Personal tools


CFP'91 - Jacobson

Legislation & Regulation

Wednesday, March 27, 1991

Jerry Berman

Paul Bernstein

Bill Julian

Elliot Maxwell

Steve McLellan

Craig Schiffries

Bob Jacobson, Chair

Copyright (c) 1991 IEEE. Reprinted, with permission, from The First Conference on Computers, Freedom and Privacy, held March 26-28, 1991, in Burlingame, California. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the IEEE copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Institute of Electrical and Electronics Engineers. To copy otherwise, or to republish, requires a fee and specific permission.

Published in 1991 by IEEE Computer Society Press, order number 2565. Library of Congress number 91-75772. Order hard copies from IEEE Computer Society Press, Customer Service Center, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 90720-1264.

JACOBSON: Thank you for coming this afternoon. It's often said that those who come after lunch are the most determined. We're going to press on with some important issues, particularly the question of, "What's to be done?"

I will introduce the panel in a moment. As moderator, one of the downsides _ is that you're somewhat eliminated from the discussion. And, since I was appointed moderator and didn't ask to be, I'd just like to make my own little brief statement.

_ In a sense this conference is a commencement for me, a culmination of eight years of my career working in the field of privacy and information policy, and the commencement for you and the people at the panel who have also been working in the field to continue on with the struggle. Last week I was at a futures meeting of telephone-company executives and I read a long statement to them, a short part of which I'd like to say to you.

"The quality of our inner life is as precious as our physical well- being in the material world. Technologies that make it easier to unilaterally take personal information [are] of great commercial value, but they threaten to rob our souls. Great discipline is required in their use. The resentment against technology or the resignation _ that these inventions may engender will be one of the crucial social themes of the next three decades."

Unfortunately, I don't think that got much of a rise. Now I work in the field of virtual-worlds technology and, without making our discussion here overly complicated, I will tell you there are sincere discussions going on about the civil liberties that might be violated when you choose to inhabit another person's body. [some laughter]

I would like to also summarize my career, which will put in context [a] bit of what these people are working on, in four very short statements. Actually, items in time:

[In] 1982 the Legislature in California published a book that I wrote called, Access Rights to the Electronic Marketplace.

Five years later, in 1987, I sat in a room with an assembled group from the California District Attorneys Association [CDAA] where the Constitution of the State of California - not to mention me personally and the person for whom I was working - were raked over the coals substantially. It was literally a mad-dog pack. It was an embarrassment to me and an insult to the people of the State of California. I'm glad to say that Don Ingraham was not invited to that meeting by the CDAA. The discussion was how we could amend the Constitution to include a right of free speech, and electronic free speech, and also a right of privacy for data that might be stored on one's personal computer or elsewhere.

Item in 1988: Getting agreement among a group of 35 lobbyists representing conceivably every commercial interest in the State of California on a data-audit bill that would permit you, as a consumer, to have access to _ information about you. And, two companies in _ the credit-information business sabotaged an agreement that was worked out over three hours amongst 35 people and five consultants from the state Legislature.

Item in 1989: A telemarketing bill was passed by both houses of the state Legislature in California which would allow you to opt-out of the population of people who are annoyed and harassed by telemarketers. It was vetoed by the governor at the request of the Direct Marketing Association and the telephone companies.

Finally, an item of very personal meaning: Sitting at the computer, having bought a subscription to Superbureau, about to do a download on someone else's life as an item to show in a hearing about how vulnerable we all are, and feeling for that one moment a terrible responsibility and sense of moral outrage - and not being able to press the return key. Nor anybody in my staff, or my legislator being able to press the return key, for which I'm very proud. But for those who have pressed the return key, I'm very sorry.

We won't talk about 16 inches of printouts that were done eavesdropping on BBS systems that was laid in my office one day by a law-enforcement official, completely unofficial, not affiliated with any law investigation I know of. Nor about the ACLU allegation of police "red-squad BBSs" which are out there, as well as the criminal crackers. That's the context within which people like these try to do good things by the people for whom they are working.

Without further ado, I'll introduce the panel. They'll all speak for a short time. Our purpose is to engage you in a discussion on the issue of legislation, regulation and freedom of electronic information and privacy. Each of them is eminent in their field, and _ also very good people, to a person.

We have Jerry Berman from the ACLU. We have Craig Schiffries from the Senate Judiciary Committee, U. S. Congress. We have my former colleague and close friend, Bill Julian sitting in for Gwen Moore, for whom we both worked. Bill is the chief consultant at the California Assembly Utilities and Commerce Committee.

Next to him, another good friend, a new friend from my new home of Washington state, Steve McLellan, who's advisor to chairwoman Sharon Nelson of the Washington State Utilities and Transportation Commission, one of the more progressive commissions in the United States.

Next to him, another good friend - I don't know, I didn't pick these people but they all ended up on the same panel - Elliot Maxwell, who was considered at one time to be the "philosopher of the FCC" [Federal Communications Commission] and now holds that role at Pacific Telesis Corporation.

And finally, at the end, Paul Bernstein, who is doing many, many things with the legal community and BBSs generally; an editor, an operator of BBSs [including the LawMUG BBS], and a commentator on the legislative process.

And without further ado, I'll turn it over to Jerry.

BERMAN: Thank you. I guess I've been working on legislation that affects the electronic frontier for many years without having been on the frontier, and that may have caused some problems along the way. But increasingly I'm being brought into the net. It was in 1984 that Marc Rotenberg got me to convert from Selectrics to a KayPro. And now I'm going on the Internet through a node somewhere in my office in Washington, D.C., so you can all keep track of me in Washington.

But anyway, when I start talking about the electronic frontier to other audiences, I say that, increasingly, all of us are living on the electronic frontier, and that it's a realm of electronic, social, economic and political communication and interaction occurring within a diverse and converging telecommunications infrastructure.

Today, all of us create, process, disseminate information electronically. We use the computer rather than a pen, teleconferencing rather than face-to-face discourse, facsimile and e-mail rather than postal mail, computer databases instead of filing cabinets. And all of us who live on this electronic frontier share a common goal. It's to ensure that the laws and policies which govern the electronic frontier are consistent with and supportive of fundamental constitutional and democratic values.

Now one of the problems, and I think it was reflected in the whole discussion this morning, is you have to recognize that - while it is a frontier that you're on - it is a highly regulated and legislated frontier. It has scores of laws, procedures, rules, regulations, and it's inhabited by some of the largest corporations and forces in this country.

And when law enforcement - and I work a lot with law enforcement because we have to reach agreement on legislation - when law enforcement tells you that you don't need to do anything except tinker around with the law, that it's all fine, you've got to stop and pause. [some laughter]

Yesterday Professor Tribe, at the end of his dissertation, suggested that we needed no less than a constitutional amendment to accomplish our goals. While I agree with this goal, I profoundly disagree with the strategy. It is a strategy, I submit, which is designed to vest the development and arbitration of frontier issues and disputes to the judicial branch of government. _ But isn't it the judicial branch _ and the courts which have _ [failed] to wrestle adequately with changing technologies and constitutional values that [are] at the core of our problem?

It is the Court that has saddled us with the Fourth Amendment doctrine of "reasonable expectation of privacy," which is little or no protection against the reasonable conclusion that evolving computer and communication technologies give us little expectation of privacy.

It is the Court which has not recognized the fundamental public "right to know," even in government information. And that that right is recognized instead by a statute, the Freedom of Information Act, and open-government laws around the country.

It is the courts, in crazy-quilt fashion, who've allowed electronic speech to be granted lesser rights than the published word. That is the danger and the crisis.

And I submit that _, in an age of conservative judiciary and complex technologies, _ we need to enact new laws to embody our constitutional principles. It is the citizenry, acting through politics, who must constitutionalize the electronic frontier. And it will require a very broad coalition, made up of all of the constituencies represented in this room - from the computer users to the computer professionals, from the information industry to the telecommunications firms to the civil liberties and privacy advocates. And it can be done.

In 1986, Congress, not the courts, passed landmark legislation which we discussed this morning - the Electronic Communications Privacy Act, which was designed to protect the privacy of the contents of our private communications regardless of the communications media. Data, voice, video are protected against government intrusion, whether carried by wire, microwave or cellular.

In two weeks [from March, 1991], Senator Leahy of the Senate Subcommittee on Law and Technology will introduce legislation to update the Freedom of Information Act, to ensure that we have access not only to public information in published formats but in electronic as well. Today it is the electronic version of public information which citizens need - to use with their PCs, to process and analyze - to hold government accountable. And the law can and should be updated.

In the Video Privacy Act that Janlori Goldman talked about yesterday, that was worked on by CPSR and the ACLU, and the Electronic Communications Privacy Act, and the Privacy Protection Act which protects newsrooms against searches and overturned the Supreme Court decision, citizens are working together to establish legal expectations of privacy in records and communications, regardless of whether technology makes it "reasonable,"_ because it's consistent with our constitutional principles.

_ We must bring the First Amendment to the electronic frontier by working towards the goal that all citizens have access to a communications network which is rich in voice, data [and] video; a fiber- optic network which reaches everyone across the country.

We can begin with legislation which is pending before the Congress right now.

There is the Gore bill, which is designed to create a National Research and Education Network [NREN] on top of the existent Internet, which can serve as a test-bed and prototype for developing the high-end service of the future, not only to connect the super-computers for research but to develop the digital library of the future; to develop the addressing schemes to make sure that electronic mail is a service available to all of us; to work with technology and encryption to ensure privacy goals; to experiment with interactive education and learning, so we can begin to create a demand for [that] and meet the needs of our society.

And then, ultimately - this will involve rewriting of the Telecommunications Act of 1934, which governs our phone system - the public-switch phone network must come to operate under common-carrier principles and to carry all speech regardless of its controversial content. And it must deliver to all citizens the high-end data, voice and video communication network that we need.

There is a large agenda, and it requires citizen participation. The debate on these measures is going on now. If you go to a telecommunications hearing - which is where large telecommunications firms are dividing up the electronic frontier that you are on, and setting the rules and regulations - the room is packed from here to there with pinstriped suits, people representing telecommunications firms.

You're on the outside, largely, of that debate, and that can no longer go on. You have to join together, you have to find ways to use the technology to connect together, to work with the Electronic Frontier Foundation and CPSR and the ACLU to build a coalition to have an impact on these laws.

Because the electronic frontier is ours to win, and it's certainly ours to lose. Thank you. [applause]

SCHIFFRIES: I work for Senator Patrick Leahy on the staff of the Subcommittee on Technology and Law of the Senate Judiciary Committee. I am not _ an attorney, however. I'm a scientist, the only scientist serving on the subcommittee. And I am serving _ in the capacity as a congressional science fellow under the auspices of the American Association for the Advancement of Science. So I bring a slightly different perspective to some of these issues than most judiciary staffers.

The subcommittee was created in 1987 to study new technologies and their impact on civil liberties. Its goal is to ensure that American law keeps pace with new technology. Its mission is to preserve our fundamental liberties while promoting innovative technologies. The subcommittee arises out of Senator Leahy's work on the Semiconductor Chip Protection Act, which established a new form of intellectual property, the Electronic Communications Privacy Act, and the Freedom of Information Act.

The subcommittee's current work tends to fall into the areas of electronic communications, computer privacy, high-tech crime, high-tech intellectual property and, as always, the Freedom of Information Act.

I will just discuss several of the recent legislative initiatives in the subcommittee, to update our federal laws, to keep pace with changes in computer technology. Let me begin with the Electronic Communications Privacy Act. Recently, Senator Leahy formed a Privacy and Technology Task Force to explore new communications technologies arising in the context of this Act and to determine whether the law needs to be revised.

A number of industry representatives and privacy advocates, including CPSR, Jerry Berman, and others in this room, are serving on the task force to help explore issues, including cordless and cellular phones, electronic mail, caller ID and FBI proposals to amend the Act. The task force typifies Senator Leahy's approach of bringing a broad range of experience and knowledge to a set of complex technical issues. I won't comment on the substance of their deliberations. They'll be reporting to Senator Leahy in the near future.

Let me now move to Senator Leahy's Computer Abuse Amendments Act, which clarifies provisions of the 1986 Computer Fraud and Abuse Act. This bill was unanimously approved by the Senate in the last Congress, but the house did not consider the bill before Congress adjourned. Senator Leahy plans to reintroduce the bill in the 102nd Congress.

In crafting this legislation, he sought to balance clear punishment for destructive conduct on the one hand with the need to encourage legitimate experimentation and the free flow of information on the other hand. Under the current statute, prosecution of computer-abuse crimes must be predicated upon the violators getting, quote-unquote, "unauthorized access" to a federal-interest computer. Senator Leahy's bill focuses on harmful intent and resultant harm rather than on the technical concept of computer access.

As a scientist, my initial instinct was to focus on a technical solution to a technical problem, rather than on _ an approach which is based on motive or intent. But the courts have been dealing with determinations of criminal intent for centuries, and the approach seems to have worked pretty well.

Technical approaches quickly become outdated and commonly introduce new problems and new ambiguities. When drafting these laws, we have been careful not to overreact to widely publicized events such as the Internet worm. Senator Leahy's bill is the product of two years of careful work by the Subcommittee on Technology and Law, drawing consultation from CPSR, a variety of industry representatives and federal- agency representatives.

In contrast, there have been attempts to introduce legislation without consulting some experts in the field. And some of this legislation would have outlawed nearly every piece of software that is used in the country. So we in Congress continue to need the input from experts in these areas. As the previous speaker noted, Senator Leahy will, in the next couple of weeks, introduce the Freedom of Information Improvements Act of 1991. This legislation would address _ electronically stored government information.

We've seen over the last few years that some federal agencies work with users and deliver electronic information in electronic format. However, other _ agencies have asserted that FOIA does not guarantee access to electronic information. There appears to be a wide range of behavior, and this may be to the detriment of requesters and to the detriment of the free flow of information.

Agencies clearly lack a standard approach and the government lacks a consistent policy on disclosure of electronic information. Senator Leahy's bill would clarify that, regardless of format, FOIA's presumption of disclosure applies.

I just want to say a few remarks about the Computer Security Act of 1987, which mandates that the National Institute of Science and Technology [NIST] rather than the National Security Agency [NSA] is responsible for adopting standards needed to assure the security and privacy of sensitive information in federal computers. It is important to determine whether NIST is providing adequate leadership in this area and to determine what improvements, if any, are needed. Are federal agencies complying with the Computer Security Act of 1987?

I'd like to relate to you the latest horror story, which was given in some dramatic testimony in the house last Thursday. Mr. Howard Rhile of the Government Accounting Office testified that the Department of Justice sold surplus computer equipment without first erasing highly sensitive information that was stored in the computers. [audience noise]

It might be a laughing matter were it not for the fact, according to the GAO, that this error may have put some confidential informants, some federally protected witnesses and certain undercover agents in, quote unquote, "life and death situations." The GAO says the error was not an isolated event but part of a continuing pattern of similar breeches of computer security.

The GAO states, quote, "Our investigation leads to the unmistakable conclusion that, at present, one simply cannot trust that sensitive data will be safely secured at the Department of Justice." If this GAO report is true it raises very serious concerns for all of us.

I just wanted to close by saying that we don't have all the answers and we need to continue to rely on the people in this room and the entire computer community for advice in our legislation. Thank you. [applause]

JACOBSON: _ Next is Bill Julian, who's chief _ counsel to Assemblywoman Gwen Moore, who'll be speaking on the state legislative situation.

JULIAN: I do want to convey Assemblywoman Moore's regrets. She _ has been in New Orleans dealing with cable-TV issues and couldn't get a flight back to San Francisco in time to make this panel.

So I get the pleasure of trying to fill Bob Jacobson's shoes. Bob was the telecommunications, privacy, information-technology expert for the state Legislature for a number of years, and I had the pleasure of being his colleague. Most of what I have to say will probably reflect his views more than the views of the committee or of Assemblywoman Moore.

I want to echo something that Jerry Berman said that I think is critical. That is, the _ development of a privacy constituency is absolutely essential for the development of coherent public policy in this area in the state and, frankly, in the country. Jerry's point was that the locus of decision-making may very well be shifting to the courts but it ought to be in the deliberative process in state legislatures or in the legislative branch of government - state and federal.

The state Legislature in California has been relatively active over the years in the privacy area. Nevertheless, I would say that its activity has been characterized by essentially two elements.

First, we've been very episodic and reactive in the way that we have dealt with privacy issues. Privacy issues have been presented; we seem to get a new one every year for the last eight to ten years. We have dealt with them as effectively as we can, and in a number of cases we've been several years ahead of the rest of the country. But nevertheless, the fact of the matter is that we are reactive and we are episodic. There is no over-arching, coherent privacy framework or privacy-policy matrix that we implement.

So, for example, with telemarketing, the legislation which Bob referred to earlier that was vetoed by Governor Deukmejian, we attempted to establish a "don't call me" database, which _ telephone customers could opt-in to and which telemarketers would be required to respect. That approach contrasts with the approach that we took to "junk fax," another bill which was vetoed by the governor, in which we simply said that unauthorized faxed messages would be illegal and would be the basis either for criminal prosecution or for a civil action by the involuntary recipient. [There is a] much different set of policy assumptions underlying those two types of intrusive telephone calls, and, frankly, it's difficult to find a thread which harmonizes them.

Caller ID: We passed legislation which was signed into law two years ago, which, in the view of the author and the Legislature who passed it would require per-line blocking. The language, however, is sufficiently ambiguous that the phone company is making the argument, which the PUC apparently is listening to, that per-call blocking could be authorized on an experimental or temporary basis. We've introduced legislation to attempt to clarify that, AB 314 - there's a copy of it outside. _ It has an uncertain _ fate in the face of strong legislative opposition.

The episodic nature of the way that the issues get presented to us, and that we deal with those issues, is compounded by the fact that a lot of the fundamental decisions, the infrastructural decisions, have been privatized. With deregulation, we have less public input into some of the basic investment decisions about technology deployment than we've had in the past.

So with caller ID, for example, the basic decision to invest in _ a particular configuration of Signaling System 7 was made without any public scrutiny or public input. One of the services which Signaling System 7 makes available is caller ID. We tend to deal with caller ID in a reactive mode. We have the same thing with privacy implications of electronic mail, possibly. [Common Channel Signaling System 7 (CCS7) are the new-generation telecomm switchiing systems being installed, nationally, expected to be completed around 1995. Network World of July 1, 1991, reported that the January, 1990, AT&T crash and two summer, 1991, regional phone outages were due to malfunctions traced to these new systems. -JW]

Several years ago we attempted to address this problem by proposing a proceeding at the California Public Utilities Commission, called a "Certificate of Public Convenience and Necessity" [CPCN] proceeding, governing the introduction of new services and the deployment of new technologies.

The idea here was that before an investment decision gets made there are public processes where you or other interested parties could have a public opportunity for comment on the merits and the demerits of deployment of particular technology, and where there would be an explicit public weighing of the economic benefits versus some of the other tradeoffs, including impacts on privacy. That legislation was so unpopular that it didn't even get a hearing in it's initial committee, which is Assemblywoman Moore's, but the idea is out there.

_ I can report the Public Utilities Commission has taken enough note of privacy issues that the PUC has instituted a rule-making proceeding on privacy, which will be a forum, _ I assume, for ongoing discussion of privacy issues as they arise. Not exactly our CPCN, but better than _ the status quo, or better than nothing.

A second over-arching approach to attempt to get out of this reactive mode is the legislation that Bob described in his opening remarks, the Personal Information Integrity Act, which was AB 539, 1987 and '88, and has been reintroduced as AB 1168.

This would create a right _ on the part of every citizen to be informed of the existence of electronically maintained files and of transactions involving _ personal information in those files, and would give the subject of the files the opportunity to correct _ the information in the file.

There are a number of issues, not the least of which are a number of First Amendment issues that have been raised by the publishers of this information, which will be raised as this information proceeds.

But underlying this kind of legislation is a different _ philosophical notion of privacy. There's privacy as an integral element of one's public persona, which is violated when data is created and appropriated for commercial or other use without the permission or consent of the subject of the information. It's _ a notion of privacy that is somewhat different than a notion of a space or a sphere which is to be free from outside intrusion. It's a notion of personal integrity that should be free of appropriation or unauthorized use.

JACOBSON: Thank you. [applause] Steve McLellan from Washington Utilities and Transportation Commission.

McLELLAN: Thank you. I've known Bob for really almost eight years, ever since I worked on the staff of the Washington Legislature's Telecommunications Committee. And I haven't admitted this before now, but the way we used to do our bill research was call Bob, have him send up whatever they were doing down here, retype it on our own paper and toss it in. So he's responsible for our telecommunications policy as well as his. [some laughter] I don't know why they invited me.

I'd like to suggest that public utility commissions are a forum that have a role to play in the privacy debate, and one you should pay attention to. Our jurisdiction is limited. There are only certain things we can do, but as this embryonic debate takes shape some of the rules that we come up with and some of the issues we address may set the tone for the debate in other areas. The rules are embryonic but important. Where we first got involved, of course, was caller ID - the question of blocking, the question of deployment.

In our state, we currently have legislation going through the Legislature authorizing caller ID. It currently is perceived to be a "trap and trace," and the phone companies are pursuing legislation to authorize it. The commission has announced publicly that it will not approve any caller-ID tariffs unless they allow the caller to block display of the number on both a per-call or per-line basis, free, at the discretion of the customer. [applause] That is an approach I think you will actually see spread as people start to realize what the caller-ID technology does.

Some other commissions are also taking some important steps. The Colorado commission is looking at some rules on the use of utility information. Utilities know more about you than just about anyone. And how that information, personal information, is used and disseminated outside the utility is very important. So I'd also suggest looking at those types of rules.

The most important thing, I think, is educating the policymakers, and that's a role that folks here can play. We went on the road for caller-ID hearings around the state, and we found the level of education among the public and policymakers was extremely low. Generally, people had a fairly voyeuristic, tabloid definition of privacy. They wanted to know as much as they could about others but wanted to give up nothing about themselves. That's probably not terribly surprising. At a gut level, however, people generally did recognize the privacy interest.

The companies have chosen, to date - at least in Washington state - to pitch caller ID as a way to deal with obscene telephone calls. Legislators tend to be very susceptible to this pitch. They're one of the largest recipients of crank calls. They're in the book, [some laughter] and it's true. I mean we've had more legislators come in and say, "I got crank calls during the campaign. This will help."

They don't perceive the rest of the issue, the marketing issues or the other use of the information.

Our media also suffers from the same _ myopia. One of the papers in our state has written a number of editorials, and generally they're wonderful on technology issues. But this one they missed rather badly. We had a pen-register bill going through at the same time which would have allowed the police to use pen registers in many circumstances. This paper editorialized against that bill, calling it the "jack boots of big brother on the doorstep." [A pen register is a device that attaches to a telephone line and records all numbers called. -JT]

Later they chastised us for ordering blocking of caller ID because this would help with obscene calls. Still later, they editorialized saying, "Well, maybe you ought to deal with this marketing issue and make sure people can't use this data for anything but looking to who's answering the phone" - not even perceiving the issue that that may really gut the service of what it's really intended for.

_ There's a lot of educational work that needs to be done. We also have a number of other proceedings that deal with the downstream use, and one of the reasons I suggest you take a look at the regulatory commission, to get involved, is it is a much easier process in many states for people to get involved. There often are public advocates you can work through.

We operate in a record with public hearings. Our calendars aren't necessarily as compressed as those of the Legislature. So I think it's a place where you can make a difference.

_I'd like to suggest four principles that we are using at the commission as we try to work our way through this issue. And I think they might serve as principles for other policymakers to consider.

The first is recognizing the debate is not really about anonymity but rather it's about confidentiality. In the area of telecommunications, you have really not been anonymous. The phone companies and others have known who you are, they know when you call - not necessarily on a real-time basis. Caller ID changes that. You need to give people protection from the disclosure of that information that is being collected. We don't think you should force a person to have to be anonymous in order to protect their privacy.

The second is that the individual has to control the disclosure. It's the choice of the individual, and we like the analogy of a privilege. When you give information to a lawyer, you control how much information and how far that information goes. But it needs to be the individual who controls how much information is known about them.

Third is fair use, that when you give information for one purpose it shouldn't be used for another purpose without the consent - and that should be active consent, not just passive consent.

And fourth is access to information. There should be no secret systems. You should know what's collected about you, where it resides, and you should have the right to inspect and correct that information. So, thank you. [applause]

JACOBSON: Thank you, Steve. Sorry to hear that my errors of my ways follow me to my new home. The next speaker is Elliot Maxwell from Pacific Telesis Corporation.

MAXWELL: I think some of the other speakers have identified some of the issues that people face. I should say that I speak not for Pacific Telesis but sort of my own views about these things. What's remarkable, it seems to me, in reading the papers that have been submitted and in listening to some of the statements so far is the sort of enormous commonality of certain parts of the principles that were set out for dealing with this kind of information.

But I have a couple of hypotheses about dealing with it that I also want to raise.

One is that, given the pace of technological change, there are new privacy challenges that will emerge. We're not sort of fixed in time or in technology, and the best solution for today's problems may not be apparently the best solution for tomorrow's problems. And _ one of the issues that we have to face is how will this evolve over time, and whether we can establish principles that will be appropriate in the future.

The second, and it's particularly true in the field of telecommunications, is that the growing diversity and number of participants in the telecommunications and information industries make it difficult to have simple or specific rules that are consistently useful across all situations and appropriately applicable to all players.

That point, I think, goes to the question about what _ [is] the best mechanism for dealing with these issues. _ I remain curiously optimistic about ways of dealing with this. There are appropriate roles for the legislator, there are appropriate roles for the courts, for the executive branch, for regulators, individual companies, industry groups and other interested parties.

But all of them have particular interests and particular procedural issues associated with them that make it important for you to try to figure out which one would be the best vehicle for a particular problem.

As Bill points out, in the Legislature in California there was _ a lot of activity over the last ten years about privacy, some of which has a kind of continuing applicability and has set the tone for the way people deal with information in the telecommunications and information industry.

But it is episodic. That doesn't strike me as unusual if one looks at any kind of legislative activity. They tend to be episodic and there's not this sort of over-arching piece that responds to problems. And when you are successful in identifying these problems, the legislatures act. And that is a way of saying what the baseline values of the society are.

Jerry, in his opening remarks, said, "Listen, you have to make your views known because it's not a question of the reasonable expectation of privacy, it's the expectation that you want the society to have of privacy, and the Legislature tends to state that."

Courts will act on particular disputes. The executive branch will make its views known. Regulators, in the case of telecommunications, examine these issues and will continue to do that. But they're limited in their jurisdiction, and they're limited in whom they're empowered to act upon and they're limited in what they can in fact do, either with the firms that are regulated, or with other people who are entering into the field of, in this case, telecommunications.

Industry groups are places in which people can act and can make, sort of, industries aware. And one of the reasons I'm optimistic about these activities is, in fact, sometimes companies learn things. Pacific Bell was involved in an incident some time ago in which there was a proposal to rent a list of customers. There was a lot of concern raised about that. What it did was to say, to Pacific Bell, we don't want that to happen. We have certain expectations about how you deal with information about us. And, in fact, what happened is that the policy was changed at Pacific Bell, and it, I think, learned _ more about what its relationship was with customers and what it should be in the future.

There's a question that I think will be important for us to address over time, and that is: Is there a way of establishing a kind of over-arching set of principles which will be appropriate over a longer term than simply a particular incident around a service or a new technology, but will be sort of able to sustain us over time? And I'm pleased about the convergence that's demonstrated in the papers and what's been talked about so far.

One of the things that I think we will need to look at, as our views about privacy evolve, as the technology evolves, as we seek to change people's expectation about privacy, is that privacy is one of the factors that will be involved in balancing different kinds of issues, and not the only factor.

This conference is a conference about trying to elevate the importance of that factor, I think. But we will have to try to struggle with the privacy interests of various parties in various kinds of interchanges, and with the costs and gains from trying to affect the privacy role. And I'm hopeful that we can continue the kinds of discussions that have happened so far in doing that, and find a mechanism where that can be extended over time for these kinds of interchanges and for better understanding of all the parties about interests of privacy and service development. Thank you. [applause]

JACOBSON: Before I introduce our last speaker, I want to reflect on something before I forget it, which I think you may be noticing - which is the unfortunate disjunction between this morning's panels (which dealt with what's a crime and what's not a crime and how do we prosecute crime and how do we prevent criminal prosecutors from getting out of hand) and the whole notion of extending this sphere of personal freedom (which is really the way that we've typified most of the legislative arguments today). It's rather curious, and I think something that needs to be repaired.

The last speaker is Paul Bernstein, and he's going to talk about the grass-roots position on legislation and regulation. Then we'll take questions.

BERNSTEIN: Thank you, Bob. I run a one-line electronic-bulletin-board system in Chicago, the first board run by an attorney anywhere in the world that I'm aware of. And [I] also run an on-line system, so come to this with a number of disciplines.

We live in unbelievable times, in my opinion. The world has gotten smaller, and all of a sudden we have participatory democracy almost here. My personal belief is that there should be no compromise with our rights to privacy. We do need legislation in certain areas but I think one of the things that ought to be done is that the legislators, the committees, the people involved with these processes, should use the mediums that exist - the electronic-bulletin-board systems, the Internets, the WELLs, the Prodigies, whatever capabilities exist - to get the word out and to give all of us an opportunity to participate in the development of the issues, to discuss the problems and to help fashion the laws.

The medium is here to do it and there's no reason that we can't do it. In case government or large corporations think we the people don't have power, one need look only to last week or so, with Lotus Development and Equifax withdrawing their CD-ROM-based product [Lotus MarketPlace]. _From what I saw, [it was] the bulletin-board community and the on-line world that caused the withdrawal, because all of us said to each other, "Send in your name and request that you be taken off that CD-ROM product," something I'm not sure how they would do once, let alone 30,000 times.

We do have power, and one of the things I would like to get across as my part of this program is to ask the indulgence of the legislators, be they at the state level and particularly at the federal level, to reach out and start to communicate with those of us who are out there on the frontier, dodging the arrows, taking the chances, planting new seeds and plowing new ground. We're taking certain risks, but we like to minimize them.

Let's talk about a number of problems and how we might minimize them. And I want to draw a quick parallel that I really don't have too much time to talk about. But think about the Motion Picture Association of America [MPAA], the great rating system that talks about X-rated films and R-rated films, and whatever else they do. That organization was created to protect the motion-picture industry from censorship and government regulation. And, by God, it worked. Whether we like it or not, it worked.

I think there's an opportunity, particularly with Mr. Kapor's leadership and the Electronic Frontier Foundation, and many things that are going on where we, the people - those of us who are involved, whether you're 13 or 10 or 92 - have an opportunity to forge rules of conduct, to forge what will be the proper custom and usage in all the things we do, and I'll address myself to a very few of them.

Perhaps we can, as the MPAA did, cause those customs and usages and those methods and methodology to rise to a level where, when we're confronted in court and cite our codes and cite our regulations and cite what is generally agreed upon by the user community, that they may have the full force and effect of law. And the MPAA has done that very, very effectively.

I want to mention a few concerns of sysops [bulletin-board system operators] that have not been addressed. Jerry Berman and I served on a committee at the John Marshall Law School in Chicago in 1985. And these issues still remain dormant and, I suggest, yell out for immediate legislative action.

Defamation of character: I put up a message on my bulletin board that defames whoever, clearly defamatory. It's ported by somebody else to the WELL. Through the WELL it gets on to the Internet. Are we publishers like newspapers and magazines? Well, if all of us are, then we're all guilty of publishing defamatory information and we're all going to get hit with a lawsuit and we may all be liable.

What about copyright infringement? Somebody uploads Lotus 1- 2-3 on my board and I don't look at anything and it's ported all over. Am I liable for copyright infringement? Some of us think we might be.

Obscenity: [I] won't dwell [on] some of the recent events there, but [if] there are obscene things on my board am I going to get closed down?

Viruses: Product liability law in this country says that if you're in the stream of commerce and food is defective or medicine is defective or whatever that you can be sued whether you were the one who contaminated it or whatever. Are we going to be in the stream of commerce from a product-liability standpoint, so if somebody downloads a virus from my board I'm going to get sued as well?

All these things and more, which I don't have time to get into, [cry] out for legislative action or a code of responsibility.

Now, last point - and I'll go a little bit over because everybody else has gone a lot over, so I can go a little over I guess - [some laughter] we are the masters of this medium. One of the questions [that] pervades this whole program is [that] this is a fantastic and wonderful program that we're all participating in [but] what's going to happen Thursday at 5 o'clock?

Are we all going to wait 'til next year, this time, to take up these issues and talk again? The answer should be that starting Thursday night we should have worked out the mechanics so that all of us, and _ all of those who could not be here today, have an opportunity to communicate by electronic mail and teleconferencing by selecting one or more on-line systems to participate in this program.

And, if I may, another hat I wear is I'm a member of the Electronic Networking Association. Some of us may want to talk to Margaret Chambers. The Electronic Networking Association, ENA, lives and has its proceedings in this virtual community. And in my opinion, although Margaret would be a better judge of that than I am, [it] is ready, willing and able to provide the methods and methodology to host conferences. Because what I want to do is be able to talk to all of these gentlemen, and all of you, starting this coming weekend, about all of these issues [so] the wonderful momentum that we've built up or are now building up in these few days will continue and so that we can be a part of this program, so that we can be effective, so that our voices can be heard, and so that what happens reflects the input and attitudes and concerns of all of us, not just some of us. Thank you. [applause]


JACOBSON: _ We're going to take questions. Before I do I want to say there's one group that's not here, some of the staunchest advocates of privacy rights. Those are people who represent abused women and people who are victims of gender crimes. I think it's a shame they're not here.

There are reasons for it, having to do with the financing of the conference. I hope we can take steps next year to prevent that from happening. Because they're the ones who are at all the commission hearings and at all the committee hearings. It's not all the intellectuals. [applause] Let's go on to some questions. The panel decided they'd prefer not to take written questions. They would like to have a dialogue with the people who have questions to ask. So, if you'll divvy yourselves up amongst the three mikes, _ we'll go down the order as _ the last panel did. John.

JOHN GILMORE: Actually _ I had three questions. Maybe I could go in rotation here, with some other people. The first question is about the Assembly Bill 1168. I guess - are you the right person? _ Bill Julian _ OK. I read over the bill. _ Looks to me like it defines a list of types of people or companies who are allowed to collect information about people, and it doesn't allow any other member of the general public to collect information. And from reading the bill, it looks like things like voting records of politicians, newspaper clipping files and things like that are things that ordinary people like me, or a political organization or whatever, are not allowed to keep, under that bill.

BILL JULIAN: No, I think there's a long list of entities which are exempt from the requirements of the bill. Those entities are entities which are covered by other privacy laws, more specific privacy laws, or who were successful, in the process that we went through in 1987-88, in convincing Assemblywoman Moore that they had a particular need to be free of the _ overall requirements.

The bill is not a restriction on anyone's ability to compile public information, voting records, newspaper clippings, whatever. _ And the bill is not a restriction on anyone's power either to collect it or to disseminate it. What it does is to give persons who are the subject of files the right to know that the file exists, through a notice process, and the right to impact the accuracy of the information in the file.

GILMORE: So if I collect the voting records of a politician, say from newspaper reports, I have to send in letters to the politician saying I'm collecting your voting record now?

JULIAN: No. If you disseminate it on a commercial basis, then you would, yes. But not if you're_.

JACOBSON: Let me be more precise about this since I wrote the bill. Bill's trying to fill in for me, and, you know, he's coming to it somewhat new. The bill specifies explicitly these are commercial transactions and data. And they're commercial transactions for which there is a price paid to a third party for the transaction and data.

The idea was to provide you with a data audit, just like we spoke about yesterday. And annually you would be notified of information about you that had been collected, in one of several ways which are specified in the bill, and you would then be able to go and check that data for accuracy if you so desired. I don't think that "voting records of politicians" is one of the things that would be specified in that bill.

GILMORE: It said anything you could use to judge the character of someone.

JACOBSON: No, that's _ an incomplete reading of the bill. It is, I know, because I've gone over it about a thousand times. The second mike?

BRETT GLASS: What's the most effective way for us as individuals to fight against the commercial interests who would love to have everything about us be public so they can categorize us and collect us and do all sorts of things with us? Somebody already mentioned that _ the idea that caller ID is the only way to prevent obscene phone calls is a bit of a fraud. And people are - and commercial interests are - promoting this and saying, "Wow, you can get rid of your obscene phone calls," so that _ they can collect information on us and get our phone numbers.

Another example is Equifax and other organizations like that which _ are only restrained from revealing information about us if it's part of a credit report. But they can still give it away for direct marketing and everything else. What can we do to keep them from defeating legislation and otherwise keep us from being able to assert our rights?

BERMAN: I think part of the answer [with] Equifax _ was citizen action and, as [has] been pointed out, largely by people through the network reaching Equifax. I think that there is a powerful tool here, but it's used episodically. _ There's no systematic organizing _ of a lobby which stands for certain principles on the frontier and which watchdogs state legislatures and federal legislatures to keep track of bills - [to] make sure that you get to see them - and regulatory proceedings.

And you have a network to inform me that caller ID is coming down and the PUC is meeting in this state and this state and this state, and that you gotta get there. And you can trade testimony back and forth over this net. I mean it's a wonderful tool. It has to be, but there's gotta be an organizing center to it that pulls it together and helps to network it.

GLASS: Do such exist now, or _ are they forming? Should we know about how to get in touch with these organizations? _ What's available now, or do we have to start something?

BERMAN: I do not think there is [a central group]. We're segmented. The ACLU is a constituency organization. CPSR is an organization of computer professionals. The Electronic Frontier Foundation, which I'm proud to be on the board of, is thinking about _ where it should go - whether it should become a membership organization. _ But there is no organization that's taking these electronic principles and frontier and putting them together. It doesn't exist. You know that. That's why you're here.

BERNSTEIN: As a trial attorney who has not, admittedly, done an exhaustive and terribly intense research job, I would just make one other observation. It seems that we, all of us here, in thinking about Equifax, Lotus and TRW, assume that there is no "right of privacy" unless there is legislation. Suppose there is a right of privacy that has always existed, that Equifax has violated. Now they've got a record of 120 million people that contains some information about us. Query, you know, is some creative member of Association of Trial Lawyers of America going to file a national class action against Equifax for violating the rights of privacy that a lot of us think we all have?

JACOBSON: Thank you. Can we move on to the third mike?

PETER NEUMANN: OK, Peter Neumann here. I'd like to return to the comment Bill Julian made about trying to put through legislation that would outlaw unauthorized faxes, and point out that there is no concept of authorization required in sending a fax. So that's patently unworkable. It goes back to the comments that Mark Rasch and Ken Rosenblatt and I had before the previous panel, talking about the fact that there was no authorization required in the Internet worm for the send-mail-debug option, the "finger" use [allows net users to identify users on other systems], the dot-R host, and the copying of an encrypted password file, all of which require no authorization. My question is, is there not some mileage to be gotten out of the intent rather than in continuing to try and belabor this point of making _ misuse of authorization illegal when there is no authorization required?

JULIAN: The argument of the persons who supported that legislation was that fax is unlike other involuntary communications because it involves use of the receiving party's paper and time. That made it different _ from _ unsolicited telephone communications or unsolicited mail communications.

There were discussions about _ permitting a one-page faxed request, which could be returned to the sender, which would constitute a form of formal authorization. In the wisdom of the Legislature that approach, which would have permitted a form of authorization, was not adopted and the approach that was adopted - and which was vetoed by the governor - was simply to forbid the sending of an unauthorized fax of even one page.

There are other ways of _ obtaining authorization. You can call the person up, you can send them a letter and say I want to fax you material, etc. And that apparently was sufficient in the mind of the legislators who passed the bill.

JACOBSON: It's not uncommon in any one year of the Legislature to have 200 conflicting bills passed, in which the intents are quite opposite and the language may be completely incompatible. But it's a big place and lots of things go on simultaneously. It's not a bill that we were actually carrying so then we can't speak to what its full intent was. But you should understand the fact that most of the legislation that goes through is representative [of] interests other than the small person. Yeah.

MELANIE WOLF-GREENBERG: This is directed to Paul Bernstein. How can you say that we live or almost live in a participatory democracy when only a small minority of the population are computer literate and have access to computer and electronic technology?

BERNSTEIN: It certainly hasn't totally arrived yet, but we've come a heck of a long way. Again, I'm submitting that if the bulletin-board and on-line community can have the overwhelming results that it has had with the Lotus Marketplace product and with the FCC when they wanted to raise modem-user's rates, and there are other notable examples in Illinois._ Illinois Bell wanted to raise the rates that modem users would pay and it was the on-line community that forced them to back down with massive outrage and massive faxes and massive attendance at meetings.

We are getting there. As the hardware prices keep coming down, as the software for telecommunications gets much easier, and as the likes of Prodigy and CompuServe keep hitting all of us on national TV with these wonderful national ads that tell us that we can't live without them, it is expanding the universe. _ And I can't predict when it's going to happen - whether it's two years or ten years away - but I think we're getting very close to the point where the on-line community, instead of being ignored as citizens of the world and of this country, [is] collectively going to have such a fast and efficient means of communication and to determine how we think and what we want to say and agree on it and come out in force.

We may not be there today. If I said that then I would happily be corrected by your question. But I think we are rapidly approaching that day and we're going to be a force and are a force to be reckoned with.

BERMAN: I think the woman's point is appropriate. I think that _ while there's a lot of talk about privacy, and privacy is part of the legislative package, there are lots of other principles _ that have to be out here on the electronic frontier.

And the core has to be to make this technology accessible to the citizens at large. That's why I focus on the First Amendment side and the need to link this data network and expand this constituency. That has to be the public-policy goal, or we're going to have a society of ins and outs.

This is a _ "haves" audience. And if it stays segmented this way, and _ becomes an association only thinking about its own interests on the frontier and doesn't broaden that to the community at large, we will lose the Equifax fights and we will lose control over this frontier. Because we will not have the constituency or the power or the vision to make it a democratic end. Thank you. [applause]

McLELLAN: I _ agree with Jerry. I just wanted to say in the short term the participatory democracy isn't necessary to influence these issues. The interest-group democracy, using the tools to organize these groups as interest groups with effective means of participation, is already there and we've already seen it. When the FCC was considering access charges, they almost got shut down by the number of complaints being generated over the net.

Tom Mandel yesterday, you'll remember, talked about how _ this essentially gives people a huge lever for a fairly small number of folks to communicate and network instantly. It changes the nature of political organizing. And those who recognize that can prosper in the political environment.

So I think that's where people need to get comfortable with these tools and begin to network. You look at groups like EcoNet and PeaceNet. Up in Olympia, Washington, where I am, the influence of those national groups is enormous, because there are activists in the community who spend their time, get off their butt, go to their computer, download stuff and disseminate it through the community. So I think that the move toward participatory democracy has real appeal. But in order to be effective in the current political environment there are tools that are already available.

MAXWELL: I wanted to add on to something that Jerry said. In California, there was a task force that was brought together called the Intelligent Network Task Force, which tried to look at what was going to be required in terms of network services for people who are not presently in the "have" community. [It was] largely made up of public-interest activists who said, "These are the kinds of things that we will need to be thinking about in terms of planning for network services and planning for an environment in the future in which people are not excluded because they fail to have access to electronic tools." For people who are interested in getting a copy of that _ my address is in the program. It's kind of interesting to have that vision at the same time people are thinking about how the tools can be used now.

JACOBSON: The apocryphal figure is that point-seven percent [0.7% or .007] of the populous contacts the Legislature over its lifetime. Point- seven percent. And you better get your sword sharpened because - one thing yesterday just reminded me of this - the whole question of organization: I've never heard such BS [thumps podium] as the stuff by John Baker about, "Put forward a presentation and we'll consider it." I mean we've put forward presentations and they were considered [and] roundly defeated. They didn't get serious consideration ever. If you're not organized the debate is not balanced; there will not be action. Second mike.

AUDIENCE MEMBER: _ What is _ Senator Leahy's _ bill? What's the number of it?

SCHIFFRIES: I'm not sure. I've mentioned several pieces of legislation. The FOIA bill has not yet been introduced so there's no bill number. And the same is true for the Computer Fraud and Abuse Act. There's a number for the last Congress, that's S 2476, but it will be reintroduced with a new bill number in the current Congress. _

AUDIENCE MEMBER: I'd like to address this to Paul Bernstein, and I'm afraid that you inadvertently left a time bomb in your last statement as regards to your movie-ratings reference. You see, in the 1920s or '30s, I believe, there was a certain powerful special interest group in the United States that had certain opinions on politics, sexual behavior and which drugs are OK to use. A commission called the Hayes Commission, I believe it was, was formed to censor movies.

So, you know, you had to be in separate beds if you were married, or have one leg out and that kind of thing. And the ratings board that is now in place was an attempt, I believe, to get an end-run around that kind of censorship. It ended up basically just branding adult material as pornography. And that is a problem that the rating system really has. So I think that the rating system has actually _ been able to avoid the real confrontation of free speech and its implications. And that has to be confronted in maybe a different way than that. _

Can't you see that as being the end _ problem? Do you want _ to have an X-rated or lefties-only bulletin board? You see, do you want us being branded like that? Because movies were being branded. This is the problem we're having with the rating system as it is.

BERNSTEIN: I'm an expert on the MPAA because I sued them about 25 years ago and lost so quickly in the circuit court of appeals in Chicago it was unbelievable. What I found in that experience was that their trade association, which is what I would call it, was able to do for themselves remarkable things. Whether you like it or don't like it, they were able to do things for their own constituency.

The only parallel I was drawing and would continue to draw is that I don't believe, with all due respect to all the panelists and all we've heard, that the governmental institutions or the telephone companies of the world are going to look out for my best interests, or your best interests.

And we have the means and capability of associating together, formulating our own rules and regulations. And I think if we can effectively do that in sufficient numbers, and establish custom and usage in our own industry - and I'm not talking about any improper purposes or whether I'm for or against pornographic pictures floating around the cyberspace. But I think if we can effectively do that, then we have an opportunity to be the masters of our own destiny. And I think that's important.

JOHN GILMORE: All right, this is a combination question for Steve McLellan and Elliot Maxwell, and it's about the conflict between anonymity and confidentiality. I think Steve said _ that _ he's learned that the issue is not anonymity, it's confidentiality. But he also said the individual should control how far the information goes. And the question to Steve is, "Why can't the individual decide that the information does not go beyond their own head? Why can they not be anonymous?"

Now the end for Elliot is, "Why doesn't the phone company offer anonymous access to the phone network?" I've actually tried to get telephones and ended up being sent off to the, quote, "Positive ID Bureau," unquote, so that they could check my IDs before they would offer me phone service.

McLELLAN: I saw you shaking your head vigorously as I mentioned that, in the audience. And I don't disagree. I mean we do say it should be the individual's choice. I don't think you want to posit that as a matter of public policy the individual has to choose to be anonymous in order to protect their privacy. A lot of times the advocacy we'll hear about caller ID, is that if _ people want to protect their privacy and be anonymous they can go to a pay phone, or they can do something like that.

I don't think that's a reasonable imposition to put on people in order to participate in society. I mean you could be anonymous in your financial transactions if you always chose to pay cash. Or if we had a good cryptographic system I suppose that might solve the problem as well.

But I'm not sure that as a matter of public policy you want to require people to be anonymous in order to protect their privacy. That doesn't mean that necessarily you can't get people who choose to remain anonymous for that higher level of privacy, that choice.

But I just don't think that you should say as a general matter of course that you basically have to drop out of transactions in order to be anonymous. Now maybe some technological solutions will help that. That's just the dilemma as I see it right now, as it's started to pose itself. And maybe Elliot can talk about why technologically [that] can or can't work.

MAXWELL: Well, I think _ that the first issue about whether you can be anonymous sort of runs up against a kind of baseline issue, which is eventually the commercial entity with which you're having a transaction would like to be able to bill you. Now _ if you want to change your name to X and they can bill you as Mr. X that's perfectly fine.

The question is whether _ the blurring of the issue between anonymity and confidentiality was simply to let people know that, in fact, for billing purposes people had to be able to identify some person or some entity which would be responsible for paying for a service. Now there one can imagine a situation in which one can use public-key cryptography to establish all these things. And that's something that may in fact occur in the future.

At the moment, with 14-million access lines in California, the phone company was not, I think, probably oriented toward establishing a system to deal with the desire for anonymity of individuals and it would, in fact, establish a commercial relationship with people.

BERNSTEIN: I think, if I can interject, here's a good example where _ the interaction between people who know the technology and people who are dealing with these important legal and social issues is absolutely vital. Some of the teleconferencing software that exists today in the market allows you to take on an anonymous name.

Now that has nothing to do with billing. You know, the _ people who run the system still know who you are, and if it's a per-minute or per- hour system they know how to charge you. But I can come on with whatever name I want, and there's a legitimate purpose served in many instances of my being able to remain anonymous.

For example, one quick, easy one, is if my boss, whether it's a private network or he's participating in conference on the WELL, is talking about company policy and I violently disagree. If I am not anonymous, I may choose to say nothing and my contribution never is there. If I can be anonymous and still be billed by the WELL for my time on-line, then there's a valid purpose to my being able to have anonymity. And I think part of the perception on the part of government is if you want to be anonymous you must be a crook, you must be evil, you must have criminal intent, and it's furthest from the truth.

GILMORE: In my particular case with the phone company, I was buying a leased line with absolutely fixed charges, paid every month in advance. So there's no case in which I could get service out of them that wasn't already paid for, since if I didn't pay a given month they could just shut the line off. But they weren't set up to handle that. They had already made this trade-off that said, "We will offer you confidentiality by _ letting you have unlisted numbers or whatever, but we _ trade against that that you cannot be anonymous." And I don't think that's a trade that should be forced on people.

JACOBSON: I don't think Elliot is going to respond differently the second time than he did the first. That's their policy, and it's an issue for regulation, of course. Evan, at the second mike.

EVAN HENDRICKS [Privacy Times]: Just a quick reminder. We're talking about not having an organization that can effectively advocate better privacy protection. This afternoon, we are going to _ discuss the formation of the U.S. Privacy Council, to be the first organization that's dedicated to privacy as its sole purpose and mission, and I invite people who want to be a part of that organization [to attend] - and be part of, I think, an historic effort.

The purpose will be to advocate stronger legal protections and follow campaigns like the Lotus Marketplace campaigns on the industry side.

JACOBSON: I have a question, Evan, in that regard, because I know the panelists have the same question: How do you _ restrict entry to a privacy conference that has a specific lobbying goal when in fact people here have total antithetical goals to it, too, and will want to be part of your organization?

HENDRICKS: Well, I think you have to base it on principles. That's one of the things we'll be here to discuss. But the purpose of the organization is to be an advocate, and those people who want to be an advocate for the stronger legal protections that we need will be invited to participate, and we'll be throwing out the principles that that will be based upon.

TED NELSON [Xanadu Project]: First a comment and then I will questionize it after the manner of the game of Jeopardy. I am mystified by the obsession of this conference with staying off mailing lists, which seems to me the least important issue of privacy and freedom. [applause] I'm especially concerned with the right of freedom of speech and the right of the free press, which we have always had in this country.

The things I am hearing proposed as legislation, whose intent seems to be so people can keep off mailing lists, seem extremely threatening to the right of free speech and publication. Specifically I can now, using a [copy] machine, publish anything I like with any names in it, making any allegations I choose, taking of course the risks of defamation, libel and all of those sorts of things as a publisher.

But if I make these notes electronically, it sounds as if, suddenly, I have to send out verification notices to all these people and get into all sorts of strange chains [of] counter evidence and argument, whereas in fact, under the First Amendment as I understand it, their right is to rebut under charges of libel. Now this is a very strange restriction because as we move into the electronic world publication will no longer mean paper. It will mean deposit of documents. So my question is, "What does the panel think?" [laughter and applause]

JACOBSON: I'll call on Bill with the proviso that none of the legislation we talked about does what Ted says it does. OK, Bill?

NELSON: Yes it does.

JACOBSON: Well, actually, it doesn't. If you read the last part, you'll see it doesn't deal with mailing lists at all.

JULIAN: Yeah, _ I think that _ the balancing of privacy and First Amendment free-speech rights goes to the heart of the problem _ of AB 1168, AB 539. The balance that the legislation attempts to strike at this point is not to restrain or to prevent publication but _ to recognize the interest of the subject of the information first in having some degree of control over that information. _ Essentially I think the notion that's involved is that the

electronic data is a piece of the person. It's like a snapshot. It's like an article of their clothing. It's an aspect of their identity. And when it is appropriated for commercial purposes, it moves into a different context. That doesn't mean to say that _ appropriation or publication should be prevented.

But it does say that there is an interest that attaches that at least requires the person whose information is being appropriated and disseminated for commercial purposes know that that is occurring and have an opportunity to correct that information, to make sure that _ what is appropriated and converted to a piece of property is accurate and correct. A restraint_

NELSON: Is a published document a commercial enterprise? And if so, that seems to me in direct confrontation with the notion of freedom of the press.

JULIAN: _ I guess I would say that traditionally there have been restrictions on the ability of the press to appropriate the property of, including the image or the picture of, the subjects of their articles, Paparazzi [an aggressive photographer] cases, etc. That notion _ of converting a piece of a person into an article of property and trading it for commercial purposes is what underlies this notion. So we're not _ just talking about pure speech. We're talking about an appropriation of something that belongs to somebody else - namely their image, their personality - and its sale.

BERMAN: Nowhere _ have I endorsed the idea of commercial sale or control over all secondary uses of information. The ACLU has no such policy on that. We _ would have grave First Amendment concerns because of this. It's one thing when Alan Westin yesterday talked about _ the authorization for commercial use of your name for marketing purposes. And there may be some narrow niche there.

But it's very difficult for me, for example, to figure out the difference between the New York Times, which is a commercial enterprise when it publishes information, and some business use which is also commercial. And if _ the press has to get authorization to print books or to write stories _ based on secondary use of information which is now in the public domain, we will severely undermine the First Amendment. [applause]

JACOBSON: _. Without talking about specific legislation, we anticipated that argument. The California Association of Editorial Writers came up and presented it to us. In fact, there's an exemption for press use of information for legitimate press purposes. That's an established principle in American law. But the point I want to make that underlies what both these people are saying - some of you are shaking your heads this way and some are going that way - [there is] a very fine line for discussion tonight, obviously, between what is freedom for one person and impinging on privacy of another. Did you want to continue with that line of talk?

NELSON: Please. Because what I'm saying is that the very same document I can publish where I list people - who as a literary critic I want to characterize what these people say - or I want to _ give a report on some _ meeting I was at, I can freely use their names in this document if I publish on paper. Now if you're saying that, according to this new doctrine, to capture someone's name electronically is like _ the old doctrine of stealing their soul if you take their picture with a camera, you know, it somehow transforms it into a new realm.

But, in fact, it's the same document word for word. If this is placed in an electronic repository it becomes subject to new laws, and this virtually truncates the possibility of electronic publishing.

BERMAN: I don't think the laws are even written narrowly to cover electronic secondary uses. I mean, the proposal is sometimes much broader. It is secondary uses of personal information about you, about a person. I'm not ruling out that _ the over-commercialization of [the] marketing industry of private information raises privacy and fairness issues that ought to be addressed.

But I, again, come down with you and say that there is a serious problem here when you try to say, for example, "What's legitimate press?" So, I think it's something that needs to be debated, but that the _ paramount value is the First Amendment.

JACOBSON: _ I'd like to ask Jerry a question in that regard, and then we'll finish up here. What is the First Amendment? Because we've heard it referred to as both the freedom of speech and also the right to remain unspoken to, or the right of privacy. Do you want to discuss that?

BERMAN: Well, _ in NAACP v. Alabama, the court recognized - and it hasn't been extended very far - a right of anonymity under the First Amendment, and it was because the government was seizing lists of members of the NAACP. _ It wasn't a commercial seizure of information. _ I think what was at the heart of it was that the purpose of the government was to chill the free exercise of speech. It was a government intrusion, which is the key if the core value of privacy in the United States is against the government. They're the ones who use the information adversely. And so there is a very big distinction between their _ protection of the First Amendment: No law shall be made by government to impinge on the First Amendment rights of citizens - not whether a business or a newspaper or someone else publishes information.

AUDIENCE MEMBER: A very specific question about AB 1168. Some parts of it concern me very deeply. Specifically it refers to personal information, and it says an individual's telephone number " _ if the telephone number is published in a current telephone directory." Does that mean current when you receive the phone number? Current at any time in the future when it may be used?

That wording would essentially put out of business virtually any large database for anybody's business at all because you're not going to be able to check every phone number in the State of California, or anywhere else in the United States continually to see if somebody has removed their name _ and made it unlisted. I find it very, very frightening, the kind of things that are said in this bill. So who wants to respond _ about this bill?

BERMAN: Since he's not going to be able to answer: You're learning about this bill, you care about privacy. I don't know if you live in California but let's assume you do. This bill has been debated for how long? [voice: three years] And you're hearing about it for the first time and you're outraged by its potential impact. And yet, why is it, if you're a privacy advocate or _ a concerned citizen living in a democratic society, with or without a computer, haven't you done something _ about this bill?

JACOBSON: The bill 's been on-line. It was on the WELL, almost word for word, in '87, again in '88. It's been on the Internet. It's been everywhere. I think Jerry underlines the issue this question raises.

AUDIENCE MEMBER: The current phone book is only published once a year, so you only have to check it once a year. Not continually.

JACOBSON: _ This is the hard nitty-gritty of writing law. It's not the romance of cops and robbers, but it's something you shouldn't dismiss too easily. Thank you very much for your time. [applause]

Return to CFP'91 Index page.

Return to the CPSR home page.

Send mail to webmaster.

Archived CPSR Information
Created before October 2004

Sign up for CPSR announcements emails


International Chapters -

> Canada
> Japan
> Peru
> Spain

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
Why did you join CPSR?

Technology must be questioned! And the public and politicians are easily misled.