Statement of Marc Rotenberg, 
Washington Director 
Computer Professionals for Social Responsibility (CPSR) 
 
Open Forum on Library and Information Service's Roles in the 
National Research and Education Network (NREN) 
 
National Commission on Libraries and 
Information Science (NCLIS) 
Washington, DC 
July 21, 1992 
 

     Thank you for the opportunity to testify today before the 
National  Commission on Library and Information Science (NCLIS).  My 
name is Marc  Rotenberg and I am the Director of the Washington 
Office of Computer  Professionals for Social Responsibility (CPSR).  
CPSR is a national  organization of professionals in the computing 
field.  

     I would like to speak with you about privacy protection and the 
future of  the NREN. This is item 6 identified in the NREN research 
agenda.  Richard  Civille will speak with you next about CPSR's work 
to promote Local Civic  Networks.  

     During the past few years CPSR has coordinated several national 
efforts to  promote privacy protection for network communication.  
>From cryptography to  Caller ID, we have sought to ensure that the 
rapid developments in the  communications infrastructure do not 
diminish the privacy we all value.  We  believe that the future of 
network communications depends largely on the  ability to make 
certain that sufficient privacy protection is available for  all 
users of the network.  

     In this effort we have worked closely with the library 
community.  It  became clear to us that library organizations have a 
special appreciation  for the importance of privacy protection.  For 
many, privacy is the critical  safeguard that protects intellectual 
freedom and promotes the open exchange  of information.  The 
American Library Association, the Association of  Research and other 
library organizations have all shown their support for  privacy 
protection through codes of conduct, policy statements, and research  
conferences.  

     We have also worked closely with telecommunication policy 
makers  in the  United States and around the world.  The New York 
state Public Service  Commission issued a policy on 
telecommunication privacy which set out  several principles for 
network communications.  These recommendations have  been followed 
in several states.  More recently, the Minister of  Communications 
in Canada issued a series of principles on communications  policy.  
Meanwhile, the Commission of the European Communities has put  
forward a draft directive on Data Protection in Telecommunications.  

     The European Commission made a critical point about future 
network  development.  It said that "the effective protection of 
personal data and  privacy is developing into an essential 
precondition for social acceptance  of new digital networks and 
services."  This view is shared by agencies in  other countries that 
have looked at the implications of advanced networking  services.  
For example, the Ministry of Posts and Telecommunications in  Japan 
recently concluded a study on the protection of personal data in the  
telecommunications business and recommended a series of privacy 
guidelines  to accompany the introduction of new network services.  

     In the United States, however, we find ourselves in the midst 
of the  greatest privacy debate in a generation.  In the absence of 
a coherent  federal policy to protect privacy, consumers have been 
left to fend for  themselves, and the response is not encouraging.  
>From Pennsylvania to  California, telephone companies now face 
widespread and well-founded  consumer opposition to new telephone 
services.  Part of the reason for this  is that there has been 
little effort in the United States at the federal  level to develop 
privacy principles for new network services.  

     CPSR would like to see an agency in the United States take on 
the task of  developing and promulgating privacy principles for 
network services.  We  have already recommended the creation of a 
data protection board which  could, among other tasks, develop 
appropriate principles for network  communications.  There is a 
proposal before Congress to establish such an  agency, but is 
unclear whether it will be enacted this year.  

     Meanwhile, the Federal Communications Commission (FCC) has been 
unwilling  to address the privacy implications of new network 
services.  We are also  somewhat disappointed that neither the 
Computer Science and Technology Board  (CSTB) of the National 
Research Council or the Office of Technology  Assessment (OTA) has 
addressed privacy concerns for network users.  Both the  CSTB and 
the OTA are well qualified to tackle this problem.  

     In the interim, NCLIS could take a leadership role, and help 
develop and  promulgate privacy principles for the emerging 
communications  infrastructure.  It is clearly in the interest of 
the library and  information science community to ensure adequate 
privacy protection, but  unless some agency takes on this 
responsibility it appears unlikely that the  work will be 
undertaken.  

     CPSR believes that it is in the long-term interest of our 
country and of  computer users around the world to ensure protection 
for networked  communication.  The failure to develop such policy 
may impose very high  costs on all network users, and may ultimately 
reduce greatly the value of  the network to users.  

     Speaking academically, the absence of adequate protection for 
electronic  communication is a substantial gap in NREN policy that 
should soon be  addressed if the full potential of the 
infrastructure is to be realized.  Speaking practically, if we don't 
get some good policy soon, we may all be  buried in a blizzard of 
electronic junkmail the likes of which we have never  known.  

     I would like now to make three points about the current state 
of privacy  protection for NREN, and then propose a series of 
principles for privacy  protection.  These principles may help "get 
the ball rolling" and encourage  the development of other 
initiatives.  I hope that NCLIS will recommend that  the Office of 
Science and Technology Policy (OSTP) give these principles  full 
consideration.    

FINDING 1:  

     Commercialization of the NREN will exacerbate existing privacy 
problems.  Without a clear mechanism to protect privacy, user 
concerns will increase.  

     Much of the discussion surrounding the NREN today focuses on 
the  opportunity to develop commercial services and to provide 
network access for  private carriers.  We do not oppose efforts to 
provide commercial services.  Clearly, there is an important 
opportunity to develop new services and to  offer products through 
the network.  At the same time, it is apparent that  the 
commercialization of the NREN will create new pressures on privacy  
protection.  

     In the current network environment, made up primarily of 
researchers and  scientists, there is little incentive or 
opportunity to gather personal  data, to compile lists, or to sell 
personal information.  This is likely to  change.  Once commercial 
transactions begin to take place on the net, the  information 
environment will resemble a hybrid of credit card and telephone  
call transactions.  Records of individual purchases will be 
available and  will possess commercial value.  The NREN community 
will face a whole new set  of privacy issues.  

     We anticipate that there will be three different types of 
privacy problems  as the NREN continues to evolve.  First, as 
commercial organizations become  users of the network, they will 
gather personal data, and wish to sell  lists.  The address files 
for list servers could be sold, and users may find  themselves 
"subscribed" to lists they have no interest in.  These activities  
will raise traditional privacy concerns about the restrictions on 
disclosure  and secondary use, the opportunity for users to obtain 
information held by  others, and the need to minimize the collection 
of personal information.  

     Second, efforts to promote competitiveness in the delivery of 
network  services may also lead to the disclosure of network data 
which will  compromise user privacy.  

     This problem is already apparent in the current rules for the 
operation of  the telephone network.  The Federal Communication 
Commission requires  telephone companies to provide records of 
customer phone calls to other  companies so that competing companies 
may analyze calling patterns and sell  their services.  Large 
companies objected to the disclosure of this  sensitive information.  
As a result the FCC required that telephone  companies obtain 
authorization before releasing these numbers.  But this  restriction 
only applies to telephone customers with more than 20 lines.  

      The disclosure of Customer Proprietary Network Information 
(CPNI) has  already surprised many telephone customers who now 
receive calls from  companies with whom they have no prior 
relationship.  These companies are  able to describe the customer's 
telephone calling habits in great detail.  Users of NREN services 
are also likely to object to the disclosure of  network information.  

     The third problem is that law enforcement agencies are likely 
to make  "greater demands" on communication service providers to 
turn over records of  electronic communications to the government 
and to provide assistance in the  execution of warrants.  I say 
"greater demands" with some reservation since  the recent proposal 
>from the Federal Bureau of Investigation to require that  all 
communications equipment in the United States be capable of 
wiretapping  seems about the greatest demand conceivable.  Still, we 
should anticipate  that the government demands for access to the 
contents and records of NREN  communications are likely to increase.    

FINDING 2:  

     Current privacy protections are inadequate  

     Electronic communications are provided some protection against 
unlawful  interception by the Electronic Communications Privacy Act 
(ECPA) of 1986.  This law extends the very important guarantees 
contained within the 1968  wiretap statute to digital communication 
and stored electronic mail.  But  this protection now appears 
inadequate.  As a general matter, the wiretap  law protects the 
contents of an electronic message against unlawful  disclosure; it 
does not protect the record of the transaction against  disclosure.  

     ECPA also does not appear to protect critical personal 
information, such as  a person's telephone number, from improper 
disclosure. For example, the  Calling Number Identification (CNID) 
service is probably a violation of the  wiretap statute and clearly 
a violation of the wiretap law of several  states.  Nonetheless,  
the service has been offered over the objection of  consumer groups, 
technical experts, and legal scholars.    

FINDING 3:  

     Technical safeguards provide only a partial solution  

     There are some in the network community who believe that 
technology will  provide a solution to these emerging privacy 
problems.  New techniques in  cryptography provide ways to protect 
the contents of an electronic message  and even to protect the 
identity of the message author.  An article that  will appear next 
month in Scientific American titled "Achieving Electronic  Privacy" 
describes in more detail how it may be possible through technical  
means to recapture some privacy.  

     CPSR has supported many efforts to improve technical means for 
privacy  protection. In fact, CPSR has been of the leading 
proponents of the  widespread us of cryptography to protect 
electronic communications.  We have  opposed restrictions by both 
the National Securit  y Agency and the Federal Bureau of 
Investigation on the use of cryptography.   We have also supported 
the development of privacy-enhancing technologies,  such as 
telephone cards which are widely used in Europe and Japan, and  
recommended that policy makers explore technical means to protect  
information.  

     Nonetheless, we do not believe that technical safeguards will 
provide  sufficient protection for networked communications.  Our 
right of privacy is  based on Constitutional principles and our 
national history, and reflects  our commitment to certain political 
ideals.  The protection of privacy is  ultimately a policy decision 
that must be resolved through our political  institutions.  Clearly, 
technology provides useful developments that we  should incorporate 
into future networks, but it would be a mistake to assume  that 
technology alone will provide sufficient protection.  

     This point was made two decades ago by former White House 
Science Adviser  Jerome Wiesner who also served as president of MIT. 
In testimony before  Congress on the privacy implications of 
databanks, Professor Wiesner said:    "There are those who hope new 
technology can redress these invasions of  personal autonomy that 
information technology now makes possible, but I  don't share this 
hope.  To be sure, it is possible and desirable to provide  
technical safeguards against unauthorized access.  It is even 
conceivable  that computers could be programmed to to have their 
memories fade with time  and to eliminate specific identity.  Such 
safeguards are highly desirable,  but the basic safeguards cannot be 
provided by new inventions.  They must be  provided by the 
legislative and legal systems of this country.  We must face  the 
need to provide adequate guarantees for individual privacy."  

     We believe that the development of NREN privacy policy should 
be conducted  in this spirit: looking for opportunities to 
incorporate technical  safeguards while recognizing that the 
ultimate decisions are policy-based.    PRIVACY GUIDELINES  

     Before discussing the proposed privacy principles, I would like 
to say a  few words about the desirability of developing these 
principles.  Privacy  protection in electronic environments is a 
particularly complex policy  problem.  There is legal jargon and 
technical jargon.  There are rapid  changes.  And there are 
certainly a wide range of opinions about how best to  achieve 
privacy, even about what privacy means.  

     Privacy principles have helped to clarify goals and to convey 
objectives in  non-technical terms.  Well developed polices are 
"technology neutral" and  are adaptable as new technologies emerge. 
Professional organizations have  made widespread use of such 
principles for codes of ethics and for public  education.  

     There are a number of such polices in the privacy realm.  Some 
of these  polices have been extremely influential in the development 
of public policy,  national law, and international agreements.  For 
example, the Code of Fair  Information Practices was the basis for 
the Privacy Act of 1974, the most  extensive privacy law in the 
United States. The Code was developed by a  special task force 
created by the Secretary of Health, Education, and  Welfare in 1973.  
Other codes have formed the basis for data protection law  in Great 
Britain.  

     All of these codes seek to establish certain responsibilities 
for  organizations that collect personal information, and  to create 
certain  rights for individuals.  

     In developing these telecommunication privacy guidelines, we 
examined  existing codes and particularly the principles developed 
by the Organization  for Economic and Cooperative Development (OECD) 
in 1981.  We also  incorporated several additional principles that 
we believe are necessary to  protect personal information in 
communication environments.  

     Taken as a whole, the principles are intended to improve 
privacy protection  for network communications as the NREN continues 
to evolve.    RECOMMENDATION 1:  

     The confidentiality of electronic communications should be 
protected.  

     The primary purpose of a communication network is to ensure 
that  information can travel between two points without alteration, 
interception,  or disclosure.  A network that fails to achieve this 
goal will not serve as  a reliable conduit for information.  
Therefore the primary goal should be to  guarantee the 
confidentiality of electronic communications.    RECOMMENDATION 2:  

     Privacy considerations must be recognized explicitly in the 
provision, use  and regulation of telecommunication services.  

     The addition of new services to a communications infrastructure 
will  necessarily raise privacy concerns.  Users should be fully 
informed about  the privacy implications of these services so that 
they are able to make  appropriate decisions about the use of 
services.    RECOMMENDATION 3:  

     The collection of personal data for telecommunication services 
should be  limited to the extent necessary to provide the service.  

     Users should not be required to disclose personal data which is 
not  necessary for the rendering of the service.  In particular, the 
use of the  Social Security number should be avoided.  In no 
instance, should it be used  as both an identifier and 
authenticator.    RECOMMENDATION 4:  

     Service providers should not disclose information without the 
explicit  consent of service users.  Service providers should be 
required to make  known their data collection practices to service 
users.  

     Service providers have a responsibility to inform users about 
the  collection of personal information and to protect the 
information against  unlawful disclosure.  Personally identifiable 
information should not be  disclosed without the affirmative consent 
of the user.    RECOMMENDATION 5:  

     Users should not be required to pay for routine privacy 
protection.  Additional costs for privacy should only be imposed for 
extraordinary  protection.  

     The premise of the federal wiretap statue is that all users of 
the public  network are entitled to the same degree of legal 
protection against the  unlawful disclosure of electronic 
communications.  This principle should be  carried forward into the 
emerging network environment.  Segmented levels of  privacy 
protection are also likely to introduce new transaction costs and  
create inefficiencies.  Where special charges are imposed for 
privacy, it  should be for "armored car" service.    RECOMMENDATION 
6:  

     Service providers should be encouraged to explore technical 
means to  protect privacy.  

     Service providers should pursue technical means to protect 
privacy,  particularly where such means may improve the delivery of 
service and reduce  the risk of privacy loss.    RECOMMENDATION 7:  

     Appropriate security polices should be developed to protect 
network  communications  

     Security is an element of privacy protection but it is not 
synonymous with  privacy protection.  Appropriate security policies 
should be put in place to  protect privacy.  However, it should be 
recognized that some security  measures may compromise privacy 
protection.  Network monitoring, for  example, or the collection of 
detailed audit trail information will raise  substantial privacy 
concerns.  Therefore, security policies should be  designed to serve 
the larger goal of privacy protection.    RECOMMENDATION 8:  

     A mechanism should be established to ensure the observance of 
these  principles.  

     Good principles without appropriate oversight and enforcement 
are  insufficient to protect privacy.  This has been the experience 
of the United  States with the Privacy Act of 1974 and of the 
European countries with the  OECD principles of 1981.  In both 
instances, fine principles lacked  sufficient oversight and 
enforcement mechanisms.    

     Additional principles may be appropriate and these principles 
may well need  modification.  But we hope that they will provide a 
good starting point for  a discussion on communications privacy for 
the NREN.    [Attachments: "Protecting Privacy," Communications of 
the ACM, April 1992;  "Communications Privacy: Implications for 
Network Design," Proceedings of  INET '92, Kobe, Japan)]        &  




