[Congressional Record Volume 145, Number 158 (Wednesday, November 10, 1999)]
[Senate]
[Pages S14535-S14541]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. KOHL (for himself and Mr. Torricelli):
  S. 1901. A bill to establish the Privacy Protection Study Commission 
to evaluate the efficacy of the Freedom of Information Act and the 
Electronic Freedom of Information Act Amendments of 1996, to determine 
whether new laws are necessary, and to provide advice and 
recommendations; to the Committee on the Judiciary.


          the privacy protection study commission act of 1999

  Mr. KOHL. Mr. President, I rise today to introduce the Privacy 
Protection Study Commission Act of 1999 with my colleague Senator 
Torricelli. This legislation addresses privacy protection by creating 
an expert Commission charged with the duty to explore privacy concerns. 
We cannot underestimate the importance of this issue. Privacy matters, 
and it will continue to matter more and more in this information age of 
high speed data, Internet transactions, and lightning-quick 
technological advances.
  There exists a massive wealth of information in today's world, which 
is increasingly stored electronically. In fact, experts estimate that 
the average American is ``profiled'' in up to 150 commercial electronic 
databases. That means that there is a great deal of data--in some 
cases, very detailed and personal--out there and easily accessible 
courtesy of the Internet revolution. With the click of a button it is 
possible to examine all sorts of personal information, be it an 
address, a criminal record, a credit history, a shopping performance, 
or even a medical file.
  Generally, the uses of this data are benign, even beneficial. 
Occasionally, however, personal information is obtained 
surreptitiously, and even peddled to third parties for profit or other 
uses. This is especially troubling when, in many cases, people do not 
even know that their own personal information is being ``shopped.''
  Two schools of thought exist on how we should address these privacy 
concerns. There are some who insist that we must do something and do it 
quickly. Others urge us to rely entirely on ``self-regulation''--
according to them most companies will act reasonably and, if not, 
consumers will demand privacy protection as a condition for their 
continued business.
  Both approaches have some merit, but also some problems. For example, 
even though horror stories abound about violations of privacy, Congress 
should not act by anecdote or on the basis of a few bad actors. Indeed, 
enacting ``knee-jerk,'' ``quick-fix'' legislation could very well do 
more harm than good. By the same token, however, self-regulation alone 
is unlikely to be the silver bullet that solves all privacy concerns. 
By itself, we have no assurance that it will bring the actors in line 
with adequate privacy protection standards.
  Because it is better to do it right--in terms of addressing the 
myriad of complicated privacy concerns--than to do it fast, perhaps 
what is needed is a cooling off period. Such a ``breather'' will ensure 
that our action is based on a comprehensive understanding of the 
issues, rather than a ``mishmash'' of political pressures and clever 
soundbites.
  For those reasons, and recognizing that there are no quick and easy 
answers, I suggest that we step back to consider the issue of privacy 
more thoughtfully. Let's admit that neither laws nor self-regulation 
alone may be the solution. Let's also concede that no one is going to 
divine the right approach overnight. But given the time and resources, 
a ``Privacy Protection Study Commission'' composed of experts drawn 
from the fields of law, civil rights and liberties, privacy matters, 
business, or information technology, may offer insights on how to 
address and ensure balanced privacy protection into the next 
millennium.
  The bill I am introducing today would do just that. The Commission 
would be comprised of nine bright minds equally chosen by the Senate, 
the House, and the Administration. As drafted, the Commission will be 
granted the latitude to explore and fully examine the current 
complexities of privacy protection. After 18 months, the Commission 
will be required to report back to Congress with its findings and 
proposals. If legislation is necessary, the Commission will be in the 
best position to recommend a balanced course of action. And if 
lawmaking is not warranted, the Commission's recognition of that fact 
will help persuade a skeptical Congress and public.
  This is not a brand new idea. Twenty-five years ago, Congress created 
a Privacy Protection Commission to study privacy concerns as they 
related to government uses of personal information. That Commission's 
findings were seminal. A quarter of a century later, because so much 
has changed, it is time to re-examine this issue on a much broader 
scale. The uses of personal information that concerned the Commission 
25 years ago have exploded today, especially in this era of e-commerce, 
super databases, and mega-mergers. People are genuinely worried--
perhaps they shouldn't be--but their concerns are real.
  For example, a Wall Street Journal survey revealed that Americans 
today are more concerned about invasions of their personal privacy than 
they are

[[Page S14536]]

about world war. Another poll cited in the Economist noted that 80 
percent are worried about what happens to information collected about 
them. William Afire summed it up best in a recent New York Times essay: 
``We are dealing here with a political sleeper issue. People are 
getting wise to being secretly examined and manipulated and it rubs 
them the wrong way.''
  One final note: given that privacy is not an easy issue and that it 
appears in so many other contexts, I invite all interested parties to 
help us improve our legislation to create a Commission. We need to 
forge a middle ground consensus with our approach, and the door is open 
to all who share this goal.
  Mr. President, I ask unanimous consent that the previously cited 
material be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record as follows:

                   [From the Economist--May 1, 1999]

                           The End of Privacy

       Remember, they are always watching you. Use cash when you 
     can. Do not give your phone number, social-security number or 
     address, unless you absolutely have to. Do not fill in 
     questionnaires or respond to telemarketers. Demand that 
     credit and datamarketing firms produce all information they 
     have on you, correct errors and remove you from marketing 
     lists. Check your medical records often. If you suspect a 
     government agency has a file on you, demand to see it. Block 
     caller ID on your phone, and keep your number unlisted. Never 
     use electronic tollbooths on roads. Never leave your mobile 
     phone on--your movements can be traced. Do not use store 
     credit or discount cards. If you must use the Internet, 
     encrypt your e-mail, reject all ``cookies'' and never give 
     your real name when registering at websites. Better still, 
     use somebody else's computer. At work, assume that calls, 
     voice mail, e-mail and computer use are all monitored.
       This sounds like a paranoid ravings of the Unabomber. In 
     fact, it is advice being offered by the more zealous of 
     today's privacy campaigners. In an increasingly wired world, 
     people are continually creating information about themselves 
     that is recorded and often sold or pooled with information 
     from other sources. The goal of privacy advocates is not 
     extreme. Anyone who took these precautions would merely be 
     seeking a level of privacy available to all 20 years ago. And 
     yet such behaviour now would seem obsessive and paranoid 
     indeed.
       That is a clue to how fast things have changed. To try to 
     restore the privacy that was universal in the 1970s is to 
     chase a chimera. Computer technology is developing so rapidly 
     that it is hard to predict how it will be applied. But some 
     trends are unmistakable. The volume of data recorded about 
     people will continue to expand dramatically (see pages 21-
     23). Disputes about privacy will become more bitter. Attempts 
     to restrain the surveillance society through new laws will 
     intensify. Consumers will pay more for services that offer a 
     privacy pledge. And the market for privacy-protection 
     technology will grow.
     Always observed
       Yet there is a bold prediction: all these efforts to hold 
     back the rising tide of electronic intrusion into privacy 
     will fail. They may offer a brief respite for those 
     determined, whatever the trouble or cost, to protect 
     themselves. But 20 years hence most people will find that the 
     privacy they take for granted today will be just as elusive 
     as the privacy of the 1970s now seems. Some will shrug and 
     say: ``Who cares? I have nothing to hide.'' But many others 
     will be disturbed by the idea that most of their behaviour 
     leaves a permanent and easily traceable record. People will 
     have to start assuming that they simply have no privacy. This 
     will constitute one of the greatest social changes of modern 
     times.
       Privacy is doomed for the same reason that it has been 
     eroded so fast over the past two decades. Presented with the 
     prospect of its loss, many might prefer to eschew even the 
     huge benefits that the new information economy promises. But 
     they will not, in practice, be offered that choice. Instead, 
     each benefit--safer streets, cheaper communications, more 
     entertainment, better government services, more convenient 
     shopping, a wider selection of products--will seem worth the 
     surrender of a bit more personal information. Privacy is a 
     residual value, hard to define or protect in the abstract. 
     The cumulative effect of these bargains--each attractive on 
     their own--will be the end of privacy.
       For a similar reason, attempts to protect privacy through 
     new laws will fail--as they have done in the past. The 
     European Union's data protection directive, the most sweeping 
     recent attempt, gives individuals unprecedented control over 
     information about themselves. This could provide remedies 
     against the most egregious intrusions. But it is doubtful 
     whether the law can be applied in practice, if too many 
     people try to use it. Already the Europeans are hinting that 
     they will not enforce the strict terms of the directive 
     against America, which has less stringent protections.
       Policing the proliferating number of databases and the 
     thriving trade in information would not only be costly in 
     itself, it would also impose huge burdens on the economy. 
     Moreover, such laws are based on a novel concept: that 
     individuals have a property right in information about 
     themselves. Broadly enforced, such a property right would be 
     antithetical to an open society. It would pose a threat not 
     only to commerce, but also to a free press and to much 
     political activity, to say nothing of everyday conversation.
       It is more likely that laws will be used not to obstruct 
     the recording and collection of information, but to catch 
     those who use it to do harm. Fortunately, the same technology 
     that is destroying privacy also makes it easier to trap 
     stalkers, detect fraud, prosecute criminals and hold the 
     government to account. The result could be less privacy, 
     certainly--but also more security for the law-abiding.
       Whatever new legal remedies emerge, opting out of 
     information-gathering is bound to become ever harder and less 
     attractive. If most urban streets are monitored by 
     intelligent video cameras that can identify criminals, who 
     will want to live on a street without one? If most people 
     carry their entire medical history on a plastic card that the 
     emergency services come to rely on, a refusal to carry the 
     card could be life-threatening. To get a foretaste of what is 
     to come, try hiring a car or booking a room at a top hotel 
     without a credit card.


                                leaders

       In a way, the future may be like the past, when few except 
     the rich enjoyed much privacy. To earlier generations, 
     escaping the claustrophobic all-knowingness of a village for 
     the relative anonymity of the city was one of the more 
     liberating aspects of modern life. But the era of urban 
     anonymity already looks like a mere historical interlude. 
     There is, however one difference between past and future. In 
     the village, everybody knew everybody else's business. In the 
     future, nobody will know for certain who knows what about 
     them. That will be uncomfortable. But the best advice may be: 
     get used to it.


                        the surveillance society

       New information technology offers huge benefits--higher 
     productivity, better crime prevention, improved medical care, 
     dazzling entertainment, more convenience. But it comes at a 
     price: less and less privacy
       ``The right to be left alone.'' For many this phrase, made 
     famous by Louis Brandeis, an American Supreme Court justice, 
     captures the essence of a notoriously slippery, but crucial 
     concept. Drawing the boundaries of privacy has always been 
     tricky. Most people have long accepted the need to provide 
     some information about themselves in order to vote, work, 
     shop, pursue a business, socialise or even borrow a library 
     book. But exercising control over who knows what about you 
     has also come to be seen as an essential feature of a 
     civilised society.
       Totalitarian excesses have made ``Big Brother'' one of the 
     20th century's most frightening bogeyman. Some right of 
     privacy, however qualified, has been a major difference 
     between democracies and dictatorships. An explicit right to 
     privacy is now enshrined in scores of national constitutions 
     as well as in international human-rights treaties. Without 
     the ``right to be left alone,'' to shut out on occasion the 
     prying eyes and importunities of both government and society, 
     other political and civil liberties seem fragile. Today most 
     people in rich societies assume that, provided they obey the 
     law, they have a right to enjoy privacy whenever it suits 
     them.
       They are wrong. Despite a raft of laws, treaties and 
     constitutional provisions, privacy has been eroded for 
     decades. This trend is now likely to accelerate sharply. The 
     cause is the same as that which alarmed Brandeis when he 
     first popularized his phrase in an article in 1890; 
     technological change. In his day it was the spread of 
     photography and cheap printing that posed the most immediate 
     threat to privacy. In our day it is the computer. The 
     quantity of information that is now available to governments 
     and companies about individuals would have horrified 
     Brandeis. But the power to gather and disseminate data 
     electronically is growing so fast that it raises an even more 
     unsettling question: in 20 years' time, will there be any 
     privacy left to protect?
       Most privacy debates concern media intrusion, which is also 
     what bothered Brandeis. And yet the greatest threat to 
     privacy today comes not from the media, whose antics affect 
     few people, but from the mundane business of recording and 
     collecting an ever-expanding number of everyday transactions. 
     Most people know that information is collected about them, 
     but are not certain how much. Many are puzzled or annoyed by 
     unsolicited junk mail coming through their letter boxes. And 
     yet junk mail is just the visible tip of an information 
     iceberg. The volume of personal data in both commercial and 
     government databases has grown by leaps and bounds in recent 
     years along with advances in computer technology. The United 
     States, perhaps the most computerized society in the world, 
     is leading the way, but other countries are not far behind.
       Advances in computing are having a twin effect. They are 
     not only making it possible to collect information that once 
     went largely unrecorded, but are also making it relatively 
     easy to store, analyze and retrieve this information in ways 
     which, until quite recently, were impossible.
       Just consider the amount of information already being 
     collected as a matter of routine--any spending that involves 
     a credit or

[[Page S14537]]

     bank debit card, most financial transactions, telephone 
     calls, all dealings with national or local government. 
     Supermarkets record every item being bought by customers who 
     use discount cards. Mobile-phone companies are busy 
     installing equipment that allows them to track the location 
     of anyone who has a phone switched on. Electronic toll-booths 
     and traffic-monitoring systems can record the movement of 
     individual vehicles. Pioneered in Britain, closed-circuit tv 
     cameras now scan increasingly large swathes of urban 
     landscapes in other countries too. The trade in consumer 
     information has hugely expanded in the past ten years. One 
     single company, Acxiom Corporation in Conway, Arkansas, has a 
     database combining public and consumer information that 
     covers 95% of American households. Is there anyone left on 
     the planet who does not know that their use of the Internet 
     is being recorded by somebody, somewhere?
       Firms are as interested in their employees as in their 
     customers. A 1997 survey by the American Management 
     Association of 900 large companies found that nearly two-
     thirds admitted to some form of electronic surveillance of 
     their own workers. Powerful new software makes it easy for 
     bosses to monitor and record not only all telephone 
     conversations, but every keystroke and e-mail message as 
     well.
       Information is power, so its hardly surprising that 
     governments are as keen as companies to use data-processing 
     technology. They do this for many entirely legitimate 
     reasons--tracking benefit claimants, delivering better health 
     care, fighting crime, pursuing terrorists. But it inevitable 
     means more government surveillance.
       A controversial law passed in 1994 to aid law enforcement 
     requires telecoms firms operating in America to install 
     equipment that allows the government to intercept and monitor 
     all telephone and data communications, although disputes 
     between the firms and the FBI have delayed its 
     implementation. Intelligence agencies from America, Britain, 
     Canada, Australia and New Zealand jointly monitor all 
     international satellite-telecommunications traffic via a 
     system called ``Echelon'' that can pick specific words or 
     phrases from hundreds of thousands of messages.
       America, Britain, Canada and Australia are also compiling 
     national DNA databases of convicted criminals. Many other 
     countries are considering following suit. The idea of DNA 
     databases that cover entire populations is still highly 
     controversial, but those databases would be such a powerful 
     tool for fighting crime and disease that pressure for their 
     creation seems inevitable. Iceland's parliament has agreed a 
     plan to sell the DNA database of its population to a medical-
     research firm, a move bitterly opposed by some on privacy 
     grounds.
     To each a number
       The general public may be only vaguely aware of the 
     mushrooming growth of information-gathering, but when they 
     are offered a glimpse, most people do not like what they see. 
     A survey by America's Federal Trade Commission found that 80% 
     of Americans are worried about what happens to information 
     collected about them. Skirmishes between privacy advocates 
     and those collecting information are occurring with 
     increasing frequency.
       This year both intel and Microsoft have run into a storm of 
     criticism when it was revealed that their products--the chips 
     and software at the heart of most personal computers--
     transmitted unique identification numbers whenever a 
     personal-computer user logged on to the Internet. Both 
     companies hastily offered software to allow users to turn the 
     identifying numbers off, but their critics maintain that any 
     software fix can be breached. In fact, a growing number of 
     electronic devices and software packages contain identifying 
     numbers to help them interact with each other.
       In February an outcry greeted news that image Data, a small 
     New Hampshire firm, had received finance and technical 
     assistance from the American Secret Service to build a 
     national database of photographs used on drivers' licenses. 
     As a first step, the company had already bought the 
     photographs of more than 22m drivers from state governments 
     in South Carolina, Florida and Colorado. Image Data insists 
     that the database, which would allow retailers or police 
     across the country instantly to match a name and photograph, 
     is primarily designed to fight cheque and credit-card fraud. 
     But in response to more than 14,000 e-mail complaints, all 
     three state moved quickly to cancel the sale.
       It is always hard to predict the impact of new technology, 
     but there are several developments already on the horizon 
     which, if the recent past is anything to go by, are bound to 
     be used for monitoring of one sort or another. The 
     paraphernalia of snooping, whether legal or not, is becoming 
     both frighteningly sophisticated and easily affordable. 
     Already, tiny microphones are capable of recording whispered 
     conversations from across the street. Conversations can even 
     be monitored from the normally imperceptible vibrations of 
     window glass. Some technologists think that the tiny 
     battlefield reconnaissance drones being developed by the 
     American armed forces will be easy to commercialize. Small 
     video cameras the size of a large wasp may some day be able 
     to fly into a room, attach themselves to a wall or ceiling 
     and record everything that goes on there.
       Overt monitoring is likely to grow as well. Intelligent 
     software systems are already able to scan and identify 
     individuals from video images. Combined with the plummeting 
     price and size of cameras, such software should eventually 
     make video surveillance possible almost anywhere, at any 
     time. Street criminals might then be observed and traced with 
     ease.
       The burgeoning field of ``biometrics'' will make possible 
     cheap and fool-proof systems that can identify people from 
     their voices, eyeballs, thumbprints or any other measurable 
     part of their anatomy. That could mean doing away with 
     today's cumbersome array of security passes, tickets and even 
     credit cards. Alternatively, pocket-sized ``smart' cards 
     might soon be able to store all of a person's medical or 
     credit history, among other things, together with physical 
     data needed to verify his or her identity.
       In a few years' time utilities might be able to monitor the 
     performance of home appliances, sending repairmen or 
     replacements even before they break down. Local supermarkets 
     could check the contents of customers' refrigerators, 
     compiling a shopping list as they run out of supplies of 
     butter, cheese or milk. Or office workers might check up on 
     the children at home from their desktop computers.
       But all of these benefits, from better medical care and 
     crime prevention to the more banal delights of the 
     ``intelligent'' home, come with one obvious drawback--an 
     ever-widening trail of electronic data. Because the cost of 
     storing and analysing the data is also plummeting, almost any 
     action will leave a near-permanent record. However 
     ingeniously information-processing technology is used, what 
     seems certain is that threats to traditional notions of 
     privacy will proliferate.
       This prospect provokes a range of responses, none of them 
     entirely adequate. More laws. Brandeis's article was a plea 
     for a right to sue for damages against intrusions of privacy. 
     It spawned a burst of privacy statutes in America and 
     elsewhere. And yet privacy lawsuits hardly ever succeed, 
     except in France, and even there they are rare. Courts find 
     it almost impossible to pin down a precise enough legal 
     definition of privacy.
       America's consumer-credit laws, passed in the 1970s, give 
     individuals the right to example their credit records and to 
     demand corrections. The European Union has recently gone a 
     lot further. The EU Data Protection directive, which came 
     into force last October, aims to give people control over 
     their data, requiring ``unambiguous'' consent before a 
     company or agency can process it, and barring the use of the 
     data for any purpose other than that for which it was 
     originally collected. Each EU country, is pledged to appoint 
     a privacy commissioner to act on behalf of citizens whose 
     rights have been violated. The directive also bars the export 
     of data to countries that do not have comparably stringent 
     protections.
       Most EU countries have yet to pass the domestic laws needs 
     to implement the directive, so it is difficult to say how it 
     will work in practice. But the Americans view it as 
     Draconian, and a trade row has blown up about the EU's 
     threat to stop data exports to the United States. A 
     compromise may be reached that enables American firms to 
     follow voluntary guidelines; but that merely could create 
     a big loophole. If, on the other hand, the EU insist on 
     barring data exports, not only might a trade war be 
     started but also the development of electronic commerce in 
     Europe could come screeching to a complete halt, 
     inflicting a huge cost on the EU's economy.
       In any case, it is far from clear what effect the new law 
     will have even in Europe. More products or services may have 
     to be offered with the kind of legalistic bumf that is now 
     attached to computer software. But, as with software, most 
     consumers are likely to sign without reading it. The new law 
     may give individuals a valuable tool to fight against some of 
     the worst abuses, rather on the pattern of consumer-credit 
     laws. But, also as with those laws--and indeed, with 
     government freedom of information laws in general--
     individuals will have to be determined and persistent to 
     exercise their rights. Corporate and government officials can 
     often find ways to delay or evade individual requests for 
     information. Policing the rising tide of data collection and 
     trading is probably beyond the capability of any government 
     without a crackdown so massive that it could stop the new 
     information economy in its tracks.
       Market solutions. The Americans generally prefer to rely on 
     self-regulation and market pressures. Yet so far, self-
     regulation has failed abysmally. A Federal Trade Commission 
     survey of 1,400 American Internet sites last year found that 
     only 2% had posted a privacy policy in line with that 
     advocated by the commission, although more have probably done 
     so since, not least in response to increased concern over 
     privacy. Studies of members of America's Direct Marketing 
     Association by independence researchers have found that more 
     than half did not abide even by the association's modest 
     guidelines.
       If consumers were to become more alarmed about privacy, 
     however, market solutions could offer some protection. The 
     Internet, the frontline of the privacy battle-field, has 
     already spawned anonymous remailers, firms that forward e-
     mail stripped of any identifying information. One website 
     (www.anonymizer.com) offers anonymous Internet browsing. 
     Electronic digital cash, for use or off the Internet, may 
     eventually provide some anonymity but, like today's physical 
     cash, it will probably be used only for smaller purchases.

[[Page S14538]]

     Enter the infomediary
       John Hagel and Marc Singer of McKinsey, a management 
     consulting firm, believe that from such services will emerge 
     ``informediaries'', firms that become brokers of information 
     between consumers and other companies, giving consumers 
     privacy protection and also earning them some revenue for the 
     information they are willing to release about themselves. If 
     consumers were willing to pay for such brokerage, 
     infomediaries might succeed on the Internet. Such firms would 
     have the strongest possible stake in maintaining their 
     reputation for privacy protection. But it is hard to imagine 
     them thriving unless consumers are willing to funnel every 
     transaction they make through a single infomediary. Even if 
     this is possible--which is unclear--many consumers may not 
     want to rely so much on a single firm. Most, for example, 
     already have more than one credit card.
       In the meantime, many companies already declare that they 
     will not sell information they collect about customers. But 
     many others find it possible profitable not to make--to--or 
     keep--this pledge. Consumers who want privacy must be ever 
     vigilant, which is more than most can manage. Even those 
     companies which advertise that they will not sell information 
     do not promise not to buy it. They almost certainly know more 
     about their customers than their customers realize. And in 
     any case, market solutions, including informediaries, are 
     unlikely to be able to deal with growing government databases 
     or increased surveillance in public areas.
       Technology. The Internet has spawned a fierce war between 
     fans of encryption and governments, especially America's, 
     which argue that they must have access to the keys to 
     software codes used on the web in the interests of the law 
     enforcement. This quarrel has been rumbling on for years. But 
     given the easy availability of increasingly complex codes, 
     governments may just have to accept defeat, which would 
     provide more privacy not just for innocent web users, but for 
     criminals as well. Yet even encryption will only serve to 
     restore to Internet users the level of privacy that most 
     people have assumed they now enjoy in traditional (i.e., 
     paper) mail.
       Away from the web, the technological race between snoopers 
     and anti-snoopers will also undoubtedly continue. But 
     technology can only ever be a partial answer. Privacy will be 
     reduced not only by government or private snooping, but by 
     the constant recording of all sorts of information that 
     individuals must provide to receive products or benefits--
     which is as true on as off the Internet.
       Transparency. Despairing of efforts to protect privacy in 
     the face of the approaching technological deluge, David Brin, 
     an American physicist and science-fiction writer, proposes a 
     radical alternative--its complete abolition. In his book 
     ``The Transparent Society'' (Addision-Wesley, $25) he argues 
     that in future the rich and powerful--and most ominously of 
     all, governments--will derive the greatest benefit from 
     privacy protection, rather than ordinary people. Instead, 
     says Mr. Brin, a clear, simple rule should be adopted: 
     everyone should have access to all information. Every citizen 
     should be able to tap into any database, corporate or 
     governmental, containing personal information. Images from 
     the video-surveillance cameras on city streets should be 
     accessible to everyone, not just the police.
       The idea sounds disconcerting, he admits. But he argues 
     that privacy is doomed in any case. Transparency would enable 
     people to know who knows what about them, and for the ruled 
     to keep any eye on their rulers. Video cameras would record 
     not only criminals, but also abusive policemen. Corporate 
     chiefs would know that information about themselves is as 
     freely available as it is about their customers or workers. 
     Simple deterrence would then encourage restraint in 
     information gathering--and maybe even more courtesy.
       Yet Mr. Brin does not explain what would happen to 
     transparency violators or whether there would be any limits. 
     What about national-security data or trade secrets? Police or 
     medical files? Criminals might find these of great interest. 
     What is more, transparency would be just as difficult to 
     enforce legally as privacy protection is now. Indeed, the 
     very idea of making privacy into a crime seems outlandish.
       There is unlikely to be a single answer to the dilemma 
     posed by the conflict between privacy and the growing power 
     of information technology. But unless society collectively 
     turns away from the benefits that technology can offer--
     surely the most unlikely outcome of all--privacy debates are 
     likely to become very more intense. In the brave new world of 
     the information age, the right to be left alone is certain to 
     come under siege as never before.
                                  ____


                           Nosy Parker Lives

                      [William Safire, Washington]

       A state sells its driver's license records to a stalker; he 
     selects his victim--a Hollywood starlet--from the photos and 
     murders her.
       A telephone company sells a list of calls; an extortionist 
     analyzes the pattern of calls and blackmails the owner of the 
     phone.
       A hospital transfers patient records to an insurance 
     affiliate, which turns down a policy renewal.
       A bank sells a financial disclosure statement to a 
     borrower's employer, who fires the employee for profligacy.
       An Internet browser sells the records of a nettie's 
     searches to a lawyer's private investigator, who uses 
     ``cookie''-generated evidence against the nettie in a 
     lawsuit.
       Such invasions of privacy are no longer far-out 
     possibilities. The first listed above, the murder of Rebecca 
     Schaeffer, led to the Driver's Privacy Protection Act. That 
     Federal law enables motorists to ``opt out''--to direct that 
     information about them not be sold for commercial purposes.
       But even that opt out puts the burden of protection on the 
     potential victim, and most people are too busy or lazy to 
     initiate self-protection. Far more effective would be what 
     privacy advocates call opt in--requiring the state or 
     business to request permission of individual customers before 
     selling their names to practioners of ``target marketing.''
       In practical terms, the difference between opt in and opt 
     out is the difference between a door locked with a bolt and a 
     door left ajar. But in a divided appeals court--under the 
     strained rubric of commercial free speech--the intrusive 
     telecommunications giant US West won. Its private customers 
     and the public are the losers.
       Corporate mergers and technologies of E-commerce and 
     electronic surveillance are pulverizing the walls of personal 
     privacy. Belatedly, Americans are awakening to their new 
     nakedness as targets of marketers.
       Your bank account, you health record, your genetic code, 
     your personal and shopping habits and sexual interests are 
     your own business. That information has a value. If anybody 
     wants to pay for an intimate look inside your life, let them 
     make you an offer and you'll think about it. That's opt in. 
     You may decide to trade the desired information about 
     yourself for services like an E-mail box or stock quotes or 
     other inducement. But require them to ask you first.
       We are dealing here with a political sleeper issue. People 
     are getting wise to being secretly examined and manipulated 
     and it rubs them the wrong way.
       Politicians sense that a strange dissonance is agitating 
     their constituents. But most are leery of the issue because 
     it cuts across ideologies and party lines--not just encrypted 
     communication versus national security, but personal liberty 
     versus the free market.
       That's why there has been such Sturm und Drang around the 
     Financial Services Act of 1999. Most pols think it is bogged 
     down only because of a turf war between the Treasury and the 
     Fed over who regulates the new bank-broker-insurance mergers. 
     It goes deeper.
       The House passed a bill 343 to 86 to make ``pretext 
     calling'' by snoops pretending to be the customer a Federal 
     crime, plus an ``opt out'' that puts the burden on bank 
     customers to tell their banks not to disclose account 
     information to marketers. The bank lobby went along with 
     this.
       The Senate passed a version without privacy protection 
     because Banking Chairman Phil Gramm said so. But in Senate-
     House conference, Republican Richard Shelby of Alabama (who 
     already toughened drivers' protection at the behest of 
     Phyllis Schlafly's Eagle Forum and the A.C.L.U.) is pressing 
     for the House version. `` `Opt out' is weak,'' Shelby tells 
     me, ``but it's a start.''
       The groundswelling resentment is in search of a public 
     champion. The start will gain momentum when some Presidential 
     candidate seizes the sleeper issue of the too-targeted 
     consumer. Laws need not always be the answer: to avert 
     regulation, smart businesses will complete to assure 
     customers' right to decide.
       The libertarian principle is plain: excepting legitimate 
     needs of law enforcement and public interest, control of 
     information about an individual must rest with the person 
     himself. When the required permission is asked, he or she can 
     sell it or trade it--or tell the bank, the search engine and 
     the Motor Vehicle Bureau to keep their mouths shut.
                                  ____


                        Privately Held Concerns

                  [Oct. 22, 1999--Wall Street Journal]

       Congress has been paddling 20 years to get a financial-
     service overhaul bill, and now the canoe threatens to run 
     aground on one of those imaginary concerns that only sounds 
     good in press release--``consumer privacy.'' In the column 
     alongside, Paul Gigot describes the hardball politics behind 
     the financial reform bill's other sticking point--the 
     Community Reinvestment Act. Our subject here is Senator 
     Richard Shelby's strange idea of what, precisely, should 
     constitute ``consumer privacy'' in the new world. ``It's our 
     responsibility to identify what is out of bounds,' '' 
     declared the identity confused Republican as he surfaced this 
     phantom last spring.
       Privacy concerns are a proper discussion point for the 
     information age, but financial reform would actually end to 
     alleviate some of them. If a single company were allowed to 
     sell insurance, portfolio advice and checking accounts, there 
     would be less incentive to peddle information to third 
     parties. Legislative reform and mergers in the financial 
     industry were all supposed to be aimed at the same goal, 
     using information efficiently within a single company to 
     serve customers. Yet to Mr. Shelby, this is a predatorial 
     act.
       He's demanding language that would mean a Citigroup banker, 
     say, couldn't tell a Citigroup insurance agent that Mr. Jones 
     is a hot insurance prospect--unless Mr. Jones gives his 
     permission in writing first. Mr. Shelby threatens to withhold 
     his crucial

[[Page S14539]]

     vote unless this deal-breaker is written into the law.
       To inflict this inconvenience on Mr. Jones is weird enough: 
     He has already volunteered to have a relationship with 
     Citigroup. But even weirder is the urge to cripple a law 
     whose whole purpose is to modernize an industry structure 
     that forces consumers today to chase six different companies 
     around to get a full mix of financial services. In essence, 
     financial products all do the same thing: shift income in 
     time. You want to go to college now based on your future 
     earnings, so you take out a loan. You want to retire in 20 
     years based on your present earnings, so you get an IRA. And 
     if a single cry goes up from modern man, it's ``Simplify my 
     life.''
       A vote last Friday seemed, to put Mr. Shelby's peeve to 
     rest. Under the current language, consumers would have an 
     ``opt out'' if they don't want their information shared. But 
     Mr. Shelby won't let go, and joining his chorus are Ralph 
     Nader on the left, Phyllis Schlafly on the right and various 
     gnats buzzing around the interest-group honeypot.
       He claims to be responding to constituent complaints about 
     telemarketing, not to mention a poll showing that 90% of 
     consumers respond favorably to the word ``privacy.'' Well, 
     duh. Consumers don't want their information made available 
     indiscriminately to strangers. But putting up barriers to 
     free exchange inside a company that a customer already has 
     chosen to do business with is a farfetched application of a 
     sensible idea.
       Mr. Shelby was a key supporter of language that would push 
     banks to set up their insurance and securities operations as 
     affiliates under a holding company. Now he wants to stop 
     these affiliates from talking to each other. Maybe he's just 
     confused, but it sounds more like a favor to Alabama bankers 
     and insurance agents who want to make life a lot harder for 
     their New York competitors trying to open up local markets.
                                  ____


        Growing Compatibility Issue: Computers and User Privacy

            [By John Markoff, New York Times, March 3, 1999]

       San Francisco, March 2--The Intel Corporation recently 
     blinked in a confrontation with privacy advocates protesting 
     the company's plans to ship its newest generation of 
     microprocessors with an embedded serial number that could be 
     used to identify a computer--and by extension its user.
       But those on each side of the dispute acknowledge that it 
     was only an initial skirmish in a wider struggle. From 
     computers to cellular phones to digital video players, 
     everyday devices and software programs increasingly embed 
     telltale identifying numbers that let them interact.
       Whether such digital fingerprints constitute an imminent 
     privacy threat or are simply part of the foundation of 
     advanced computer systems and networks is the subject of a 
     growing debate between the computer industry and privacy 
     groups. At its heart is a fundamental disagreement over the 
     role of electronic anonymity in a democratic society.
       Privacy groups argue fiercely that the merger of computers 
     and the Internet has brought the specter of a new 
     surveillance society in which it will be difficult to find 
     any device that cannot be traced to the user when it is used. 
     But a growing alliance of computer industry executives, 
     engineers, law enforcement officials and scholars contend 
     that absolute anonymity is not only increasingly difficult to 
     obtain technically, but is also a potential threat to 
     democratic order because of the possibility of electronic 
     crime and terrorism.
       ``You already have zero privacy--get over it,'' Scott 
     McNealy, chairman and chief executive of Sun Microsystems, 
     said at a recent news conference held to introduce the 
     company's newest software, known as Jini, intended to 
     interconnect virtually all types of electronic devices from 
     computer to cameras. Privacy advocates contend that software 
     like Jini, which assigns an identification number to each 
     device each time it connects to a network, could be misused 
     as networks envelop almost everyone in society in a dense web 
     of devices that see, hear, and monitor behavior and location.
       ``Once information becomes available for one purpose there 
     is always pressure from other organizations to use it for 
     their purposes,'' said, Lauren Weinstein, editor of Privacy 
     Forum, an on-line journal.
       This week, a programmer in Massachusetts found that 
     identifying numbers can easily be found in word processing 
     and spreadsheet files created with Microsoft's popular Word 
     and Excel programs and in the Windows 95 and 98 operating 
     systems.
       Moreover, unlike the Intel serial number, which the 
     computer user can conceal, the numbers used by the Microsoft 
     programs--found in millions of personal computers--cannot be 
     controlled by the user.
       The programmer, Richard M. Smith, president of Phar Lap 
     Software, a developer of computer programming tools in 
     Cambridge, Mass., noticed that the Windows operating system 
     contains a unique registration number stored on each personal 
     computer in a small data base known as the Windows registry.
       His curiosity aroused, Mr. Smith investigated further and 
     found that the number that uniquely identifies his computer 
     to the network used in most office computing systems, known 
     as the Ethernet, was routinely copied to, each Microsoft Word 
     or Excel document he created.
       The number is used to create a longer number, known as a 
     globally unique identifier. It is there, he said, to enable 
     computer users to create sophisticated documents comprising 
     work processing, spreadsheet, presentation and data base 
     information.
       Each of those components in a document needs a separate 
     identity, and computer designers have found the Ethernet 
     number a convenient and widely available identifier, he said. 
     But such universal identifiers are of particular concern to 
     privacy advocated because they could be used to compile 
     information on individuals from many data bases.
       ``The infrastructure relies a lot on serial numbers,'' Mr. 
     Smith said. ``We've let the genie out of the bottle.''
       Jeff Ressler, a Microsoft product manager, said that if a 
     computer did not have an Ethernet adapter then another 
     identifying number was generated that was likely to be 
     unique. ``We need a big number, which is a unique 
     identifier,'' he said. ``If we didn't have, it would be 
     impossible to make our software programs work together across 
     networks.''
       Indeed, an increasing range of technologies have provisions 
     for identifying their users for either technical reasons 
     (such as connecting to a network) or commercial ones (such as 
     determining which ads to show to Web surfers). But engineers 
     and network designers argue that identify information is a 
     vital aspect of modern security design because it is 
     necessary to authenticate an individual in a network, thereby 
     preventing fraud or intrusion.
       Last month at the introduction of Intel's powerful Pentium 
     III chip, Intel executives showed more than a dozen data 
     security uses for the serial number contained electronically 
     in each of the chips, ranging from limiting access to 
     protecting documents or software against piracy.
       Intel, the largest chip maker, had recently backed down 
     somewhat after it was challenged by privacy advocates over 
     the identity feature, agreeing that at least some processors 
     for the consumer market would be made in a way that requires 
     the user to activate the feature.
       Far from scaling back its vision, however, Intel said it 
     was planning an even wider range of features in its chips to 
     help companies protect copyrighted materials. It also pointed 
     to software applications that would use the embedded number 
     to identify participants in electronic chat rooms on the 
     Internet and thereby, for example, protect children from 
     Internet stalkers.
       But in achieving those goals, it would also create a 
     universal identifier, which could be used by software 
     applications to track computer users wherever they surfed on 
     the World Wide Web. And that, despite the chip maker's 
     assertions that it is working to enhance security and 
     privacy, has led some privacy advocates to taunt Intel and 
     accused it of a ``Big Brother Inside'' strategy.
       They contend that by uniquely identifying each computer it 
     will make it possible for marketers or Government and law 
     enforcement officials to track the activities of anyone 
     connected to a computer network more closely. They also say 
     that such a permanent identifier could be used in a similar 
     fashion to the data, known as ``cookies,'' that are placed on 
     a computer's hard drive by Web site to track the comings and 
     goings of Internet users.


                    putting privacy on the defensive

       Intel's decision to forge ahead with identity features in 
     its chip technology may signal a turning point in the battle 
     over privacy in the electronic age. Until now, privacy 
     concerns have generally put industry's executives on the 
     defensive. Now questions are being raised about whether there 
     should be limits to privacy in an Inernet era.
       ``Judge Brandeis's definition of privacy was `the right to 
     be left alone,' not the right to operate in absolute 
     secrecy,'' said Paul Saffo, a researcher at the Institute for 
     the Future in Menlo Park, Calif.
       Some Silicon Valley engineers and executives say that the 
     Intel critics are being naive and have failed to understand 
     that all devices connected to computer networks require 
     identification features simply to function correctly.
       Moreover, they note that identifying numbers have for more 
     than two decades been a requirement for any computer 
     connected to an Ethernet network. (Although still found most 
     widely in office settings, Ethernet connections are 
     increasingly being used for high-speed Internet Service in 
     the home via digital telephone lines and cable modems.)
       All of Apple Computer's popular iMac machines come with an 
     Ethernet connection that has a unique permanent number 
     installed in the factory. The number is used to identify the 
     computer to the local network.
       While the Ethernet number is not broadcast over the 
     Internet at large, it could easily be discovered by a 
     software application like a Web browser and transmitted to a 
     remote Web site tracking the identities of its users, a 
     number of computer engineers said.
       Moreover, they say that other kinds of networks require 
     identify numbers to protect against fraud. Each cellular 
     telephone currently has two numbers: the telephone number, 
     which can easily be changed, and an electronic serial number, 
     which is permanently put in place at the factory to protect 
     against theft or fraud.
       The serial number is accessible to the cellular telephone 
     network, and as cellular telephones add Internet browsing and 
     E-mail capabilities, it will potentially have the same

[[Page S14540]]

     identity capability as the Intel processor serial number.
       Other examples include DIVX DVD disks, which come with a 
     serial number that permits tracking the use of each movie by 
     a centralized network-recording system managed by the 
     companies that sell the disks.


                fearing the misuse of all those numbers

       Industry executives say that as the line between 
     communications and computing becomes increasingly blurred, 
     every electronic device will require some kind of 
     identification to attach to the network
       Making those numbers available to networks that need to 
     pass information or to find a mobile user while at the same 
     time denying the information to those who wish to gather 
     information into vast data bases may be an impossible task.
       Privacy advocates argue that even if isolated numbers look 
     harmless, they are actually harbingers of a trend toward ever 
     more invasive surveillance networks.
       ``Whatever we can do to actually minimize the collection of 
     personal data is good,' said March Rotenberg, director of the 
     Electronic Privacy Information Center, one of three groups 
     trying to organize a boycott of Intel's chips.
       The groups are concerned that the Government will require 
     ever more invasive hardware modifications to keep track of 
     individuals. Already they point to the 1994 Communications 
     Assistance for Law Enforcement Act, which requires that 
     telephone companies modify their network switches to make it 
     easier for Government wiretappers.
       Also, the Federal Communications Commission is developing 
     regulations that will require every cellular telephone to be 
     able to report its precise location for ``911'' emergency 
     calls. Privacy groups are worried that this feature will be 
     used as a tracking technology by law enforcement officials.
       ``The ultimate danger is that the Government will mandate 
     that each chip have special logic added'' to track identifies 
     in cyberspace, said Vernor Vinge, a computer scientist at San 
     Diego State University. ``We're on a slide in that 
     direction.''
       Mr. Vinge is the author of ``True Names'' (Tor Books, 
     1984), a widely cited science fiction novel in the early 
     1980's, that forecast a world in which anonymity in computer 
     networks is illegal.
       Intel executives insist that their chip is being 
     misconstrued by privacy groups.
       ``We're going to start building security architecture into 
     our chips, and this is the first step,'' said Pat Gelsinger, 
     Intel vice president and general manager of desktop products. 
     ``The discouraging part of this is our objective is to 
     accomplish privacy.
       That quandry--that it is almost impossible to 
     compartmentalize information for one purpose so that it 
     cannot be misused--lies at the heart of the argument. 
     Moreover providing security while at the same time offering 
     anonymity has long been a technical and a political 
     challenge.
       ``We need to find ways to distinguish between security and 
     identity,'' said James X. Dempsey, a privacy expert at the 
     Center for Democracy and Technology, a Washington lobbying 
     organization.
       So far the prospects are not encouraging. One technical 
     solution developed by a cryptographer, David Chaum, made it 
     possible for individuals to make electronic cash payments 
     anonymously in a network.
       In the system Mr. Chaum designed, a user employs a 
     different number with each organization, thereby insuring 
     that there is no universal tracking capability.
       But while Mr. Chaum's solution has been widely considered 
     ingenious, it has failed in the marketplace. Last year, his 
     company, Digicash Inc. based in Palo Alto, Calif., filed for 
     bankruptcy protection.
       ``Privacy never seems to sell,'' said Bruce Schneier, a 
     cryptographer and a computer industry consultant. ``Those who 
     are interested in privacy don't want to pay for it.''
                                  ____


                         Privacy Isn't Dead Yet

                          [By Amitai Etzioni]

       It seems self-evident that information about your shoe size 
     does not need to be as well guarded as information about 
     tests ordered by your doctor. But with the Federal and state 
     governments' piecemeal approach to privacy protection, if we 
     release information about one facet of our lives, we 
     inadvertently expose much about the others.
       During Senate hearings in 1987 about Robert Bork's fitness 
     to serve as a Supreme Court justice, a reporter found out 
     which videotapes Mr. Bork rented. The response was the 
     enactment of the Video Privacy Protection Act. Another law 
     prohibits the Social Security Administration (but hardly 
     anybody else) from releasing our Social Security numbers. 
     Still other laws limit what states can do with information 
     that we provide to motor vehicle departments.
       Congress is now seeking to add some more panels to this 
     crazy quilt of narrowly drawn privacy laws. The House 
     recently endorsed a bill to prohibit banks and securities and 
     insurance companies owned by the same parent corporation from 
     sharing personal medical information. And Congress is 
     grappling with laws to prevent some information about our 
     mutual-fund holdings from being sold and bought as freely as 
     hot dogs.
       But with superpowerful computers and vast databases in the 
     private sector, personal information can't be segmented in 
     this manner. For example, in 1996, a man in Los Angeles got 
     himself a store card, which gave him discounts and allowed 
     the store to trace what he purchased. After injuring his knee 
     in the store, he sued for damages. He was then told that if 
     he proceeded with his suit the store would use the fact that 
     he bought a lot of liquor to show that he must have fallen 
     because he was a drunkard.
       Some health insurers try to ``cherry pick'' their clients, 
     seeking to cover only those who are least likely to have 
     genetic problems or contract costly diseases like AIDS. Some 
     laws prohibit insurers from asking people directly about 
     their sexual orientation. But companies sometimes refuse to 
     insure those whose vocation (designer?), place of residence 
     (Greenwich Village?) and marital status (single at 40-plus?) 
     suggest that they might pose high risks.
       Especially comprehensive privacy invaders are ``cookies''--
     surveillance files that many marketers implant in the 
     personal computers of people who visit their Web sites to 
     allow the marketers to track users' preferences and 
     transactions. Cookies, we are assured, merely inform 
     marketers about our wishes so that advertising can be better 
     directed, sparing us from a flood of junk mail.
       Actually, by tracing the steps we take once we gain a new 
     piece of information, cookies reveal not only what we buy (a 
     thong from Victoria's Secret? Antidepressants?) but also how 
     we think. Nineteen eighty-four is here courtesy of Intel, 
     Microsoft and quite a few other corporations.
       All this has led Scott McNealy, the chairman and chief 
     executive of Sun Microsystems, to state, ``You already have 
     zero privacy--get over it.'' This pronouncement of the death 
     of privacy is premature, but we will be able to keep it alive 
     only if we introduce general, all-encompassing protections 
     over segmented ones.
       Some cyberspace anonymity can be provided by new 
     technologies like anti-cookie programs and encryption 
     software that allow us to encrypt all of our data. Corporate 
     self-regulation can also help. I.B.M., for example, said last 
     week that it would pull its advertising from Web sites that 
     don't have clear privacy policies. Other companies like 
     Disney and Kellogg have voluntarily agreed not to collect 
     information about children 12 or younger without the consent 
     of their parents. And some new Government regulation of 
     Internet commerce may soon be required, if only because the 
     European Union is insisting that any personal information 
     about the citizens of its member countries cannot be used 
     without the citizen's consent.
       Especially sensitive information should get extra 
     protection. But such selective security can work only if all 
     the other information about a person is not freely accessible 
     elsewhere.
                                  ____


                  A Middle Ground in the Privacy War?

                   [By John Schwartz--March 29, 1999]

       Jim Hightower, the former agriculture commissioner of 
     Texas, is fond of saying that ``there's nothing in the middle 
     of the road but yellow stripes and dead armadillos.''
       It's punchy, and has become a rallying cry of sorts for 
     activists on all sides. But is it right? Amitai Etzioni, a 
     professor at George Washington University, thinks not. He 
     thinks he has found a workable middle ground between the 
     combatants in one of the fiercest fights in our high-tech 
     society: the right of privacy.
       Etzioni has carved out a place for himself over the decades 
     as a leader in the ``communitarian'' movement. 
     Communitarianism works toward a civil society that transcends 
     both government regulation and commercial intrusion--a 
     society where the golden rule is as important as the rule of 
     law, and the notion that ``he who has the gold makes the 
     rules'' does not apply.
       What does all that have to do with privacy? Etzioni has 
     written a new book, ``The Limits of Privacy,'' that applies 
     communitarian principles to this thorny issue.
       For the most part, the debate over privacy is carried out 
     from two sides separated by a huge ideological gap--a gap so 
     vast that they seem to feel a need to shout just to get their 
     voices to carry across it. So Etzioni comes in with a theme 
     not often heard, that middle of the road that Hightower hates 
     so much.
       What he wants to do is to forge a new privacy doctrine that 
     protects the individual from snooping corporations and 
     irresponsible government, but cedes individual privacy rights 
     when public health and safety are at stake--``a balance 
     between rights and the common good,'' he writes.
       In the book, Etzioni tours a number of major privacy 
     issues, passing judgment as he goes along. Pro-privacy 
     decisions that prohibited mandatory testing infants for HIV, 
     for example, take the concept too far and put children at 
     risk, he says. Privacy advocates' campaigns against the 
     government's attempts to wiretap and unscramble encrypted 
     messages, he says, are misguided in the face of the evil that 
     walks the planet.
       The prospect of some kind of national ID system, which many 
     privacy advocates view as anathema, he finds useful for 
     catching criminals, reducing fraud and ending the crime of 
     identity theft. The broad distribution of our medical records 
     for commercial gain, however, takes too much away from us for 
     little benefit to society.
       I called Etzioni to ask about his book. He said civil 
     libertarians talk about the threat of government intrusion 
     into our lives, and government talks about the threat of 
     criminals, but that the more he got into his research, the 
     more it seemed that the two

[[Page S14541]]

     sides were missing ``the number one enemy--it's a small group 
     of corporations that have more information about us than the 
     East German police ever had about the Germans.''
       He's horrified, for example, by recent news that both 
     Microsoft Corp. and Intel Corp. have included identifier 
     codes in their products that could be used to track people's 
     online habits: ``They not only track what we are doing,'' he 
     says. ``They track what we think.''
       His rethinking of privacy leads him to reject the notions 
     that led to a constitutional right of privacy, best expressed 
     in the landmark 1965 case Griswold v. Connecticut.
       In that case, Justice William O. Douglas found a right of 
     privacy in the ``penumbra,'' or shadow border, of rights 
     granted by other constitutional amendments--such as freedom 
     of speech, freedom from unreasonable search and seizure, 
     freedom from having troops billeted in our homes.
       Etzioni scoffs at this ``stretched interpretation of a 
     curious amalgam of sundry pieces of various constitutional 
     rights,'' and says we need only look to the simpler balancing 
     act we've developed in Fourth Amendment cases governing 
     search and seizure, which give us privacy protection by 
     requiring proper warrants before government can tape a phone 
     or search a home.
       ``We cannot say that we will not allow the FBI under any 
     conditions, because of a cyberpunk dream of a world without 
     government, to read any message.'' He finds such a view ``so 
     ideological, so extreme, that somebody has to talk for a 
     sense of balance.''
       I was surprised to see, in the acknowledgements in his 
     book, warm thanks to Marc Rotenberg, who heads the Electronic 
     Privacy Information Center. Rotenberg is about as staunch a 
     privacy advocate as I know, and I can't imagine him finding 
     much common ground with Etzioni--but Etzioni told me that 
     ``Marc is among all the people in this area the most 
     reasonable. One can talk to him.''
       So I called Rotenberg, too. He said he deeply respects 
     Etzioni, but can't find much in the book to agree with. For 
     all the talk of balance, he say, ``we have invariably found 
     that when the rights of the individual are balanced against 
     the claims of the community, that the individual loses out.''
       We're in the midst of a ``privacy crisis'' in which ``we 
     have been unable to come up with solutions to the privacy 
     challenges that new business practices and new technologies 
     are creating,'' Rotenberg told me.
       The way to reach answers, he suggested, is not to seek 
     middle ground but to draw the lines more clearly, the way 
     judges do in deciding cases. When a criminal defendant 
     challenges a policeman's pat-down search in court, Rotenberg 
     explained, ``the guy with the small plastic bag of cocaine 
     either gets to walk or he doesn't. . . . Making those lines 
     fuzzier doesn't really take you any closer to finding 
     answers.''
       As you can see, this is one argument that isn't settled. 
     But I'm glad that Etzioni has joined the conversation--both 
     for the trademark civility he brings to it, and for the 
     dialogue he will spark.

  Mr. TORRICELLI. Mr. President, I rise today to introduce the Privacy 
Protection Study Commission Act of 1999 with my colleague, Senator 
Kohl. This legislation creates a Commission to comprehensively examine 
privacy concerns. This Commission will provide Congress with 
information to facilitate our decision making regarding how to best 
address individual privacy protections.
  The rise in the use of information technology--particularly the 
Internet, has led to concerns regarding the security of personal 
information. As many as 40 million people around the world have the 
ability to access the Internet. The use of computers for personal and 
business transactions has resulted in the availability of vast amounts 
of financial, medical and other information in the public domain. 
Information about online users is also collected by Web sites through 
technology which tracks an individual's every interaction with the 
Internet.
  Despite the ease of availability of personal information, the United 
States is one of the few countries in the world that does not have 
comprehensive legal protection for personal information. This is in 
part due to differences in opinion regarding the best way to address 
the problem. While some argue that the Internet's size and constantly 
changing technology demands government and industry self-regulation, 
others advocate for strong legislative and regulatory protections. And, 
still others note that such protections, although necessary, could lead 
to unconstitutional consequences if drafted without a comprehensive 
understanding of the issue. As a result, congressional efforts to 
address privacy concerns have been patchwork in nature.
  This is why Senator Kohl and I are proposing the creation of a 
Commission with the purpose of thoughtfully considering the range of 
issues involved in the privacy debate and the implications of self-
regulation, legislation, and federal regulation. The Commission will be 
comprised of experts in the fields of law, civil rights, business, and 
government. After 18 months, the Commission will deliver a report to 
Congress recommending the necessary legislative protections are needed. 
The Commission will have the authority to gather the necessary 
information to reach conclusions that are balanced and fair.
  Americans are genuinely concerned about individual privacy. The 
Privacy Commission proposed by Senator Kohl and myself will enable 
Congress and the public to evaluate the extent to which we should be 
concerned and the proper way to address those concerns. The privacy 
debate is multifaceted and I encourage my colleagues to join Senator 
Kohl and myself in our efforts to gain a better understanding of it. 
Senator Kohl and I look forward to working with all those interested in 
furthering this debate and giving Americans a greater sense of 
confidence in the security of their personal information.
                                 ______