Interesting People mailing list archives
IP: TESTIMONY OF DAVID J. FARBER HOUSE COMMITTEE ON COMMERCE
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 30 Apr 1998 18:25:03 -0400
PREPARED TESTIMONY OF DAVID J. FARBER
ALFRED FITLER MOORE PROFESSOR OF TELECOMMUNICATION SYSTEMS OF THE UNIVERSITY OF PENNSYLVANIA
BEFORE THE HOUSE FULL COMMITTEE ON COMMERCE
KICKOFF HEARING ON ELECTRONIC COMMERCE
APRIL 30, 1998

Introduction

Mr. Chairman and Members of the Committee, I'd like to thank you for giving me the opportunity to share my thoughts with you today on the government's role in the development of electronic commerce. I see this as a critical issue to the continued growth and viability of the Internet, and I am pleased that this Committee is taking such an active part in trying to understand the proper role of the U.S. government in the administration of key Internet issues such as this.

My interest in this issue, and others related to the health and growth of the Internet, stems from my almost 30 years of involvement in information technology issues. I am the Moore Professor of Telecommunications at the University of Pennsylvania, where I direct the Center for Communications & Information Science & Policy. In addition, I am a member of the Presidential Advisory Committee on High Performance Computing and Communications, Information Technology and Next Generation Internet. I am a long time member of the Board of Directors of the Electronic Frontier Foundation (EFF) and a member of the Board of Trustees of the Internet Society (ISOC). I am also a Fellow of the Center for Global Communications of Japan (GLOCOM).

Even though I am a technologist, my long-term involvement in teaching telecommunications, working with the Electronic Frontier Foundation, and writing and publishing to the Internet community on technology, politics and culture enable me to comment in detail about the societal and economic implications of this new medium. Therefore, I plan on focusing on three points during my testimony.
First, the government should not do anything to undermine the development of electronic commerce or technologies that enhance privacy protections and the security of the networks. Second, the government should support self-regulatory methods for routine kinds of marketing and consumer data. And finally, the government should provide legal protections for sensitive data such as medical records, Social Security numbers, tax information, and for information that consumers have been told would be kept private.

The government should not undermine the development of electronic commerce or technologies that enhance privacy and make computer networks more secure.

The Internet has been a potent empowering tool for individuals and small companies who traditionally have been disenfranchised from the government and at a disadvantage in the national and global marketplaces. Small businesses in rural areas are now able to advertise their products and ideas inexpensively and to wide audiences. This has enabled these businesses to grow, and, in turn, our economy benefits in substantial ways.

Government imposition of taxes at this stage of development of electronic commerce could be devastating to these individuals and small businesses. Aside from the obvious jurisdictional problems with trying to determine which governing body can assess taxes, the financial burdens this would place on the seller of goods to determine the physical location of purchasers could also be devastating. Congress should be hesitant to impose any new tax burdens on electronic commerce until electronic commerce has had a chance to grow and more information is available regarding its benefits and vulnerabilities.

Congress should also refrain from enacting laws that make the Internet less secure. In general, the public is very concerned with privacy and security of networks.
According to a recent Business Week/Harris poll, consumers cite privacy as the primary inhibitor to their engaging in online transactions. A March 1997 study by the Boston Consulting Group for the self-rating organization TRUSTe estimates that as much as $6 billion in additional electronic commerce revenue could be generated by the year 2000 if consumers' privacy concerns were addressed. More than 70% of the consumers surveyed were more concerned about the privacy of information transmitted over the Internet than over the telephone and via postal mail.

Even more frightening, the President's Commission on Critical Infrastructure Protection found that American security, economy, way of life, and perhaps even survival are now dependent on the interrelated trio of electrical energy, communications, and computers. Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives. . . . Our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop.

But this doesn't mean that there should be more government regulation. In fact, many of the problems associated with network security and privacy are direct results of government regulation of secure encryption. As this Committee is probably aware, encryption technologies are used to scramble data so that it can only be deciphered by appropriate receivers. Strong encryption must be built into networks to ensure security and to protect privacy. Without strong encryption, electronic commerce is essentially crippled. People cannot send credit card information over the networks without there being a serious risk of that information being compromised.
Digital cash, the equivalent of paper money with all the advantages of being able to engage in electronic purchases without identifying oneself, is slow to happen, because without worldwide protection at a very secure level, users could tamper with the dollar values in their accounts. Users will be afraid to provide personal information about themselves to vendors for fear that this information will be used by others for other purposes.

Technologies to enable secure electronic transactions are being developed and used as we speak. But current U.S. export controls on encryption forbid companies and individuals from sending research results or products containing strong encryption overseas, in an attempt to protect classified government wiretapping capabilities. I believe the current controls are unconstitutional, and last year a Federal District Court agreed with me.

The Clinton Administration and several bills in Congress attempt to solve the export control problem with proposals such as key recovery, but none of these proposals handles either the civil liberties issues or the network integrity and security issues. Key recovery simply adds another layer of insecurity to the networks. Anyone who can get access to the keys can get access to the data, but key recovery requires that the keys be made accessible to third parties without the knowledge or consent of the citizen or network operator. Rather than work in good faith to solve these issues, the Administration has threatened further unconstitutional measures that would extend the export controls by regulating the right to use encryption technology in the U.S.

The United States government should pay attention to its own messages. On the one hand, the government issues reports describing the insecurity of the networks. On the other hand, the government's own encryption controls are causing this insecurity in the first place.
The government needs to come to terms with the fact that its current export controls on encryption are crippling the development of electronic commerce and must be repealed.

The government should support self-regulation for routine kinds of marketing and consumer data.

Several self-regulating bodies have been developed over the past couple of years to help Internet marketers establish fair information collection policies and to provide consumers with notice about the information that is being collected about them. These organizations are making important strides toward helping online marketers behave responsibly. The government should support these self-regulatory methods for routine kinds of marketing and consumer data.

In addition, the government can provide leadership for discussion on important issues, such as unsolicited electronic mail, without creating a regulatory framework. There should be no rush to regulate areas such as these where there are no clear answers as to what is the best way to handle problems. Instead, the government should encourage creative private sector solutions to help establish the best resolutions for these problems.

Governments seem to have a tendency, when faced with something new like the Internet, to act to regulate or to slow it until they understand it. While there may be problems regarding laws and communities that must be addressed, it is important that the United States government permit the Internet to grow and avoid placing unnecessary restrictions on this important new communications medium. The United States government must also remember that the Internet is international. Any attempts to regulate commerce over the Internet should take note of the complexities of a global marketplace.

The government should provide legal protections for sensitive data such as medical records, Social Security numbers, and credit and tax records, and for information that consumers have been told would be kept private.

While the government should refuse to regulate where no regulation is needed, there are certain types of sensitive data that do require legal protection. For example, there should be laws protecting the privacy of medical records, Social Security numbers, credit reports and tax records. These types of data should not be subject to the whim of the marketplace. Where there is no existing legislation, or where existing legislation is inadequate, Congress needs to provide consumers with the ability to protect these types of sensitive data. For example, no matter what a given company's policy regarding the privacy of information it collects, it should always be actionable for that company to release a consumer's medical records without explicit authorization from the consumer. Any such protection must also respect the intellectual property rights and civil liberties of those who collected the data.

This is not just an issue here in the United States. The European Union has already passed privacy requirements that are far more stringent than the federal laws that currently exist in the United States. The European Union's directive forbids member countries from transacting with noncomplying countries. This could mean that many European countries will avoid doing business with United States companies, which could be extremely harmful to our electronic and physical commerce. This is not to say that we should be bullied into accepting privacy standards that are unconstitutional or overly restrictive. But in this global marketplace, Congress must help American businesses remain competitive while respecting the rights of citizens.

The government also has an important role to play in setting minimum standards of protection for the data of citizens. When a company does not voluntarily agree to provide protections, such as notice of its privacy policies, to its users, the law should impose certain minimal protections regarding data use.
The government also should create laws enabling consumers to bring civil causes of action when companies that promise self-regulation fail to deliver. Many consumers provide sensitive information about themselves because they receive assurances from the information collector that the information will be used by specific entities for specific purposes. A company should not be able to collect information under one pretense and then turn around and change its privacy policy, leaving the consumer with no legal recourse. Federal law supporting a consumer expectation of privacy would go a long way in protecting consumers from these predatory practices.

Furthermore, under our current bankruptcy and merger and acquisition laws, this sensitive information loses its protection if the information collector declares bankruptcy or is purchased by another company. I am including an article from the Washington Post that describes how the name, logo, post office box and telephone number of the Cult Awareness Network (CAN) were purchased by one of the organizations that it worked against when CAN declared bankruptcy. There is a fear that CAN's records of all people that contacted it will be purchased by that same group. Yet these people believed that their inquiries were private and would be protected by CAN. There should be laws to protect consumers' privacy interests when sensitive information changes hands like this.

Conclusion

In conclusion, the United States government has an important responsibility in fostering the development of electronic commerce. The government should avoid creating new tax burdens on this growing market. The government should repeal the export controls on encryption and help the private sector create the tools necessary for protecting the privacy and security of the networks. The government should then look to the private sector for guidance on regulating routine pieces of information, such as marketing and consumer data.
Finally, the government should focus on creating laws that protect sensitive information, such as medical data, credit reports, and tax information. Consumers' expectations of privacy should be protected even when companies declare bankruptcy or are sold.

Once again, I would like to thank the Committee for giving me the opportunity to share my thoughts with you today. Please let me know if I can provide you with any additional information as you consider this important issue.

Attachment: Anti-Cult Group Dismembered As Former Foes Buy Its Assets
http://newslibrary.krmediastream.com/cgi-bin/document/wp_auth?DBLIST=wp96&DOCNUM=50801

Reference: President's Commission on Critical Infrastructure Protection Report
http://www.pccip.gov/report_index.html