From: iia.ipo@his.com Organization: Heller Information Services, Inc., Rockville MD Date: Wed, 04 May 94 11:25:42 Subject: INFORMATION POLICY ONLINE - MAY 1994 iiiiii iiiiii a INFORMATION POLICY ONLINE ii ii aaa ii ii aaa An Internet Newsletter ii ii aaa published by the ii ii aaaaaaaaa Information Industry Association ii ii aaa 555 New Jersey Ave., N.W. ii ii aaa Washington, DC 20001 ii ii aaa Internet: iiiiii iiiiii aaaaaaa Volume 1, Number 3, May 1994 ----------------------------------------------------------------- ***************************************************************** IN THIS ISSUE: [1] House Okays Broader Access to DMV Records [2] Industry Gives NTIA Its Perspective on Privacy [3] International Opposition Mounts to U.S. Government Information Security Initiative [4] NII Priorities: A Sampling of Views from the NII Advisory Council [5] Information Industry Views on Customer Proprietary Network Information [6] Information Industry Endorses Senate Telecommunications Bill [7] Health Care Reform Legislation Will Have Critical Impact on Future Information Policy and Practices [8] Should the Federal Government Establish a U.S. Data Protection Commission? [9] About "Information Policy Online" and the Information Industry Association ***************************************************************** [1] HOUSE OKAYS BROADER ACCESS TO DMV RECORDS On April 20, the House of Representatives approved the Driver's Privacy Protection Act (DPPA) as an amendment to omnibus anti-crime legislation. The amendment, offered by Rep. James Moran (D-Va.), incorporates significant changes to the Senate-passed version of the DPPA, many of which had been called for by industry [See IIA-IPO, March 1993]. The Moran amendment takes the same basic approach as the version passed by the Senate without any hearings: a federal requirement that states cut off public access to personal information about any individual obtained in connection with a motor vehicle record. The difference is that the House-passed version sets out much broader exceptions to this access ban than those approved by the Senate. These include: access by government contractors as well as government agencies; broader access by a business to verify information submitted to it; more expansive rules for access in connection with (or anticipation of) litigation; a specific exception for survey research and statistical reports; access by self-insured entities for claims investigation or antifraud use; and use by licensed private investigators. The legislation also provides for states to set up two "opt-out" systems that would allow individuals to remove their names from marketing lists and/or block otherwise unpermitted access to individual records. The records of those not "opting out" would remain accessible for these purposes. Finally, the Moran amendment would allow states to specifically authorize other access for the purpose of public safety or vehicle operation. The House version could be enforced by criminal or civil litigation, but the criminal offenses are much narrower than in the Senate version, and are limited to those who knowingly misuse, or who lie to obtain, personal information from a motor vehicle record. Many information companies currently depend on access to state department of motor vehicle (DMV) records to provide valuable information products and services. The House version of the DPPA would be far less disruptive of these uses than the Senate-passed version. But industry expressed a broader concern about the precedent that could be set by a federal law that orders states to close off access to traditionally public records. In response to this concern, both Rep. Moran and Rep.Don Edwards (D-Cal.), chair of the Civil and Constitutional Rights Subcommittee, placed statements in the Congressional Record when the Moran amendment was adopted. The Moran statement stressed the "key differences" between DMV records and other public records, asserting that the latter "are not vulnerable to abuse in the same way," and underscoring that the DPPA "does not apply to any other system of public records maintained by states or local governments." Rep. Edwards was even more emphatic, referring to "the need to maintain the public record character" of public records beyond the DMV, and acknowledging that "broad public access to such [other] records remains enormously important to our society." While floor statements are not ordinarily accorded a great deal of weight in determining Congressional intent, they are more significant when, as in the case of the DPPA, the normal legislative procedures have been circumvented, and no committee in either House has issued a formal report explaining the legislation. With House passage of the omnibus crime bill on April 21, the scene now shifts to a House-Senate conference committee, which must resolve the differences between the House and Senate versions not only of the DPPA, but of the dozens of other titles contained in the anti-crime package. ************************************************************** [2] INFORMATION INDUSTRY GIVES NTIA ITS PERSPECTIVE ON PRIVACY The information industry's diverse companies use personally identifiable information in a wide variety of ways, but with the common goals of developing and distributing innovative products and services to the public, while respecting individuals' privacy interests. Whether information flows through conventional channels, or in new ways in an advanced National Information Infrastructure, this corporate responsibility to maintain fair information practices remains. Speaking for its member companies in comments filed March 30 with the National Telecommunications and Information Administration (NTIA), IIA declared its commitment to assisting information companies to fulfill this responsibility in an efficient, comprehensive, and balanced way. IIA's comments came in response to a sweeping Notice of Inquiry (NOI) issued by NTIA, a Commerce Department agency, in February. NTIA's focus is "privacy issues relating to private sector use of telecommunications-related personal information," a broad category which includes many information services offered by information industry companies. The NOI places many of the most salient questions off-limits, by excluding questions about the privacy impact of government access to personal information. "In fact," IIA noted, "these are precisely the issues that are most prominent in much of the media coverage about privacy in the NII." IIA particularly cited the digital telephony and "Clipper chip" escrowed encryption initiatives. IIA used the filing of comments as an opportunity to introduce its newly approved Fair Information Practices Guidelines [See IIA-IPO, April 1994]. The comments noted that the guidelines drafting process, which included examination of a wide variety of guidelines, policy statements, and other proposals, from corporate, government and consumer organizations, both in the U.S. and abroad, underscored "the difficulties of devising clear rules designed for general applicability across the broad spectrum of information products and services." IIA told NTIA that there is unlikely to be "one size" of regulatory approach that "fits all" types of, and uses for, personally identifiable information. IIA's comments also addressed First Amendment limitations on government regulation of private sector information practices, and the impact of technological changes. "Successful policies should focus on the core interests of the information content, rather than on particular media or technology. The surest route to policy failure is to reflexively treat technology as the enemy." Considering the importance of continuity in information policy, neither public records -- intended to be broadly accessible -- nor a company's customer lists -- which generally fall outside the scope of government regulation -- change their essential character and purpose when new technologies are used to compile or manipulate them. Technology can also provide powerful tools for protecting the privacy and security of the content of information distributed in an advanced National Information Infrastructure. Policy makers should consider three general guidelines: - First, any regulatory actions should seek to preserve, to the greatest extent possible, the benefits offered by maximizing the flow of information. - Second, any regulatory model should seek to maximize informed customer choice. - Third, policy makers should take into account the full spectrum of means for achieving desired information practices, including market forces, expanded public education, and self-regulatory efforts by industry and other groups. The development and implementation of sound, balanced company policies on the collection, use and disclosure of personally identifiable information can play a major role in resolving the policy issues addressed by the NOI. As more companies adopt specific policies, and make these known to the public, customers and consumers become better informed and better able to choose intelligently among competing products, based, to whatever degree the individual finds appropriate, on privacy factors. The information industry urges the U.S. government to adhere to the long-standing U.S. approach to privacy issues, whose many strengths include a respect for First Amendment principles; a focus on restraining the intrusive activities of government; and a pragmatic, sectoral approach. ***************************************************************** [3] INTERNATIONAL OPPOSITION MOUNTS TO U.S. GOVERNMENT INFORMATION SECURITY INITIATIVES The Clinton Administration has experienced virtually unanimous opposition from public interest and industry groups to the "Clipper Chip" escrowed encryption initiative for computer security. Now international organizations are also weighing in with opposition to Clipper and to the Digital Signature initiative. International businesses are demanding communication networks in which information can flow freely and securely. As businesses consider connecting to the National Information Infrastructure -- or, if you prefer, the Global Information Infrastructure (GII) -- security is critical to intra- and inter-corporate communications and transactions. Hackers and unauthorized parties continue to violate the privacy and security of unprotected communications systems. The International Chamber of Commerce, long a champion of the need for secure communications networks, recently criticized the Clipper initiative as "a national approach to cryptography [which] seems to conflict with the needs of international business." The ICC also noted that Clipper's key escrow feature "would still be unacceptable to international companies because one government, in this case the U.S. government, would hold the keys. Digital signatures are also vital to the success of the emerging NII/GII. An international standard, RSA, is accepted in the private sector for digital signatures, but apparently not by the U.S. Administration. A couple of years ago, the Administration announced its Digital Signature Algorithm (DSA) as the proposed federal standard for digital signatures. The DSA proposal was also almost unanimously opposed by business, academia, and public interest groups. Part of the opposition was an assertion that DSA infringed certain patents. Last summer, the Administration announced a proposed patent cross-license for DSA, under which the government could use the algorithm royalty-free, but the private sector would have to pay patent royalties to do digital signatures. Needless to say, this "solution" did not quell opposition to DSA from non-governmental sources. On February 4, 1994, the Administration announced its intent to achieve a digital signature algorithm that would be free from patent license royalties. While no specifics were provided, one option is to design a new algorithm for digital signatures. Meanwhile, RSA continues to gain acceptance as the worldwide digital signature system. The Information Technology Advisory Expert Group, representing European standards organizations, recently called for RSA to be the standard used in Europe. So even if the Administration's goal of freeing DSA from patent royalties can be achieved, this alone will not make DSA accepted in the international marketplace. Regardless of continued Administration campaigning for Clipper and DSA, the private sector worldwide continues to embrace different implementation: the digital encryption standard (DES) and RSA. ***************************************************************** [4] NII PRIORITIES: A SAMPLING OF VIEWS FROM THE NII ADVISORY COUNCIL At its first meeting, the U.S. Advisory Council on the National Information Infrastructure asked its members to prepare short papers on the major issues that should be addressed. Here are excerpts from a few of the submissions. ESTHER DYSON, EDventure Holdings, Inc. The priorities we should address are: ...a definition of universal access (desirable) and universal service (controversial). It clearly includes interoperability of all systems, and the ability of content providers (organizations and individuals) to disseminate content as well as of individuals and organizations to receive it... ...the need for privacy -- ranging from technical means such as robust encryption to laws guaranteeing individuals' ownership and right to control information about themselves.... ...recommendations concerning freedom of speech, common carrier rights and obligations, and other constitutional issues. Note: Ms. Dyson has been asked to co-chair the Advisory Council's working group on privacy and intellectual property issues. CRAIG FIELDS, Microelectronics and Computer Technology Corp. The Council is uniquely positioned to clarify the national intent for universal service....Many questions have not been fully answered:...How will we pay for these universal services selected from the national information supermarket -- do we need an equivalent of food stamps?... If the Federal Government seeks to accelerate the enrichment of the NII over the coming years, how can the taxpayer tell if it is succeeding? Can we identify just a few specific goals for the NII over the next, say, seven years, in terms of information services available to Americans; and lay out a road map of how to get to there from here -- required technological accomplishments, if any; needed regulatory reform; or whatever? STANLEY S. HUBBARD, Hubbard Broadcasting Inc. There are many individuals and many organizations across the country that have predicted new and innovative communications systems for use within the NII. Some of the ideas are practical and economically feasible and some are not. In order to determine what will and will not work, what people want or do not want, the marketplace must be totally free from any restraints by which the government would pick "winners and losers." MITCHELL KAPOR, Electronic Frontier Foundation The character of the NII is best seen in what it enables, not what it is, for the NII is no more about fiber optics, than modern painting is about paint. - The technical design of the NII will determine more about its public usefulness than anything else. We have a choice to make the NII open to a diversity of applications, information sources and services, or to keep it closed to all but those who own and operate the networks. - The NII may be a platform for the rich varieties of individual expression, for the transaction of commerce, and for exchange of ideas, or it may be nothing but 500 channels of least common denominator programming entertainment. We must take steps to ensure that the NII is more than just a repetition of the failures and shortcomings of mass media today. DELANO LEWIS, National Public Radio ...Without sound financial incentives, private sector players will be reluctant to provide the investment dollars needed to make the NII a reality. [The Council should] identify and articulate the economic incentives that need to be in place to encourage completion of the NII without creating an artificial bias for or against particular technologies or transmission media. The protection of intellectual property rights is an important concern that has both usage and financial implications. But if the terms of access to our Nation's information resources -- and the content of those resources themselves -- were to be determined on the basis of financial incentives alone, I believe that all of us, in the long run, would be the poorer for it.... The Council must also plan to address the ways in which non-commercial entities can continue to contribute to the wealth of information that the NII will make accessible, and continue to have access to that information on reasonable -- and, in some cases, even preferential -- terms. ALEX MANDL, AT&T The evolving NII may require a new definition of "universal service." ...Any discussion of a new definition needs to be led by consumers, government and industry. It must be a public debate to balance the many stakeholders involved with public subsidies. New approaches to providing "widespread access" for underserved populations need to be explored. For instance, libraries, community centers and schools, which have long been places where people acquire information and develop skills, are examples of locations at which a reasonable selection of information appliances and access to NII communications services and information resources could be made available. VANCE OPPERMAN, West Publishing Co. The NII must be defined by two strong guiding principles: It must be Universal, Accessible, and Affordable. True to the American ideal of equality, the NII must connect all of us with one another -- regardless of place, regardless of race -- regardless of disability or non-disability, age or income.... It must be Information Rich.... The NII is only useful when it is chock full of information -- information put there by, and used by, people who are confident that they are guaranteed: - First Amendment Free Speech; - Copyright and Intellectual Protections. Creative expression, and the incentive to create, are protected and encouraged not only by the First Amendment, but also by society's guarantee that the products we create are respected as ours. And we are entitled to be compensated for creative efforts. - Privacy. Americans don't want millions of digital neighbors and government gumshoes reading our mail or clucking over our cholesterol counts. ************************************************************** [5] I NFORMATION INDUSTRY VIEWS ON CUSTOMER P ROPRIETARY NETWORK INFORMATION When the Federal Communications Commission asked for public comments on rules governing telephone companies' use of customer proprietary network information (CPNI), the information industry's response concentrated on three key issues: (1) privacy concerns in regard to CPNI; (2) the competitive nature of such information; and (3) the ramifications of CPNI availability under current rules at a time when telephone companies are partnering with or acquiring competitive information providers. While acknowledging that some restrictions on dissemination of personal information may be necessary, the information industry supports the "maximum practical availability of information such as CPNI because of its substantial value for information product development and for the provision of better service to the public. Consider the competitive nature of CPNI: "It simply cannot be the case that this information is so valuable to the mass market for information services that exchange carriers must be given access to it, but so insignificant that it will not create a major competitive dislocation if it is not provided to other competitors on equal terms." Finally, regarding the use of CPNI in partnering arrangements between carriers and competitive information providers, "so long as the carrier collects CPNI by virtue of its government-granted monopoly status, it must not be permitted to transfer that advantage to its partners or joint venturers and thus frustrate the goal of achieving competitive equity with regard to access to CPNI." ************************************************************** [6] INFORMATION INDUSTRY ENDORSES SENATE TELECOMMUNICATIONS BILL Speaking on behalf of its member information companies, IIA wrote to every member of the U.S. Senate to encourage their support for S. 1822, the Communications Act of 1994, introduced earlier this year by Senator Fritz Hollings, Chairman of the Senate Commerce Committee. Although the Association takes no position on the bill's provisions governing long-distance or equipment manufacturing, S. 1822 is the most comprehensive and workable plan [currently before Congress] for advancing a competitive environment for both the telecommunications and information industries. Information industry support for the bill is based on S. 1822's approach on many issues of key importance to the industry. Especially praiseworthy are the legislation's provisions calling for (1) the unbundling of local network functions and instituting cost-based pricing; (2) enhancing the technological capabilities of telecommunications networks for advanced digital offerings; (3) creating strong structural safeguards for the provision of a broad range of electronic publishing activities; and (4) establishing cross-subsidy protections for the provision of information (enhanced) services. The bill also assures equal treatment for information services providers in access to CPNI and in preempting state public utility regulation of information services. The Senate Commerce Committee is continuing with hearings on S. 1822, with mark-up tentatively planned for later this spring. In the meantime, Chairman Jack Brooks of the House Judiciary Committee and Chairman John Dingell of the House Energy and Commerce Committee are reportedly working on a new, joint draft of H.R. 3626, passed by both Committees last month, to be brought to the House floor. The House hopes to have comprehensive telecommunications legislation completed shortly before or after the Memorial Day recess. ************************************************************** [7] HEALTH CARE REFORM LEGISLATION WILL HAVE CRITICAL IMPACT ON FUTURE INFORMATION POLICY AND PRACTICES Members of Congress have introduced numerous bills to implement health care reform, including one by Senate Majority Leader George Mitchell. One House subcommittee with primary jurisdiction -- the House Ways and Means Subcommittee on Health -- has completed action on reform legislation, and several other Senate and House committees have been holding closed-door meetings to work out compromises on the bills. While the major proposals differ greatly in the scale and approach for health care delivery, all have provisions for administrative simplification. To achieve this goal, the bills envision a fully automated system of collection and dissemination of information. This system would allow information about doctors, patients, billings and claims to be transferred electronically anytime and anywhere in the nation. Included within the major bills are: standard setting mechanisms for information collection; requirements that data be collected and transmitted electronically; outlines of the official source for the data; requirements for privacy protection of data; and listings of entities responsible for collecting and compiling information about the value of health care delivery systems. These provisions could become the de facto standards for all government information collected in the future. In addition to the major health care reform proposals, several bills which focus only on health care information collection have been introduced. The Health Information Modernization and Security Act, H.R. 3137 and S. 1494, address only health care collection and privacy protection. H.R. 4077, the Fair Health Information Practices Act, outlines specific requirements for the privacy protection of individually identifiable health care records (see IIA-IPO, April 1994). Many people are predicting that Congress will not enact a comprehensive health care reform proposal this year. However, in an election year, members will be anxious to adopt some type of reform. Because health care information collection policy has not been in the Congressional or public spotlight, it is possible that it could be adopted without much public discussion. Information professionals need to watch vigilantly lest Congress codify health care policies without fully examining the ramifications for information policy. ************************************************************** [8] SHOULD THE FEDERAL GOVERNMENT ESTABLISH A U.S. DATA PROTECTION COMMISSION? Is there a need in the United States for a single oversight body -- within the Federal Government -to monitor how private sector information companies protect the privacy of individuals? If so, what authority should that body have? In what federal agency should it be housed? What type of guidelines would it follow? How would its members be selected? Does private industry have a stake in this? These questions are being discussed by several federal government critics as well as by Congress. The Clinton Administration's National Information Infrastructure Task Force's (NIITF) Privacy Working Group will soon release a report that is likely to prescribe some type of federal government oversight in this area. Senator Paul Simon has introduced legislation (S.1735) that would establish a U.S. Data Protection Commission. Rep. Gary Condit (H.R.4077) has introduced legislation to protect the privacy of individually identifiable information in health care records. Both the Census Bureau and the Internal Revenue Service have established internal task forces to examine the issue of privacy and data protection. ************************************************************** [9] ABOUT "INFORMATION POLICY ONLINE" INFORMATION POLICY ONLINE (IIA-IPO) is an online newsletter published on the Internet by the Information Industry Association and distributed free of charge. The purpose of the Newsletter is to inform readers of events and activities affecting information policy, and to present an information industry viewpoint concerning these events and activities. IIA-IPO is copyrighted by the Information Industry Association; however, IIA-IPO is distributed without charge and may be freely reproduced and redistributed. Please acknowledge IIA-IPO as the source of the information when quoting or redistributing the newsletter. TO SUBSCRIBE TO IIA-IPO: Send the message "subscribe" to . ARCHIVES. IIA-IPO is archived. To get archived copies, ftp to with the message "GET FILENAME." Individual monthly issues are archived with file names "iia0394.zip" for March 1994, "iia0494.zip" for April 1994, etc. ----------------------------------------------------------------- ABOUT THE INFORMATION INDUSTRY ASSOCIATION THE INFORMATION INDUSTRY ASSOCIATION represents leading organizations involved in the generation, processing, distribution and use of information. IIA is home base for businesses offering the innovative products and services that make up the information marketplace. IIA fosters a responsive and responsible forum for promoting a competitive and growing information marketplace. ----------------------------------------------------------------- ----------------------------------------------------------------- President of the IIA: Kenneth B. Allen Editor of Information Policy Online: Steven J. Metalitz, IIA Vice President and General Counsel Consulting Editor: J. Timothy Sprehe, Sprehe Information Management Associates For messages to IIA-IPO: Voice: (202) 639-8262. Fax: (202) 638-4403. ----------------------------------------------------------------- *****************************************************************