From: John Young <jya@pipeline.com>
Date: Mon, 28 Apr 1997 05:12:07 -0700 (PDT)
To: cypherpunks@toad.com
Subject: New USG Privacy Initiative
Message-ID: <1.5.4.32.19970428121019.006ea670@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


The Administration has issued today for public comment a 
major new paper on privacy:

"Options for Promoting Privacy on the National Information 
Infrastructure"

Opening paragraphs:

This Options Paper explores the growing public concern 
about personal information privacy. The paper describes 
the status of electronic data protection and fair 
information practices in the United States today, 
beginning with a discussion of the Principles for 
providing and using personal information issued by the 
Information Infrastructure Task Force in 1995. It then 
provides an overview of new information technologies, 
which shows that personal information is currently 
collected, shared, aggregated, and disseminated at a 
rate and to a degree unthinkable just a few years ago. 
Government is no longer the sole possessor of extensive 
amounts of personal information about U.S. citizens; in 
recent years the acquisition of personal information by 
the private sector has increased dramatically.

We next consider in more detail the laws and policies 
affecting information privacy in four specific areas: 
government records, communications, medical records, and 
the consumer market. This examination reveals that 
information privacy policy in the United States consists 
of various laws, regulations and practices, woven together 
to produce privacy protection that varies from sector to 
sector. Sometimes the results make sense, and sometimes 
they do not. The degree of protection accorded to personal 
information may depend on the data delivery mechanism 
rather than on the type of information at issue. Moreover, 
information privacy protection efforts in the United States 
are generally reactive rather than proactive: both the 
public and the private sector adopt policies in response 
to celebrated incidents of nonconsensual disclosure 
involving readily discernable harm. Sometimes this 
approach leaves holes in the fabric of privacy protection.  

We then turn to the core question: in the context of the 
GII, what is the best mechanism to implement fair 
information practices that balance the needs of government, 
commerce, and individuals, keeping in mind both our interest 
in the free flow of information and in the protection of 
information privacy? At one end of the spectrum there is 
support for an entirely market-based response. At the other 
end of the spectrum, we are encouraged to regulate fair 
information practices across all sectors of the economy. 
In between these poles lie a myriad of options. 
 
In response to public concern, both government and private 
industry seem to be taking a harder look at privacy issues. 
As government and consumers become more aware of the GII's 
data collection, analysis and distribution capabilities, 
demand could foster a robust, competitive market for 
privacy protection. This raises the intriguing possibility 
that privacy could emerge as a market commodity in the 
Information Age. We recognize ongoing efforts to enhance 
industry self regulation to carry out the IITF Privacy 
Principles. We also discuss ways this self regulation might 
be enforced, and discuss a number of ways that government 
could facilitate development of a privacy market. 
 
We then consider a number of options that involve creation 
of a federal privacy entity. We discuss some of the many 
forms that such an entity could take and consider the 
advantages and disadvantages of the various choices. We also 
consider the functions that such an entity might perform, 
as well as various options for locating a privacy entity 
within the federal government.  

This paper presents a host of options for government and 
private sector action. Our ultimate goal is to identify 
the means to maintain an optimal balance between personal 
privacy and freedom of information in the digital 
environment. The next step is to receive and respond to 
public comment on the report in order to develop consensus 
regarding the appropriate allocation of public and private 
sector responsibility for implementation of fair 
information practices. 

---------

   http://www.iitf.nist.gov/ipc/privacy.htm  (216K)

We've mirrored it at:

   http://jya.com/privacy.htm