December 29, 1998

YEAR-END WORLDWIDE ROUND-UP ON INTERNET PRIVACY

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—The most prominent cyber-rights issue of the year is privacy. Several other pressing problems vie for top billing—such as freedom of expression, which was the subject of a recent Human Rights Watch report, or universal service, which got a battering in the United States as the government fought over the E-Rate for schools and libraries—but in historic world trends, privacy saw the most interesting developments.

The fight for privacy took contradictory paths this year. In toto, there will be more snooping and more data collection over the next few years. But some positive developments can also be seen.

The right of consumers to protect their personal information from businesses took a couple steps forward. At the same time, protections against snooping (particularly from the government) were weakened. Encryption, which is essential to all forms of privacy protection—as well as freedom of expression, as pointed out in the Human Rights Watch report—remains legislatively crippled.

A natural place to start our survey is the Communications Assistance for Law Enforcement Act, the earliest legal attention given by government to the Internet and, appropriately enough, the area also providing the most recent news.

CALEA, a law extending traditional wire-tapping capabilities to digital telephones, was proposed during the Bush Administration and passed in 1994. Every step was dogged by debates over how much power the law should give to the police. Amazingly, four years after the law’s passage and months after the original deadline for implementation, the combatants are still arguing over it.

The outlines of the new wire-tapping capabilities are now clearly drawn. But on December 14, various telephone companies submitted comments to the FCC complaining about some details in its proposed technical requirements. Several civil liberties groups (the Electronic Privacy Information Center, the Electronic Frontier Foundation, and the ACLU) raised similar concerns.

The technical arguments over requirements are arcane: for instance, should call-completion information include the keys pressed by a suspect after making a call, or should that keying information be given only when the police have the right to listen to the content of the call?

Arguments over details are not worth retelling here. The point made by the telephone companies is that the FBI is demanding, and the FCC willing to ratify, wire-tapping requirements that would raise telephony costs substantially, or worse still, require major technical design changes to wireless phones and networks. Telephone companies fight parts of CALEA for financial reasons, while the civil liberties groups talk of the frightening extension of governmental power.

Digital, wireless telephones expand the range of activities available to the public. It is now clear that, at least in small ways, CALEA will also expand the information available to the police through wire-taps, which have increased in number over the years.

Expanded access to law enforcement was not the intent of the law, but it is the outcome of negotiations over its implementation. One provision that law enforcement didn’t win as part of CALEA, “roving wiretaps” that cover a suspect rather than a particular phone, was granted without debate in either house of Congress in a separate law passed in October.

The goal of CALEA, which is to permit the government to tap into digital communications, spread internationally this year. Governments as diverse as Great Britain, Russia, and India proposed requirements for Internet providers to give law enforcement access to their customers’ personal communications—bypassing, in all cases, traditional legal checks on wiretapping.

Four weeks ago, the European Union proposed a sweeping surveillance system to be called ENFOPOL. It goes beyond CALEA by covering all digital communications (such as electronic mail), not just telephony.

ENFOPOL is an imitation of a mysterious global surveillance system called Echelon, whose operation is shrouded in the same kind of secrecy that used to completely hide the National Security Agency. Recent news reports exposing the existence of Echelon led some privacy advocates to hope that European governments would fight it, but they have taken warmly to the idea instead.

There is another wave sweeping the world, however, driven by public opinion. This movement calls for restrictions on databases, both in government and in private industry, and for control by individuals over critical data like their medical histories and purchasing habits.

October 1998 was to be the date when all member countries of the European Union were to adopt strict laws regulating what information is collected from people, how it is collected, and with whom it can be shared. On the same date, European countries were supposed to stop sharing data with companies in countries that lacked similar protections—a bold threat to bring international trade to a halt.

While governments around the world passed laws to protect privacy so that their trade with Europe would not be disrupted, U.S. representatives expressed confidence that no drastic severance of trade would occur. Their gamble paid off, because data exchange between the U.S. and Europe continues while negotiations over the privacy directive drag on.

Even in the EU, several countries have missed the deadline for passing privacy laws. But it is important to realized that many, notably Germany, have strong laws in place. These laws have proven that a modern economy can include privacy protection, and have formed the basis for the EU directive.

In the U.S., government and business tend to agree that restrictions on data sharing are costly and (the ranking sin of government) an expression of over-regulation. Polls show that the public takes a dramatically different view.

In the absence of laws, sophisticated tracking continues to encroach on privacy, through such systems as the Doubleclick service that allows multiple Web sites to share purchasing information. But a few cracks have appeared in the government’s anti-regulation position.

In June, after a year of investigating commercial practices on the Web, the Federal Trade Commission suggested for the first time that Congress pass a law to protect privacy. The scope of the proposed law was narrow—to keep sites from asking children under 13 for personal information unless their parents approved—but the very idea was an admission that self-regulation by businesses is not always enough. Furthermore, the FTC’s report contained an enormous amount of evidence that businesses were not taking privacy seriously.

The final major issue for our privacy wrap-up is encryption. Here, the status quo remains relatively untouched.

Encryption is a rare instance of a technology that works well and whose spread is hampered only by law. The U.S., where most encryption products are developed, has held back the export of strong encryption for decades through Commerce Department regulations, unshaken by many Congressional attempts to remove them.

Unlike the past few years, no law was introduced into Congress this year either relaxing or strengthening laws against encryption. Luckily, government proposals for cumbersome key escrow systems—where central databases keep users’ keys and hand them over to governments upon receiving legal wiretapping requests—have waned.

Perhaps the FBI is busy with other things, such as the investigation of campaign finance law violations (although one could ask then why it have done so little about them). Congress and the Clinton Administration also seem preoccupied with other matters. It is worth noting, however, that even impeachment is a cyber-rights issues, as it was driven forward by an illegal tape recording made by Linda Tripp.

The British government, however, has floated a plan for key escrow, and a law remains on the books in France requiring it for all encryption used in that country. There is no reason to believe that such a system will actually be feasible, though.

The main encryption battle took place around the international Wassenaar Agreement, which tries to control the spread of military and “dual use” technologies. The agreement always contained a place-holder for encryption, but it had serious holes and left many encryption experts hoping that it would prove useless in the face of movements in many nations to liberalize encryption.

Instead, at a conference that met earlier this month to update the agreement, the U.S. persuaded delegates to add clauses that essentially committed the 33 member countries to adopt restrictions like those in the U.S. Encryption of any strength can be developed and sold within these countries, but cannot be exported to a non-member country unless it includes a maximum key length of 56 bits—a length making it easy for governments (or anyone with a lot of computing power) to break the key and view the communication.

Having completed our privacy wrap-up, I will follow the poor example of many other journalists at this time of year and leap into the crystal ball with some predictions:

So that’s the scene. If you don’t like it, there is still time to speak up. Unless you feel safer keeping your opinions private.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles