From: editor@cdt.org (Bob Palacios)
Date: Sat, 8 Jun 1996 15:26:02 +0800
To: cypherpunks@toad.com
Subject: CDT Policy Post 2.23 - Congress/FTC Focus on Online Privacy Issues
Message-ID: <v02140b0badde8519e0ee@[204.157.127.16]>
MIME-Version: 1.0
Content-Type: text/plain


-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 2, Number 23
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 2, Number 23                         June 7, 1996

 CONTENTS: (1) Congress/FTC Focus on Online Privacy Issues - Solutions Differ
           (2) Text of EFF, CDT, PFAW, VTW Letter to Rep. Franks (R-NJ)
                on impact of "Children's Privacy" Bill
           (3) Join Senator Burns Live Online June 11, 10pm ET
           (4) How to Subscribe/Unsubscribe
           (5) About CDT, contacting us

  ** This document may be redistributed freely with this banner in tact **
        Excerpts may be re-posted with permission of <editor@cdt.org>
-----------------------------------------------------------------------------

  ** UPDATE: DECISION IS NEAR IN FIGHT TO SAVE FREE SPEECH ONLINE **

  An announcement from the Court is expected any time. Be sure to visit
     http://www.cdt.org/ciec/ for the latest news and information!

-----------------------------------------------------------------------------
(1) CONGRESS/FTC FOCUS ON ONLINE PRIVACY - OFFER DIVERGENT SOLUTIONS

The increasing use of the Internet by children, combined with the ease of
collecting personal information online, raise serious privacy issues.
However, while there is broad consensus on the goal of giving people more
control over the collection and use of personal information online, some of
the solutions being offered may have far-reaching, though perhaps
inadvertent, impact on the free flow of information in interactive media.

Over the past several months, concerns about the availability and use of
personal information in the online world, particularly with respect to the
collection and use of information about children, have prompted the
Congress and the Federal Trade Commission (FTC) to seriously consider this
important issue.

The approaches to this issue fall broadly into two distinct categories:

* Create Criminal Penalties For The Collection And Use Of Personal
  Information About Kids Without Parental Consent.

* Encourage The Development And Use Of Technologies That Enable Users
  and Parents To Limit The Amount Of Personal Information They and Their
  Children Reveal Online.

Legislation designed to restrict the collection and use of personal
information about children without parental consent was recently introduced
by Rep Bob Franks (R-NJ). The bill has sparked concerns from cyber-rights
advocates that it may end up increasing the collection of personal
information online and result in restrictions on the free flow of
information (see the attached letter from EFF, People for the American Way
Action Fund, VTW, and CDT below).

Recent hearings before the FTC emphasized the broad consensus about the need
to give individuals more control over the collection and use of personal
information. The FTC hearings highlighted the availability of technologies
which empower users and parents to exercise more control over the collection
and use of such information, and the possibility that existing methods,
including the PICS standards, can be enhanced to enable users to express
preferences about how and to what extent they are willing to have personal
information reused (although much work needs to be done before this is fully
implemented).

In addition, Rep. Ed Markey (D-MA), a long time champion of privacy issues,
told the FTC panel that he would like to encourage the development of
technologies that enable users to control the amount of personal
information they reveal online. Markey also emphasized that Congress should
consider legislation in this area if such technologies are not developed or
are not effective.  Markey told the FTC:

 "We should see if there are technological tools that can empower
  consumers. Where they don't exist, or where a particular industry
  refuses to embrace this code of electronic ethics in a way that solves
  this problem, then the government is obliged to step in and do
  something."

Markey also announced that he intends to introduce legislation soon to give
consumers the right to know that information is being collected about them,
notice that personal information may be reused or sold, and the right to
say "no" to the reuse or sale of their personal information.  Markey's
legislation would also commission a study of existing online privacy
practices (The full text of Rep. Markey's statement is available at CDT's
privacy issues web page URL below.)

The FTC hearings illustrated that there is broad concern about the
collection and use of personal information online. There was also great
substantial support expressed for technological solutions to address this
issue.  As a result, the FTC has requested that the industry report back to
the Commission in 6 months on progress towards developing technologies that
enhance user control over the collection and use of personal information
online.

CDT is encouraged that Congress and the FTC have taken such strong interest
in the issue of online privacy, and we look forward to working with all
interested parties to ensure that solutions give users control over the
collection and use of personal information and do not adversely affect the
free flow of information online.

More information, including CDT's testimony before the FTC panel and Rep.
Markey's statement, and a demonstration illustrating the amount of personal
information collected during the normal course of surfing the Web, can be
found at CDT's Privacy Issues page:

   http://www.cdt.org/privacy/

-----------------------------------------------------------------------

(2) Letter from EFF, PFAW Action Fund, VTW & CDT to Rep. Bob Franks
    Regarding "Children's Privacy" (HR 3508) Bill

The following letter was sent last week to Representative Bob Franks (R-NJ)
regarding the "Children's Privacy Protection and Parental Empowerment Act"
(HR 3508) from the Electronic Frontier Foundation, People for the American
Way Action Fund, the Voters Telecommunications Watch, and the Center for
Democracy and Technology.

Among other things, the groups expressed concern that, as currently
drafted, the bill raises some of the same privacy and free flow of
information issues raised by the Exon/Coats "Communications Decency Act" to
the extent that it is extremely difficult to know whether or not a person
visiting a web site is or is not a child without requiring all visitors to
identify themselves.

While commending Rep. Franks for his efforts and expressing support for the
goal of his legislation, the letter outlines several concerns about the
impact of the bill on the Internet.  The groups pledged to work with Rep.
Franks and other interested members of Congress to explore technological
solutions which empower users and parents to control the use of personal
information and preserve the free flow of information.

The Franks bill enjoys broad support from a number of conservative
"pro-family" groups such as the Christian Coalition, Enough Is Enough!, and
the National Law Center for Children and Families, as well as privacy
groups such as EPIC, Privacy Times Publisher Evan Hendricks and Privacy
Journal Publisher Robert Ellis Smith.

The text of HR 3508 is available at: http://www.cdt.org/privacy/children/

The full text of the letter from EFF, PFAW Action Fund, VTW and CDT follows:

----------
June 4, 1996

Representative Bob Franks
429 Cannon House Office Building
Washington, DC 20515

Dear Representative Franks:

We are writing to commend your efforts to protect children's privacy.
We are pleased that you have begun a process to put these important issues
at the center of the political debate. We believe, however, that the
solutions recommended in your bill, -- the "Children's Privacy Protection
and Parental Empowerment Act" (HR 3508) -- particularly as they relate to
the exchange of information on the Internet, will not only increase the
collection of information about children in certain circumstances but will
also criminalize behavior in a vast array of unintended situations, thereby
compromising the free flow of information online.

With the rising popularity of the Internet and commercial online
services, concerns regarding the vulnerabilities of unsupervised children's
activities online must be addressed. Indeed, although the Internet offers
children unprecedented and important new educational and recreational
opportunities, the medium also may offer access to inappropriate material,
or exposure to unfair marketing or information collection practices.
 Solutions to these problems must be carefully analyzed and should take into
account both the unique nature of the Internet, as well as the multitude of
First Amendment and privacy rights at stake for all who seek to read,
communicate, and associate with others in the online environment. In fact,
the Federal Trade Commission (FTC), whose responsibility it is to police the
existence and proliferation of unfair or deceptive advertising and
information practices has scheduled hearings for June 4 and 5 to look at
these very issues as they apply to the Internet.

Because your bill was drafted to apply to all media we are concerned
that its application in the Internet context may lead to unintended
consequences. We ask that you examine, together with the FTC, the unique
qualities of the Internet and the problems that result from regulating
activity at the information publisher or Web site operator end.

In its application to the Internet, the Children's Privacy Protection
and Parental Empowerment Act is both over-inclusive, covering virtually all
who participate in the Internet, and ineffective, in that it leaves
substantial loopholes for those who engage in the behavior at which the bill
is targeted.

The term "personal information," the basic regulatory target of the
bill, is defined in such as way that it may include nothing more than an
electronic mail address which by its nature, gives no indication of the age
or physical location of a user.  Furthermore, the term "list broker," is
drafted to cover any entity which exchanges personal information in the
course of its operation. The vast majority of World Wide Web site operators,
as well as anyone who operates a listserv, mailing list or other information
distribution mechanism, all collect, store, and may well exchange, email
addresses. Then, unless Web site operators obtain parental consent before
collecting information, they risk criminal penalties for violation of
section (a)(4).

The difficulty in compliance is two-fold. First, information providers
on the Internet have no way of distinguishing children from adults.  In
fact, compliance with the bill could well lead to an increase in the
collection of information about children and adults, only compounding
privacy risks. Even with the imposition of an unacceptably intrusive
national ID system (a system that none of us support), it would still be
essentially impossible for an information publisher or Web site operator to
establish the age of the user visiting the providers site. Second, the
requirement to disclose the source of personal information about children to
parents creates unclear new obligations on Internet information providers.
In fact, many of the information providers who would be covered by your
bill do not keep track of the source of their information and thus may not
have the ability to comply with the statute.  Compliance with this section
could well lead to an increase in the overall collection of personal
information about Internet users, thereby compounding privacy risks.

Imposed identification procedures applied to the World Wide Web under
the threat of criminal penalties would limit all Internet users' ability to
read, speak, receive information and interact online under
constitutionally-protected conditions of anonymity. Further, requiring
parental consent in all instances or requiring providers to disclose
information to parents collected from children fails to acknowledge the
distinction between young children and teenagers and their rights under the
Constitution.

Finally, section (a)(6) which criminalizes any distribution or receipt
of personal information where the receiver has knowledge or "reason to
believe that the information will be used to abuse the child or physically
harm the child" is well-intentioned, but potentially so broad as to cover
anyone who receives and discloses personal information about a child. The
bill establishes no clear standard of care or level of knowledge necessary
to meet this requirement, leaving everyone on the Internet in doubt about
whether or not they may be violating this new crime. Schools and
organizations who publish directories as well as newspapers who publish the
identity of a child in a news story could be subject to prosecution because
they had "reason to know" that the information may end up in the possession
of bad actors.

Given all of these difficulties in applying your bill to the Internet,
and given the importance of addressing children's privacy issues, we suggest
that examination of alternatives is in order. Empowering parents to protect
their children's privacy with existing technological tools and fair
information practices by the industry will help ensure that the Internet
continues to grow and thrive for both commercial and noncommercial
endeavors. For example, software already on the market such as Cyberpatrol,
as well as industry-standard technologies such as the Platform for Internet
Content Selection (PICS) enable people -- including parents and their
children -- to restrict access to sites which practice objectionable
marketing and information collection techniques.

At present, PICS technology, along with other innovative products,
allows parents to filter and block-out materials that contain objectionable
content or block access to sites with inappropriate or abusive marketing
practices. Current technology can enable parents to:

* prevent their children from accessing Web sites with inappropriate
  information practices -- as defined by the parent or a consumer or privacy
  organization of the parent's choice;

* prevent their children from revealing personal information such as name,
  address, and e-mail address to others;

* install security measures such as passwords that prevent their child from
  changing rules about Web site access or information disclosure, collection
  and use that the parent has established.

The Internet community is already considering extensions to the PICS
specifications which will enable individual users and parents to block the
transmission of their personal information to Web sites they visit and to
express a preference about how and to what extent they are willing to have
personal information reused. PICS, Cyberpatrol and other technologies can
help eradicate the deceptive and inappropriate practices your bill seeks to
address without compromising the rights of users or content providers.

Several of us have had the opportunity to talk with you and your staff
about this legislation. We appreciate your willingness to discuss these
issues and look forward to working with you in this important area in the
hopes that technological alternatives combined with better industry
practices and much more narrowly crafted legislation will help protect this
nation's children in the online world, consistent with First Amendment and
privacy principles.

Sincerely,

The Center for Democracy and Technology
The Electronic Frontier Foundation
People For the American Way Action Fund
Voters Telecommunications Watch
----------
----------------------------------------------------------------------------
(3) Join Senator Conrad Burns Live Online to Discuss Encryption Policy The
    Night Before His Subcommittee Holds a Hearing On the Issue!

 --> Visit http://www.hotwired.com/wiredside/ for details <--

In what is becoming the newest way for Congress to read the net.community's
opinion on issues, Senator Conrad Burns (R-MT) will be on HotWired on June
11th @ 10pm EST to discuss the encryption issue with all attendees. The
next day, Senator Burns will chair the first of two scheduled hearings on
the encryption issue with industry luminaries.

Never before has the public had this much access to legislators without
geographical proximity.  Cheaper than teleconferencing, and more direct
and unfiltered than the traditional press, online chats allow the public
to directly question and hear the answers of Congress.

Have a question about encryption policy that you've never been able to find
out from the government?  Come to the HotWired chat and ask Senator Burns
to be your advocate to press the witnesses and the White House on these
issues.

The online chat is at 10pm EDT (7pm PDT) on Tuesday June 11, the night
before the first hearing. HotWired's WiredSide chat is at:

     http://www.hotwired.com/wiredside/

Next Tuesday's forum is another in a series of planned events, and is part
of a broader project coordinated by CDT and the Voters Telecommunications
Watch (VTW) designed to bring the Internet Community into the debate and
encourage members of Congress to work with the Net.community on vital
Internet policy issues.

The transcript from last week's discussion with Congressman Rick White is
now available -- for information about the transcript, previous events with
other members of Congress, and upcoming events, please check CDT's newest
Issues Page, "Congress and the Net":

     http://www.cdt.org/net_congress/

------------------------------------------------------------------------
(4) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 9,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts

-----------------------------------------------------------------------
(5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.23                                             6/7/96
-----------------------------------------------------------------------