IP: TESTIMONY OF DAVID J. FARBER HOUSE COMMITTEE ON COMMERCE

[Dave Farber <farber () cis upenn edu>]

PREPARED TESTIMONY OF
DAVID J. FARBER
ALFRED FITLER MOORE PROFESSOR OF TELECOMMUNICATION SYSTEMS
OF THE UNIVERSITY OF PENNSYLVANIA
BEFORE THE
HOUSE FULL COMMITTEE ON COMMERCE
KICKOFF HEARING ON ELECTRONIC COMMERCE
APRIL 30, 1998




Introduction


Mr. Chairman and Members of the Committee, I’d like to thank you for giving
me the opportunity to share my thoughts with you today on the government’s
role in the development of electronic commerce.  I see this as a critical
issue to the continued growth and viability of the Internet, and I am
pleased that this Committee is taking such an active part in trying to
understand the proper role of the U.S. government in the administration of
key Internet issues such as this.


My interest in this issue, and others related to the health and growth of
the Internet, stems from my almost 30 years of involvement in information
technology issues.  I am the Moore Professor of Telecommunications at the
University of Pennsylvania, where I direct the Center for Communications &
Information Science & Policy.  In addition, I am a member of the
Presidential Advisory Committee on High Performance Computing and
Communications, Information Technology and Next Generation Internet.  I am
a long time member of  the Board of Directors of the Electronic Frontier
Foundation (EFF) and a member of the Board of Trustees of the Internet
Society (ISOC).  I am also a Fellow of the Center for Global Communications
of Japan (GLOCOM).


Even though I am a technologist, my long-term involvement in teaching
telecommunications, working with the Electronic Frontier Foundation, and
writing and publishing to the Internet community on technology, politics
and culture enable me to comment in detail about the societal and economic
implications of this new medium.  Therefore, I plan on focusing on three
points during my testimony.  First, the government should not do anything
to undermine the development of electronic commerce or technologies that
enhance privacy protections and the security of the networks.  Second, the
government should support self-regulatory methods for routine kinds of
marketing and consumer data.  And finally, the government should provide
legal protections for sensitive data such as medical records, Social
Security numbers, tax information, and for information that consumers have
been told would be kept private.


The government should not undermine the development of electronic commerce
or technologies that enhance privacy and make computer networks more secure.


The Internet has been a potent empowering tool for individuals and small
companies who traditionally have been disenfranchised from the government
and at a disadvantage in the national and global marketplaces.  Small
businesses in rural areas are now able to advertise their products and
ideas inexpensively and to wide audiences.  This has enabled these
businesses to grow, and, in turn, our economy benefits in substantial ways.


Government imposition of taxes at this stage of development of electronic
commerce could be devastating to these individuals and small businesses.
Aside from the obvious jurisdictional problems with trying to determine
which governing body can assess taxes, the financial burdens this would
place on the seller of goods to determine the physical location of
purchasers could also be devastating.  Congress should be hesitant to
impose any new tax burdens on electronic commerce until electronic commerce
has had a chance to grow and more information is available regarding its
benefits and vulnerabilities.


Congress should also refrain from enacting laws that make the Internet less
secure.  In general, the public is very concerned with privacy and security
of networks.  According to a recent Business Week/Harris poll, consumers
cite privacy as the primary inhibitor to their engaging in online
transactions.  A March 1997 study by the Boston Consulting Group for the
self-rating organization TRUSTe estimates that as much as $6 billion in
additional electronic commerce revenue could be generated by the year 2000
if consumers’ privacy concerns were addressed.  More than 70% of the
consumers surveyed were more concerned about the privacy of information
transmitted over the Internet than over the telephone and via postal mail.


Even more frightening, the President's Commission on Critical
Infrastructure Protection found that American security, economy, way of
life, and perhaps even survival are now dependent on the interrelated trio
of electrical energy, communications, and computers.  “Today, the right
command sent over a network to a power generating station's control
computer could be just as effective as a backpack full of explosives. . . .
 Our vulnerabilities are increasing steadily while the costs associated
with an effective attack continue to drop.”


But this doesn’t mean that there should be more government regulation.  In
fact, many of the problems associated with network security and privacy are
direct results of government regulation of secure encryption.


As this Committee is probably aware, encryption technologies are used to
scramble data so that it can only be deciphered by appropriate receivers.
Strong encryption must be built into networks to ensure security and to
protect privacy.  Without strong encryption, electronic commerce is
essentially crippled.  People cannot send credit card information over the
networks without there being a serious risk of that information being
compromised.  Digital cash, the equivalent of paper money with all the
advantages of being able to engage in electronic purchases without
identifying oneself, is slow to happen, because without worldwide
protection at a very secure level, users could tamper with the dollar
values in their accounts.  Users will be afraid to provide personal
information about themselves to vendors for fear that this information will
be used by others for other purposes.


Technologies to enable secure electronic transactions are being developed
and used as we speak.  But current U.S. export controls on encryption
forbid companies and individuals from sending research results or products
containing strong encryption overseas, in an attempt to protect classified
government wiretapping capabilities.  I believe the current controls are
unconstitutional, and last year a Federal District Court agreed with me.
The Clinton Administration and several bills in Congress attempt to “solve”
the export control problem with proposals such as key recovery, but none of
these proposals handles either the civil liberties issues or the network
integrity and security issues.  Key recovery simply adds another layer of
insecurity to the networks.  Anyone who can get access to the keys can get
access to the data, but key recovery requires that the keys be made
accessible to third parties without the knowledge or consent of the citizen
or network operator.  Rather than work in good faith to solve these issues,
the Administration has threatened further unconstitutional measures that
would extend the export controls by regulating the right to use encryption
technology in the U.S.


The United States government should pay attention to its own messages.  On
the one hand, the government issues reports describing the insecurity of
the networks.  On the other hand, the government’s own encryption controls
are causing this insecurity in the first place.  The government needs to
come to terms with the fact that its current export controls on encryption
are crippling the development of electronic commerce and must be repealed.


The government should support self-regulation for routine kinds of
marketing and consumer data.


Several self-regulating bodies have been developed over the past couple of
years to help Internet marketers establish fair information collection
policies and to provide consumers with notice about the information that is
being collected about them.  These organizations are making important
strides toward helping online marketers behave responsibly.  The government
should support these self-regulatory methods for routine kinds of marketing
and consumer data.


In addition, the government can provide leadership for discussion on
important issues, such as unsolicited electronic mail, without creating a
regulatory framework.  There should be no rush to regulate areas such as
these where there are no clear answers as to what is the best way to handle
problems.  Instead, the government should encourage creative private sector
solutions to help establish the best resolutions for these problems.
Governments seem to have a tendency, when faced with something new like the
Internet, to act to regulate or to slow it until they understand it.  While
there may be problems regarding laws and communities that must be
addressed, it is important that the United States government permit the
Internet to grow and avoid placing unnecessary restrictions on this
important new communications medium.


The United States government must also remember that the Internet is
international.  Any attempts to regulate commerce over the Internet should
take note of the complexities of a global marketplace.


The government should provide legal protections for sensitive data such as
medical records, Social Security numbers, and credit and tax records, and
for information that consumers have been told would be kept private.


While the government should refuse to regulate where no regulation is
needed, there are certain types of sensitive data that do require legal
protection.  For example, there should be laws protecting the privacy of
medical records, Social Security numbers, credit reports and tax records.
These types of data should not be subject to the whim of the marketplace.
Where there is no existing legislation, or where existing legislation is
inadequate, Congress needs to provide consumers with the ability to protect
these types of sensitive data.  For example, no matter what a given
company’s policy regarding the privacy of information it collects, it
should always be actionable for that company to release a consumer’s
medical records without explicit authorization from the consumer.  Any such
protection must also respect the intellectual property rights and civil
liberties of those who collected the data.


This is not just an issue here in the United States.  The European Union
has already passed privacy requirements that are far more stringent than
the federal laws that currently exist in the United States.  The European
Union’s directive forbids member countries from transacting with
noncomplying countries.  This could mean that many European countries will
avoid doing business with United States companies, which could be extremely
harmful to our electronic and physical commerce.  This is not to say that
we should be bullied into accepting privacy standards that are
unconstitutional or overly restrictive.  But in this global marketplace,
Congress must help American businesses remain competitive while respecting
the rights of citizens. The government also has an important role to play
in setting minimum standards of protection for the data of citizens.  When
a company does not voluntarily agree to provide protections, such as notice
of its privacy policies, to its users, the law should impose certain
minimal protections regarding data use.


The government also should create laws enabling consumers to bring civil
causes of action when companies that promise self-regulation fail to
deliver.  Many consumers provide sensitive information about themselves
because they receive assurances from the information collector that the
information will be used by specific entities for specific purposes.  A
company should not be able to collect information under one pretense and
then turn around and change its privacy policy, leaving the consumer with
no legal recourse.  Federal law supporting a consumer “expectation of
privacy” would go a long way in protecting consumers from these predatory
practices.


Furthermore, under our current bankruptcy and merger and acquisition laws,
this sensitive information loses its protection if the information
collector declares bankruptcy or is purchased by another company.  I am
including an article from the Washington Post that describes how the name,
logo, post office box and telephone number of the Cult Awareness Network
(CAN) were purchased by one of the organizations that it worked against
when CAN declared bankruptcy. There is a fear that CAN’s records of all
people that contacted it will be purchased by that same group.  Yet these
people believed that their inquiries were private and would be protected by
CAN.  There should be laws to protect consumers’ privacy interests when
sensitive information changes hands like this.


Conclusion


In conclusion, the United States government has an important responsibility
in fostering the development of electronic commerce.  The government should
avoid creating new tax burdens on this growing market. The government
should repeal the export controls on encryption and help the private sector
create the tools necessary for protecting the privacy and security of the
networks.  The government should then look to the private sector for
guidance on regulating routine pieces of information, such as marketing and
consumer data.  Finally, the government should focus on creating laws that
protect sensitive information, such as medical data, credit reports, and
tax information.  Consumers expectations of privacy should be protected
even when companies declare bankruptcy or are sold.


Once again, I would like to thank the Committee for giving me the
opportunity to share my thoughts with you today.  Please let me know if I
can provide you with any additional information as you consider this
important issue.




Attachment: Anti-Cult Group Dismembered As Former Foes Buy Its Assets


http://newslibrary.krmediastream.com/cgi-bin/document/wp_auth?DBLIST=wp96&DO
 CNUM=50801


Reference: President's Commission on Critical Infrastructure Protection
Report http://www.pccip.gov/report_index.html