should be available (see p.12, supra, for an explanation of the four different viewpoints represented on the task force). With regard to ANI, the task force recommends enactment of federal legislation or adoption of appropriate FCC rules governing the dissemination of Information by 800 and 900 services. Specifically, such a law or regulation should provide that the telephone number and information derived from ANI should not be disseminated by the 800 or 900 service provider or user without the customer's informed knowledge and ability to prevent use of their number for marketing purposes. Some members of the task force did not support this recommendation. This approach was endorsed by the U.S. Privacy Protection Study Commission in 1977, and has been adopted in Federal legislation such as the Cable Communications Policy Act of 1984 (47 U.S.C. Section 551(c)(2)(C)) and the more recent Video Privacy Protection Act of 1988 (18 U.S.C. Section 2710(b)(2)(D)). It also is similar to the approach endorsed by the FCC for billing for nonadult services offered through 900 numbers. Cf. In re Regulations Concerning Indecent Communications by Telephone, 5 FCC Rcd 4926 (1990). There were some members of the task force who asserted that no use of the ANI data should be made without the affirmative consent of the calling party. Those task force members holding this view believed that an opt-out mechanism is an inadequate privacy safeguard. While all members of the task force agreed that some form of consent was necessary, there was disagreement over whether the consent should be opt-out or optin (affirmative), and what level of information was due to the customers. While enactment of a consent requirement would be a helpful step in giving consumers greater control over the dissemination of personal information, it would not solve the problem of consumer confusion about exactly what personal information is mechanically disclosed when using the telephone or electronic communications service. That problem is, if anything, exacerbated by the availability of call blocking for some services (e.g., Caller I.D.) when it is not available for others (e.g. blocking ANI to an 800 service). Those providing electronic communications services to the public bear a responsibility to adequately inform consumers about how the system works and how they can limit the disclosure and dissemination of personal information. Some members believed that the service provider should advertise that the calling party number information will be mechanically disclosed. Such a policy has been proposed in legislative form in the State of California. Customer prorietary network information Section 2703(c) of ECPA affirmatively permits any provider of electronic communication service or remote computing service to disclose "a record or other information pertaining to a subscriber or customer of such service" to any person other than a governmental entity. This provision specifically does not apply to the content of such communication. A provider may disclose such information to the government only upon receipt of a subpoena, warrant or with the consent of the subscriber or customer. Thus ECPA does not restrict the dissemination of transactional data about subscribers to nongovernmental entities. Section 2703(c) addresses only the release of subscriber information to the government when the government is not the subscriber to the service, but rather a third party. Under this circumstance, for example, a long distance carrier is restricted from providing the government with a list of persons who called an 800 number subscriber. However, when the government operates an "800" service, it may obtain the numbers of the calling parties without subpoena. Further, ECPA does not restrict the 800 number subscriber from releasing transactional information and identification of people who called the subscriber. The Regional Bell Operating Companies (RBOC's), and AT&T are subject to additional rules on the use and marketing of customer information. These rules have been established for competitive rather than privacy protection. The most significant of these rules are the Customer Proprietary Network Information (CPNI) restrictions which arose out of the Computer II and Computer III proceedings at the FCC. Under the FCC's rules, CPNI consists of a customer's service records and billing records. Service records include the customer's name, service location, billing address, telephone number and billing telephone number, and a description of all network services and features and the monthly charge for those services. The billing records are copies of the customer's actual telephone service bills. They include call detail for toll calls and for any local call detail services to which the customer subscribes. They also contain the number of message units a customer is charged, if message units are applicable within the customer's service area, and the number of local calls, if any, for which per-call charges are imposed. The FCC's CPNI regulations require that the RBOC's and AT&T annually notify multi-line business customers of their right to control RBOC/AT&T access to their CPNI for purposes of marketing CPE or enhanced services. In addition, the FCC has adopted regulations regarding an RBOC's use of "aggregated" CPNI (ACPNI). ACPNI includes any aggregated information contained in the regulated company's databases which does not identify an individual customer, which includes restricted records, and which is also not available outside of the company in commercial databases. These rules require the RBOC to make any ACPNI utilized by its enhanced service or customer premises equipment marketing personnel available to enhanced service providers (ESP's) or CPE competitors on equal terms and conditions. CPNI regulations apply only to the seven RBOC's and AT&T (there are no ACPNI requirements for AT&T). They do not apply to any of the more than 1000 independent telephone companies, cellular carriers, interexchange carriers other than AT&T, ESP's or other business concerns involved in telecommunications and information services. The rules were drafted to lessen the competitive advantages of the RBOC's and AT&T as they implemented CPE and enhanced services on an integrated basis. The CPNI rules are inconsistently applied in that they provide differing standards for telephone companies, for enhanced service providers, and for equipment vendors depending on whether the equipment or service is supplied by the RBOC's and AT&T or by any other entity. From a privacy perspective some members of the task force believe these are not meaningful distinctions which justify disparate treatment. New PCN technology could elevate concerns about CPNI. Because PCN allows communication on a roving national and potentially international basis, a CPNI dossier would be all the more invasive. With PCN, an electronic communication service provider could conceivably keep a record of the exact location of both the subscriber and the calling party, in addition to the information that is now collected. With PCN, the electronic communication service provider would know a subscriber's whereabouts at virtually all times, the identity of everyone with whom he communicates by phone (either as called or calling party), his credit history, the information services he utilizes, and the 900 numbers he calls. The task force believes that CPNI-Ike customer Information held by all businesses involves sensitive personal data as well as competitively useful information. Members of the task force representing telephone companies believe that the existing CPNI rules are consistent with the privacy expectations of their customers. Customers expect the firm with which they are already doing business to be knowledgeable about which services they have selected and to keep them Informed of new services. These members are of the opinion that It is not necessary to limit further RBOC/AT&T unregulated affiliate access to CPNI, and point out that larger ESP's have access to vast quantities of customer information from their unrelated businesses and are unrestricted in their ability to use that information. Lastly, they note that, In the event that customers do want to restrict RBOC/AT&T access to their CPNI, the RBOC's and AT&T are obligated to accept and honor such a request. This group believes that no change should be made to the CPNI rules, that the current rules meet customers' expectations of privacy by allowing them to restrict use and release of the CPNI. Other members of the task force were of the view that from a privacy perspective all providers of communications services to the public, whether affiliated or unaffiliated with the RBOC's and AT&T, ought to be required to obtain the consent (see discussion of 800/900 numbers, p. 14, supra) of the telephone subscriber, including residential and single line businesses, before the CPNI about that subscriber Is used for purposes unrelated to telephone service. IV. ELECTRONIC MAIL AND PRIVACY RIGHTS In general, the Electronic Communications Privacy Act is serving well its purpose of providing privacy protection to electronic mail. The task force discussed various recent technical developments and policy issues, but does not suggest any change in the law relating specifically to electronic mail at this time. The issues discussed by the task force include the question of whether the law provides adequate privacy protection in the workplace, issues relating to the interconnection of various electronic mail systems, and the question whether nonpublic electronic mail service providers, such as an employer, should be obligated to give notice to affected users, such as employees, of the fact that the government has requested access to electronic mail files. There has been some controversy, lately, regarding the nature and extent of an employer's duty to respect the privacy of electronic mail sent within the workplace by employees. ECPA does not limit employer access to electronic mail sent in the workplace, for various reasons. First, workplace systems are typically not offered "to the public" and so are not covered by ECPA's prohibitions on disclosure. In addition, electronic mail messages sent in the workplace are sent to and received by employees acting on behalf of the employer, who may therefore have a legal right to consent to access and disclosure. In addition, the employer is typically the provider of the electronic communications service and, as a result, has a general right to set the terms for use, to consent to access and disclosure, to monitor for security purposes, and so forth. The task force recognized that access to employee electronic mail files are part of the larger issues of workplace privacy. The issues are complex but there is no strong justification to treat electronic mail fundamentally differently from many other means of communications and data storage used every day in the office. At the same time, the task force noted that in many circumstances there was a strong privacy interest in the content of an electronic message and that employees are increasingly making use of electronic mail systems that gateway to other users outside of the organization. In general, the terms on which employers can access electronic files will be the subject of policy manuals and employment agreements. In lieu of changes in ECPA at this time, the task force recommended that employers adopt clear policies on the use of electronic mail services and provide clear notice to employees about the circumstances where access to electronic mail may be obtained. Such notice provisions are likely to avoid misunderstandings between employers and employees regarding the appropriate use of the electronic mail service. Where possible, employers are encouraged to adopt basic procedural safeguards before conducting searches of employees' mail files. Such procedures are likely to avoid litigation where an employee feels that he or she has been aggrieved by the search. The growing use of electronic mail in the workplace, and the increasing interconnection between electronic mail systems, does pose a complex issue regarding the coverage of ECPA, however. ECPA's disclosure límitations apply to electronic communications services offered to the "public". As employers connect customers, suppliers, former employees and others, it may become more and more difficult to determine which systems are covered. In addition, messages originating on tightly controlled systems may make their way through "gateways" to electronic mail systems with far less rigorous controls on access, without adequate notice to the users of the systems. Another hybrid case posing special problems will be "private" electronic mail service accounts provided on large public systems for employees of a particular company at the employer's expense. In all these situations, it may become more and more difficult to determine whether a particular employer has the right to access and disclose messages sent by employees. But there is no evidence that this uncertainty is chilling the use of electronic mail or that it cannot be dealt with adequately by giving higher levels of protection to any messages as to which the outcome is in doubt. Accordingly, no change in law was recommended by the task force. Because ECPA is centrally concerned with protection against unreasonable searches and seizures by the government, because electronic mail usage in the workplace is growing rapidly, and because the statutory language now restricts disclosure only on public systems, there is some question whether the statute ought to be amended to provide greater protection of employee rights in the event that the government seeks access to electronic mail records. Right now, an employer whose electronic mail system is not offered to the public is not under an obligation even to inform the employee of the fact of a government inquiry. To be sure, there may be circumstances, such as those in which the employee is suspected of criminal action with an impact on the employer, where a requirement of notice would be inappropriate. And perhaps the government should in any event have the right to require nondisclosure in light of various showings, such as a substantial risk of destruction of evidence. Nevertheless, the group agreed that there may be some need for additional consideration of provisions that would require notice to employees, in some circumstances, when the government seeks access to contents of electronic mail sent or received by a particular employee. This latter issue also relates closely to the question of whether current restrictions on the disposition of transactional records generated in the course of electronic communications are adequate, a subject deserving discussion in its own right. Dossier building In various contexts, members of the task force raised concerns about the proliferation of records automatically generated by electronic communications and electronically facilitated transactions. ECPA does not limit use and disclosure of such records, other than to the government. Such records, collected initially for legitimate reasons and lawfully possessed and used for various purposes, might nonetheless be used to compile detailed dossiers that, if published to third parties, could create a threat to privacy akin to that created by targeted surveillance coupled with invasive publicity. The task force received an initial proposal for consideration of an amendment that would directly address the potential problem posed by such electronically generated dossiers. The task force did not, however, have enough time to consider thoroughly the complex issues that would be raised by any such proposal. Because the potential use of automatically generated electronic records to produce and publish unduly detailed data regarding the activities of an individual will likely remain a key privacy concern in the future, various members of the task force intend to continue to discuss proposals for dealing directly with this issue and may submit additional suggestions for consideration by the Judiciary Committee at a later time. V. GOVERNMENT MONITORING The task force reviewed a proposal currently pending before the Senate Judiciary Committee which directs electronic communications service and equipment providers to aid law enforcement officials in obtaining the plain text of voice or electronic communications where an appropriate warrant has been issued. The proposal is contained in two bills: S. 266, the Comprehensive Counter-Terrorism Act of 1991, and S. 618, the Violent Crime Control Act of 1991. It is stated as follows: It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text of contents of voice, data, and other communications when appropriately authorized by law. The text of the resolution could be read to address three distinct issues or problems which could be faced by law enforcement officials in the future, as the network makes a transition from analog to digital transmission. First, digital transmission will make it easier for network service providers to enhance security and privacy by transmitting information with encryption, modulation, or other security enhancing features. Second, as the network goes digital and more information is switched in packets into a larger information stream, the ability to isolate individual communications at a central office switch becomes more technically challenging. Finally, the advent of powerful personal computers and off-the-shelf software gives the person originating the communication the ability to encrypt or otherwise enhance the privacy and security of a communication before it enters the network. Based on discussions between Judiciary Committee staff and law enforcement officials, it appears that the intent of the resolution was to deal only with the first two issues, i.e. privacy and security features that are added by design features of the network. Addressing those narrow issues and seeking cooperation from service providers would be consistent with the current structure and text of ECPA which in 18 U.S.C. Sections 2511 and 2707 provides immunity for service providers, landlords, and others who comply with facially valid warrants by aiding law enforcement officials in conducting electronic surveillance. Clearly Congress contemplated and courts often direct communications service providers to provide technical assistance to law enforcement in placing taps. Stripping the encryption or security features which the service provider has added or helping law enforcement isolate a specific communication in the information stream would clearly be appropriate where a Title Ill warrant has been obtained. The task force raised serious concerns, however, about several aspects of the drafting of the proposal. First, the proposal lacked a clear procedural standard that has always been present in any matter involving communications surveillance. Absent such a standard, specifying the circumstances when the service provider was required by law to assist the law enforcement agent, there is opportunity for misunderstanding, error, and abuse. Second, the provision could discourage or effectively prohibit the use of privacyenhancing features, such as cryptography. Such features are increasingly available with the widespread use of digitized transmission. Third, there was no record established to support this change in current policy regarding Title III searches. Absent such a showing, the task force was unable to determine whether such a change was necessary at this time. Finally, the task force recognized that there are specific areas of technological innovation that are important for communications privacy which require further discussion and evaluation. In particular, the task force recommended the examination of encryption technology and its potential impact on enhancing the privacy, security, and authenticity of electronic communications. Conclusion: The task force felt that without a full record or understanding of the need for the proposed resolution, it could not make specific recommendations. The task force does urge the Judiciary Committee to establish a full record about the need for and impact of the resolution before consideration by the full Senate. APPENDIX MEMBERS OF THE PRIVACY AND TECHNOLOGY TASK FORCE Chair: John D. Podesta, Esq., Podesta Associates, Inc. Ms. Debra Berlyn, Executive Director, National Association of State Utility Consumer Advocates. Mr. Jerry Berman, Information Technology Project of the American Civil Liberties Union. Ms. Martina Bradford, Vice President, Government AT&T. John J. Byrne, Esq., Federal Legislative Counsel, American Bankers Association. David Johnson, Esq., Wilmer, Cutler & Pickering. Mr. Elliot Maxwell, Assistant Vice President for Policy and Issues Management, Pacific Telesis. Mr. Thomas Mills, Director of Public Affairs, New England Telephone-Vermont. Michael Nugent, Esq., Associate General Counsel and Vice President, Citicorp/ Citibank. Ronald Plesser, Esq., Piper & Marbury. Marc Rotenberg, Esq., Computer Professionals for Social Responsibility. Mr. James Sylvester, Director-Infrastructure Issues, Bell Atlantic. Representative EDWARDS. Thank you very much, Mr. Berman. There seems to be a discrepancy, Director Freeh, in the estimates as to future costs. Why is there a discrepancy? How do you respond to that? Mr. FREEH. Again, not to fall back on the GAO report, but I think it is agreed and there is a consensus that without having even initiated either the standards-setting procedure or the engineering of that standards into telecommunications switching and other equipment, getting, as was pointed out, not just the carriers involved but the equipment manufacturers, I just think there is a very, very difficult block to fill with respect to estimating that cost. We certainly know what the cost would be of not proceeding in terms of crime, destruction. I think the best and wisest way to approach it is how the bill now drafted approaches it, and that is to begin a standards-setting procedure, to have the industry design and upload the necessary software that is going to be required, and to address on a priority basis the things that most need to be done. I wish I could give you an answer to that question. We know what it will cost not to do this, and if we make the decision that it is worth doing, which is certainly my recommendation, I think we proceed with a flexible-enough mechanisms, which are in the statute, for your oversight. If we reach a point where the cost estimates have been so far amiss by everyone involved, you can certainly intervene. The industry can intervene. A court can intervene. A district court judge could say that in his or her view, compliance is not necessary because the cost is not reasonable. I think there are a lot of mechanisms already built into that process. Not knowing the exact cost cannot be a reason for not going forward. Representative EDWARDS. Thank you. |