with 800 and 900 numbers -- with monthly statements
providing call detail for all calls billed to them,
including the telephone number of the calling party.  In
addition, interexchange carriers provide real-time Automatic
Number Identification to those 800- and 900-number customers
that choose to subscribe to this feature.  Firms that
subscribe to 800- and 900-number services use ANI for
billing and routing, account management, and security
purposes.  For instance, mail order retailers can expedite
transactions by retrieving the account information of a
repeat customer as soon as the call is received, while these
and other businesses can use such services to route large
customers to their assigned account executive.  

30.  There are no FCC restrictions on the use or sale of ANI
data gathered from interstate calls.  The FCC received
comments on ANI in 1992 in its Caller ID proceeding, but
has taken no further action to date.  

31.  The only state that regulates the use or sale of ANI
data of which NTIA is aware is New York.  New York's Public
Service Commission has issued terms and conditions
concerning intrastate ANI, which became effective in
December 1992.  Under these terms and conditions, ANI
information associated with an intrastate service in New
York cannot be used to establish marketing lists or to
conduct marketing calls.  Firms may not resell or disclose
ANI information to third parties unless there is prior
written consent from the subscriber.  Firms are allowed to
gather ANI, however, for billing and collection, routing,
screening, to ensure network performance, to complete a
telephone subscriber's call or transaction, and for services
directly related to the telephone subscriber's original
call.  

B.   Proposed Law
32.  Rep. Edward Markey, Chairman of the House Subcommittee
on Telecommunications and Finance of the House Committee on
Energy and Commerce, has introduced the Telephone Consumer
Privacy Protection Act of 1993 (H.R. 3432), which would
regulate the usage of CPNI and ANI data.  The bill would
amend the Communications Act to bar all local exchange
carriers from using CPNI (1) to provide any service other
than telephone exchange or telephone toll service, (2) to
identify or solicit potential customers for services other
than that from which the information is derived, or (3) to
provide customer premises equipment.  LECs would be
prohibited from disclosing CPNI to affiliates or other
persons that are not employees of the carrier, unless
required by law or requested by the customer.  The
legislation would prohibit LECs from discriminating between
affiliated and unaffiliated service or equipment providers
in providing access to individual and aggregate CPNI.  The
bill also would require LECs to provide subscriber list
information (e.g., subscriber name and address) on
nondiscriminatory and reasonable terms to any person upon
reasonable request.

33.   The Telecommunications Infrastructure Act of 1993
(S. 1086) has a similar provision governing the use of CPNI. 
S. 1086 would apply the restriction more broadly, however,
to all telecommunications carriers, rather than to local
exchange carriers.  Moreover, S. 1086 would give subscribers
the power to limit the disclosure of subscriber list
information.
     
34.  H.R. 3432 also would amend the Communications Act to
bar persons that use ANI (i.e., providers of 800 and 900
services) from reusing or selling the telephone number or
billing data provided through ANI without first orally
notifying the calling party and providing that party the
option of limiting or prohibiting such reuse or sale. 
Otherwise, such information may only be used to perform the
services or transactions intended by the original call, or
for other limited uses, such as ensuring network security
and performance.  However, firms with 800 and 900 numbers
would be permitted to use ANI to offer customers with whom
they have an established customer relationship a product or
service directly related to that previously acquired by that
customer.  Common carriers would be required to report
violations of these provisions to the FCC, and the FCC would
be authorized to order the termination of ANI service to the
offending party.

35.  A bill that is pending in the Senate (S. 612) would
impose similar restrictions on the use of ANI by amending
the federal wiretap statute.  However, unlike the House
bill, S. 612 specifies that ANI recipients may use such
information for any lawful purpose if per call blocking at
no charge (or per line blocking in states that have adopted
such a requirement prior to the act's enactment) is
available to the calling party.  S. 612 also would impose
civil penalties on parties that use information in violation
of the statute's ANI requirements.

C.   Areas of Inquiry
36.  NTIA solicits comment on how CPNI will evolve as the
NII develops, and how its treatment should evolve.  Is it
correct to assume, as the FCC did when it adopted the
current CPNI rules for provision of enhanced services in
1991, that there are no significant privacy concerns when
CPNI is made available to different divisions within a
single integrated company?  To what extent do the competing
rationales associated with regulating access to CPNI --
maintaining competitive equity between the BOCs and AT&T and
unaffiliated ESPs, protecting customer privacy, and
permitting efficient marketing and provision of enhanced
services -- apply to other types of carriers, such as
competitive access providers, IXCs, cellular telephone
service providers, and cable companies, that will be part of
the NII?  We note in this regard that rationales for
regulating use of CPNI based on competitive concerns suggest
a focus on "dominant" providers (i.e., those with market
power), while customer privacy rationales would seem to
suggest a broader application of such regulatory
protections.  

37.  When consumers purchase goods or services through an
800 number, they ordinarily orally disclose their name,
telephone number, credit card number, billing address, and
other information necessary to complete the transaction. 
Similarly, individuals that call 900 numbers are aware that
a charge for that call will appear on their telephone bill. 
How is individual privacy additionally threatened by the
potential passage of ANI to firms with 800 and 900 numbers? 
Is it reasonable to allow NII service providers to use ANI
information to market new products or services to
established customers?  Should the answer to this question
differ, depending on whether the individual has previously
disclosed his or her telephone number to the called party,
either orally or in writing?  Should firms that offer 800-
and 900-number services be required to notify callers at the
outset of the conversation that their telephone number has
been recorded?  Do states, other than New York, have
restrictions on the intrastate use and sale of ANI data, and
is there a need for federal legislation in this area? 

38.  Does H.R. 3432 strike an appropriate balance between
telephone subscriber privacy interests, and the desire of
information gatherers to use customer information to provide
services over the NII?  Should NII users have easy access to
some forms of TTGI (such as white page directory
information), but not others?  Should the burden be on the
telephone subscriber to direct that transactional
information not be used (the so-called opt-out approach), or
on the party that gathers the information to obtain consent
for the use of such information (the opt-in approach), and
what specific consent mechanism should be used in either
case?  What costs would such restrictions impose on
businesses?  As a matter of policy, should any restrictions
on the use of TTGI apply to all telecommunications carriers,
rather than LECs?  

39.  NTIA solicits comment on whether NII network operators
and service providers should be required to inform their
customers, at the time service is initially established and
periodically thereafter, what TTGI is accumulated about
them, and how that information is used or disseminated to
third parties.  How would compliance with such rules be
enforced, and what body should enforce them?  If the end
result of such restrictions is that less information is
collected and disseminated in our society, what impact would
that have on individuals, businesses, and the NII?  

V.   Development of Personal Profiles
40.  Enhanced information and computing technology, and the
greater interconnectivity of telecommunications networks,
will allow greater access to a broad range of record systems
containing health, financial, academic, government,
employment, telephone and other information that may be of a
highly sensitive and personal nature.  Easy and often
anonymous access to such information raises concerns that
anyone will be able to download information about
individuals from different data bases and compile that
information into detailed personal dossiers.  

A.   Existing Legal Framework
41.  In order to create a personal profile, a two-step
process is required -- accessing the information and
"matching up" the information for each individual.  The
Privacy Act of 1974 and a 1988 amendment to that Act --
the Computer Matching and Privacy Protection Act of 1988
(Matching Act) -- provide federal guidelines governing
the compilation, use, and dissemination of personal
information gathered by government agencies.

42.  The Privacy Act's matching provisions regulate the
conditions under which federal agencies may match personal
information held in their data bases with data stored in
other data bases.  Such matching often is done in order to
verify the eligibility of individuals for federal benefits. 
For example, a government agency may "match" its employee
list with a list of persons receiving public assistance. 
The match would identify persons who are earning an income
and improperly receiving public assistance at the same time. 
Such matching, without regulation, may result in
indiscriminate swapping of data files.  

43.  Under the Matching Act, matching takes place under the
"routine use" exception to the Privacy Act's limitation on
use of personal information.  Agencies are required,
before matching, to enter into written, inter-agency
agreements specifying the purpose of the match, the records
to be matched, and a cost/benefit analysis of the match. 
The Matching Act creates an important procedural framework
of notice to individuals, the right to a hearing before
government benefits are cut off or denied, and mandatory
reporting requirements for agencies that match records.

44.  No federal or state laws regulate private sector
matching of personal information.  However, some existing
federal and state laws restrict the accessibility of certain
types of personal information.  For instance, as previously
discussed, federal law restricts disclosure of cable
subscription and video tape rental or sale information. 
Such restrictions, when coupled with similar restrictions on
the release of other types of personal information such as
credit ratings and credit card usage, to some extent
limit the information that can be used to create personal
profiles.  The existing legal framework, then, addresses
only the first step of the matching process in the private
sector by limiting access to information. 

B.   Areas of Inquiry
45.  NTIA solicits comment on whether existing federal laws
would adequately deter invasions of personal privacy
resulting from the compilation of telecommunications-related
data, such as records of interactive media and telephone
usage, obtained through the NII.  Should federal legislation
restrict private sector computer matching of such data?  If
so, for what purposes would the Matching Act serve as a
useful model?  Does computer matching create new information
that should be subject to greater privacy restrictions than
those applicable to each separate piece of information used
in the match?  Is privacy threatened by the act of gathering
information about an individual from several different
sources, or only when the resulting personal profile is used
for purposes beyond the individual's knowledge and ability
to control?  

46.  Market forces have an impact on the actions of
businesses and consumers.  For instance, Lotus Development
Corporation and one of the nation's largest credit reporting
bureaus, Equifax, abandoned plans to market a data base on a
CD-ROM called "Marketplace: Households" in the face of
widespread public criticism.  In 1990, New York Telephone
abandoned plans to rent directory information such as name,
address, and telephone number from 4.7 million listings to
retailers, telemarketers, and others selling products and 
services in the face of 800,000 requests to be excluded from
such lists.  Will consumer concern about the existence of
personal profiles deter companies from developing such
profiles?  If so, what impact would that have on individuals
and society? 

VI.  Role of Self-Regulation
47.  In response to growing customer concern about privacy
issues, many companies are developing their own corporate
privacy codes and other initiatives to bolster customer
confidence in their services.  In the telecommunications
area, Pacific Bell, one of the Regional Bell Operating
Companies, issued a comprehensive telephone customer privacy
code in December 1992.  MCI as a matter of policy does
not sell or rent its customer lists or information about
customers to third parties.  Among information providers,
Prodigy, one of the largest commercial on-line services, has
a formal policy governing its use of personal information
about subscribers.  NTIA solicits comment on what other
companies in the telecommunications and information field
are doing to address their customers' privacy concerns. 
What has been the experience to date of companies that have
privacy policies?  Should companies be required to provide
their customers with notice of their internal practices and
policies regarding collection and use of personal
information?  To what extent can we expect that marketplace
forces will adequately resolve conflicts over privacy
interests, and how will this occur?

48.  Many non-commercial networks have informally developed
norms for conduct that are voluntarily adhered to by users. 
Users that engage in unacceptable behavior may be "flamed"
by other users.  On many bulletin boards, the system
operator retains discretion to banish users who post
offensive messages.  Is such self-regulation in electronic
communities adequate to protect the individual's right to
privacy over the NII?  

VII. International Issues
49.  The NII will be part of evolving global networks and
therefore must be coordinated with international
requirements in order to facilitate the competitiveness of
U.S. firms.  Many of our major trading partners in Europe,
for instance, have formal data protection commissions that
oversee implementation of national laws governing the
information practices of both public sector and private
sector parties.  Thus, the United States needs to evaluate
how the policies regulating the privacy of personal
information transmitted over telecommunications networks in
other countries will affect individuals and commerce in the
United States, and vice versa.  

A.   International Privacy Guidelines
50.  International interest in advancements in
computerization and related privacy issues began in the late
1960s.  Since then, different nations have followed varying
approaches to privacy.  As previously noted, U.S. privacy
law is a patchwork of constitutional, statutory, regulatory,
and common law protections, and voluntary self-regulation. 
The European approach to the privacy of electronic
information has been to favor omnibus data protection
regulations that apply to both the public and private
sectors and are overseen by state-controlled privacy boards. 
The Organization for Economic Cooperation and Development
(OECD), whose membership consists of twenty-four
industrialized countries, including the United States,
Canada, most Western European countries, and Japan, has
adopted guidelines for the protection of personal data that
permit both the U.S. and European approaches.  African,
South American, and Central American countries have not yet
adopted any data protection laws, but some are studying the
issue.

51.  In the discussion that follows, we focus on the major
international instruments pertaining to privacy adopted by
the OECD and the Council of Europe (COE), and under
consideration by the European Community (EC), rather than
the laws of specific countries.  These international
agreements -- which generally recognize that the free flow
of information is critical to transborder economic activity
-- provide a framework for adoption of domestic legislation
by member nations.

1.   Organization for Economic Cooperation and Development
52.  The OECD has been active since the 1970s in considering
the impact of computers and telecommunications technologies
on the international flow of data.  In 1978, it instructed a
"Group of Experts" to develop a set of basic guidelines to
govern transborder data flow and the privacy of personal
data.  The Group of Experts adopted "Guidelines on the
Protection of Privacy and Transborder Data Flows" in
1980.  All twenty-four OECD member countries have
accepted the OECD Guidelines, which are strictly voluntary. 
In the United States, over 175 corporations have provided
written statements of support for the OECD Guidelines.  

2.   Council of Europe
53.  In 1980, the Council of Europe, whose membership
consists of the twelve EC countries and nineteen other
European countries, adopted "fair information practices"
similar to those of the OECD regulating the collection,
storage, and automated processing of personal data, and
transborder data flow.  Those principles, set forth in the
"Convention for the Protection of Individuals With Regard to
Automatic Processing of Personal Data," which was opened for
signature in 1981, establish standards that must be
enacted into domestic law by signatory countries.  Twenty of
the thirty-one Council of Europe members have signed the
convention, and thirteen have ratified it.  Ten of the
twelve EC member states have ratified the convention and
enacted domestic data protection laws.  The COE
Convention permits, but does not mandate, signatory
countries to refuse to transfer data to other countries that
do not provide equivalent data protection.

54.  The Council of Europe continues to respond to new
privacy issues brought about by technological innovation. 
Its Committee of Experts on Data Protection has studied a
number of areas that pose challenges to privacy, including
telemetry (the use of remote cameras, sound detectors, and
other means to collect personal data without the consent, or
even the knowledge, of the data subject), interactive media,
and electronic mail.

3.   European Community Directives
55.  In 1990, the EC proposed a new directive that would
create another set of international privacy guidelines,
which would be mandatory for all EC Member States.  Among
other provisions, the 1990 Proposed Directive adopted an
"opt-in" approach requiring companies to notify and obtain
consent from each individual regarding the use of personal
data pertaining to them.  This directive would have allowed
Member States to block the transborder flow of data to any
country whose privacy regulations are determined to be
inadequate.    

56.  U.S. businesses objected to the 1990 Proposed Directive
because it would place potentially costly, bureaucratic
restrictions on the collection, use, alteration or transfer
of personal data files.  The United States government argued
that this directive would potentially hinder the ability of
U.S. companies to communicate with their subsidiaries and
customers in Europe.  The German, U.K., and French
governments also spoke out against the directive.  

57.  In 1992, the EC proposed a revised privacy directive
that has not yet been adopted, but addresses some of the
major concerns of U.S. industry.  In particular, the
revised proposal is less restrictive than the original with
respect to transborder data flow.  In determining whether
the destination country affords a sufficient degree of
privacy protection, nations may consider the specific
circumstances of each data transfer on a case-by-case basis,
rather than on an overall country assessment, taking into
account the nature of the data, the purpose and duration of
processing, and professional rules.  

58.  The 1992 Privacy Directive would require EC member
countries to have independent supervisory authorities for
the protection of personal data.  These advisory bodies
would monitor implementation of national laws adopted as a
result of the EC privacy directive and would have the power
to bring action against infringements of the law.

59.  The 1992 Privacy Directive also acknowledges
contractual provisions that protect data subjects' rights,
but still does not recognize voluntary self-regulation,
practiced widely by U.S. industry.  It considers
intracorporate data transfers between and among a company
and its overseas subsidiaries and affiliates to be
communications to a third party and subject to privacy
regulations.  Member States therefore still would be able to
block the transborder flow of intracorporate data, if the
privacy regulations in the country receiving the data are
determined to be inadequate.  The 1992 Privacy Directive has
not been ratified due to remaining concerns within the EC
business community over such issues as how to determine the
adequacy of foreign data protection laws.   

60.  In addition to the 1992 Privacy Directive, the EC is
considering a proposed directive that would harmonize
regulations in Member States designed to protect the privacy
of telephone subscribers.  Generally, the proposed ISDN
Directive would allow telephone companies to collect and
store only that information that is necessary to provide
requested services, require subscriber's consent to provide
such information to third parties, guarantee adequate
protection against unauthorized access, and require
telephone companies to provide a call blocking option for
calling line identification.

4.   Areas of Inquiry
61.  NTIA solicits comment on whether U.S. industry believes
that the OECD Guidelines and the COE Convention are adequate
instruments to protect individuals' right to privacy over
telecommunications networks.  Should there be any change in
U.S. international privacy policy beyond individual firms'
support for voluntary OECD guidelines related to transborder
data flows?  What impact would ratification of the EC's 1992
Privacy Directive or ISDN Directive have on the NII?  Would
the United States need to adopt additional privacy laws
applicable to the private sector to ensure that, as the NII
develops, it is not excluded from exchanging personal
information with the EC?  Could problems arise for
international calls originating in the United States if the
EC requires specific technologies or policies to be
implemented that are different from those in use in the
United States?  For example, deployment of SS7 is necessary
in order for calling parties to block transmittal of their
telephone number to called parties.  Different standards
exist for technological solutions to privacy concerns such
as encryption.  To what extent does international network
configuration have an impact on privacy considerations? 
What privacy policies have been adopted by individual
countries that could serve as useful models for the United
States as it develops its privacy policies for the NII?

B.   International Trade Agreements:  GATT/NAFTA
62.  Issues relating to privacy will continue to be a
growing international trade issue as other countries and
regions develop their own information networks.  The
protection of individual privacy is mentioned in both the
GATT Telecommunications Annex and the telecommunications
chapter of the North American Free Trade Agreement (NAFTA). 
Both documents focus on the right of users and service
providers to access and use the public telecommunications
network on a nondiscriminatory basis.  However, under both
GATT and NAFTA, laws or regulations that protect privacy of
individuals in the processing and dissemination of personal
data are permissible so long as they are not applied in a
discriminatory manner or as a disguised restriction on
trade.  Will such provisions adequately limit the ability
of a signatory country to impose its own privacy framework
on other signatory countries, while allowing for a free flow
of information?  Given that the telecommunications networks
that are part of the NII extend across U.S. borders into
Canada and Mexico, will the United States need to consider
how those countries address privacy issues as we develop our
policies in this area?

VIII.  Conclusion
63.  NTIA hereby requests comments in this inquiry to be
filed on or before March 14, 1994.
DATED:  February 7, 1994
                                  
Larry Irving
Assistant Secretary of Commerce 
for Communications and Information


------------------------------


End of Computer Privacy Digest V4 #055
******************************