Consumer Internet security

Published Friday, 10 September 1999 9:10PM CST by in Internet

Prepared for the Members of the Jobs, Energy and Community Development Subcommittee on Telecommunications and Technology and Members of the Judiciary Subcommittee on Data Privacy and Information Policy.

Security, growing up spending every summer of my youth in Shoreham, Minnesota, meant a butter knife wedged in the front door jamb. It wasn’t there to keep anyone out, but rather so a storm wouldn’t blow the door open and soak the cottage with wind-driven rain. Both doors had skeleton key locks, the keys for which were lost long before I can remember. Grandpa never locked his Buick’s doors—even when he ventured to the city. He said there was never anything in the car anyway and he didn’t want thieves breaking the windows to find that out.

When Grandpa died, Grandma got new locks and keys for all the doors.

Mom and Dad, on the other hand, always locked the doors at home. “The city was different,” we were told, when my sister and I asked. Indeed, when we moved to Chicago and Dad was in graduate school, we were given specific neighborhood boundaries we were not allowed to cross. “Bad things happen south of 60th Street,” was all we needed to hear until we moved to the suburbs.

You can imagine what would have happened if someone told my Grandpa he had to start locking his doors or told my Dad he couldn’t. But that’s precisely what’s happening in cyberspace. One side is telling us that we need locks while the other insists that we can’t have them.

Meanwhile, two recent GAO reports indicate that the government’s own computer networks lack adequate security.

Privacy

We didn’t have a phone in Shoreham because Grandma didn’t want her customers bothering her when she was out of town. We didn’t get mail at the lake either because we had to haul off our own trash. Early every summer Grandpa would take me out in an old Ole Lind Boatworks fishing boat to brief me on all of the secrets of the last nine months. “Old Mrs. Leeby retired and isn’t making doughnuts any more; young Mrs. Leeby’s aren’t as good, but don’t say anything.” “Mrs. Anderson’s son killed himself last winter, so be extra nice to her.” I’m sure some secrets were as dark and dank as the inner reaches of that boat’s covered bow, but I wasn’t privy to them. And that’s the point, isn’t it? Previous generations could easily exchange private information merely by moving out of earshot. These days that’s not so easy, and it’s nearly impossible in virtual space.

Every privacy study undertaken has found the same thing: consumers are adamant about wanting to protect their personal privacy. But the collection and misuse of consumer information continues unabated.

Consider the following government initiatives in just the past few weeks:

  • Monitoring the network activity of private industries for illegal transactions.
  • Allowing law enforcement to secretly enter private homes and offices to install data wiretap devices and disable any cryptography technologies.
  • Monitoring the conversation and physical location of any cellular telephone in the country.
  • The FTC Report to Congress indicating that self-regulation works and that “no legislative action is necessary at this time.”

Now the telephone company—and make no mistake; if you want telephone service in most of the country, you’re still forced to deal with one telephone company—has convinced a federal appeals court to reverse FCC rules designed to protect consumer data. The rules had required the telephone company to get explicit permission from customers before sharing or using personally identifiable information—including calling patterns—to market new services to them. The new decision prohibits the telephone company from selling consumer information, but allows internal use of the data. It should surprise no one that the telephone company recently began offering a new service to restrict telemarketing calls. Companies, we are constantly reminded through public relations campaigns, recognize that privacy is a concern to their customers.

Information Access

The federal government introduced a comprehensive search engine in May 1999, offering more than 3.8 million government web pages. All of the pages, spanning more than 20,000 web sites, are available to anyone with the price of admission: US$15 for an individual one-day pass; US$30 for monthly access; and US$250 for a one-year subscription.

The gov.search database—a collaboration of the Commerce Department’s National Technical Information Service (NTIS) and Cambridge, Massachusetts-based Northern Light Technology—allows users to search the full text of governmental databases and screen the results by subject area, government branch, or federal agency.

Within hours of announcing the new service, the Commerce Department took it offline. The Clinton Administration wanted to rethink its plan of making citizens pay for access to federal information, bringing the plan in line with the administration’s open information policy.

Days later, Northern Light Technology said it intended to proceed with the service with or without support from the Clinton Administration. “We own the URL, usgovsearch.com,” David Suess, president and chief executive of Northern Light Technology, told the New York Times on May 20, 1999. “We own all the intellectual property associated with the search engine. So I think that the important point is that we invested all the money, we are incurring all the expense to operate the service, so the Commerce Department does not actually have the authority to halt the service or to change the pricing model.”

What We Can Do Now

  1. Recognize the individual right to privacy. In July 1998, the Minnesota Supreme Court acknowledged that Minnesota citizens have the right to bring lawsuits for invasion of privacy. “The right to privacy is an integral part of our humanity: one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close,” wrote Chief Justice Kathleen Blatz in her opinion.
  2. Recognize that transactional data and personal information about an individual are owned by that individual. The state may assign my address, and the telephone company may assign my phone number, but that data should be owned by me. I should control the purposes for which that information may be used.
  3. Comply with the European Union Data Protection Directive. European countries recognize personal privacy as a fundamental human right. The Directive requires that citizens be told to what purposes their personal information will be put when it is collected. It also allows them to opt out of any information transfer to a third party, and any global information transfer must take place between countries with “adequate” data protections. In the simplest terms, information gathered for one purpose may not be used for another purpose without the subject’s informed consent.
  4. Encourage the citizenry to use strong public-key cryptography and prohibit any mandatory key escrow system. Yes, criminals will surely use cryptography, just as they use telephones and computers and other tools that we all share. But the citizenry will also be more secure, and that greater good far outweighs anything else. Besides, Pandora is already out of that particular box.

Thank you for the opportunity and your attention.
