by Patricia Fusco ISP-Planet Managing Editor [October 19, 2001]

Congressional Seal Of Approval For Carnivore
Advocates of multifarious tech-related legislation have argued that since the events of September 11th there is a mandate for adopting their respective proposals. Yet many of these laws, rules, and regulations predate the actual events that took place and have little to do with the ways and means of thwarting terrorists.

Some key provisions of the USA Act [S510] and PATRIOT Act [HR975], the Internet gambling provisions of the Financial Anti Terrorism Act, the Tech Talent Bill, and proposals to expand the regulatory authority of the Federal Communications Commission actually undermine this country's sense of liberty. But few lawmakers consider this threat a real and present danger to freedom in America.

Late last week the House and Senate passed similar bills designed to give law enforcement and intelligence agencies increased authority to investigate and prosecute suspected terrorists. The Senate passed the USA Act by a 96 to 1 vote. The House passed a substitute version of the PATRIOT Act, by a vote of 337 to 79 late in the afternoon on October 12th.

Both initiatives included language that would increase electronic surveillance powers—updating existing laws to account for Internet and wireless communications—in the fight against terrorism. Naturally, the Federal Bureau of Investigation's controversial e-mail snooping system—known as Carnivore or Echelon—is an element.

Civil libertarians argue that these legislative provisions apply to crimes across the board, not just information gathering by foreign intelligence or suspected terrorists. Most liberals agree that Carnivore could arbitrarily interfere with individual rights to free speech, liberty, and freedom. But the average Joe believes that this is a small price to pay to feel safe and secure about the homeland.

The fact is that Carnivore has been in use for several years with no third-party oversight. If liberals want something to hoot and holler about they should have homed in on the lack of judiciary oversight concerning Carnivore. But Rep. Dick Armey (R-TX) intends to plug this gap between potential infringements on civil liberties and the need for advanced electronic surveillance systems.

Rep. Armey tagged markup language on a House version of an anti-terrorism bill ensuring that judges would have the ability to perform oversight on any use of the Carnivore system. The Texas Republican proposed that before any law enforcement agency implements a trap and trace device—on an ISP's packet-switched data network for example—the agency must maintain a specific record which will identify:

• Who installed the device
• The date and time the device was installed and uninstalled
• The configuration of the device at the time of installation and any subsequent modifications of the device
• Any information that has been collected by the device, and
• Send the sealed record collected by the device to the authorizing court within 30 days after termination of the order.

Let's hope that's enough to keep Carnivore leashed, but the judicial branch of our government is going to need one hefty secure storage network, won't it?

While the two different versions of the bills passed by the House and the Senate are very similar, there remains one key difference—the House bill contains a five-year sunset provision—the Senate bill has no such expiration date.

President George W. Bush issued a statement praising the House and Senate for passing the bills. Whether the Senate accepts the House version or the bill goes to a conference committee, Bush has indicated that either bill would quickly be signed into law.

Stay tuned for the final legislative results from Capitol Hill over the next few weeks as the tech agenda continues to meld with homeland security legislation.

(Back to top)

FCC Vanguard Of Homeland Security?
Newly appointed FCC Commissioner Michael Copps argued in a speech before the Federal Communications Bar Association—a Washington D.C. group made up largely of lawyers who practice before the FCC, work for large telecom companies, or work for the FCC—that the events of September 11 means that the FCC "has a larger job to do."

Specifically, Copps said that if September 11 was about anything other than evil, it was about communications. While lauding the telecommunications and media industries for their noble performance in the wake of the terrorist attacks, Copps said that the Commission must be in the vanguard of our homeland security efforts.

"First we need to identify which parts of our networks performed well and which require more work. We must work to repair the damage done to our infrastructure and then work to achieve redundancy and security in all those places where infrastructure is critical," Copps said. "We have already begun the effort of improving our 911 system so public safety and wireless providers can react even more effectively, and our preemption protocols so that the most important calls always go through. But we need to go beyond even this. There is more to be done."

Copps said that truly secure and reliable telecommunications and cyberspace systems are no longer a luxury after September 11th. Nor is action on convergence.

"This is the time to stop theorizing about technological and industry convergence and to start dealing with it," Copps added. "The events of September 11 will move such public policy and regulatory questions front-and-center. The Commission needs to be there."

Is this an indication that the so-far sedentary communication's agency under Chairman Michael Powell will be take sweeping actions in order to fulfill the pro-consumer mandate of the 1996 Telecom Act?

Not exactly.

Copps said the FCC's mission of facilitating competition in all communications markets does not include establishing competition merely for competition's sake.

"Companies have been rushing to deploy advanced technologies in response to competition from other broadband providers. As Congress predicted, the competition resulting from the 1996 Act is unleashing an unprecedented investment in 21st-century communications infrastructure," Copps said. "The role of government is not to pick winners and losers. Our job is to eliminate barriers to competition so that companies have the incentive to invest and innovate.

"As competition develops to replace monopolies, we should strive to meet another principle of the 1996 Act—deregulation. Where markets function properly, we can rely on market forces—rather than legacy regulation—to constrain anti-competitive conduct," Copps continued. "Where market failures persist or develop, however, we must respond with clear and enforceable rules tailored to serve the public interest."

Regulatory activism or pro-market pacifism from the FCC hinges on its definition of the word "monopoly." Let's face it; the next few months will likely be a deregulatory boon for big telecom companies and cable operators that are actively deploying wired broadband systems. Regulatory relief could be the spark that jump-starts the equipment marketplace.

But wireless broadband access is another matter. First, the FCC needs to allocate enough spectrum to keep homeland defense systems operating without a glitch. Next, the FCC needs to open up enough spectrum to make the vision of third generation wireless communication feasible. Finally, the Commission has to auction off the spectrum it makes available to commercial enterprises. This airwave allocation issue is going to take a while to fix.

(Back to top)

Four Champions Of Online Privacy?
So there's plenty being done about safety. What about liberty?

A bipartisan foursome including Rep. Cliff Stearns (R-FL), Rep. Billy Tauzin (R-LA), Rep. Bob Goodlatte (R-VA), and Rep. Rick Boucher (D-VA) outlined a proposal for future privacy laws late last week.

The proposal has three major points impacting privacy policy in the U.S.

• First—to repulse governors—it invokes federal preemption of state laws.
• Second—to aggravate consumers—it taps the Federal Trade Commission for enforcement.
• Third—to annoy lawyers from coast to coast—it allows for no private right of action. And just to make sure that every party is equally alienated, the privacy proposal would be applied in both online and offline realms.

If such a federal privacy policy could equally irritate all parties concerned, this thing just might have some teeth in it.

The policy proposal would regulate the collection of personally identifiable information (PII). It would make privacy statements required, the sale or disclosure of personal information limited, and safe harbor provisions allowed.

Rep. Stearns is Chairman of the House Commerce Committee's Subcommittee on Commerce Trade and Consumer Protection, which has held six hearings on Internet privacy this year, but has not introduced any successful legislation.

"After many discussions and deep consideration, I have developed a structure for general information privacy, both online and offline, that would be useful in formulating a legislative statement on information privacy," Sterns said.

While introducing the policy late last week, the Congressional quartet hinted that formal presentation of a privacy bill would be forthcoming early next year. Rep. Stearns presented his ideas as a platform for federal information privacy policy. He said the breadth and scope of the committee's inquiry have yet to be matched.

In addition to preempting state laws and granting FTC enforcement authority, the committee's guidelines include general rules for collecting personally identifiable data from individuals. Any business or organization that collects such data must notify people about its activities and state if the information could be used for other purposes. Specifics include publishing the following:

• Privacy Notice: The organization shall provide notice as to where a consumer may obtain the organization's privacy statement at the first instance of data collection. Small organization exemption to apply.
• Privacy Statement: The Statement shall be simple, easily to read, concise, clear and conspicuous. Statement shall only include the organization's practices as they relate to the collection, processing and use of personally identifiable information (PII).
• Opportunity to Limit Sale of Information: The data collecting organization must accord the consumer [at no cost] an opportunity to limit the sale or disclosure for consideration of his/her PII to a non-affiliate third party.
• Security Statement: The organization must provide, as a component of its privacy statement, a notice as to whether it takes reasonable precautions to prevent collected information from being obtained by non-authorized parties.
• Safe Harbor: An organization shall be in compliance with federal baseline privacy rules, if it complies with self-regulatory guidelines of a self-regulatory organization (SRO) approved by the FTC and consistent with federal baseline principles. The FTC shall approve a SRO only if it meets, at minimum, certain criteria, as enumerated in the federal privacy principles.
• ID Theft & Social Security Number Misuse Provision: Different and discrete steps have been recommended designed to enhance existing ID theft protections. In addition, no person may publicly display or sell another person's social security number without the affirmative consent of that person.
• PII Security Provision: An organization should demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy for treatment of PII across the organization.

Rep. Boucher said it is very important that that anyone who uses the Internet has notice of what information is collected by the websites visited. "Every website that collects information should have a statement that is readily accessible to the

Rep. Stearns said that he has just begun to share these thoughts with key House members for their input and he hoped to gain their collective views and insights.

Rep. Goodlatte said his goal was to keep state legislatures from creating a conflicting array of regulatory entanglements that would hinder enforcement.

Rep. Tauzin, addressing privacy standards of government websites said "I think that it is abhorrent that any federal website should have a cookie on it."

There's always one too many statements made during these press events, aren't there? More on this later … Let's hope 2002 at the earliest.

— End

Related articles:
	[Oct. 11, 2001]	U.S. Cyberspace Security Guru Named
	[Oct. 11, 2001]	Study Finds Web Server Attacks Doubled In 2001
	[Sep. 18, 2001]	Lawmakers To Scrap Tech Agenda

Online resource:
	InternetNews.com Special Report