WASHINGTON-A noted privacy advocate said he is optimistic that legislation can be passed that would limit the government’s access to wireless location information, but other experts agreed that general privacy legislation isn’t likely to pass this year.
General privacy legislation “is not ready for prime time,” said Marci Weisler, vice president of business development for Vindigo, a wireless location information provider.
“Hopefully we can get the Fourth Amendment protections” passed, said James Dempsey of the Center for Democracy and Technology, noting that similar legislation came close to passing last year.
Government actions
This year, however, Dempsey must first find a sponsor for his bill, which would require the government show probable cause before obtaining location information. Last year’s sponsor, Rep. Charles Canady (R-Fla.), retired and another champion, Rep. Asa Hutchinson (R-Ark.), has been nominated to lead the Drug Enforcement Administration.
Prospects of the bill could be easier on the Senate side since the Democrats took control. The new chairman of the Senate Judiciary Committee, Sen. Patrick Leahy (D-Vt.), has long been a champion of privacy legislation, but he has yet to show any interest in the legislation. Dempsey said he believes Leahy and his staff have been “overwhelmed by the transition.” His hope is not diminished by Leahy’s lack of action because he believes that in addition to Leahy, Sens. Orrin G. Hatch (R-Utah), ranking member, and Charles Schumer (D-N.Y.) are also supportive of passing a bill that would guarantee Fourth Amendment protections in the cyber world.
The “wild card” for the bill, said Dempsey, is the Bush administration and whether it is willing to compromise more than the Clinton administration. The Clinton administration wanted legislation to increase law enforcement powers in the digital age, but didn’t want corresponding increases in privacy protection. “That’s not a go,” he added.
Dempsey and Weisler participated last week on a panel on wireless location privacy sponsored by the Advisory Committee to the Congressional Internet Caucus.
Later in the week at a House Commerce consumer protection subcommittee hearing on the prospects for information privacy legislation, Marc Rotenberg, executive director of Electronic Privacy Information Committee, urged the committee to pass legislation that would protect consumers not only from corporate use of personally identifiable information but also pass legislation that would protect consumers from government access to that information.
“By failing to act for fear of burdening industry, you are also failing to provide consumers with necessary Fourth Amendment protections,” said Rotenberg.
While he only stayed for a short time at the Congressional Internet Caucus event after delivering opening remarks, Rep. Michael M. Honda (D-Calif.) likely would have been happy with the consensus that general privacy legislation will probably not be passed this year.
“I would urge that Congress proceed slowly. `First to market’ in the legislative arena is not necessarily a good thing,” said Honda.
Labeling
Also announced at the forum was a new initiative to consolidate the symbols and labels used by electronic-commerce companies to designate that privacy is being protected. The initiative is spearheaded by Trust-e.
Trust-e was created four years ago as a way to educate the public about which Web sites had security policies. It is well known and can be identified on the Internet by the key symbol found on Web sites to indicate a link to a company’s security policy.
Since the key symbol was first established, many companies-including some wireless-have created security policies, but there is no way to distinguish the various levels of security. To combat this, Trust-e hopes the new initiative, known as Symbols and Labels, will make like symbols and like labels mean the same thing to everyone. For example one symbol would allow consumers to opt-in.
There are two reasons that common symbols are needed, said Trust-e. “First, seals of approval are effective in indicating that a site is monitored by a third party and that it adheres to high standards,” said Trust-e. Secondly, privacy statements have become too long to accommodate the small screens found on wireless phones and personal digital assistants.
In addition, the Symbols and Labels program hopes to create a label-similar to the Food and Drug Administration’s nutrition label-which will be a summary of key privacy practices of consumer concern. Some of the privacy label’s categories may include information sharing, location tracking and compliance mechanisms, said Trust-e.
The Symbols and Labels program was announced at the Advisory Committee event by Lori Fena, co-founder and chairman of the Trust-e board of directors, who said that the Cellular Telecommunications & Internet Association was participating in the program. This was later refuted by Steven K. Berry, CTIA senior vice president for federal affairs.
“We are not a part of the Trust-e program,” said Berry, noting that CTIA has been working with various people on the Hill to craft legislation that will treat wireless the same as the rest of the high-tech industry while recognizing that wireless networks are different than computer networks.
“We have spent hours with legislative counsel on the House side and quite frankly we don’t have answers. … You need a [chief technology officer] and an engineer. … If I can’t get the answers to satisfy the question of whether technology is there, it is more difficult to get to the policy,” said Berry.
The Personal Communications Industry Association is participating in the program. The idea is “consistent with what a lot of our members are interested in doing … to the extent that programs like Trust-e’s help consumers understand various policies. We think this could lead to self-regulation and a business solution rather than legislative or regulatory solutions,” said Rob Hoggarth, PCIA senior vice president for government relations.
Self-regulation
The idea of self-regulation was the purpose of a hearing held on Thursday by the House Commerce consumer protection subcommittee.
Whether government solutions are necessary or whether industry can adequately protect privacy by self-regulatory policies seemed to cut along party lines. The Republican majority stopped just short of saying it would leave the matter to industry, while the Democrat minority called for government policies to at least “set a floor.”
“Our role is to do no harm. [We want] to facilitate and actually encourage self-regulatory policies, self-regulatory regimes and technologies that empower consumers,” said Rep. Billy Tauzin (R-La.), chairman of the House Commerce Committee.
“There has to be a minimal floor that every American is entitled to [and it has to be] enforceable,” said Rep. Edward Markey (D-Mass.)
One witness at the hearing agreed with the idea of a minimum floor but said it might be too early. “There has to be some sort of minimum floor. What that is going to be is difficult to define and I don’t think we know enough,” said John Schwarz, chief executive officer of Reciprocal Inc.
The hearing consisted of a variety of demonstrations showing that technology exists to protect consumer privacy but one presenter also called for government action.
“While it would be convenient to claim that technology alone can solve these problems, to do so would be to pronounce a fallacy. … These technological tools tend to be used by sophisticated, technologically savvy people, and less so by the average Internet user. … It is my opinion that the protection of consumer privacy requires both legal and technological action,” said Stephen Hsu, co-founder, chairman and chief executive officer of SafeWeb Inc.
But during questioning from Rep. Cliff Stearns (R-Fla.), subcommittee chairman, Hsu backed off, saying government co
uld wait a few years before setting a policy.
“In the long run it is absolutely necessary … right now it is not a completely critical time. … In the long run, people should have that option [to opt-in or opt-out based on the type of the information] but if we wait a year or two, it will not kill anybody,” said Hsu.
If legislation is necessary, Hsu said it should deal with how companies that collect information can use it.
“If I buy something from Amazon.com, they have my name, my address and my credit-card number. I cannot develop any technology that protects that information once Amazon.com has it. That is the purview of legislation,” said Hsu.
Rotenberg strongly urged the subcommittee to develop privacy-protection legislation while at the same time encouraging the development of privacy-protecting technology.
“We have never viewed the use of technology and legislation as an either/or proposition. We think both are necessary,” said Rotenberg.
Such legislation should include definitions especially what constitutes notice, said Rotenberg. This will become even more acutely necessary when the wireless Web becomes even more prevalent. “If you are relying on notices, what is going to happen with those trying to look at the notices on a little screen?” he asked.
