us telecommunications privacy policy

Deciding on who should know about Americans’ private telephone conversations and other forms of telecom- municating has always been an issue fraught with, on the one hand, fear of intrusive government or corporate agents and, on the other, a desire for government and corporations to control crime and vend services respec- tively. This article looks at how legal and legislative compromises have been reached in order to address differing goals, and what forms future privacy issues may take. The discussion fo- cuses first on the political origins of the USA’s current laws governing privacy and the telephone, then on novel privacy issues arising out of new telecommunications technologies.’

Dr James E. Katz can be contacted at Bell Communications Research, 445 South Street, Morristown, NJ, 07960-1910, USA (Tel: 201-829 4556).

‘My emphasis is on interpersonal telecommunications. It is not within the purview of this paper to examine telecommunications vis-8-vis workplace privacy nor policy at the sub-national (state) level. For more details regarding the cultural and historical basis of USA privacy concerns, see James E. Katz, ‘Public policy origins of telecommunications privacy and the emerging issues’, h-formation Age, Vol 10, No 3, July 1988. pp 169-76.

US telecommunications privacy policy

Socio-political responses to technological advances

James E. Katz

Ever since the telephone was invented there have been attempts to invade, as well as to protect, the transactions taking place on it. Through the years Congress and the Supreme Court have come around to a position of generally supporting privacy protections, while the Executive Branch has normally wanted weaker ones, with greater access to information on its citizenry. Today, Americans have extensive privacy protections for much of their interpersonal telecommunications. While a few areas may produce policy controversies in the coming years, such as methods of creating and enforcing privacy of cellular telephone calls, there is now a far-reaching legislative framework that was put into place in 1986. Public sentiment so strongly favours privacy that there is likely to be resistance to any new technologies or marketing practices that invade it.

It is useful to keep in mind that when we talk about the privacy of electronic communications, the subject actually comprises two aspects: the content of the communication; and the fact itself that the communication was made. The first area deals with the substance of the message. Invasions of privacy here have to do with messages that are intercepted, diverted, recorded or monitored by parties other than the originator and intended recipient of the message. An example of a privacy violation in this area would be an illegal wiretap, whose existence is unknown to the two parties talking on a telephone.

The second area concerns who uses which service, when and with whom. Records which are generally considered confidential but which are subject to privacy violations include who subscribes to adult programmes on cable television, which numbers were dialled from a particular telephone number, and who communicated with whom over an electronic mail service. Note that in this second area it is not the content of the communication that is the central concern but the utilization of the service itself. In the past, it was the first area that was of major interest to federal policymakers, but today both are, and both are likely to remain of equal importance in the future.

0308-5961/88/040353-16!$3.00 0 1988 Butterworth & Co (Publishers) Ltd 353

US relecomml~nicrrfion.s prirtrcy poliq

Content of communications: a privacy overview

Almost as soon as telephones became commercially available they were being tapped. As usual, however, as soon as a technology for penetrating privacy is devised, a counter-measure soon follows. The telephone exemplifies this. The first patent for a telephone scrambler was issued in 1SSl. just five years after the telephone itself was patented.’ However, few people availed themselves of scramblers, and wiretapping, which was not barred by federal legislation, became widespread in the years before the First World War.” Neither, apparently, was wiretapping seen as having been barred by the Constitution. In a 1933 test of the constitutionality of wiretapping, the US Supreme Court ruled that telephone calls are not protected by the Bill of Rights’ prohibition of unreasonable searches or seizures. The Court majority held that only material things were protected. Partly in response to this, Congress passed in the same year the Federal Communications Act which, among other things, did prohibit the interception of telephone calls.

Since then, the Supreme Court has taken a broader view of ‘private property’. In 1966 it set out stringent guidelines on electronic surveillance by police. The ruling was made in response to a case which found that New York State’s wiretap law was too imprecise. The next year it also decided against the federal government’s position that it could wiretap public places without warrants. The government argued that there was no expectation of privacy in public places, such as in a telephone booth. But the Court held that the Constitution protected people not places.

After the Supreme Court made its decision curbing wiretapping in the 196Os, Congress passed an Omnibus Crime Control Act (Public Law 90-351) which among other things gave greater leeway to government officials to tap telephones. This major revision of federal criminal statutes included a revision (in Title III) to the limitations on wiretapping imposed by the Court. Title III permits wiretapping by government agents if a warrant had been issued, or when there is the consent of at least one party, or an emergency, or when the president has ordered it to protect national security.

When the Nixon Administration took office in 1969, it asserted that it would use Title III to the maximum extent possible. It did. The administration also maintained that it could use warrantless taps to surveille domestic groups that it viewed as threats to national security. It turned out that this rationale was also applied to some members of the White House’s own National Security Council, who had their telephones tapped for many months in an attempt to uncover leaks to the press.4 However, this view was rejected by the Supreme Court in 1972, the same year in which burglars acting at the behest of President Nixon’s reelection campaign committee were caught breaking into the Demo- cratic Party Headquarters at Watergate.

Until 1986, the Omnibus Crime Control Act was the primary source of guidance about telephone tapping. Title III of the Act subjected only ‘aural’ communications on conventional telephones to its strictures. It did not address the communication forms that were only then emerging, such as e-mail (electronic mail), high-speed data transmissions by microwave, satellite-relayed telephone calls, and computer-to-computer data flows on conventional wires and on optical fibre. Since all these forms were non-aural, their interception was not barred by law.

2George O’Toole, The Private Sector, Nor- ton, New York, 1978, p 97. 3Alan LeMond and Ron Fry, No Place to Hide, St Martin’s Press, New York, 1975, pp 4-5. These authors quote a New York Times article of 17 May 1916, which reports on a Senate investigating committee that determined that wiretapping by authorities in New York City began in 1895. The committee also received testimony from a New York Telephone Com- pany officer that 350 telephones were officially tapped by police between 1914 and 1915. ‘These disclosures were part of revelations about long-standing and sometimes illegal governmental privacy invasion practices. Among the discoveries made public was that the National Security Agency, with the assistance of RCA and IT&T, monitored all USA-originating international cable traffic for nearly 20 years. A superb overview of these activities is contained in M. Halperin, The Lawless State: The Crimes of the U.S. Intelligence Agencies, Penguin, New York, 1976.

354 TELECOMMUNICATIONS POLICY December 1988

As cellular telephones, microwave transmissions. and so on ex- panded, the courts and the telecommunication industry repeatedly asked Congress for legislation to guide privacy policy in this area. Congress did respond. Before discussing this latest legislation, it would be appropriate to look at the second major issue in communications privacy mentioned earlier, namely, the usage of communications.

Usage of communications: a growing controverq

Title III of the Omnibus Crime Control Act protected usage information by defining ‘content’ so broadly that it was included under the latter’s strictures. Consequently, operose court orders vvere needed by the government for access to usage records. Yet usage information supplied by proliferatin, 0 technologies falling outside Title III’s ambit (ie, anything other than conventional telephone conversations) was left in a legal limbo. Courts had to begin grappling with these excluded areas.

In 1978 the Supreme Court decided that a ‘pen register’ was not subject to the restrictions of Title III, nor of any other law. Pen registers are instruments that record and/or indicate numbers dialled or transmitted from a particular telephone. They can be used by a third party at a remote location to gather information. Another device often used for privacy invasion, and also not covered by Title III. is the trap-and-trace device. This captures an incoming electronic or other impulse on a telephone and identifies the number from vvhich a call was made. However, many designs of this device require attachment on a telephone line, which in turn would require trespassing onto the property of the person whose phone is to be monitored. And, of course, trespass is illegal.5

In the early 198Os, a cinema operator vvas arrested in Columbus, Ohio, for showing pornographic films. As part of his defence, he attempted to show that he was not violating community standards. Among the ways that he sought to show this was to subpoena the records of Warner Communications, operator of the Qube system, which offered adult entertainment on its cable service. Part of the defence was that the same film as he had been arrested for showing had already been shown on cable. It is also generally presumed that his defence was that community leaders, such as the city council members, subscribed to the cable system’s adult programming, which was comparable with his offerings; thus there would be no violation of community standards. Such revelations would presumably be embarrassing to the community leaders. This move alarmed the cable industry which felt its records were not to be exploited in this manner. Ultimately Warner released ‘summative data’ giving general numbers of viewers but which did not allow any means of identifying specific viewers. (This

5There would be no trespass if the person district attorney dropped the case before it came to trial.)

who owned the property authorized the At about this time, in Madison, Wisconsin, a man was arrested for

device’s placement. But seeking such per- drug dealing; the prosecutor wanted records of his e-mail communica- mission might render useless the rationale for its placement in the first place. This

tions, believing they would yield evidence in the case and also support

would be the case if, for example, a further prosecutions. The company providing the electronic mail service suspected bookmaker were asked for per- resisted the prosecutor’s attempts to gain this information. A court mission to trace by the police. It would not be the case if permission were sought from

battle ensued over access to his electronic mail data files, but was

someone receiving threatening telephone aborted when the defendant pleaded guilty.

calls. These cases prompted the videotex industry to promulgate and

TELECOMMUNICATIONS POLICY December 1988 355

US telecomnurnicalions privacy polic,v

defend operating standards which bar the release of usage data of individual customers. They highlighted the need for legislation clar- ifying the legal status of private electronic communications. in both content and form. Telecommunication technology clearly had outstrip- ped the legislative framework.

Besides law enforcement, communications usage data also have commerical import. Information about who receives what type of communication gives valuable marketing data about the recipient. Cable companies have sold this information to marketing firms, often to the displeasure of cable customers. In response, at the cable industry’s initiative, protective contracts and ‘good practice’ codes have been drawn up between service providers and customers as a barrier to improper exploitation of these data; recently, a new law (which will be discussed next) governs their disclosure to governmental agencies. Still there will be continuing pressure to use these data for commercial purposes. The privacy questions concerning marketing aspects of information on telephone company customers (as opposed to legally required disclosure to governmental agencies) will be addressed later in the article.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act was passed in 1986 after the inadequacies of the wiretap legislation of the late 1960s became increasingly apparent to four groups active in the policy process: the electronic communications industry, public interest groups, proactive governmental policy analysts. and liberal members of Congress concerned with privacy of the individual.

Each of these groups had a particular interest in getting new legislation passed that would protect the privacy of electronic communications - including both content and usage. The trade associations and their constituent members were concerned about their ability to vend services which had been coming under a variety of attacks on privacy grounds through court proceedings. They felt that their services would become more valuable if they could assure a high degree of privacy in the communications they carried. Among the groups that were active in lobbying Congress on this subject were the Videotex Industry Association, the Electronic Mail Association, AT&T, and several of the regional Bell operating companies.

The American Civil Liberties Union (ACLU) has had a longstanding concern with the protection of the individual from government snooping and interference. Because of this interest, there was a natural fit between their activities and the growing attention being paid to electronic communications. The ACLU held a series of conferences in 198445 on this subject which attracted considerable attention from the privacy policy community and which helped coalesce forces pressing for change.

The Office of Technology Assessment, a staff arm of the US Congress with the mission of anticipating consequences of technological change, had put telecommunications on its research agenda. Congress wanted to protect the privacy of communications by the public (as well as by business firms and governmental agencies) and was less concerned about the ability of law enforcement agencies to monitor such communications. Its concerns were not new, and in fact similar


‘The testimony of James Knapp, deputy assistant attorney general, at hearings on ECPA, outlines the Justice Department’s objections. See US House Judiciary Com- mittee, Electronic Communications Priva- cy Act hearings, 5 March 1986, pp 212-53. It was only after the hearings that the Justice Department altered its position. ‘Washington Post, 20 January 1986, p A21. Blnterview with anonymous telecommunications policy analyst based in Washington, DC, 16 October 1986. qhe full details of this complicated law cannot be presented here. For a review, see Russell S. Burnside, ‘Electronic Com- munications Privacy Act of 1986’, Rutgers Computer & Technology Law Journal, No 13, 1987, pp 451-517. lo Washington Post, 16 May 1986, p A 13. “The law states that electronic communications include ‘any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature’ which is transmitted ‘in whole or in part by wire, radio, electromagnetic, photoelectronic or photo- optical system that affects interstate or foreign commerce.’ The law also ex- panded electronic communications systems to include computer facilities involved in such communications. The Constitution reserves the right of States to regulate their own internal commerce, but the courts have traditionally been quite broad in their extension of ‘interstate’ commerce to matters that might seem to be largely intrastate.

legislation had been introduced in several previous sessions of Congress. However, the Justice Department had stymied the bills by arguing

that their ability to counter crime and domestic security threats would

be degraded. Justice Department officials felt that even though there were gaps in the law, they did not wish to support any moves that would diminish their ability to use taps and electronic interceptions for law enforcement purposes.h They argued that e-mail services kept backup copies of transmissions in case of a system crash or in support of the billing process. Consequently they were no different from banks, which kept copies of cheques and other transactions. They should therefore be considered ‘third-party record-holders’ in legal terms. As such they would be required to hand over records by authority of an administrative subpoena, which can be signed in any prosecutor’s office, just as a bank would have to. For both commercial and self-image reasons, the e-mail industry did not want its commodity relegated to a lower status

than that enjoyed by first class mail. First class mail can only be opened with a warrant obtained by a judge who has evaluated an affidavit showing ‘probable cause’ that the opening of the mail would yield material evidence in a criminal case.

This disagreement between the law enforcement community and privacy advocates held up passage of the bill for over a year. During the negotiations the Justice Department did offer to try to develop a new category of access to e-mail - something between an administrative subpoena and a warrant - but the e-mail industry, the privacy coalition, and their Capitol Hill supporters held their ground.’ Through intensive discussions and lobbying, the Justice Department finally became persuaded by these groups that it would not be impeded seriously by a new privacy law and in fact saw ways that gave it better crime-fighting ability. Another argument swaying the Justice Department was that the law would make electronic communications services more attractive to potential clients.’

The final version of the Electronic Communications Privacy Act (ECPA, Public Law 99-508), signed by President Reagan on 21 October 1986, set forth a national policy on the privacy of electronic communications. Rather than protecting only aural communications on telephones, as was the case with the 1968 wiretap law, it protected nearly all forms of electronic communications as well as the computer facilities involved in such communications (eg electronic mail and networking). Thus the law extends legal protection to the vast majority of mainframes, both those that are now in existence and those that will eventually be built. In addition, most computer workstations and minicomputers, as well as about 10% of home personal computers, are involved in electronic mail. Hence the law’s scope is very broad indeed.’

Importantly, the Act extended for the first time legal privacy protections to the large and rapidly growing e-mail community. (Industry sources estimate that in the USA, 250 million electronic mail messages were transmitted by the 5 million users in 1985.“) A collateral outcome of passing the Act is that it relieved the fear, on the part of foreign government agencies operating or receiving data services in the USA, that the federal government would swoop in and grab their data. Albeit that the USA is still quite far from the Council of Europe’s data privacy guidelines, by passing the ECPA it has removed at least one potential competitive barrier for US data services and also removed a potential misunderstanding of international proportions.”


US rrlrcomnunicutions priwcy policy

No protection for cordless telephones

‘*Courts in two states had already upheld law enforcement monitoring of cordless telephones on the grounds that they were equivalent to radio transmitters. 13Washington Post, 20 January 1986, p A 17. l4 Wall Street Journal, 29 October 1986, p 31. Packaging on cordless telephones is reauired bv the FCC to state that ‘privacy of ‘communications may not be ensured;. Regulations are under consideration for similar labelling on cellular telephones. ‘%enate Report to PL 99-508. Given this reasoning, innovators might wish to consider keeping their emerging telecommunications technologies as secure as possible from penetration in order to avoid losing potential legal protection at a later time. “Dropping costs may make encoding a cordless standard. Some companies have criticized ECPA for ‘giving cellular manufacturers the opportunity to claim, falsely, that their systems are more secure’. John Ft. Kresse, ‘Privacy of conversations over cordless and cellular telephones’, George Mason Law Review. Voll9, No 2,1987, pp 335-50, p 349. “Access is easier if the message has been stored for more than six months. Rather than a court warrant, a less stringent administrative subpoena is all that is necessary to win access. In such cases, the government must give prior notice to the relevant e-mail customer; conversely, the customer could file a motion to reverse any court-ordered subpoena that required release of the information. Still the prior notification can be suspended for 90 days if there might be an ‘adverse result’ from doing so; in the meantime the government would have access to the records.

While a variety of radio signals are protected - if for example they are encrypted, transmitted through a common carrier, or used as part of a cellular phone call - some forms of electronic communication are left unprotected. These include any radio communication that is ‘readily accessible to the general public’ (the rationale for this is obvious, for otherwise it would be illegal to listen to one’s radio), general mobile radio services, marine, aeronautical, police, fire and other public safety communications, and specified satellite transmissions.

Exempted also is the radio portion of cordless telephone calls - the portion between the cordless telephone’s handset and base unit. This lack of protection for cordless telephones stemmed from the ease with which the calls can be intercepted, even inadvertently, by FM radio receivers. Because of this, lawmakers wanted cordless telephone users to assume that their conversations may be overheard.” One Justice Department official compared cordless telephone privacy as being the same thing as ‘protect[ing] the privacy of someone yelling from one backyard to the backyard of his neighbours’.‘”

Sanctions were set for violations of the law. Stiff penalties are specified if private interceptions are made for illegal commercial gain (eg, stock market information for insider trading). Much lighter penalties are levied for casual intercepts, such as by idle eavesdroppers. Enforcement against casual intercept, however, will prove problemati- cal; many older television sets can receive cellular mobile telephone conversations and this practice has resulted in some embarrassing stories. While the cellular telephones that AT&T provides to its executives are tagged with reminders that conversations are not secure, most cellular telephone manufacturers prefer not to advertise their vulnerability to interception.”

The lawmakers asserted that it is the ease of interception that distinguishes the criminal liability of those who eavesdrop on cellular vis-d-v& cordless telephones. I5 This distinction, however, is chimerical since both are easily intercepted by FM radios and old TV sets. Both are also easily encryptable, and many are manufactured so equipped. Despite this, I see technology (via encryption) eventually solving this legislative oddity.16

Another anomaly results from ECPA: the people to whom someone is talking on a cordless telephone may be unaware that their conversations are being held via a cordless telephone and thus could be freely intercepted. In such a case people might think they were being protected by ECPA when in fact they were not. Undoubtedly, there will be court tests of this aspect of ECPA.

In terms of the content of stored messages, such as those used in e-mail services, the federal government can require the disclosure of any message, no matter how long it has been stored, if it first obtains a warrant.”

The Act made it generally illegal for a person or entity providing public wire or electronic communication services to divulge the contents of any communication to any person save the intended recipient. It does provide for disclosure of the information if it is made in the course of the employee’s normal duties and appears related to the ‘commission of a crime’.

ECPA’s effect on the access to information about usage of telecommunications is varied. Pen registers and ‘trap-and-trace’ devices are


US rdrcommrrnicarions privucy poliq

barred, reversing the Supreme Court’s 1978 decision asserting their legality under Title III, except by government officials with court orders or by communication companies when used for billing purposes. ECPA narrowed Title III’s definition of ‘content’ to exclude information about the ‘existence of a communication’ and ‘identity of parties’. (Both of these are elements of usage’s meaning.) ECPA delimited governmental access to this information, requiring similar procedures to those cited above for stored communication content but without the advance notification requirement. Hence billing and administrative records, including who the parties were that were involved in a communication, now have limited protection but can also readily fall under government purview. Service providers are allowed to divulge usage data to any non-governmental entity or person without restriction.

ECPA’s delineation of privacy and access successfully cleared up the ambiguous legal status of e-mail (and other computer-based communication). The Act’s overall thrust protects the privacy of stored electronic communications both before and after delivery. It is now a misdemeanor to break into an electronic message system or to exceed authorized access in the system with the intent to alter or obtain stored messages. The penalties for this can be severe, including jail sentences.

Government access increased

But note that these are protections for unauthorized access. ECPA actually loosens some privacy protections in terms of governmental access, especially to data concerning usage. It does this partly by weakening some safeguards that existed under Title III wiretap legislation and partly by expanding areas of potential governmental inspection. ECPA expands the government’s ability to get telecommunications-based intelligence by:

0 0

0

0

l

0

0

a

l

Adding 30% more crimes that can qualify for surveillance orders. Increasing the number of Justice Department officials who can authorize applications for court approved wire tapping. Permitting any entity of government to request authority to seize stored data. Allowing the FBI to hire private contractors to conduct the wiretaps. Easing legal requirements for obtaining a court order to gain access to electronic communications and stored data. Eliminating all barriers to government interception of cordless telephone conversations and some pager transmissions. Authorizing for the first time use of mobile tracking devices and roving telephone taps (which enable tapping of several telephones), provided a court order is obtained. Widening ‘good faith’ defences of officials who overstep the law in surveillance and protecting them from civil action or prosecution (limiting the ability of those who might be wronged to strike back at the offending party). Giving government a freer hand in surveilling communication usage (as opposed to communication content).

This last area, especially, seems to reduce privacy protection. For example, it enhances the government’s power to surveille network usage patterns of citizens or to seek sources of leaks without getting


judicial approval. One lawyer maintains that ECPA ‘taken as a whole [. . .] will increase substantially the possibilities for surveillance by federal agencies.“s

Private taping an ongoing issue

As a sidelight to the passage of ECPA it should be noted that the laws governing the recording of telephone conversations applies only to third parties. Private citizens are still legally permitted to record the telephone conversations that they have, and they are not legally obliged to inform the other party that they are doing so. There have been attempts to oulaw this practice as an invasion of privacy or at least as a violation of confidentiality, the most recent attempt being in 19%. It was aimed only at federal government employees and officials and came in the wake of a scandal involving a high Reagan Administration appointee. Charles Z. Wick, close advisor of President Reagan and director of the US Information Agency, was discovered to have been recording dozens of conversations with others without their knowledge or consent. As a result of this disclosure, Senators Howard Metzenbaum (D-Ohio) and Dale Bumpers (D-Arkansas) introduced an amendment to the criminal code barring any government employee from making such recordings. Their amendment did include exemptions for law enforcement, counterintelligence and national security personnel.

Rebuking their proposal, the Justice Department held it would impede crime-fighting. Republican senators accused them of attempting to embarrass their leader, President Reagan. Metzenbaum and Bum- pers stated that they were astonished by the protests to their plan, Metzenbaum asserting ‘that a lot more secret taping is going on than a lot of us imagined’.” The amendment was defeated by 41 votes against 51.

This attempt to outlaw a form of telephone taping illustrates how an outside revelation or scandal can prompt the political system into action. In this case, the law on taping was not changed, but it is possible that next time it will be.

Privacy prognosis

With the passage of ECPA, strong legislation is now in place giving both the executive and judicial branches guidance about the interception of electronic communications. It places sanctions on unauthorized persons who intercept most types of private interpersonal electronic communication signals, or who release information concerning such communications. It protects the privacy of communication services and provides penalties for those who steal services from electronic communication companies.

ECPA’s scope means that the USA has a broad telecommunications privacy policy. A compromise disappointing in many ways to privacy advocates, it nonetheless extends protections to many technologies, albeit sometimes in an incongruous fashion. Probably only fine-tuning

“Robert L. Corn, ‘The odyssey of federal legislation will be passed for at least the next decade. One topic likely to wiretapping law’, Cat0 Policy Report, Vol be addressed is cordless telephone conversation privacy (especially for 9, No 1, January/February 1987, pp 1, 13-15.

non-cordless users talking to someone on a cordless telephone). Yet any

‘%Q Almanac, 7984, Congressional new laws or amendments are unlikely to change ECPA’s central theme. Quarterly. Washington, DC, 1985, p 222. Additional protections of citizens from governmental snooping are


unlikely to be passed, short of some sudden revelation of government wrong-doing. In fact, citizen protections may be reduced in the name of societal protection, such as giving law enforcement agencies freedom

from specific impediments, if the case can be made that a national peril will be avoided.“’

The law seems suited for implementation of the Broadband Inte- grated Services Digital Network (BISDN)” or of any other intelligent network, since it addresses the anticipated means and service offerings. New areas of dispute are sure to arise as the service is actually implemented, but these disputes are likely to be over the specific applications of the service rather than the underlying privacy status of BISDN or other future networks. That is to say that there will presumably be attempts to set up sex services over the network, much as is the case with the present telephone system over which dial-a-porn is offered and with the French Minitel, which has been used by individuals to arrange to meet for sexual contact. But the legal battles will be over the ambiguities of conflicting laws and social values rather than over the premise of privacy of the network, which is legally insured in many respects by the ECPA. No matter which of the foreseeable technologies becomes the industry standard, the legal loopholes for technological end-runs around privacy standards appear closed for the balance of the century.2’ What is unclear is whether ECPA will open the way for governmental prying or instead preserve a high level of user privacy; the fear among several legal experts is that it will do the former.”

The privacy legislation process

This review of telecommunications privacy reveals several noteworthy aspects about how it is handled by the US policy process.

0 There is at times a distinction made between the privacy of what is transmitted over the telecommunications system and the privacy of the communication having taken place at all. Legal attempts to gain information from telecommunication service vendors now follow these two paths discretly. Service vendors, for their part, have traditionally followed an official path of non-disclosure of information on either of these two aspects of communications, except where legally required. Building a strong and diverse coalition supportive of change was important in gettin g the far-reaching 1986 ECPA passed. Future attempts to pass significant legislation without widespread agreement on the problem definition seem unlikely to be successful; even with agreement on problem definition, winning enough support for a particular solution also proved to be a great challenge. Coalition building is highly effective in developing privacy legislation especially if economic and civil liberty groups combine in their efforts. Reagan Administration opposition to ECPA was eliminated in part because of economic considerations.

20Examples of such perils could be widespread drug-inspired corruption, spying by Soviets, or economic terrorism. Economic terrorism is exemplified by the Tylenol poisoning incidents in the USA and by the poisoning of food sold in supermarket chains in Japan. *‘BISON and other intelligent networks are l visualized as a user-controlled system capable of delivering all forms of information to anyone, at any time and at nearly any place. These information forms include full-fidelity voice and sound, data, and full-motion image and video transmissions. Essentially massive amounts of data can flow to or from any individual or organization. qechnologies now on the drawing boards may well challenge the organization of technology under ECPA’s formula. For instance, universal radio, were it to be deployed, would blur the law’s current cellular-cordless telephony distinction. This system is discussed in Don Cox, ‘Universal digital portable radio communications’, Technical Memorandum TM-ARH-002627, 2 April 1986. Bell Com- munications Research, Navesink. NJ. 230p tit, Refs 9, 16, 18.

With technologies that appear to invade or hurt privacy, it would probably be extremely difficult for telephone companies (telcos) to recruit the support of civil liberty groups, and without their support, impediments to new technologies might not be able to be removed, or their removal might be greatly delayed. It is possible that a difficult legislative battle would be required to allow certain technologies to be deployed in the network of the future, even if


these technologies could be subscribed to individually at a premium rate. All of the legislative steps now put into effect are compromises. None offers extremely high levels of privacy or security since to do so would work against other goals. Total sanctity of communications privacy would unacceptably hobble crime fighting and counter-espionage. It appears that the defence of economic interests is a very high priority in privacy laws. For example, ECPA specifies much harsher penalties for privacy penetrations that are motivated for economic reasons than for the identical action undertaken with a different motive. The economic interests of the videotex industry led it to lobby aggressively for that legislation. One implication of this finding is that telecommunications technologies which do have a privacy cost will also need to have explicit counterbalancing benefits. In particular, if it could be shown that a technology gives birth to new industries, improves the trade balance. increases industrial efficiency, and creates meaningful jobs, the privacy costs would be more willingly accepted by the polity. From the early history of telephony, and from various sociopolitical forces, we can speculate as to the future direction of privacy policy. Already mentioned is the dialectical succession of the development of technologies first to invade, then protect, privacy. Further, there is an inevitable lag between what can be accomplished with technology and the legal system’s regulation of it. Practices may be readily tolerated - from a legal point of view - for many decades, but then, quite suddenly, decisive action can be taken to totally redefine their legality.

New debates over customer information

For the purposes of this analysis it is useful to distinguish between data that are collected for social control, including law enforcement, and data that are used for marketing. Technological progress is posing privacy challenges, and solving some, in this latter area as well.2’

Marketing practices generally concern information about the use of the communication system (as opposed to the substance of communication, distinguished above). During a period of heavy regulation there was not much reason for telcos to exploit this type of data, and indeed the basic legislative framework for telcos, the 1934 Federal Communica- tions Act, defined this information as the intellectual property of the telco. Further, before the existence of automation and powerful switches, customer records did not contain much information that was of interest outside of network provisioning.

Yet the introduction of new telephone technologies makes information available about customers’ usage of the system, and often the hardware and software possessed by them. Generally, the information includes the level and types of service and equipment customers have, and data about network usage. These data are collectively called

“‘Technology can reduce privacy prob- Customer Propietary Network Information (CPNI). CPNI becomes lems in a straightforward manner without more plentiful as more services and equipment options are created via the need for regulatory intervention. A network modernization. Its commercial value also increases as sales of prosaic example is the adoption of telephone answering machines to screen customer premise equipment and enhanced services grows. Some of this calls. information is not considered particularly sensitive from the personal


US frlecomnflrnicariorls privucy policy

25The major regulations are propounded in Federal Communications Commission CC Dockets 86-79.85-26 and 85-229. 26These choices are solicited annually by the telcos from these customers. *‘John Bush, ‘Who can tell what the phone company knows about you?’ Data Com- munications, June 1988, pp 55-58. **In my opinion the FCC itself does not realize the potential importance of this precept, but I believe that it will be used in court cases in other areas. The precept is also in line with the principles of control over personal data that is embodied in Council of Europe declarations on privacy. Hence the precept is likely to spread in this country to personal records that are trans- ferred from one source to another.

privacy viewpoint, but may have great commercial value, and so in that sense can be considered private. This includes information such as how

many telephone lines are possessed by a large business. and types of customer premise equipment. Houever, it includes other information that is generally considered quite private, such as the numbers to which calls are made.

The Federal Communications Commission (FCC) has recently propounded regulations to govern the release of these data to firms (including telco subsidiaries) that want them for marketing and planning purposes. The regulations, which give leeway to each telco to develop its own rules, set minimum standards.‘” For example, each multi-line business customer is to be given the right to decide which of the various potential telecom service vendors can have access to its CPNI.‘”

It is expected that some privacy and commercial aspects to CPNI will be of concern to customers and vendors alike. CPNI may be used to market new services to customers who would consider it a source of nuisance because of unsolicited sales calls. But it is also possible that a commercial firm might find this information employed to its own disadvantage by a competitor (which might be an unregulated subsidiary of a telco). To illustrate, if the information-releasing firm were itself in

the transaction processing or telecommunications services business, its own CPNI would be extremely valuable strategic information.*’

Commercial considerations aside, I see the FCC regulations on CPNI setting an important precedent in customer control over private information. In essence they place the ownership of the data in the hands of the customer - the data generator - rather than in those of the original service provider - the telco. The precept. then. is that the customer ‘loans’ the information to the telco for a service, but the control over who has access to that information remains with the ‘owner’. Some people may not care who sees the data, others will; but the control resides with the customer. This approach to using data provides a model which has broad applicability and will be more widely

adopted in the future.*’ Another aspect of CPNI concerns electronic accessibility of residen-

tial listing information. Already in the USA many consumers complain about telephone solicitation from sales people. Through data merging and consumer targeting, large numbers of unsolicited telephone calls and new forms of intrusion may be generated. To illustrate, home telephone numbers might be paired with political party registration and neighbourhood income information; this information could be sold to political canvassers or telemarketers, which in turn might cause a deluge of telephone calls to homes.

While name, address and telephone number is already publicly available via paper telephone books and city directories, it is increasingly made available in electronic form. Some telcos offer large customers online access to their directory assistance databases and are considering making it available to residential customers. Ready electronic access will make searching, matching and sorting all the easier, especially for large institutions.

In my estimation, moderate public outcry over these practices is likely, especially in privacy sensitive regions of the country like the West Coast. Even when they have no direct part in providing the information used to create the privacy disturbance, telcos will take the brunt of the criticism, since the invasion will occur via the telephone.


US Ielecommunications prirwcy polic!

29After all, it has always been legal in this country for any representative of a company or member of religious group to knock at your door and ask you questions on subjects as private as your children’s education or your spiritual beliefs. It is just as legal to close the door on them as to hang up on unwanted telephone solicitations. 3”These features are described in detail in C. Brant Hirschman, et al, ‘LASS: putting the telephone customer in charge’, Bell Laboratories Record, May 1985, pp 1 l-l 8. 3’This is done by having the customer dial a code immediately after receiving the nuisance call. This code adds the number to the telephone system’s memory. From then on each incoming call will be compared with the list of rejected numbers. If a match is found, the caller gets an announcement saying it cannot be com- pleted due to the customer’s request. 3qhis is roughly analogous to some states’ practices where ‘dial-a-porn’ services are restricted to certain prefixes. Consequently customers have the ability to prevent calls made from their phones fo these numbers. 33For a thorough review of the legal principles impinqing on telemarketing, see Mark S. Nadel, rRings of privacy’, G/e Journal on Regulation. Vol 4, No 1, Fall 1986, pp 99-l 28.

It is also likely, in my opinion, that the opposition will fade, partly because the public will become inured to such practices, which are only extensions of current ones.2y The very technology that makes directory information available will also tend to move it into the domain of public acceptability. Perhaps the ready acceptance by France of Minitel, which allows a name search throughout the largest country in West Europe, suggests that there may also be little resistance in the USA to this widened data availability. Further, if there is a sense of balance in this technology, so that even if one can be located via the database, one can also locate others, it might lessen public opposition.

Another reason why I believe opposition will fade is that modest policy changes, aided by technological advances, will reduce the intrusiveness of these calls. As state public utility commissions (PUCs) begin considering regulations for the telemarketing industry, the industry will try to regulate itself to head off PUC action. One or the other of these entities might place restrictions on telemarketing. An approach that might win wide support is the compilation of a statewide list of all people who do not wish to receive telephone solicitations. Technology might help such a system come into place. For example, an interface could be developed that could block even random digit dialling from reaching numbers on the list. A new source of telco revenue might be created if a fee were charged for this listing or blocking service.

New technologies to support privacy

Technology can give privacy a further twist in the form of the Customer Local Area Signalling Service (CLASS”“). (CLASS is a service mark of Bellcore.) Such services, many of which are being test marketed, offer features such as auto-call back of last number that tried to reach your phone, selective call-forwarding, incoming call identification (or caller- ID) and call blocking.30 Selective call forwarding, for example, can enhance one’s privacy from interruption by allowing only certain pre-selected numbers to get through to a call-forwarded location (all other calls would go through to their original destination). Two of these features merit closer examination.

Call blocking

Call blocking allows a customer to prevent calls originating from certain pre-specified numbers from getting through.3’ Hence upon receiving a telemarketing call the customer could press a button that prevents any further calls from that number from ever ringing the customer’s telephone again. Though attractive from a privacy point of view, call blocking can be easily circumvented by a telemarketer getting a new number which would not a priori be blocked. Yet if telemarketing calls continued to be a nuisance, regulations might require that all telemarketing organizations be restricted to certain prefixes.3” If these regulations were adopted, customers with call blocking could then block all telemarketing calls. Such regulations would raise constitutional questions regarding the telemarketer’s freedom of speech.33

In my estimation, market forces might also regulate personal information flow and dramatically alter telecom industry practices. For instance, individuals might provide personal information in exchange for payment from those seeking the information, and the telco would be the broker. Thus for a fee people might refrain from being on any


“Under readily deployable technology. name-forwarding would only work if callers used their home telephones. In such a case the telco has subscriber name information at hand to forward to the caller- ID service recipient. Name-forwarding would not work if the call was made from another telephone or by someone at a residence other than the registered customer. Still a smart-card-based system (which is already being experimentally deployed) would not have such a limita- tion. The smart-card owner would use the card to make the telephone call. By so doing the Delco would have the caller’s name lo be forwarded to the recipient regardless of where the call originates. 35The caller, some argue, is only paying for non-publicaOon of the number, not necessarily non-disclosure. This is probably going to be the rule governing the above question. However for the future one can envisage several levels of privacy priori- ties. It might be that a premium could be charged for a special non-disclosure service which would not forward the calling party’s number lo the call recipient. Some of this premium would be shared with a caller-ID subscriber as an incentive lo answer the telephone.

US telecommunications privacy policy

‘not-to-be-solicited’ list, or they might receive a small payment for each solicitation they heard. Parties wishing to get through but who have been call blocked might offer a payment to be put through. The payment would be split between the call recipient and the telco. While this is far from contemporary practice, it is possible that with the spread of ‘free-market’ ideology a micro-market in individual control over personal information could develop. Certainly the powerful technologies required to operate such a market will soon be within easy reach.

Caller identification

Another CLASS service, often called caller-ID, also has major privacy ramifications. Caller-ID shows to the call-recipient the telephone number from which he or she is being called. While the recipient’s telephone is ringing, and before it is picked up, the calling number appears on a small screen at the base of the telephone. (This is analogous to looking through a door peephole to get an idea of who is out there before opening the door.) Heretofore the person making the call obviously knew the number he was calling, but the call recipient usually had no idea who was calling. This new service has the potential of making levels of disclosures more balanced.

Now that technology can serve either the call making or call receiving party, whose ‘right to privacy’ should have greater precedence? A national public opinion survey by Cambridge Reports, taken in the winter of 1988, suggests that the majority of people feel that the privacy of the call recipient should take precedence over the desire of the caller to get through. It is my guess that the normative expectation is that the calling party should disclose his or her identity to the call recipient, so that caller-ID service only helps do this before the called party picks up the telephone. (While currently only the originating number is displayed, there is no technological reason why soon the caller’s name could not also be disclosed.34) Although the ACLU has protested this new service as privacy invasive, most people do not appear to think it so, according to the 1988 Cambridge Poll. In fact they generally think that it would increase their privacy.

Yet caller-ID poses two privacy dilemmas for policymakers. The first is the question of subscribers to unlisted number service. If their number is disclosed whenever they make a call, the implicit promise of non-disclosure appears to be violated. A solution might be to block the number from disclosure to the called party (a series of ‘x’es might appear in the window). But then what about the rights of the called party, who is also paying for an enhanced service? So another solution might be to maintain that the non-published number is just that: non-published, but no guarantee is extended about divulging it in outgoing calls. This remains an interesting legal puzzle which I believe will be resolved along the lines of preference to the call recipient party, congruent with the normative system already in place.35

The second policy dilemma with caller-ID service is its potential for privacy invasion. For instance, a person might be hesitant to use a suicide or rape hotline for fear of losing anonymity. Others do not trust their local police and would only contact them to report a crime anonymously. Hence with caller-ID, this source of intelligence would be foreclosed. Further, call originating information might be used by commercial firms to follow up contacts. Customers calling with a service question would unknowingly have their numbers referred to the sales


US trlrcommltnicariotls prirucy policy

36‘Marketing firm slices US into 240,000 parts to spur clients sales’, Wall Street Journal, 3 November 1986. pp 1, 24. ?3ichard A. Posner, The Economics of Privacy, University of Chicago Press, Chi- cago, 1980. 38’Computer use for news’, New York Times, 29 September 1986, p 12; ‘Compu- ter records become powerful tool for inves- tigative reporters and editors’, Wall Street Journal, 3 February 1988, p 24.

department for later solicitation. These are serious but not insurmount- able challenges to privacy. Rather than fundamental and liberty- threatening privacy issues, they more properly fall under the category of privacy as a quality of life issue. Yet they are nonetheless worthy questions. As technology advances some new privacy challenges arise while others become solved at both the liberty and quality of life levels.

Prospects for public action

My expectation is that the future of telecommunications privacy will be a series of contrasts: a lot more demand for personal data, a lot more personal data available, and a few new barriers, both regulatory and technological, to their disclosure. Novel and arcane levels of disclosure and withholding of information will come into being. The concept described earlier, that people should control the data they create, will win acceptance in narrow but important areas. Over-arching these developments will be the desire on the part of governmental and private sectors for more data, and their increasingly efficient tools to get them. CPNI will continue to be an attractive resource to be tapped for commercial purposes, especially since marketing practices will empha- size more than ever detailed knowledge of market segments, including habits and demographics.3h Finally, the cost-effectiveness of using such data will be increasing.

Commercial users might argue that if data could be used to lower costs, these savings would be passed along to the consumer.37 Appreciation of the economics of data usage for commercial purposes might be especially keen among public utility commissioners who realize that the more profitable telcos are, the lower their rates for customers could be. This has obvious political and public policy appeal. Thus opposition from these important policy bodies in terms of data privacy may be muted, although in consumer-activist states the commissions will probably be barring access to personal data. In fact, some state commissions might even encourage access. These trends will result in lowering the threshold to CPNI and other customer data use by telcos and other commercial entities.

CPNI will return time and again to the specialized agenda of the telecommunications policy community. Players besides telecommunications service providers will seek access to residential CPNI, and it will be difficult to stop them. Policy-making organizations like the FCC will be under pressure from commercial ventures to allow wider access and perhaps even redefine CPNI to meet the growing needs of data-using organizations and network service providers. CPNI will be an element in the growing use of publicly available information by all sectors of society, from news reporters to market analysts.38 And inevitably there will be court and utility commission challenges by those seeking to retain privacy over information as well as those seeking its divulgance.

Present public policy concerning privacy is favourable to telephone company interests. I do not anticipate any immediate change in this situation. A longer-term problem will, I believe, prove extremely challenging for the telephone companies, namely the treatment of data possessed by them. They will be continuously evaluating the possiblities of packaging and selling their data, especially as BISDN or other intelligent networks are implemented. While regulations currently address this area, growing data availability will force this issue before


US tdrcommunicarions privucy policy

policymakers and will pose for telcos questions of appropriately exploiting their unique and often confidential position r,is-ri-vis their customers.

Telecommunications privacy as a societal value

Ultimately, it must be remembered that privacy is just one of many desirable goals and is often inversely related to another good: knowledge. Society has an important interest in harvesting information about itself and its members as well as protecting its constituent members’ privacy.

The US political system, although sometimes viewed by engineers and telecommunications managers as consisting of unpleasant horse- trading and showmanship, does determine the structure and profitabil- ity of the telecommunications industry (as witnessed by the break-up of AT&T and the regulatory determination of rates of return on telephone company investments). Consequently, it is important to underscore an important aspect of that system in the light of privacy policy: the rationalizing ideology which dominates the discussion of privacy. That ideology can be summed up by the word ‘balance’. The term means that privacy is one of many valuable goals, and that its pursuit. while worthy in itself, must not cause other highly valued goals to be forgone in the process. These other goals include safeguarding and husbanding economic investments, promoting governmental efficiency. and protecting society. In debates over privacy, policymakers frequently refer to the importance of ‘balance’ and their support of the concept. I believe that such verbal assertions of support are reflective of the true values held by these policymakers.

Telecommunications systems seek to allow people to get in touch with one another. This usually means less privacy for the individual. In order for the system to do its job it must, at the very least, know how to deliver information to the individual. In the past this has meant the system has had to know the user’s physical location. (Such will presumably be true for synchronous communication in the future, although not necessarily.) Consequently, the system knows something about the individual. The system’s possession and use of this information to some extent reduces the individual’s control over knowledge about him or herself. As communications systems become more personalized and tailored to an individual’s profile, it is likely that the system will know more about the individual. Not only will those who operate the system be in possession of potentially privacy-invasive information, but users may be able to exploit the system to gain or manipulate information about other individuals.

Paradoxically, while putting people in touch with each other electronically reduces an individual’s privacy as mentioned above, it can also increase their privacy at least in comparison with written communications. Being able to pick up the telephone, discuss a personal problem with a friend, hang up, and not have any record of the content

%avid Flaherty. Privacy in Colonial New of the communication is a far cry from the irregular movement of mail in

England, University of Virginia Press, Colonial America wherein envelopes were often dumped on a table in a Charlottesville, VA, 1972, p 116. 4oJames E. Katz, ‘Telecommunications

neighbourhood tavern where local residents could come in and sort

and computers: whither privacy policy poli- through the items at leisure. 39 The rise in personal privacy since then has

cy?‘. Sociery, November/December 1987, been due in large measure to the sociological and ideological forces that pp 81-86. have been described elsewhere,‘” but the argument could be forwarded


US IelecommunicaIions privacy polic_v

4’33% of the public believes that telephone companies share information about individuals with others, according to a 1983 poll. Telephone companies, when compared with nine other institutions, had the lowest proportion of the public believing that they shared personal information. The others, in order of increasing belief by the public that they shared personal information, were: the IRS, the FBI, public opinion polling firms, the Census Bureau, government welfare agencies, banks, in- surance companies, loan companies and credit bureaux. The poll was conducted by Louis Harris and Associates for Southern New England Telephone Company. See Southern New England Telephone, The Road After 1984: The Impact of Technolo- gy on Society, SNET, New Haven, CN, 1984, p 9.

that it has also been due in some part to the greater confidentiality allowed by evanescent, unrecoverable telephonic communications.

The specific contribution that telecommunications privacy makes to expanding and preserving human rights may be unclear, but the wide gulf between privacy standards to totalitarian versus democratic states suggests that privacy and human rights are at least related. Consequent- ly, there is an important social reason beyond meeting company goals for telephone companies wanting to maintain privacy of telecommunications usage and content. In addition, telcos have a vested interest in privacy protection. It is possible that people would use telecommunications services less if they were being monitored or if their privacy were in great doubt. One of the commercial strengths of the telephone companies is their high standing in the public’s mind; the public believes that telephone data is held in confidence.“’ The loss or forfeiture of this reputation would be a major intangible loss for the telephone companies, perhaps even a tangible one too.

Better security for society can at times mean less privacy for the individual. Likewise, complete privacy can endanger society’s security. Thus, security and privacy are often seen as conflicting goals, with an excess in one area leading to an abuse of the other. But security versus privacy is not necessarily a zero sum game. The highest challenge in this context for the architects both of our telecommunications system and of our policy system is not simply to balance these two often competing demands, but rather through a creative mix of technology and policy to increase individual privacy as well as user, system and societal security.


us telecommunications privacy policy

Documents