IP: CDT Policy Post 6.24: Roundup of Congressional Action in 2000

[Dave Farber <farber () cis upenn edu>]

CDT POLICY POST Volume 6, Number 24, December 29, 2000

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:
(1)  WITH A FEW EXCEPTIONS, MAJOR INTERNET ISSUES DEFERRED BY CONGRESS
(2)  CONGRESS PUTS OFF DATA PRIVACY LEGISLATION
(3)  CYBERCRIME AND CRITICAL INFRASTRUCTURE LEGISLATION STALLS
(4)  ROUNDUP OF OTHER ISSUES: DIG SIGS, SPAM, GAMBLING, LEAKS

_____________________________________________________________

(1)  WITH A FEW EXCEPTIONS, MAJOR INTERNET ISSUES DEFERRED BY CONGRESS

The 106th Congress, which came to a close on December 15 with the adoption
of final funding legislation for the federal government, left behind a
mixed and largely inconclusive record on Internet civil liberties.  There
was one major defeat for Internet freedom, as Congress required all schools
and libraries that receive federal funding to install filtering software
on their computers.  There was one affirmative victory for privacy offline,
the expansion of the Drivers Privacy Protection Act.  Beyond that, major
issues were left hanging and are likely to be back in 2001, with a new
Congress and a new President.

We already examined the filtering mandate in CDT Policy Post No. 22:
http://www.cdt.org/publications/pp_6.22.shtml.  Below is our year-end
summary of other issues in the 106th Congress.

_____________________________________________________________

(2)  CONGRESS PUTS OFF DATA PRIVACY LEGISLATION

*  E-Commerce Privacy

Over a dozen major bills were introduced addressing issues of online
privacy.   Leading Members of Congress, including Senate Commerce Committee
Chairman John McCain (R-AZ), concluded that federal legislation was needed
to address the growing concerns of consumers about the collection and
disclosure of personal information via the Internet.  To greater or lesser
degrees, the bills sought to codify the basic principles of fair
information practices - notice, choice, access, and security - but they
diverged widely in their specifics, presenting different approaches to
the hard issues of opt-in versus opt-out, enforcement, consumers' access
to information about themselves, and preemption of state privacy laws.
Consensus on meaningful, workable solutions could not be achieved in an
election year.  Several Senators and Representative have said that privacy
legislation will be a key priority early in 2001, but the longrunning
Presidential election contest and the delay in completing the federal
budget deferred any efforts at real consensus-building.

*  Privacy Study Commission

H.R. 4049, the Privacy Commission Act, introduced by Rep. Asa Hutchinson
(R-AR), was considered by the full House under a special procedure
requiring two-thirds approval, but fell short and was not brought up
again.  The bill, which would have created a privacy study commission,
was criticized by some on the ground that it would have merely delayed
more substantive action.  The vote against the bill was an odd coalition
of Members who thought it was a delay tactic and those who preferred to
do nothing.

*  Privacy of Driver's License Information

One provision that was enacted represented a small but notable victory for
privacy offline: Sen. Richard Shelby (R-AL) further strengthened the 1994
Driver's Privacy Protection Act (DPPA), to forbid (with certain narrow
exceptions) state motor vehicle departments from selling or disclosing
driver's license photos, Social Security numbers and medical information
without an individual's express consent (i.e., "opt-in"). Sec. 309 of the
Transportation Appropriations Act, H.R. 4475, Pub. L. 106-346, amending
18 USC 2721.

The DPPA initially required that states give drivers a chance to opt-out of
the sale or disclosure of personally-identifiable information such as name
and address in response to requests for specific records ("individualized
look-up") or for marketing purposes.  Last year, Sen. Shelby tightened the
act by requiring states to obtain the express consent of a driver before
disclosing any information in response to such requests.  He also included
a one-year rider prohibiting the sale or disclosure of "highly restricted
personal information" - defined as an individual's photograph or image,
Social Security number, or medical or disability information - for almost
all purposes without consent.  This year, Sen. Shelby amended the act again,
making permanent the strict limits on disclosure of highly restricted
information.

  *   Social Security Numbers

Other legislation on Social Security numbers (SSNs) fell by the wayside.
A proposal by Sen. Judd Gregg (R-NH) would have banned certain displays
of SSNs without an individual's consent, but also would have allowed many
other uses and would have preempted the ability of states to provide
stronger protections.   Sen. Gregg's amendment had been added to an
appropriations bill but it was stripped out at the last moment in the
face of a veto threat from the Clinton Administration and opposition
from privacy advocates who saw it as an anti-privacy proposal.

*  Cookies

In response to revelations that federal agencies were using cookies to
collect information about visitors to government Web sites, Congress
prohibited agencies from collecting, or entering into an agreement with a
third party to collect,  personally identifiable information regarding an
individual's access to or use of any Federal government Internet site. The
provision has several exceptions, however, including "law enforcement,
regulatory or supervisory purposes, in accordance with applicable law" and
"a system security action taken by the operator of an Internet site [that]
is necessarily incident to the rendition of the Internet site services or
to the protection of the rights or property of the provider of the Internet
site."  Sec. 501 of H.R. 5394, incorporated by reference into H.R. 4475,
which became Pub. L. 106-346.   In a separate provision, Congress also
required the Inspectors General of each agency to submit to Congress a
report disclosing any activity relating to the collection of personally
identifiable data about individuals who access government Web sites.
Sec. 646 of H.R. 5658, incorporated by reference into H.R. 4577, the
Consolidated Appropriations Act, 2001.

*  Financial Privacy

S. 2513, the Financial Information Privacy Protection Act of 2000, was the
Clinton Administration's proposal to give consumers control over the use
and disclosure of their financial and health-related information held by
financial institutions.  S. 2513 and other financial privacy bills never
received serious consideration.

*  Medical Privacy

Likewise, Congress failed to give serious consideration to comprehensive
medical privacy legislation. In the absence of Congressional action, the
Administration acted earlier this month by issuing sweeping privacy rules
for the health care industry.

A list of major data privacy bills that were introduced, with summaries
and reference to hearings or other action, can be found at
http://www.cdt.org/legislation/106th/privacy/

CDT's Congressional testimony in 2000 on privacy issues is at
http://www.cdt.org/testimony/

_______________________________________________________________

(3)  CYBERCRIME AND CRITICAL INFRASTRUCTURE LEGISLATION STALLS

Following the January release of the White House's "National Plan" for
critical infrastructure protection and the denial of service attacks on
major commercial Web sites in February, legislation was introduced to
amend the federal computer crime law and expand government surveillance
authority.  The leading bill was S. 2448, introduced by Senate Judiciary
Committee chairman Orrin Hatch (R-UT) and Sen. Charles Schumer (D-NY).

At the same time, in response to the growing recognition that the privacy
protections in federal surveillance laws had been outpaced by technology,
legislation was introduced to heighten the privacy constraints on
surveillance.  Sen. Patrick Leahy (D-VT) took the lead with his E-RIGHTS
bill, S. 854, but the surveillance privacy bill that got the farthest was
H.R. 5018.  Introduced in the House by Rep Charles Canady (R-FL), H.R. 5018
would have strengthened the pen register and trap and trace law, established
a probable cause requirement for government access to wireless phone
location information, and prohibited use in court of illegally intercepted
email.

The Clinton Administration failed to engage formally with the issue until
late in the year, and the Justice Department vigorously opposed many of the
privacy enhancing provisions of H.R. 5018 and the Leahy bill.  In the end,
neither pro-law enforcement nor pro-privacy legislation passed.  A
stripped-down version of S. 2448 passed the Senate as an amendment to H.R.
46, and H.R. 5018 was approved by the House Judiciary Committee by a vote
of 20-1, but there was neither time nor sufficient interest on the part
of the Administration to develop a consensus bill that balanced law
enforcement and privacy interests.

Another measure that failed to move was the Cyber Security Information Act,
H.R. 4246, introduced by Reps. Tom Davis (R-VA) and Jim Moran (D-VA) with
the intent of facilitating information sharing about computer security
vulnerabilities between the public and private sectors.

Proposals to allow secret searches of homes and offices, which showed up
in various versions of legislation on methamphetamine and bankruptcy,
never went through.

On a largely offline issue, the bill H.R. 3048 passed, giving the Secret
Service authority to issue "administrative subpoenas" in investigating
threats against the President or his family.  An administrative subpoena
is an extraordinary legal document, issued by an investigative officer
with no judicial approval and served on a record custodian (including an
ISP, a portal or a Web site operator) with no notice to the individual
whose records are being procured. The House of Representatives deleted a
Senate amendment that would have authorized using administrative subpoenas
investigations in all fugitive cases.  We can expect to see other
administrative subpoena proposals crop up next year.

Congress authorized or appropriated funding for a number of computer
security and surveillance initiatives, including:

*  The General Services Administration received $8 million for the critical
infrastructure protection initiative, money that will presumably fund
implementation of the Federal Intrusion Detection Network (FIDNet).

*  The FBI received $30.5 million for Digital Storm, its program to replace
analog wiretap and other signals collection devices with digital technology,
allowing rapid manipulation and examination of intercepts in near-real time,
as well as a little over $100 million ($20.7 million in new funding plus
$80 million in carryover funds) for its technology upgrade plan, variously
referred to as e-FBI or the Information Sharing Initiative.

*  The defense appropriations act (Pub. L. 106-259) included a net increase
of over $150,000,000 for information assurance initiatives, including
$35,000,000 to purchase hardware and software applications to monitor
computer networks for suspicious activity; $18,600,000 to accelerate the
DOD's Public Key Infrastructure (PKI) program; $16,400,000 for information
security awareness, education and training; $15,000,000 for the Information
Security Scholarship Program; $5,000,000 to examine the use of information
operations against certain critical target sets; and $26,000,000 for
"USARPAC C4I and Information Assurance."

*  In the Veterans Affairs-HUD bill, Congress appropriated $11.2 million
to the National Science Foundation for the Scholarship for Service program,
which will provide scholarship money to students pursuing degrees in
information security in exchange for work at federal agencies after
graduation.

*  The Computer Crime Enforcement Act, H.R. 2816, sponsored by Rep. Matt
Salmon (R-AZ) and Sens. Leahy (D-VT) and DeWine (R-OH), passed, authorizing
$25 million for Department of Justice grants to help state and local law
enforcement agencies investigate and prosecute hacking, computer viruses
and other cybercrimes, educate the public on identifying and preventing
computer violations and share information with other agencies.

For more information on cybercrime and cybersecurity bills, see
http://www.cdt.org/wiretap/legislation.shtml and
http://www.cdt.org/legislation/106th/wiretaps/

____________________________________________________________

(4)  ROUNDUP OF OTHER ISSUES: DIG SIGS, SPAM, GAMBLING, LEAKS

*  Digital signatures law enacted

A law intended to boost e-commerce by promoting the acceptance of digital
signatures was signed (digitally) on June 30, 2000.  Pub. L. 106-229.  Its
impact, including whether it will adversely affect consumer protection or
privacy, remains unclear. See http://www.cdt.org/legislation/106th/digsig/

Other measures that failed to be enacted this year:

*  Spam

Of several proposals in the House and Senate to regulate spam, HR 3113,
sponsored by Rep. Heather Wilson (R-NM), got the farthest, passing the
House, but it stalled in the Senate.  Rep. Wilson has said she intends to
reintroduce her bill in the next Congress. For more information, see
http://www.cdt.org/legislation/106th/junkmail/

*  Internet gambling

The proposal by Rep. Bob Goodlatte (R-VA) to ban Internet gambling drew
widespread concern.  CDT was worried that "notice and takedown" provisions
in the original bill improperly enlisted Internet Service Providers as
enforcers of government content controls without adequate due process.
The bill went through numerous revisions and in the process there seemed
to have emerged a wider understanding of the dangers in the notice and
takedown approach.  Despite these changes, the ban still did not generate
sufficient support.  Rep. Goodlatte is likely to introduce some version
of his gambling bill next year.

*  Official Secrets Act

It wasn't an Internet issue per se, but the Constitution was spared a
serious blow when President Clinton vetoed an "official secrets act," an
amendment included in the intelligence agencies authorization bill that
would have made it a crime to disclose or print classified information even
if done without intent to harm or any actual harm to the national security.
CDT was among the groups urging a veto. After Clinton's veto, Congress
passed a new intelligence authorization bill, H.R. 5630, without the
"leaks" provision.  House Intelligence Committee chairman Rep. Porter
Goss (R-FL) promised to revisit the issue in 2001.

Happy New Year from all of us at CDT!


----------------------------------------------------------------------

Detailed information about online civil liberties issues may be found at
http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_6.24.shtml.

Excerpts may be re-posted with prior permission of ari () cdt org

Policy Post 6.24 Copyright 2000 Center for Democracy and Technology




---------------------------------------
CDT Policy Post Subscription Information

To subscribe to CDT's Policy Post list, send mail to majordomo () cdt org In
the BODY of the message type "subscribe policy-posts" without the quotes.

To unsubscribe from CDT's Policy Post list, send mail to majordomo () cdt org
In the BODY of the message type "unsubscribe policy-posts" without
the quotes.

Detailed information about online civil liberties issues may be found at
http://www.cdt.org/



For archives see: http://www.interesting-people.org/