nren_privacy_testimony.txt

"Proposed Privacy Guidelines for the NREN"

Statement of Marc Rotenberg,
Washington Director
Computer Professionals for Social Responsibility (CPSR)

Open Forum on Library and Information Service's Roles in the
National Research and Education Network (NREN)

National Commission on Libraries and
Information Science (NCLIS)
Washington, DC
July 21, 1992

Thank you for the opportunity to testify today before
the National Commission on Library and Information Science
(NCLIS). My name is Marc Rotenberg and I am the Director of
the Washington Office of Computer Professionals for Social
Responsibility (CPSR). CPSR is a national organization of
professionals in the computing field.
I would like to speak with you about privacy protection
and the future of the NREN. This is item 6 identified in the
NREN research agenda. Richard Civille will speak with you
next about CPSR's work to promote Local Civic Networks.
During the past few years CPSR has coordinated several
national efforts to promote privacy protection for network
communication. From cryptography to Caller ID, we have
sought to ensure that the rapid developments in the
communications infrastructure do not diminish the privacy we
all value. We believe that the future of network
communications depends largely on the ability to make certain
that sufficient privacy protection is available for all users
of the network.
In this effort we have worked closely with the library
community. It became clear to us that library organizations
have a special appreciation for the importance of privacy
protection. For many, privacy is the critical safeguard that
protects intellectual freedom and promotes the open exchange
of information. The American Library Association, the
Association of Research and other library organizations have
all shown their support for privacy protection through codes
of conduct, policy statements, and research conferences.
We have also worked closely with telecommunication
policy makers in the United States and around the world.
The New York state Public Service Commission issued a policy
on telecommunication privacy which set out several principles
for network communications. These recommendations have been
followed in several states. More recently, the Minister of
Communications in Canada issued a series of principles on
communications policy. Meanwhile, the Commission of the
European Communities has put forward a draft directive on
Data Protection in Telecommunications.
The European Commission made a critical point about
future network development. It said that "the effective
protection of personal data and privacy is developing into an
essential precondition for social acceptance of new digital
networks and services." This view is shared by agencies in
other countries that have looked at the implications of
advanced networking services. For example, the Ministry of
Posts and Telecommunications in Japan recently concluded a
study on the protection of personal data in the
telecommunications business and recommended a series of
privacy guidelines to accompany the introduction of new
network services.
In the United States, however, we find ourselves in the
midst of the greatest privacy debate in a generation. In the
absence of a coherent federal policy to protect privacy,
consumers have been left to fend for themselves, and the
response is not encouraging. From Pennsylvania to
California, telephone companies now face widespread and well-
founded consumer opposition to new telephone services. Part
of the reason for this is that there has been little effort
in the United States at the federal level to develop privacy
principles for new network services.
CPSR would like to see an agency in the United States
take on the task of developing and promulgating privacy
principles for network services. We have already recommended
the creation of a data protection board which could, among
other tasks, develop appropriate principles for network
communications. There is a proposal before Congress to
establish such an agency, but it is unclear whether it will be
enacted this year.
Meanwhile, the Federal Communications Commission (FCC)
has been unwilling to address the privacy implications of new
network services. We are also somewhat disappointed that
neither the Computer Science and Technology Board (CSTB) of
the National Research Council nor the Office of Technology
Assessment (OTA) has addressed privacy concerns for network
users. Both the CSTB and the OTA are well qualified to
tackle this problem.
In the interim, NCLIS could take a leadership role, and
help develop and promulgate privacy principles for the
emerging communications infrastructure. It is clearly in the
interest of the library and information science community to
ensure adequate privacy protection, but unless some agency
takes on this responsibility it appears unlikely that the
work will be undertaken.
CPSR believes that it is in the long-term interest of
our country and of computer users around the world to ensure
protection for networked communication. The failure to
develop such policy may impose very high costs on all network
users, and may ultimately reduce greatly the value of the
network to users.
Speaking academically, the absence of adequate
protection for electronic communication is a substantial gap
in NREN policy that should soon be addressed if the full
potential of the infrastructure is to be realized. Speaking
practically, if we don't get some good policy soon, we may
all be buried in a blizzard of electronic junkmail the likes
of which we have never known.
I would like now to make three points about the current
state of privacy protection for NREN, and then propose a
series of principles for privacy protection. These
principles may help "get the ball rolling" and encourage the
development of other initiatives. I hope that NCLIS will
recommend that the Office of Science and Technology Policy
(OSTP) give these principles full consideration.

FINDING 1:
Commercialization of the NREN will exacerbate
existing privacy problems. Without a clear mechanism
to protect privacy, user concerns will increase.
Much of the discussion surrounding the NREN today
focuses on the opportunity to develop commercial services and
to provide network access for private carriers. We do not
oppose efforts to provide commercial services. Clearly, there
is an important opportunity to develop new services and to
offer products through the network. At the same time, it is
apparent that the commercialization of the NREN will create
new pressures on privacy protection.
In the current network environment, made up primarily of
researchers and scientists, there is little incentive or
opportunity to gather personal data, to compile lists, or to
sell personal information. This is likely to change. Once
commercial transactions begin to take place on the net, the
information environment will resemble a hybrid of credit card
and telephone call transactions. Records of individual
purchases will be available and will possess commercial
value. The NREN community will face a whole new set of
privacy issues.
We anticipate that there will be three different types
of privacy problems as the NREN continues to evolve. First,
as commercial organizations become users of the network, they
will gather personal data, and wish to sell lists. The
address files for list servers could be sold, and users may
find themselves "subscribed" to lists they have no interest
in. These activities will raise traditional privacy concerns
about the restrictions on disclosure and secondary use, the
opportunity for users to obtain information held by others,
and the need to minimize the collection of personal
information.
Second, efforts to promote competitiveness in the
delivery of network services may also lead to the disclosure
of network data which will compromise user privacy.
This problem is already apparent in the current rules
for the operation of the telephone network. The Federal
Communications Commission requires telephone companies to
provide records of customer phone calls to other companies so
that competing companies may analyze calling patterns and
sell their services. Large companies objected to the
disclosure of this sensitive information. As a result the
FCC required that telephone companies obtain authorization
before releasing these numbers. But this restriction only
applies to telephone customers with more than 20 lines.
The disclosure of Customer Proprietary Network
Information (CPNI) has already surprised many telephone
customers who now receive calls from companies with whom they
have no prior relationship. These companies are able to
describe the customer's telephone calling habits in great
detail. Users of NREN services are also likely to object to
the disclosure of network information.
The third problem is that law enforcement agencies are
likely to make "greater demands" on communication service
providers to turn over records of electronic communications
to the government and to provide assistance in the execution
of warrants. I say "greater demands" with some reservation
since the recent proposal from the Federal Bureau of
Investigation to require that all communications equipment in
the United States be capable of wiretapping seems about the
greatest demand conceivable. Still, we should anticipate
that the government demands for access to the contents and
records of NREN communications are likely to increase.

FINDING 2:
Current privacy protections are inadequate
Electronic communications are provided some protection
against unlawful interception by the Electronic
Communications Privacy Act (ECPA) of 1986. This law extends
the very important guarantees contained within the 1968
wiretap statute to digital communication and stored
electronic mail. But this protection now appears inadequate.
As a general matter, the wiretap law protects the contents of
an electronic message against unlawful disclosure; it does
not protect the record of the transaction against disclosure.
ECPA also does not appear to protect critical personal
information, such as a person's telephone number, from
improper disclosure. For example, the Calling Number
Identification (CNID) service is probably a violation of the
wiretap statute and clearly a violation of the wiretap law of
several states. Nonetheless, the service has been offered
over the objection of consumer groups, technical experts, and
legal scholars.

FINDING 3:
Technical safeguards provide only a partial
solution
There are some in the network community who believe that
technology will provide a solution to these emerging privacy
problems. New techniques in cryptography provide ways to
protect the contents of an electronic message and even to
protect the identity of the message author. An article that
will appear next month in Scientific American titled
"Achieving Electronic Privacy" describes in more detail how
it may be possible through technical means to recapture some
privacy.
CPSR has supported many efforts to improve technical
means for privacy protection. In fact, CPSR has been one of the
leading proponents of the widespread use of cryptography to
protect electronic communications. We have opposed
restrictions by both the National Security Agency and the
Federal Bureau of Investigation on the use of cryptography.
We have also supported the development of privacy-enhancing
technologies, such as telephone cards which are widely used
in Europe and Japan, and recommended that policy makers
explore technical means to protect information.
Nonetheless, we do not believe that technical safeguards
will provide sufficient protection for networked
communications. Our right of privacy is based on
Constitutional principles and our national history, and
reflects our commitment to certain political ideals. The
protection of privacy is ultimately a policy decision that
must be resolved through our political institutions.
Clearly, technology provides useful developments that we
should incorporate into future networks, but it would be a
mistake to assume that technology alone will provide
sufficient protection.
This point was made two decades ago by former White
House Science Adviser Jerome Wiesner who also served as
president of MIT. In testimony before Congress on the privacy
implications of databanks, Professor Wiesner said:

"There are those who hope new technology can redress
these invasions of personal autonomy that information
technology now makes possible, but I don't share this
hope. To be sure, it is possible and desirable to
provide technical safeguards against unauthorized
access. It is even conceivable that computers could be
programmed to have their memories fade with time and
to eliminate specific identity. Such safeguards are
highly desirable, but the basic safeguards cannot be
provided by new inventions. They must be provided by
the legislative and legal systems of this country. We
must face the need to provide adequate guarantees for
individual privacy."

We believe that the development of NREN privacy policy
should be conducted in this spirit: looking for opportunities
to incorporate technical safeguards while recognizing that
the ultimate decisions are policy-based.

PRIVACY GUIDELINES
Before discussing the proposed privacy principles, I
would like to say a few words about the desirability of
developing these principles. Privacy protection in
electronic environments is a particularly complex policy
problem. There is legal jargon and technical jargon. There
are rapid changes. And there is certainly a wide range of
opinions about how best to achieve privacy, even about what
privacy means.
Privacy principles have helped to clarify goals and to
convey objectives in non-technical terms. Well developed
policies are "technology neutral" and are adaptable as new
technologies emerge. Professional organizations have made
widespread use of such principles for codes of ethics and for
public education.
There are a number of such policies in the privacy realm.
Some of these policies have been extremely influential in the
development of public policy, national law, and international
agreements. For example, the Code of Fair Information
Practices was the basis for the Privacy Act of 1974, the most
extensive privacy law in the United States. The Code was
developed by a special task force created by the Secretary of
Health, Education, and Welfare in 1973. Other codes have
formed the basis for data protection law in Great Britain.
All of these codes seek to establish certain
responsibilities for organizations that collect personal
information, and to create certain rights for individuals.
In developing these telecommunication privacy
guidelines, we examined existing codes and particularly the
principles developed by the Organization for Economic and
Cooperative Development (OECD) in 1981. We also incorporated
several additional principles that we believe are necessary
to protect personal information in communication
environments.
Taken as a whole, the principles are intended to improve
privacy protection for network communications as the NREN
continues to evolve.

RECOMMENDATION 1:
The confidentiality of electronic communications
should be protected.
The primary purpose of a communication network is to
ensure that information can travel between two points without
alteration, interception, or disclosure. A network that
fails to achieve this goal will not serve as a reliable
conduit for information. Therefore the primary goal should
be to guarantee the confidentiality of electronic
communications.

RECOMMENDATION 2:
Privacy considerations must be recognized
explicitly in the provision, use and regulation of
telecommunication services.
The addition of new services to a communications
infrastructure will necessarily raise privacy concerns.
Users should be fully informed about the privacy implications
of these services so that they are able to make appropriate
decisions about the use of services.

RECOMMENDATION 3:
The collection of personal data for
telecommunication services should be limited to the
extent necessary to provide the service.
Users should not be required to disclose personal data
which is not necessary for the rendering of the service. In
particular, the use of the Social Security number should be
avoided. In no instance should it be used as both an
identifier and authenticator.

RECOMMENDATION 4:
Service providers should not disclose information
without the explicit consent of service users.
Service providers should be required to make known
their data collection practices to service users.
Service providers have a responsibility to inform users
about the collection of personal information and to protect
the information against unlawful disclosure. Personally
identifiable information should not be disclosed without the
affirmative consent of the user.

RECOMMENDATION 5:
Users should not be required to pay for routine
privacy protection. Additional costs for privacy
should only be imposed for extraordinary protection.
The premise of the federal wiretap statute is that all
users of the public network are entitled to the same degree
of legal protection against the unlawful disclosure of
electronic communications. This principle should be carried
forward into the emerging network environment. Segmented
levels of privacy protection are also likely to introduce new
transaction costs and create inefficiencies. Where special
charges are imposed for privacy, it should be for "armored
car" service.

RECOMMENDATION 6:
Service providers should be encouraged to explore
technical means to protect privacy.
Service providers should pursue technical means to
protect privacy, particularly where such means may improve
the delivery of service and reduce the risk of privacy loss.

RECOMMENDATION 7:
Appropriate security policies should be developed
to protect network communications
Security is an element of privacy protection but it is
not synonymous with privacy protection. Appropriate security
policies should be put in place to protect privacy. However,
it should be recognized that some security measures may
compromise privacy protection. Network monitoring, for
example, or the collection of detailed audit trail
information will raise substantial privacy concerns.
Therefore, security policies should be designed to serve the
larger goal of privacy protection.

RECOMMENDATION 8:
A mechanism should be established to ensure the
observance of these principles.
Good principles without appropriate oversight and
enforcement are insufficient to protect privacy. This has
been the experience of the United States with the Privacy Act
of 1974 and of the European countries with the OECD
principles of 1981. In both instances, fine principles
lacked sufficient oversight and enforcement mechanisms.

Additional principles may be appropriate and these
principles may well need modification. But we hope that they
will provide a good starting point for a discussion on
communications privacy for the NREN.

[Attachments: "Protecting Privacy," Communications of the
ACM, April 1992; "Communications Privacy: Implications for
Network Design," Proceedings of INET '92, Kobe, Japan]

=============================================================
CPSR Washington Office, 666 Pennsylvania Ave., SE, Suite 303
Washington, DC 20003 202-544-9240 (tel) 202-547-5481 (fax)
rotenberg@washofc.cpsr.org

Archived CPSR Information
Created before October 2004