when deploying telecommunications instruments. Under the current ECPA structure, however, such radio-based PBX systems would probably fall within the exception for cordless telephones, and therefore, a business or individual utilizing this technology could be legally unprotected from unauthorized interception of their communications. The task force is of the view that such legal protection should be afforded.

Wireless Data Communications: Computer companies are experimenting with, and seeking FCC licenses for, "wireless" modems which can transmit data between computers without the computers being wired together, either directly or through phone lines. Such modems will have applications in several environments including the transmission of data from remote sites (a kind of cellular laptop computer) as well as within an office environment (wireless local area network or LAN). Under ECPA, the answer to the question whether such communications will be legally protected from unauthorized interception will depend on where, within its regulatory structure, the FCC decides to allocate spectrum for these uses and whether the communication is encrypted or the digital means used for such communications qualifies for protection under Section 2510(16)(B) relating to modulation techniques that are not readily accessible to the general public. Under current FCC proceedings, there is a likelihood that such communications will not be protected unless the user goes to the expense of full data encryption. The task force recommends appropriate amendments to legally protect digital communications of this type from unauthorized interception.

Cordless Telephones: The discussion of these newer technologies led the task force to a lengthy discussion of the premise of the 1986 Act that "the radio portion of a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit * * *" should be exempt from coverage of the Act. The task force first considered some newer technological developments which make communication carried on cordless telephones somewhat more secure. Cordless phones have reduced the transmission power so that the phenomenon of having calls blast through on an FM radio receiver has been eliminated. Cordless phones also have begun to utilize technology which permits the call to be carried between the handset and base unit on more than one frequency. This feature can and is available to add security and privacy to the phone call. The next generation of phones will utilize digital transmission technology which will make unauthorized interception more difficult.

Perhaps the most important change since 1986, though, is not technological but societal. The cordless phone, far from being a novelty item used only at "poolside," has become ubiquitous. A leading telephone equipment supplier now sells as many cordless telephone units as wired sets. It is projected that cordless phones will be in use in 68 percent of American households by the end of the decade. More and more communications are being carried out by people in private, in their homes and offices, with an expectation that such calls are just like any other phone call. Given such technological changes and under such societal circumstances, the task force concluded that to relieve the government of the duty to obtain a warrant before monitoring such communications is to vitiate much of the protection which should be afforded to communications privacy by the federal wiretap law and the Fourth Amendment. Therefore, the task force recommends that consideration be given to elimination of the exemption for cordless phones, while preserving an exception for unintentional or accidental private party interception.

In recommending both the maintenance and extension of legal protection for "wireless" radio communications, the task force is aware that inexpensive, widely available scanners and other devices are available that make it possible to intercept radio communications. The task force strongly believes that such technologies should not defeat citizens' reasonable expectation of privacy against government intrusion and that government agents should conduct electronic surveillance of the technologies described above only under appropriate court authorization. At the same time, criminal sanctions could be overbroad in criminalizing inadvertent and unintentional interceptions of radio communications by persons with access who legally possess and use scanner and other devices that intercept radio communications. The existence of monitoring devices makes it difficult to rely solely on legal protection against third-party eavesdropping. The task force is aware that legal protections may not go far enough in affording citizens real privacy protection against intentional but undetected private surveillance. For example, concerns were expressed by a number of task force members that technical privacy enhancing features for radio-based systems should be more rapidly deployed by manufacturers and service providers.

To rectify this situation, the task force does not want to overcriminalize in this area, i.e., penalize unintentional conduct. The task force is of the view that the rights of private citizens using radio scanners can appropriately be addressed by clearly setting forth specific intent requirements in the Act, by tying the criminal penalty to targeted surveillance of specific communications and by further adjusting the civil and criminal penalty structure of the Act, rather than exempting whole categories of telephone technologies and thus making them fair game for monitoring by government agents without a warrant, corporate spies, or just plain snoops.

Second, in order to ensure that citizens both understand the vulnerability of particular radio technologies to private, intentional, illegal interception and to encourage industry to develop and market communications devices that are less vulnerable to intrusion, the task force endorses the concept that ECPA should be amended in such a way as to encourage the placement of warnings and notice of the vulnerability of customer premises telephone equipment on specific CPE and that manufacturers be encouraged to make consumers aware of the technical levels of privacy on different types of equipment. The task force believes this will encourage industry to compete with each other in developing devices which are more secure. The task force believes Congress should work with the FCC, industry, and technical experts to further explore ways to enhance the security of different types of equipment and to further explore ways to enhance consumer awareness of the security of different types of equipment and laws pertaining to communications privacy. In particular, the task force recommends the examination of encryption technology and its potential impact on enhancing the privacy, security, and authenticity of electronic communications. The task force further encourages communications service providers to continue to explore the incorporation of encryption and other privacy enhancing features in new communications services, so as to improve communications privacy.

II. OUT-OF-BAND SIGNALLING

Telephone transactional information caller I.D.

Prior to 1976, telephone calls were processed between telephone company offices using signaling information on the same trunk as the voice or talk path between the offices. This type of signaling is referred to as "in-band" because it is an inherent part of the path on which the call is carried. Part of the information contained in this signaling is Automatic Number Identification (ANI), which allows the automatic identification of a calling station for billing purposes. The use of ANI allows telephone subscribers to dial directly a toll call without operator involvement.

However, transmitting signaling information over voice circuits is inefficient. In order to improve network efficiency, a new interoffice signaling technology called Common Channel Interoffice Signaling (CCIS) was introduced. CCIS was the precursor of today's Common Channel Signaling 7 (CCS7). Instead of processing interoffice calls using a common path for both signaling and voice, the CCS7 network allows signaling information to be sent through a separate high speed data network before calls are connected between offices. This type of signaling is known as "out-of-band" because it does not utilize the same facilities for the transmission of call processing information as are used for connecting the call. CCS7 signaling information contains routing information (where does the call go?), translations (does the dialed number equate to something else?, as is the case with an 800 number), billing, and calling party information (where did the call come from?). The calling party information is similar to ANI in that the calling party's number is automatically identified. However, unlike ANI, because the information is part of a data stream, CCS7 also has the capability to provide a "privacy indicator" to flow along with the other call processing information in the data stream. The privacy indicator makes it technically possible for calling parties to block the release or display of information outside the network. However, the information blocked can still be used within the network for billing and routing purposes.

CCS7 has the capability to provide blocking in two ways: per-call or per-line (also known as subscription blocking). Per-call blocking allows the calling party to dial a code, before a call is placed, to indicate that, for a particular call, the Calling Party Number (CPN) should not be disclosed to the called party. If per-line blocking is available, the calling party need not dial a code prior to the call; CPN is automatically withheld from the called party. Both options prevent CPN from being disclosed to the called party, but neither prevents delivery of billing information to the interexchange carriers (whether via ANI or CPN).
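The privacy indicator and the two blocking options described above can be made concrete with a short added example, which is not part of the original report. It assumes the ITU-T Q.763 (ISUP) layout of the Calling Party Number parameter, a format the report does not name; the function names, recipient labels, and the sample telephone number are constructed for illustration.

```python
"""Added example: the CCS7 "privacy indicator" as a two-bit field that travels
with the calling party number. Layout assumed from ITU-T Q.763 (ISUP)."""
from dataclasses import dataclass

# Address presentation restricted indicator, bits 4-3 of the second octet.
PRESENTATION = {0: "allowed", 1: "restricted", 2: "not-available", 3: "reserved"}


@dataclass
class CallingPartyNumber:
    digits: str
    presentation: str
    screening: int


def encode_cpn(digits: str, per_line_block: bool = False,
               per_call_block: bool = False) -> bytes:
    """Build the parameter; either blocking option sets the same indicator."""
    if not digits.isdigit():
        raise ValueError("digits must be decimal")
    restricted = per_line_block or per_call_block
    odd = len(digits) % 2
    octet1 = (odd << 7) | 0x03            # odd/even flag + national number
    octet2 = (0x1 << 4) | (int(restricted) << 2) | 0x3  # E.164, network provided
    padded = digits + ("0" if odd else "")
    # BCD, two digits per octet, first digit in the low nibble.
    body = bytes(int(padded[i]) | (int(padded[i + 1]) << 4)
                 for i in range(0, len(padded), 2))
    return bytes([octet1, octet2]) + body


def parse_cpn(param: bytes) -> CallingPartyNumber:
    """Decode the parameter. The digits are present whatever the indicator says."""
    if len(param) < 2:
        raise ValueError("parameter too short")
    odd = param[0] >> 7
    presentation = PRESENTATION[(param[1] >> 2) & 0x3]
    screening = param[1] & 0x3
    digits = "".join(f"{b & 0xF:x}{b >> 4:x}" for b in param[2:])
    if odd and digits:
        digits = digits[:-1]              # drop the filler nibble
    if not digits.isdigit() and digits:
        raise ValueError("non-decimal address signal")
    return CallingPartyNumber(digits, presentation, screening)


def deliver(param: bytes, recipient: str):
    """What each recipient receives, following the report's description:
    blocking withholds the number from the called party's display but not
    from billing and routing inside the network."""
    cpn = parse_cpn(param)
    if recipient == "interexchange_carrier":   # hypothetical label
        return cpn.digits
    if recipient == "called_party_display":    # hypothetical label
        return cpn.digits if cpn.presentation == "allowed" else None
    raise ValueError(f"unknown recipient: {recipient}")


if __name__ == "__main__":
    sample = encode_cpn("2025550123", per_call_block=True)  # constructed number
    print(sample.hex(), parse_cpn(sample))
    print("display:", deliver(sample, "called_party_display"))
    print("carrier:", deliver(sample, "interexchange_carrier"))
```

The number is never removed from the signaling message; the indicator is a request that the terminating end must honor, which is why the report notes that neither blocking option prevents delivery of billing information.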

As CCS7 began to be deployed, phone companies began to offer a service known as Caller I.D. Caller I.D. allows telephone subscribers to see the telephone number of the person calling before they answer the phone. In order to have the number displayed, telephone company offices must be equipped with CCS7, customers must subscribe to the service, and customers must buy either a number display unit to connect to their existing telephone or a special Caller I.D. telephone. When a call is delivered to the called party, the telephone number of the calling party is displayed on the screen.

ECPA prohibits "trapping and tracing" of information regarding the origination of electronic communications. A trap and trace device is defined (18 U.S.C. Section 3126(4)) as "a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted." This prohibition has three exceptions.

Trapping and tracing is permitted in order to operate, maintain, and test the communications service; to record the beginning and end of communications for billing or other similar functions; and, in those instances "where the consent of the user of that service has been obtained." (18 U.S.C. 3121(b)).

There is a sharp division of views among task force members on whether Caller I.D. is a trap and trace device as defined in ECPA. The only court to rule on this question is the Commonwealth Court of Pennsylvania which held that Caller I.D. constituted a trap and trace device under state law which paralleled ECPA. There is a further division of views on the question of whether the customer or the service provider may employ a trap or trace device where the consent of the user has been obtained.

As phone companies began to market Caller I.D., privacy and consumer advocates argued that the right to control the disclosure of a subscriber's phone number should not be transferred to the telephone company. They said that the service violated ECPA, and they advised policy makers to require that phone companies provide free "blocking," on either a per-line or per-call basis.

Initially the Caller I.D. debate took place before state public utility commissions, as phone companies sought authorization to provide Caller I.D. through tariff actions. The policy decisions have varied widely from state to state. New Jersey permits phone companies to offer Caller I.D. without any call-blocking service. Neighboring New York is considering a PUC regulation which would require that all customers with unpublished numbers automatically be given a blocked line. D.C. permits Caller I.D. but requires that per-call blocking be made available to the calling party at no charge. California has enacted legislation authorizing Caller I.D. but requiring that per-call blocking be offered to calling parties.

In Pennsylvania, the Commonwealth Court found that Caller I.D. violated both the state wiretap statute, a law virtually identical to ECPA, and the state constitutional right to privacy. The Court also found that the proposal to provide a blocking service to particular phone subscribers lacked minimal due process standards and was therefore unconstitutional. (Barash v. Pennsylvania Public Utility Commission, Commonwealth Court of Pennsylvania No. 2270, May 30, 1990). That case is on appeal to the Pennsylvania Supreme Court.

The task force recognized that there were privacy interests of both calling and called parties that any public policy on Caller I.D. must recognize. The task force noted, however, that in calls to 800 and 900 subscribers, the called parties had no such privacy interest.

Consumer and privacy advocates said that Caller I.D. would undermine privacy as the right to control the disclosure of personal information was transferred from the phone subscriber to the phone company. They said that the benefits of Caller I.D. for residential phone subscribers had been greatly overstated, that answering machines were a less expensive, less intrusive, but far more effective way to screen incoming calls. They also said that the Call Trace service provides all the safety benefits of Caller I.D. without placing the subscriber in the dangerous position of responding directly to harassing phone callers. They said that "balancing" the privacy rights of call originators and call recipients was a false characterization of the service since the privacy rights of both parties could be easily accommodated.

Opponents of blocking, such as Bell Atlantic, believe that if Caller I.D. is available without blocking, it will achieve the greatest deterrent impact on anonymous, obscene, harassing, and threatening calls. Bell Atlantic has presented congressional testimony supporting the deterrent value in the availability of Caller I.D., a benefit which accrues even to those who do not subscribe to Caller I.D. Bell Atlantic states that Caller I.D. broadly serves the public's right to be let alone and gives recipients of telephone calls the same information that callers have: the number of the person to whom they are speaking. They further argue that there are ways other than blocking to address the unique needs of groups with a need to prevent identification, i.e., domestic violence and law enforcement agencies, etc., and telephone companies have worked with these groups and have successfully provided alternatives, other than blocking.

The task force was split among four different viewpoints. The first group was comprised of some of the consumer and privacy rights advocates. This group was of the opinion that, taken as a whole, the Caller I.D. service would greatly reduce the privacy rights of all phone subscribers and should not be encouraged. This group believes that phone subscribers should not take any additional steps to protect their current expectation of privacy, and that therefore free, per-line blocking should be available and that should be the rule unless the calling party chooses to disclose his number.

The second group was comprised of other consumer and privacy advocates, as well as those members who generally represent businesses that are not telephone companies but which use the telecommunications network for marketing and other purposes. This group is of the opinion that provision of per-call blocking should be mandatory and that there should be federal legislation establishing this protection as a floor. Some advocates of per call blocking believe that federal preemption may be desirable in order to have a national standard that would minimize customer confusion. They believe that per line blocking may well inhibit the development and deployment of new services and encourage caller rejection schemes, reducing the utility of the telecommunications network.

The third group, comprised of a number of phone company representatives, holds the view that per-call blocking is the appropriate policy option, but that no federal legislation is necessary, that this issue is being adequately handled by the states. The fourth group, comprised of the remaining phone company representatives, favor unrestricted Caller I.D. because they believe that it restores full accountability when using the public telephone network. Some are of the view that federal legislation is not appropriate because each state should be free to adopt the regulatory policies which it believes are best suited to the needs of its residents, and that in fact Caller I.D. has been offered successfully in five states without blocking. Studies based on those experiences show that it reduces unwanted calls for all customers, not just those who subscribe to the service. Others have the view that if Congress decides to adopt blocking legislation, then per-call is preferable, with federal preemption of stricter state regulation.

Conclusion: The task force studied the new signaling technologies, discussed the issue in depth, examined the law, yet was unable to reach any consensus on what, if any, legislative change is necessary.

III. 800 AND 900 SERVICES

The task force was particularly concerned about the use of services that disclose Calling Party Number in the commercial setting, such as the use of ANI for 800 and 900 services. The task force noted that while an 800 or 900 service has a business interest in the calling party number (from both a financial and productivity perspective), it also has an obligation to respect the privacy of the calling party. The task force further recognized that few consumers were aware that a call to an 800 or 900 service would result in the electronic disclosure of the caller's identity.

Some consumer advocate members of the task force were of the view that there was no necessary business reason for the compelled disclosure of the caller's identity since this information could be obtained, with the knowledge of the caller, by simply asking for it.

Various members of the task force observed that services provided through 800 and 900 numbers may differ in significant respects (such as who pays for the call) and, accordingly, that some distinctions might appropriately be made with respect to the relative need of providers of such services for information regarding the identity of the calling party.

The task force spent considerable time discussing privacy concerns raised by the disclosure of the calling party's number to businesses and services utilizing 800 and 900 telephone number technology. Many 800 and all 900 line service users lease lines from inter-exchange carriers. When a call is completed by some interexchange carriers to an 800 or 900 service, the call may be handed off to the service with information necessary for call completion, i.e. either CPN or ANI. The calling party's number is thus mechanically disclosed to the 800 or 900 number service, where it can be used for billing and routing, account management and security purposes. The task force's discussion focused on the appropriateness of 800 and 900 services using that information disclosed for one purpose (call completion and billing) for other purposes (generally marketing) without the consent of the calling party. In the future, CCS7 will allow the caller's identity and his privacy preference to be disclosed. As signalling system 7 (SS7) is implemented through the country, by both local exchange and inter-exchange carriers, Calling Party Number and the ability to block will be available for long distance and 800 and 900 numbers. Task force members have a wide variety of opinions on whether, and under what conditions, blocking should be available (see p.12, supra, for an explanation of the four different viewpoints represented on the task force).

With regard to ANI, the task force recommends enactment of federal legislation or adoption of appropriate FCC rules governing the dissemination of information by 800 and 900 services. Specifically, such a law or regulation should provide that the telephone number and information derived from ANI should not be disseminated by the 800 or 900 service provider or user without the customer's informed knowledge and ability to prevent use of their number for marketing purposes. Some members of the task force did not support this recommendation.

This approach was endorsed by the U.S. Privacy Protection Study Commission in 1977, and has been adopted in Federal legislation such as the Cable Communications Policy Act of 1984 (47 U.S.C. Section 551(c)(2)(C)) and the more recent Video Privacy Protection Act of 1988 (18 U.S.C. Section 2710(b)(2)(D)). It also is similar to the approach endorsed by the FCC for billing for nonadult services offered through 900 numbers. Cf. In re Regulations Concerning Indecent Communications by Telephone, 5 FCC Rcd 4926 (1990).

There were some members of the task force who asserted that no use of the ANI data should be made without the affirmative consent of the calling party. Those task force members holding this view believed that an opt-out mechanism is an inadequate privacy safeguard.

While all members of the task force agreed that some form of consent was necessary, there was disagreement over whether the consent should be opt-out or opt-in (affirmative), and what level of information was due to the customers.

While enactment of a consent requirement would be a helpful step in giving consumers greater control over the dissemination of personal information, it would not solve the problem of consumer confusion about exactly what personal information is mechanically disclosed when using the telephone or electronic communications service. That problem is, if anything, exacerbated by the availability of call blocking for some services (e.g., Caller I.D.) when it is not available for others (e.g. blocking ANI to an 800 service). Those providing electronic communications services to the public bear a responsibility to adequately inform consumers about how the system works and how they can limit the disclosure and dissemination of personal information. Some members believed that the service provider should advertise that the calling party number information will be mechanically disclosed. Such a policy has been proposed in legislative form in the State of California.

Customer proprietary network information

Section 2703(c) of ECPA affirmatively permits any provider of electronic communication service or remote computing service to disclose “a record or other information pertaining to a subscriber or customer of such service" to any person other than a governmental entity. This provision specifically does not apply to the content of such communication. A provider may disclose such information to the government only upon receipt of a subpoena, warrant or with the consent of the subscriber or customer. Thus ECPA does not restrict the dissemination of transactional data about subscribers to nongovernmental entities.

Section 2703(c) addresses only the release of subscriber information to the government when the government is not the subscriber to the service, but rather a third party. Under this circumstance, for example, a long distance carrier is restricted from providing the government with a list of persons who called an 800 number subscriber. However, when the government operates an "800" service, it may obtain the numbers of the calling parties without subpoena. Further, ECPA does not restrict the 800 number subscriber from releasing transactional information and identification of people who called the subscriber.

The Regional Bell Operating Companies (RBOC's), and AT&T are subject to additional rules on the use and marketing of customer information. These rules have been established for competitive rather than privacy protection. The most significant of these rules are the Customer Proprietary Network Information (CPNI) restrictions which arose out of the Computer II and Computer III proceedings at the FCC. Under the FCC's rules, CPNI consists of a customer's service records and billing records. Service records include the customer's name, service location, billing address, telephone number and billing telephone number, and a description of all network services and features and the monthly charge for those services. The billing records are copies of the customer's actual telephone service bills. They include call detail for toll calls and for any local call detail services to which the customer subscribes. They also contain the number of message units a customer is charged, if message units are applicable within the customer's service area, and the number of local calls, if any, for which per-call charges are imposed.
