The questions under consideration today by the Privacy Working Group of
the Information Infrastructure Task Force (IITF) are crucial for future
users of the nation's communications networks. In fact, protection of
personal privacy may be the single greatest challenge facing the
developers of the National Information Infrastructure (NII). The
recommendations of this group may very well determine whether in fact
the emerging communications network will foster growth, opportunity, and
democratic values.
Computer Professionals for Social Responsibility (CPSR) and many
other educational, scientific, commercial, and public interest
organizations have a special appreciation for computer networking
policy. CPSR, for example, began more than a dozen years ago, when
computer scientists who shared a common concern about the impact of
technology were able to communicate through an early prototype of
today's NII. Electronic messages were exchanged, study groups formed,
documents drafted, and an organization created because people had the
opportunity to communicate freely and safely in a new technological
environment.
As CPSR has grown, our use of the network has grown. Today we
manage a number of mailing lists for members who are interested in
topics as diverse as computers in the workplace, electronic warfare, and
computer science curriculum. We distribute several electronic
newsletters and post information to other newsgroups and information
providers on the network.
Throughout the development of electronic services, we have always
focused on privacy protection. The following policies illustrate our
commitment to this issue.
* We do not sell, rent, or lend our mailing lists.
* All of our electronic mailing lists are based on the "opt-in"
principle. If one wishes to receive information about a particular
topic, one affirmatively "subscribes" to the list. If at some point in
the future, one has no further interest in receiving information, it is
easy to "unsubscribe."
* We respect the right of anonymity. Network users can retrieve
information from our Internet Library without disclosing their identity.
They may also sign up for our mailing list and remain anonymous.
* We have avoided any form of universal identifier, such as the
Social Security number. The electronic mailing addresses provide enough
information to reach people through the network.
* We are also careful about computer security at our Internet site.
Features in the mailer programs that automatically allow outsiders to
obtain lists of names of those on "alias"-style mailing lists have been
disabled.
* These principles have worked well. We are able to provide
specialized services for members without violating their right of
privacy. We are also able to make information available to the general
public without requiring identification. In protecting privacy, we have
also created a free and open information environment.
CPSR is not unique. Many other organizations on the Internet--from
universities and libraries to research centers and hobbyists--follow
similar policies. What is amazing is that the most advanced
communications system ever built currently provides such a high level of
privacy protection.
Code of Fair Information Practices
CPSR believes that an NII privacy code should be developed and enforced.
We have already recommended a set of principles that could help address
many of the privacy concerns the NII will raise. These principles are as
follows.
1. The confidentiality of electronic communications should be
protected.
2. Privacy considerations must be recognized explicitly in the
provision, use, and regulation of telecommunication services.
3. The collection of personal data for telecommunication services
should be limited to the extent necessary to provide the service.
4. Service providers should not disclose information without the
explicit consent of service users. Service providers should be required
to make known their data collection practices to service users.
5. Users should not be required to pay for routine privacy
protection. Additional charges for privacy should be imposed only for
extraordinary protection.
6. Service providers should be encouraged to explore technical
means to protect privacy.
7. Appropriate security policies should be developed to protect
network communications.
8. A mechanism should be established to ensure the observance of
these principles.
These principles are based on similar policies developed in New
York, Canada, Japan, and Europe. Even though they provide a good
framework for privacy protection, it is important to recognize that any
code of fair information practices without an adequate enforcement
mechanism will have little impact. CPSR therefore recommends
establishing a privacy agency to oversee implementation of government
policy in this area.
As the NII develops, commercialization of the network will create
enormous privacy problems, and it is known that current industry
approaches leave much to be desired. We now have the opportunity to
shape the future of electronic communications and to design privacy
policies that take full advantage of our new information environment.
Public Education
As the Working Group has already noted, public education is critical in
the privacy realm.
It is our belief that citizens should not be responsible for
learning about new risks to their privacy. This is simply not
reasonable, and would not be acceptable for other consumer products.
When a communications product is offered to consumers, the consumer
should rightly expect that privacy will be protected and if the product
fails to provide privacy protection, it is defective.
Legislation
Government is the institution through which we come together to set
collective priorities, to organize our resources for the common good, to
set the rules under which we wish to live. For all its problems
government is essential.
CPSR has worked closely with state, national, and international
organizations on emerging privacy issues. Our specific legislative
proposals include:
*
Establish a privacy agency and ensure oversight of the Privacy Act
of 1974
*
Restrict the use of the Social Security Number
*
Extend privacy protection to the workplace
*
Update the Electronic Communications Privacy Act
Marc Rotenberg is director of the Washington office of Computer
Professionals for Social Responsibility.