Copyright 2000 Federal News Service, Inc.
Federal News Service
May 25, 2000, Thursday
SECTION: PREPARED TESTIMONY
LENGTH: 3198 words
HEADLINE: PREPARED TESTIMONY OF JEFF B. RICHARDS, EXECUTIVE DIRECTOR OF THE INTERNET ALLIANCE (WWW.INTERNETALLIANCE.ORG), BEFORE THE SENATE JUDICIARY COMMITTEE
BODY:
Good morning, I am Jeff Richards, Executive Director of the Internet Alliance. Since our founding in 1982 as the Videotex Industry Association, the Internet Alliance (IA) has been the only trade association to address online Internet issues from a consumer Internet online company perspective. Through public policy, advocacy, consumer outreach and strategic alliances, the IA is building the trust and confidence necessary for the Internet to become the global mass-market medium of this century. The Internet Alliance's members represent more than ninety percent of consumer access to the Internet in the United States. Since May of 1999, the Internet Alliance has been a separate subsidiary of the Direct Marketing Association, bringing the resources of a 4,500-member organization to bear on consumer Internet issues and their resolution.
Our mission is to increase consumer trust and confidence in the Internet by promoting good business practices, public education initiatives, enforcement of existing laws protecting consumers, and the development of a legal framework governing the Internet that will provide at the same time predictability and efficiency, security and freedom to innovate. I am pleased to be able to offer the Alliance's views on Internet security and privacy, and particularly on S. 2448. IA's consumer e-business focus gives its views particular relevance. Among the key issues affecting the willingness of consumers to use the Internet are security, law enforcement, and privacy. For example, while privacy is among the most cherished American values, ironically it is not an absolute proposition, but a flexible and evolving set of expectations. Indeed those expectations change according to individual circumstances, such as where we are, what we are doing, and what stage of life we're in, as well as changing along with our culture and technology. Clearly, analyzing privacy in simplistic terms, while appealing, is unlikely to lead us to an optimal level of consumer satisfaction.
In particular, then, I will focus on security matters. Coming as I did from last week's G8 meeting during which we released the Internet Alliance White Paper entitled "An International Policy Framework for Internet Law Enforcement and Security," I saw again that -- at least among the G8 members -- there was a clear belief that law enforcement and security issues are in fact shaping the consumer Internet marketplace more than any other. My message today is that, with this Committee, the Internet Alliance agrees that law enforcement and security issues are central to achieving consumer confidence and trust. At the same time, we are not enthusiastic about and do not today support proposals to legislate privacy. For reasons that we will touch on later, privacy legislation invites unintended consequences, increases tensions over jurisdiction, and distracts us all from the critical point of agreement: effective enforcement of current law.
IA members recognized several years ago, in the infancy of e-commerce, the importance of consumer confidence and trust in the protection of their data, and they were instrumental in designing the first privacy "best practices" guidelines. Beginning with our creation of the first industry privacy principles in 1996, and continuing through initiatives like TRUSTe, BBBOnline, and the Online Privacy Alliance's privacy guidelines, as the Internet was commercialized the private sector has changed the e-commerce landscape in favor of the consumer. At the same time government has monitored these efforts but has expressly endorsed industry leadership and encouraged corporate participation in these voluntary efforts, while forbearing to legislate. This approach to Internet regulation has proven very constructive.
I make these points because the areas of security and privacy of personally identifiable information offer the Committee an outstanding example of voluntary private sector action resulting in an unusual record of achievement. As noted in recent studies, over 90 percent of recently surveyed commercial web sites post privacy policies, a huge advance over the last two years; and the quality of the disclosures and other features is also rapidly increasing. It is doubtful that either government or non-profit sites come close to this level of performance. Most importantly, there is no question that industry has brought these benefits to consumers more rapidly than could have been the case under the compulsion of formal federal regulations. Likewise, the inherent flexibility of business-led efforts has allowed for a more prompt and tailored response to subsequent challenges, such as those posed recently by the evolution of ad server practices, that government has helped highlight.
This provides evidence that the optimal approach to consumer Internet issues is almost always found in a combination of efforts, a three-way partnership among industry committed to better serving customers, government committed to effectively enforcing current law, and an empowered public knowledgeable of its choices and competent to decide for itself among a range of options. I stress that as it addresses the rapidly changing Internet, government has a useful, even essential role. However, that role should rarely lead it to impose new legislative mandates and constraints, and then only by the least restrictive means available.
These ideas form the framework for the rest of my comments. We commend the Committee for its leadership role in oversight of the Internet and the many issues raised as the new medium alters our economy and our society in significant ways. The context for this hearing is compelling: just over the last few months, public attention has been focused on large-scale distributed-denial-of-service attacks, hacking of sensitive databases, a new set of viruses, and this week, the release of the Federal Trade Commission's annual e-commerce site privacy survey and recommendations. These are the kinds of events that normally generate widespread support for responsive legislation. We must keep in mind, however, that in each case the response of industry and, where laws were broken, law enforcement, has been quick and effective. This was without new laws or expanded enforcement authorities.
Mr. Chairman, Mr. Schumer, in S. 2448 you have proposed ambitious security and privacy legislation; and we express our appreciation for your sensitivity to a number of industry needs and concerns in its drafting. It covers several general areas: on the security side, 1) additional powers and resources for law enforcement in the Internet space; 2) increased penalties for existing crimes and the addition of new conduct to the criminal code; and 3) provisions for expanded law enforcement cooperation with computer crime investigations by foreign jurisdictions. On the privacy side: requirements that e-businesses give consumers notice before collection of personally identifiable information, and choice over how that information, if collected, can be disclosed to others. You have asked for our reaction to these initiatives.
While we approach any legislation governing the Internet with extreme caution, we feel that S. 2448 does contain security-related provisions of positive interest to industry. By way of background we have become vigorously involved in building bridges between industry and the law enforcement community.
Last fall the Internet Alliance launched the Law Enforcement and Security Council as a global initiative focused on the effective enforcement of current laws. The LESC is partnering with several law enforcement agencies to improve training and coordination in the enforcement of existing laws. We feel additional budgetary and personnel resources for these agencies, and more widespread training of and coordination among investigative and prosecutorial officers, to be the steps that would provide maximum benefit to all who use the Internet. I myself testified in support of these resources before Sen. Gregg's Appropriations Subcommittee earlier this year. Again, we feel increased enforcement of current laws is almost always sufficient to protect the public.
At the same time, the Internet Alliance also recognizes there are times when current law needs to be amended by narrowly tailored legislation in order to enhance effective enforcement. Thus, we advocate criminal provisions outlawing false email and message identification information, as a key step in empowering consumers to reduce the amount of unsolicited email, and in assisting ISP's to block outgoing messages which may be part of a distributed denial of service attack. We appreciate your inclusion in S. 2448 of a provision directed to these concerns. While it is not a complete solution in itself, we are convinced it is a necessary foundation for other consumer empowerment and law enforcement initiatives, some of which have been proposed in other bills.
With respect to the other security related provisions, the IA favors giving law enforcement adequate tools to investigate and prosecute criminal acts online. Our enforcement agencies are instrumental in contributing to the high quality of life we enjoy in America. As the Internet has emerged, they have been called on to meet extraordinary new challenges. In general, they are doing a fine job, as demonstrated by their successes in responding to the recently publicized DDoS, hacking and virus attacks, but there are modest changes in law which would further improve their ability to protect the public. We support S. 2448's proposals to satisfy the $5,000 threshold on computer crimes by expanding the definition of and allowing the aggregation of damages, and to give nationwide effect to certain evidentiary court orders. Experience has shown that current rules in these areas fall short in real world application.
However, we share the misgivings of civil liberties groups and others over law enforcement requests to expand wholesale the scope of trap and trace or pen register laws in the Internet context. While useful to law enforcement, we feel these steps threaten to undermine consumer confidence in the Internet and subject the actions and communications of innocent users to an unparalleled level of government monitoring and intrusion. At the same time, they could implicate ISP's and web site hosts in an unprecedented level of participation in criminal investigations and lead to mandatory, and impractical, data retention requirements. We commend you for having resisted these proposals in drafting S. 2448.
In our society, we have never subscribed to the idea that safety and security is worth the sacrifice of all freedoms. We accept some measure of risk, some inefficiency in our criminal law system, because we attach such a high value to individual freedom and privacy from government intrusion. Thus, the Internet Alliance feels strongly that Fourth Amendment and statutory protections such as ECPA must be safeguarded and made applicable in all online contexts. It is not reasonable to believe Internet users are greatly concerned about corporate use of personally identifiable information, but that they have little interest in government access to the same data. Survey results consistently have shown the opposite.
We also would like to raise concerns about the impact of broadening the scope of criminal conduct for computer crimes, and about the effect of the new hacking provisions. We concur with the addition of computer crimes to the list of offenses for which wiretaps may be sought. On the other hand, I believe you would agree that the federal role in law enforcement is a special one, and as we think about expanding our ability to combat hacking by broadening proscribed conduct, we should avoid spreading the net so far as to encompass relatively harmless nuisances and pranks. In addition, our members feel strongly that any hacking provisions must not compromise their ability to hack into their own systems, or to hire others to do so. This is a technique essential to the ongoing process of discovering system weaknesses and correcting them. We have not concluded that the language of S. 2448 poses these problems, but we would like to work with you to make sure the right balance is clearly struck.
On our final security-side point, we have long urged greater domestic law enforcement cooperation with foreign criminal law authorities. Positive examples can be found, such as the assistance both the consumer Internet industry and U.S. law enforcement officials gave in the Philippine investigation of the "Love Bug" virus. However, the international character and ease of use of the Internet makes it inevitable that cross-border crimes will become more and more common. Again, we support increased budgetary, personnel and training resources for this purpose. And we have no substantive concerns with many of the international cooperation provisions of S. 2448. We offer the following examples as starting points for effective international dialog:
The law as finally amended should not require businesses to change their business practices to accommodate the needs of foreign, or domestic, criminal investigations.
The law should not impose significant, uncompensated expenses on ISP's or other e-businesses in responding to requests by law enforcement at the behest of foreign authorities.
It should not require business involvement in the investigation of conduct which is constitutionally protected in the United States or which is consistent with our underlying values. We believe S. 2448 contains language designed to produce this result, though we would like to review the specific wording with you to make sure it's effective.
Immunity from suit should be extended to those who in good faith comply with investigative requests under the law, which are valid on their face.
Turning now to privacy, I would like to make a few general comments. It is clear that privacy is growing as a federal legislative issue. Some policymakers and the media, in particular, are coming to believe that they grasp the complexity of the issue and the options available, and that the time has come for a decision on what federal privacy legislation should look like. As I noted at the beginning of my testimony, industry has always been at the forefront of thought, discussion and action in improving privacy protections available to Internet users. Yet, we in the business community are acutely aware that because of the complexity of cause-and-effect in the Internet space, even well intentioned legislation developed after several years of experience poses both to business and to consumers significant risks of unintended consequences. Hence, we must be involved in providing you the best of our knowledge and expertise.
From our standpoint, "getting it right" is essential:
Technology and business models are changing quickly, and require policymakers to acquire current factual knowledge and develop insight into future trends, so as not to rob consumers of new Internet functions or capabilities - and prevent new privacy innovations and solutions.
Policy models to date have rested on assumptions about what consumers want. There is a growing body of data indicating that they vary widely in their desires and expectations. We would all benefit from increased knowledge in this area.
Industry's voluntary response to the privacy challenge has been remarkably successful in delivering real benefits to consumers, and it is increasingly effective. We must be careful not to sap this momentum.
Quite significantly, it is becoming clear that we will not legislate in a vacuum. Other nations have taken up the privacy issue and still others may do so. As an example, it has taken the U.S. and the European Union two strenuous years to negotiate 'safe harbor' rules, which have yet to be tested in practice. In the United States, for example, we have looked at issues in a sector-by-sector approach, such as children, or the financial sector. In Europe, by contrast, there has been a more general approach.
These are complicated issues. We must take the time to integrate an international view into our thinking and assure ourselves that whatever we do will serve us both domestically and internationally.
A key factor from an industry standpoint is pre-emption of state and local laws. This comes as no surprise: the Internet provides the most compelling scenario in recent memory for uniformity of legal treatment across state, and indeed, national, borders. It is clear that S. 2448 does not contain the kind of language which in a constitutional sense "occupies the field" with respect to duties and risks of e-businesses in collecting and disseminating personally identifiable information.
In short, the privacy issue has been joined on many levels. I can assure you that we are every bit as committed as you are to giving consumers a secure and satisfying online experience. We hope to work with you to increase your knowledge of the complex dynamics at work here, dynamics just as subtle and involved as those in the areas of financial and medical privacy.
Finally, let me commend you on the public education campaign called for in S. 2448. We have consistently said that consumer empowerment is the essential ingredient in a successful national privacy policy, and education is a vital component of empowerment. Thus, we support your proposal, but we'd like to help improve it.
To a significant degree, the current debate on privacy is distorted by the perception that the sharing of personal information benefits only the corporate recipient. This of course is incorrect. While the public, and many of us, have come to see the Internet as "free," even on the Internet, free lunches are few and far between. It costs website hosts, merchants, ISP's and others significant resources to create and handle the traffic for useful, attractive, entertaining experiences for consumers. Even for large sales-oriented sites, these are not small components of the cost of doing business. But for most, access to information from consumers who make purchases, or who just visit, is critical to support revenue from web site advertisers.
The Internet offers new opportunities for data sharing and for consumer benefit. Moreover, its ability to save consumers time on purchases and to more perfectly match their expectations on variety, price, performance and other factors is unrivaled in the bricks and mortar world. Yet, because the Internet is an interactive medium, its advantages of speed and satisfaction are directly dependent on the sharing of information. These benefits will only increase in the future as the technology matures.
Thus, we recommend that the public education campaign communicate a balanced view of the risks and benefits of sharing information. We'd be glad to consult with you on this task.
Again, Mr. Chairman, Sen. Schumer, members of the committee, we appreciate the opportunity to comment on these important issues, and we look forward to an ongoing and constructive dialogue. I'd be glad to answer any questions.
END
LOAD-DATE: May 26, 2000