 Electronic Communications |
Congressional Research Service Report 98-67Internet: An Overview of Six Key Policy Issues Affecting Its Use and Growth Updated November 5, 1998 Marcia S. Smith, Jane Bortnick Griffith, Richard M.
Nunno, John D. Moteff, and Lennard G. Kruger
|
| Title | Public Law and Bill Numbers |
| FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act | P.L. 105-277
H.R. 4328 |
| Division C, Title XI: Internet Tax Freedom Act | H.R. 1054 S. 442 |
| Division C, Title XIII: Children's Online Privacy Protection Act | S. 2326 |
| Division C, Title XIV: Child Online Protection Act | H.R. 3783 S. 1482 |
| Division C, Title XVII: Government Paperwork Elimination Act | S. 2107 |
| Protection of Children from Sexual Predators Act | P.L. 105-314
H.R. 3494/S. 2491 |
| Identity Theft and Assumption Deterrence Act | P.L. 105-318
H.R. 4151/S. 512 |
| Digital Millenium Copyright Act | P.L. 105-304
H.R. 2281/S. 2037 |
| Next Generation Internet Research Act | P.L. 105-305
H.R. 3332/S. 1609 |
Cryptography: Encryption and Digital Signatures
Cryptography can be used to ensure the confidentiality of data and messages (encryption), as well as to authenticate the sender of a computer message and to verify that nothing in the message has been changed (digital signatures).
Encryption
Encryption and decryption are methods of applying the science of cryptography to ensure the privacy of data and communications. CRS Issue Brief 96039, Encryption Technology: Congressional Issues, discusses the topic in more detail.
Cryptography traditionally has been the province of those seeking to protect military secrets, and until the 1970s relied on "secret key" cryptography where the sender and the recipient both had to have the same key. Thus a trusted courier or some other method was required to get the key from the sender to the recipient. The advent of "public key cryptography" in 1976 made it possible for encryption to be used on a much broader scale. In this form of cryptography, each user has a pair of keys: a public key available to anyone with which a message can be encrypted, and a private key known only to that user with which messages are decrypted. The "key pair" is electronically generated by whatever encryption product is used. In a hypothetical example, if Bob wants to sent a private e-mail message to Carol and ensure that no one else can read it, he obtains Carol's public key from Carol herself or from a publicly available list. Using Carol's public key, Bob encrypts his message. When Carol receives the message, she uses her private key to decrypt it. To reply to Bob, Carol gets Bob's public key from Bob or from a publicly available list and uses it to encrypt her response. When Bob receives the message, he uses his private key to decrypt it.
Use of strong (difficult to break) encryption is considered vital to the growth in use of the Internet, particularly for electronic commerce, because businesses and consumers want to protect the privacy of information exchanged via computer networks. When a message is encrypted, it is referred to as "ciphertext." That message is called "plaintext" before it is encrypted and after it has been decrypted. The Clinton Administration wants to ensure that authorized law enforcement officials and government entities can access the plaintext of a message if undesirable activity is suspected (terrorism, drug trafficking, and child pornography are often cited as examples). If the message is encrypted, they either have to break the encryption by "brute force" (trying all possible combinations until they get the right one), or get access to the decryption key.
The Clinton Administration has supported the wide use of strong encryption as long as it has a feature called "key recovery" to allow authorized law enforcement agents to access the plaintext in a timely manner by getting access to the decryption key. This has raised privacy issues. Also, although there are no limits on what type of encryption is sold in or imported into the United States, the Administration has sought to influence what type of products are available domestically by limiting exports, knowing that companies do not want to make one product for domestic use and another for export. This has raised industry concerns about placing U.S. computer hardware and software companies at a competitive disadvantage because they are subject to restraints on what they can export. The congressional debate today over encryption policy is focused on striking a "balance" among individual rights of privacy; the global competitiveness of U.S. companies making, using, or selling encryption products; promotion of secure electronic commerce; and law enforcement and national security needs to monitor undesirable behavior.
In December 1996, the Clinton Administration released temporary (two-year) export regulations designed to encourage computer hardware and software manufacturers to develop and implement key recovery technologies. Although there are other factors that affect the strength of an encryption product, the number of binary digits (bits) in the key has been used as the benchmark in this debate. The larger the number of bits, the more difficult it is to break the encryption. Under the interim regulations, companies were allowed to export 56 bit encryption products if they agreed to incorporate key recovery features into the product within the two years. If they already incorporated key recovery into the product, there was no limit on the bit length that could be exported (with some exceptions for banking.) Previously, only 40 bit encryption could be legally exported.
In September 1998, the Clinton Administration announced plans to allow the export of 56-bit encryption products without requiring provisions for key recovery, after a one-time review, to all users outside the seven "terrorist countries." The new policy will apply only to U.S. companies in the finance (which had already been granted in July), health care, insurance, and electronic commerce industries. Export of encryption products of any strength will be permitted to 42 designated countries if key recovery or access to plaintext is provided to a third party. The Administration will also support the FBI's proposal to establish a technical support center to help law enforcement in keeping abreast of encryption technologies. While industry groups approve of the new policy, they argue that 56-bit encryption has been broken and that stronger encryption is now necessary, and that the implementation of the new policy by federal agencies could possibly render it ineffective in increasing their ability to export encryption products. Privacy rights groups argue that the new policy will not increase the availability or use of 56-bit or stronger encryption by individual users of Internet communications.
There were seven bills in the 105th Congress addressing these encryption issues. Six of the seven bills (all except H.R. 1964) addressed the export issue. In summary, H.R. 695 (Goodlatte, as introduced), S. 376 (Leahy), and S. 377 (Burns), sought to relax export controls on encryption, although versions of H.R. 695 as reported from various committees had substantially different provisions. S. 909 (McCain) would have permitted easy export of 56 bit encryption without key recovery, and easy export of any strength encryption if it is based on a qualified system of key recovery. (S. 909 further provided that the 56 bit limit could increase as recommended by an Encryption Export Advisory Board established by the Act unless the President determines it would harm national security. The bill also allowed the President to waive any provision of the bill, including the export limits, in the interest of national security, or domestic safety and security.) Modifications to S. 909 announced by Senators McCain and Kerrey on March 4, 1998 included allowing U.S. companies to export products with optional recovery features to approved end users. S. 2067 (Ashcroft) allowed the removal of controls for encryption products deemed to be generally available in the international market, and allowed the Department of Justice to create a National Electronic Technologies Center to assist law enforcement in gaining efficient access to plaintext of communications and electronic information. The primary section of H.R. 1903 (Sensenbrenner) that dealt with export issues (section 7) was deleted before it passed the House, but the bill still called for export policy to be determined in light of the "public availability of comparable technology."
In the key recovery concept, a "key recovery agent" (or "key holder" in S. 376) would hold a copy of the decryption key. (Or the key could be split among two or more key recovery agents for added security.) Having access to such a "spare key" through a key recovery agent could be desirable for a user if a key is lost, stolen, or corrupted. Most parties to the encryption debate agree that market forces will drive the development of key recovery-based encryption products for stored computer data because businesses and individuals will want to be sure they can get copies of keys in an emergency. The questions involve the role of the government in "encouraging" the development of key recovery-based encryption, whether key recovery agents should be required to provide keys to duly authorized law enforcement officials, and the government's role in determining who can serve as key recovery agents. The Administration's 1996 interim regulations established criteria for key recovery agents that the Department of Commerce uses to support its decisions on whether or not to approve the export of key recovery encryption products. The Administration sought legislation to provide liability protection for such agents, as well as penalties if they make an unauthorized release of such information. S. 376 and S. 909 both addressed those issues. Under the Administration's new 1998 policy, key recovery business plans will not be required, and the regulatory requirements for key recovery agents will be reduced.
Another element needed for the widespread use of encryption is certificate authorities who would issue and manage electronic certificates (electronic records that identify a user within a secure information system) and verify that a particular individual is associated with a particular public key. This is especially important for the conduct of electronic commerce, for example, where buyers and sellers want to be assured of each other's identities. The combination of public key encryption and certificate authorities (some would add key recovery agents) is referred to as a "public key infrastructure" (PKI). There is debate over whether there should be a single, global PKI, or many different PKIs, but the establishment of one or more PKIs is expected to add the requisite element of "trust" to the Internet needed for its use to expand. H.R. 1903 (Sensenbrenner) called for a National Research Council study of PKIs.
Originally, S. 909 established mechanisms for the government to register key recovery agents and certificate authorities. While registration would have been voluntary, they would not have been fully covered by the bill's liability protections if they did not register. If a certificate authority registered with the government, it could only issue certificates to persons who had stored key recovery information with a government-registered key recovery agent or made other arrangements to assure lawful recovery of plaintext in a timely fashion. The linkage between certificate authorities and key recovery was controversial because some observers felt that the ability to issue certificates should be independent from the debate over key recovery. In March 1998, Senators McCain and Kerrey announced modifications to S. 909 including deletion of that linkage. H.R. 1964 (Markey) and H.R. 695 as reported from the House Commerce Committee prohibited conditioning the issuance of certificates on escrowing or sharing of encryption keys.
The Clinton Administration has not changed its policy that allows any type of encryption to be sold in or imported into the United States. However, on September 3, 1997 FBI Director Louis Freeh discussed domestic use restrictions at a hearing before the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information. He expressed the point of view that only encryption products with key recovery be sold or imported for sale in the United States. Apparently the FBI also had drafted legislation along those lines (reportedly for a House committee) and the issue of domestic use restraints has become an integral part of the encryption debate. Publicly, the Administration maintains that it is not proposing domestic use restraints, but it did not prevent the FBI Director from promoting that course of action. Civil liberties groups in particular are opposed to domestic use controls. S. 376 (Leahy), S. 909 (McCain), and S. 2067 (Ashcroft) all prohibited mandatory key recovery and provided that persons in any state (and U.S. persons in foreign countries per S. 376 and S. 2067) may use any type of encryption they choose except as otherwise provided by the Act. S. 377 (Burns), H.R. 695 (Goodlatte, as introduced), and H.R. 1964 (Markey) said that federal and state governments may not restrict or regulate the sale of encryption products solely because they have encryption. The House Intelligence Committee's version of H.R. 695 included provisions supportive of the FBI's position. A similar amendment was defeated by the House Commerce Committee during its markup of the bill.
On March 4, 1998, Vice President Gore wrote to Senator Daschle restating the Administration's desire for a "balanced approach" to encryption policy and seeking a "good faith dialogue" to "produce cooperative solutions, rather than seeking to legislate domestic controls." The letter added that the discussions could also enable additional steps to relax export controls on encryption products. On April 15, Secretary of Commerce Daley made a speech wherein he said that although the Administration's policy was the right one, its implementation was a failure. He urged both industry and government to strive harder to reach consensus on the issue. At an April 24, 1998 meeting of the Congressional Internet Caucus, Undersecretary of Commerce William Reinsch commented that the Administration was not seeking a legislative solution to encryption issues in the 105th Congress.
The changes made to the Administration's encryption policy in September 1998 could have been related to an announcement made in July 1998 by a group of software companies of their plans to develop a product to capture data that could be given to law enforcement before it is encrypted and sent over the Internet. Privacy advocates argued, however, that although that proposal might generate more business for companies offering encryption products, it did not satisfy the demands of advocates of electronic privacy.
On October 7, five Representatives and four Senators signed a letter to the Vice President supporting the Administration's new policy, but stating that it was only the first step. The letter also indicated that they plan to introduce bills similar to H.R. 695 and S. 2067 in the 106th Congress to foster the widespread use of the strongest encryption.
Digital Signatures
Another use of cryptography on the Internet is for authentication and verification. Digital signatures, which are unique to each individual and to each message, can be used in conjunction with certificate authorities to verify that the individuals on each end of a communication are who they claim to be and to authenticate that nothing in the message has been changed. Through the use of digital signatures, legally valid signatures can be produced for use in electronic commerce. Digital signatures typically encrypt only the identification information and not the content of a message. (Digital signatures are one type of electronic signature. In general, electronic signatures can refer to any electronically created identifier meant to authenticate a writing, but do not necessarily involve encryption.)
While neither law enforcement nor national security organizations oppose the use of digital signatures, many question whether a standard for digital signatures should be established to enhance electronic commerce. Of a total of 40 states that have enacted or are considering electronic signature laws, 10 have enacted digital signature or combination electronic/digital signature laws (Florida, Indiana, Minnesota, Mississippi, New Hampshire, New Mexico, Oregon, Utah, Virginia, and Washington). Another eight are considering them. These laws are summarized in Survey of State Electronic & Digital Signature Legislative Initiatives by Albert Gidari and John Morgan of Perkins Cole. The article is available on the Internet Law & Policy Forum's (ILPF's) Web site:http:// www.ilpf.org/digdig/digrep.htm . Links to the texts of the state laws are provided on another ILPF Web site, www.ilpf.org/digsig/digsig2.htm.
According to Gidari and Morgan, three models have developed at the state level: the "Utah" or "prescriptive" model with a specific public key infrastructure scheme including state-licensed certificate authorities; the "California" or "criteria-based" model that requires digital or electronic signatures to satisfy certain criteria of reliability and security; and the "Massachusetts" or "signature enabling" model that adopts no specific technological approach or criteria, but recognizes electronic signatures and documents in a manner parallel to traditional signatures. Some of the proposed state laws are general, applying to a wide range of government or private sector activities, while others are more narrowly cast. One controversial aspect of the debate over digital signatures is whether there should be a single federal law in place of the various state laws.
One bill regarding electronic signatures, the Government Paperwork Elimination Act (S. 2107), was enacted as part of the Omnibus Appropriations Act (P.L. 105-277). This measure directs the Office of Management and Budget (OMB) to establish procedures for executive branch agencies to accept electronic submissions using electronic signatures, and requires agencies to accept those electronic submissions except where found to be impractical or inappropriate. Specifically, within five years of enactment, executive branch agencies must provide for the option of electronic maintenance, submission, or disclosure of information as a substitute for paper. Within 18 months of enactment, OMB must develop procedures to permit private employers to electronically store and file with executive agencies forms pertaining to their employees. In addition, OMB, together with the National Telecommunications and Information Administration, is to conduct an ongoing study of the use of electronic signatures, including an analysis of its impact on paperwork reduction, electronic commerce, individual privacy, and the security and authenticity of electronic transactions, and report to Congress periodically on these issues. Electronic records generated from this law will have full legal effect, and information collected from an executive agency using electronic signature services may only be used or disclosed by those using the information for business or government practices. None of these provisions, however, will apply to the Department of Treasury or the Internal Revenue Service, if the provisions conflict with internal revenue laws or the Internal Revenue Service Restructuring and Reform Act of 1998 or the Internal Revenue Code of 1986.
Two other bills were introduced in the House and one in the Senate regarding digital signatures -- H.R. 2937 (Baker), H.R. 2991 (Eshoo), and S. 1594 (Bennett). Also, the House passed H.R. 1903, the Computer Security Enhancement Act, on September 16, 1997, and the Senate Commerce Committee reported on the bill on October 13, 1998. H.R. 1903 included a provision establishing a panel to develop policy, guidelines, and technical standards for digital signatures. The House Banking Committee held a hearing on the federal role in electronic authentication on July 9, 1997. The House Science Committee held a hearing on digital signatures on October 28, 1997. The Senate Banking Committee held a general hearing on the topic on October 28, 1997 and specifically on S. 1594 on March 11, 1998. The Senate Commerce Committee held a hearing on S. 2107 on July 15, 1998.
Computer Security
Although unauthorized access to computer networks ("hacking") is by no means a new problem, growing use of the Internet increases the threat. Hacking or "cracking"(hacking with the intent to do harm) is a growing problem both for the government and the private sector. The extent of the problem is difficult to quantify because many institutions do not want the negative publicity associated with public acknowledgment of hacking attempts (whether successful or not). Also, many attempts to hack into a computer system may go undetected.
A 1996 report by the Senate Governmental Affairs Permanent Select Subcommittee on Investigations, together with a related series of hearings and a General Accounting Office report (GAO/AIMD-96-84) have provided some estimates. The GAO study referenced an assessment by the Defense Information Systems Agency that Department of Defense computers may have been attacked 250,000 times during 1995. The assessment added that the number may represent just a small fraction of the attempts because only an estimated 1 in 150 attacks are detected and reported. In the private sector, the subcommittee's report cited an estimate from one private security company that the private sector had lost $800 million in 1995 due to computer intrusions. Most losses have not been publicly acknowledged, however.
A 1998 survey by the Computer Security Institute (CSI) conducted in cooperation with the FBI reported that of the 520 responses from commercial, government, and academic security practitioners, 64% reported security breaches (an increase of 16% over its 1997 survey results). Breaches included theft of proprietary information, sabotage, insider abuse of Internet access, financial fraud, spoofing, denial of service, viruses, telecommunications fraud, wiretapping, eavesdropping, and laptop theft(1). Based on respondents' estimates, total financial losses in 1998 amounted to $137 million. However, only 46% of those reporting losses were able to quantify them. Therefore, the financial losses may be much greater. Financial losses include not only direct costs (theft of funds, costs to repair databases) but also indirect costs such as system "down-time" and, if measurable, losses due to loss of confidence. Tables from the CSI report and a press release are available at http://www.gosci.com/prelea11.htm.
Computer security administrators lament that not enough attention and resources are being paid to the security risks associated with networked systems. Even where the problems are recognized, fixes need to solve "Year 2000" problems (see CRS Issue Brief 97036) are taking precedent. Nevertheless, the market for computer security assessments and security products is growing. And, because of the demand for knowledgeable personnel, many former "hackers" are making legitimate money in the security business. Some security specialists insist that this is not without its risks.
Rules and regulations governing the security of federal computer systems are guided by the Computer Security Act of 1987 (P.L. 100-235) and OMB Circular A-130, Annex III. The Act requires each agency to submit to the Office of Management and Budget (OMB) a security plan. OMB chairs an interagency committee of Chief Information Officers (CIOs) in which a subcommittee is devoted to security issues. In addition, the Act authorizes the National Institute of Standards and Technology (NIST) to set standards for all civilian unclassified government systems. The National Security Agency (NSA) does the same for the federal government's classified computer systems. NIST and NSA have recently formed a partnership, along with a few other foreign countries, that is providing common criteria for certifying security products. This partnership facilitates an international market in security products.
Various federal agencies also have groups that will perform vulnerability analyses on federal systems, recommend fixes to problems identified, and to assist in integrating those fixes into systems. A variety of agencies have also set up computer emergency response teams (CERTs) that help system administrators deal with intrusions and the problems that might arise. The CERT at Carnegie Mellon University was established to provide such services to Internet users anywhere in the country and has recently signed a contract with the General Services Administration to provide similar services to government agencies that may not have their own capability.
Of growing concern is the risk hacking poses to America's basic infrastructures (e.g., transportation systems, electric utilities), which increasingly rely on networked computer systems (see CRS Report 98-675, Critical Infrastructures: A Primer). The President's Commission on Critical Infrastructure Protection (PCCIP) issued a report in November 1997 regarding the "cyberthreat" to five of the nation's basic infrastructures -- information and communications, banking and finance, energy (including electric power, oil, and gas), physical distribution, and vital human services. While not finding an immediate crisis, the PCCIP concluded that the nation's infrastructures are vulnerable and the consequences threatening to the security of the nation. The report, Critical Foundations: Protecting America's Infrastructures, led to a Presidential Decision Directive (PDD-63) that was released May 22, 1998.
PDD-63 sets as a national goal the ability to protect critical infrastructures from intentional attacks (both physical and cyber) by 2003. It sets up an organizational structure for achieving this goal. Nineteen critical infrastructures (including four for which the federal government has the primary responsibility) have been identified. A lead agency has been assigned to each infrastructure. The lead agency is to work with the appropriate private sector actors, and state and local governments in developing a national plan for their sector. Each plan is to include a vulnerability assessment, a remedial action plan, appropriate warning procedures, response strategies, reconstitution of services strategies, education and awareness program, research and development needs, intelligence enhancements, international cooperation, and any legislative and budgetary requirements.
A Critical Infrastructure Assurance Office is being set up in the Department of Commerce to help coordinate the development of these plans. A Critical Infrastructure Coordination Group, an interagency group, will address interdependencies between agencies and sectors. The Group is chaired by a National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, and will report to the President through the Principal's Committee of the National Security Council on progress in implementing the PDD and the development of the national plans. The National Coordinator will also be the Executive Director of a National Infrastructure Assurance Council which will act as a Presidential advisory panel and include private, and state and local representatives.
PDD-63 also authorizes the Federal Bureau of Investigation to be the executive agent for a National Infrastructure Protection Center (NIPC). According to PDD-63, the NIPC will be the operational focal point for coordinating federal response to "attacks." The NIPC will also be the federal point of contact for developing threat analyses, issuing warnings and sharing information regarding intrusions, hacking methods and fixes. The NIPC will draw upon expertise found throughout the federal government. The PDD encourages the private sector to set up a parallel center to interact with the NIPC. The Joint Economic Committee held a hearing on "Cybercrime, Transnational Crime and Intellectual Property Theft" on March 24, 1998 highlighting the FBI's role in fighting such crime.
The federal computer fraud and abuse statute, 18 U.S.C. 1030, addresses protection of federal and bank computers, and computers used in interstate and foreign commerce. CRS Report 97-1025, Computer Fraud & Abuse: An Overview of 18 U.S.C. 1030 And Related Federal Criminal Laws, provides more information on the statute. In general, it prohibits trespassing, threats, damage, espionage, and using computers for committing fraud.
In December 1997, acknowledging the growing problem of crime on the Internet, the United States, Britain, Canada, France, Germany, Italy, Japan and Russia agreed on steps to fight computer crimes: insure that a sufficient number of trained and equipped law enforcement personnel are allocated to fighting high-tech crime; establish high-tech crime contacts available on a 24-hour basis; develop faster ways to trace attacks coming through computer networks to allow for identification of the responsible hacker or criminal; where extradition of a criminal is not possible, devote the same commitment of time and resources to that prosecution that a victim nation would have devoted; preserve information on computer networks so computer criminals cannot alter or destroy electronic evidence; review legal systems to ensure they appropriately criminalize computer wrongdoing and facilitate investigation of high-tech crimes; and work with industry to devise new solutions to make it easier to detect, prevent and punish computer crimes.
Computer Fraud and Scams, Protection of Personal Information, and General Computer Privacy Issues
Computer networks offer a new mechanism for the commission of fraud and scams against unwitting consumers. Although the types of fraud and scams that have been identified on the Internet are not new, perpetrators have easy access to a wide audience via the Internet. The Senate Governmental Affairs Committee's Permanent Subcommittee on Investigations held a hearing on the topic on February 10, 1998. On July 14, 1998, the Federal Trade Commission (FTC) released a list of the 12 most common scams found in unsolicited commercial electronic mail (for a general discussion of unsolicited email, see below). The list is available on the World Wide Web at http://www.ftc.gov./opa/9807/dozen.htm. The Securities and Exchange Commission (SEC) established a new Office of Internet Enforcement to handle Internet fraud cases in July 1998. The SEC reported that since 1995 it had brought more than 30 cases involving Internet-related securities fraud and now was receiving 120 complaints daily about Internet-related potential securities violations. On October 28, 1998, the SEC filed 23 enforcement actions against 44 individuals and companies for using the Internet to commit stock fraud (the SEC's press release is available at http://www.sec.gov/news/netfraud.htm).
As noted above, 18 U.S.C. 1030 addresses computer fraud, and the United States and seven other countries agreed in December 1997 to coordinate their efforts at fighting computer crime, including fraud. On May 12, 1998, just prior to President Clinton's attendance at the G-8 meeting, the White House announced an International Crime Control Strategy (ICCS) to provide new authorities and resources to fight international crime including fraud involving credit cards and other access devices, and authorizing wiretapping for investigations of felony computer crime offenses.
Consumer identity theft, in which one individual assumes the identity of another using personal information such as credit card and Social Security numbers, is also seen as increasing due to the widespread use of computers for storing and transmitting information. Congress directed the Federal Reserve Board to study the issue of the availability to the public of sensitive identifying information, whether such information could be used to commit financial fraud, and the risk to insured depository institutions. Its March 1997 report, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud, concluded that there are insufficient data to draw conclusions about losses from this particular subset of financial fraud. Although the Board noted that anecdotal information suggested that type of fraud is increasing, it concluded that the losses are a small part of overall fraud losses and do not pose a significant threat to insured depository institutions. A May 1998 General Accounting Office report, Identity Fraud: Information on Prevalence, Cost, and Internet Impact is Limited (GAO/GGD-98-100BR), also found that few statistics are available on identity fraud, but that many of the individuals it interviewed believe the Internet increases opportunities for identity theft and fraud.
Many bills were introduced in the Senate and House regarding protection of personally identifiable information generally, and especially Social Security numbers. Some of the legislation was targeted towards all consumers, while other bills focused primarily on preventing acquisition of a child's personally identifiable information without a parent's knowledge, or attempting to obtain information about parents from children. Four bills concerning protection of personal identifiable information were introduced in the Senate (S. 504, Feinstein; S. 512, Kyl; S. 600, Feinstein, and S. 2326, Bryan) and 12 in the House (H.R. 98, Vento; H.R. 1287, Franks; H.R. 1330, Kanjorski; H.R. 1331, Kennelly; H.R. 1367, Barrett; H.R. 1813, Kleczka; H.R. 1964, Markey; H.R. 1972, Franks; H.R. 2368, Tauzin; H.R. 3551, DeLauro; H.R. 3601, Shadegg; H.R. 4151, Shadegg; and H.R. 4667, Markey). CRS Report 97-833, Information Privacy, provides more information on the legal aspects of these issues.
Of all those bills, the only legislation that passed Congress concerns identify theft (S. 512/H.R. 4151) and requiring parental consent for the collection, use, and distribution of information about children under 13 (S. 2326).
The Senate passed S. 512 (Kyl) on July 30. The House passed H.R. 4151 (Shadegg) on October 7 after modifying it to more closely resemble S. 512. The Senate then passed H.R. 4151 on October 14. The bill was signed into law on October 30 (P.L. 105-318). The bill sets penalties for persons who knowingly, and with the intent to commit unlawful activities, possess, transfer, or use one or more means of identification not legally issued for use to that person. Vice President Gore hailed the passage of S. 512 in a July 31 press conference (see below). The House Judiciary Subcommittee on Courts and Intellectual Property held a general hearing on privacy in electronic communications on March 26, 1998. That Committee's Subcommittee on Crime held a hearing on H.R. 1972 and related legislation on April 30, 1998.
Congress and the Administration devoted considerable attention to the overall issue of protecting privacy on the Internet. Despite the large number of bills that were introduced, the focus of both branches of government is to encourage industry to self-regulate rather than passing new laws. As noted, the only bill that passed concerns the collection, use, and dissemination of information about children (S. 2326, see below).
Voluntary self regulation is the focus of the Clinton Administration's approach to Internet privacy. In its July 1997 report, A Framework for Global Electronic Commerce, the Administration endorsed industry self regulation for protecting consumer Internet privacy, stressing that if industry did not self-regulate effectively, the government might have to step in, particularly regarding children's Internet privacy.
The Federal Trade Commission (FTC) held a public workshop in June 1996 that addressed general issues of online privacy. Another workshop, in June 1997, focused on the collection of information about consumers by companies that operate computerized databases of personal information, called "individual reference services" or "look-up services." Just prior to the workshop, several of those companies announced voluntary principles they would follow to protect consumer privacy. In December 1997, the FTC released a report on the workshop and the industry principles: Individual Reference Services: A Report to Congress http://www/ftc/gov/opa/9712/inrefser.htm. Among the principles are that individual reference services will not distribute to the general public non-public information such as Social Security numbers, birth dates, mother's maiden names, credit histories, financial histories, medical records, or any information about children. Look-up services may not allow the general public to run searches using a Social Security number as a search term or make available information gathered from marketing transactions. Also, consumers will be allowed to obtain access to the non-public information maintained about them and to "opt-out" of that non-public information. The FTC noted that the principles did not address all areas of concern and made a number of recommendations accordingly.
On July 16, 1997, the FTC issued a letter advising the online industry that it was a deceptive practice to collect personal information from children without fully disclosing to parents how the data would be used and that Web sites must obtain parental permission before releasing such data to third parties. In December 1997, the FTC conducted a survey of 126 children's Web sites to determine the extent to which information collection practices were being disclosed. It found 86% of the Web sites collected information from children but fewer than 30% posted a privacy policy statement and only 4% required parental notification. Another survey was conducted in June 1998 of a broader range of 1,400 Web sites intended for children or adults. In its subsequent report, Privacy Online: A Report to Congress http://www.ftc.gov/reports/privacy3/index.htm, the FTC reported that of the 212 children's sites in this survey, 89% collected personal identifiable information but only 54% disclosed their information collection practices and fewer than 10% provided any form of parental control. The survey also included 674 commercial Web sites of which 92% collected personal information. Only 14% provided any notice of their information collection practices and only 2% provided a comprehensive privacy policy.
Frustrated at those results, the FTC announced on June 4, 1998 that it would seek legislation protecting children's privacy on the Internet by requiring parental permission before a Web site could request information about a child. Vice President Gore issued a statement supporting the FTC's actions. Earlier, on May 14, the Vice President had called for an "electronic bill of rights" to protect consumers' privacy. He encouraged Congress to pass medical records privacy legislation (see CRS Issue Brief 98002), and announced the establishment of an "opt-out" Web site http://www.consumer.gov by the FTC to allow individuals to indicate they do not wish personal information passed on to others. At a June 23-24, 1998 "summit" on Internet privacy organized by the Department of Commerce at the direction of the White House, Secretary of Commerce Daley warned industry that the Administration would seek legislation to protect all online consumers if industry did not accelerate its privacy protection efforts in general.
The House Commerce Committee's Subcommittee on Telecommunications held a hearing on H.R. 2368, the Data Privacy Act (Tauzin), on July 21, 1998. The bill would have provided incentives to industry to develop and implement voluntary privacy guidelines. The hearing focused on efforts to encourage the private sector to self regulate in this area. At the hearing, FTC Chairman Pitofsky said the FTC would wait until the end of the year to propose such legislation for adults to give industry one last chance to self regulate. He outlined the framework for such potential legislation at the hearing. Industry representatives defended the pace of their efforts to develop "seals of approval"for Web sites that clearly explain their privacy policies to users and agree to work with organizations overseeing the seals (such as the Better Business Bureau or TRUSTe) to resolve consumer complaints. Representatives of the Center for Democracy and Technology and the Center for Media Education expressed concern that self-regulation was insufficient to protect privacy on the Web. The Direct Marketing Association witness emphasized that many privacy concerns are about "chat rooms" and electronic mail, not Web sites, and each type of Internet usage needs to be treated separately.
On July 31, 1998, Vice President Gore addressed a wide range of privacy issues, reiterating his call for Congress to pass legislation protecting medical records, hailing passage of S. 512 (discussed above) as a first step towards dealing with identity theft issues, and asking Congress to pass legislation requiring parental consent before information is collected about children under 13. The Vice President renewed the Administration's emphasis on industry self-regulation, but noted the test of success would be the degree of industry participation.
Congress did pass legislation requiring operators of Web sites to obtain verifiable parental consent before collecting, using, or disseminating information about children under 13, and allowing parents to "opt out" of dissemination of information already collected about that child. It was included as the Children's Online Privacy Protection Act (originally S. 2326, Bryan), which is Title XIII of Division C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act (P.L. 105-277). The Senate Commerce Committee held a hearing on S. 2326 on September 23. Medical records confidentiality legislation did not pass, however.
Many European countries believe that strong measures are needed to protect privacy in the processing of personal data. Over a period of many years, the European Union (EU) developed a policy referred to as the "European data directive" that requires member countries to pass laws prohibiting the transfer of personal data to countries that are not members of the EU ("third countries") unless the third countries ensure an "adequate level of protection" for personal data. The directive went into force on October 26, 1998. Since the United States does not have such legislation in force, the U.S. Department of Commerce is working with the EU to ensure that business between Europe and the United States is not disrupted. It is expected that the EU will accept some type of certification developed by the Commerce Department and industry that U.S. companies are satisfying the intent of the EU data directive (formally entitled "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data"). For more information on the history and content of the EU data directive, see: The European Union's Data Protection Directive: Selected Issues by Gina Stevens, CRS American Law Division General Distribution Memorandum, June 5, 1998.
Protecting Children from Unsuitable Material and Sexual Predators
Concern is growing about what children are encountering over the World Wide Web, particularly in terms of indecent material or contacts with strangers who intend to do them harm. The private sector has responded by developing filtering and tracking software to allow parents either to prevent their children from visiting certain Web sites or to provide a record of what sites their children have visited.
Congress passed the Communications Decency Act (CDA) as part of the 1996 Telecommunications Act (P.L. 104-104). Among other things, CDA would have made it illegal to send indecent material to children via the Internet (see CRS Report 97-841, Indecency: Restrictions on Broadcast Media, Cable Television, and the Internet). In June 1997, the Supreme Court overturned the portions of the CDA dealing with indecency and the Internet. (Existing law permits criminal prosecutions for transmitting obscenity or child pornography over the Internet.) Congress now has passed a replacement law, the Child Online Protection Act (see below).
Prohibiting Access by Children to Material That is "Harmful to Minors". Congress passed the Child Online Protection Act as part of the Omnibus Appropriations Act (P.L. 105-277, Title XIV of Division C). The language is based on S. 1482 (Coats) and H.R. 3783 (Oxley). The new law prohibits commercial distribution of material over the Web to children under 17 that is "harmful to minors." Web site operators are required to ask for a means of age verification such as a credit card number before displaying such material. It replaces provisions of the 1996 Communications Decency Act that were overturned by the Supreme Court. (See CRS Report 98-670 A, Obscenity, Child Pornography, and Indecency: Recent Developments and Pending Issues and CRS Report 98-328 A, Restrictions on Minor's Access to Material on the Internet.) By limiting the language to commercial activities and using the court-tested "harmful to minors" language instead of "indecent" as was used in the 1996 Act, the sponsors hope to have drafted a law that will survive court challenges. The American Civil Liberties Union (ACLU) and others filed suit against the new law in the U.S. District Court for the Eastern District of Pennsylvania on October 22, the day after President Clinton signed the bill into law.
The Senate Commerce Committee had held a hearing on S. 1482 on February 10, 1998 and reported the bill on June 25 (S.Rept. 105-225). The language of the bill was adopted as a Coats amendment to the FY1999 Commerce, Justice, State appropriations bill (S. 2260) on July 21. The House Commerce Telecommunications Subcommittee held a hearing on H.R. 3783 and related issues on September 11. That bill was reported from the Commerce Committee (H.Rept. 105-775) on October 5 and passed the House on October 7. It then was incorporated into the Omnibus Appropriations Act (Title XIV of Division C). A modified version of the Coats language also was attached to the Internet Tax Freedom Act, S. 442, which became Title XI of Division C of the Omnibus Appropriations Act.
The Child Online Protection Act establishes a Commission on Online Child Protection to conduct a one-year study of technologies and methods to help reduce access by children to material on the Web that is harmful to minors. Separately, the House adopted a Jackson-Lee amendment to H.R. 3494 (discussed below) on June 11 that required the FBI to prepare a study within two years on the capabilities of current computer-based control technologies to control the electronic transmission of pornographic images and identify needed research to develop such technologies and any inherent, operational, or constitutional impediments to their use. Similar language was included in the final version of H.R. 3494 (P.L. 105-314) although the National Academy of Sciences, not the FBI, is designated to perform the study.
Filtering Software. Although Congress considered legislation to require schools and libraries to use filtering software to screen out objectionable Web sites, no legislation passed. However, Congress did include a provision in the Child Online Protection Act requiring online service providers to advise parents that such software is available.
Software to block access to Web sites or e-mail addresses has existed for many years (commercial products include Cyber Patrol, Cyber Sitter, Net Nanny, Net Shepard, and SurfWatch). Other products (such as Net Snitch) do not prohibit access to sites, but maintain a record that a parent can review to know what sites a child has visited. Some filtering products screen sites based on keywords, while others use ratings systems based on ratings either by the software vendor or the Web site itself. Both types of ratings are becoming more available as industry attempts to self-regulate to stave off governmental regulation. Existing filtering software products have received mixed reviews, however, because they cannot effectively screen out all objectionable sites on the ever-changing Web, or because they inadvertently screen out useful material. Three House bills were introduced to require Internet service providers to offer filtering software to parents: H.R. 774 (Lofgren); H.R. 1180 (McDade); and H.R. 1964 (Markey). The Senate adopted a Dodd amendment to the FY1999 Commerce, State, Judiciary appropriations bill (S. 2260) on July 23 that required Internet service providers to offer filtering software to customers. Similar language was included in the Child Online Protection Act (discussed above).
Some privacy groups object to filtering software because of the amount of useful information to which it denies access. A November 1997 report on filtering software was released by the Electronic Privacy Information Center (EPIC) entitled Faulty Filters: How Content Filters Block Access to Kid-Friendly Information on the Internet http://www2.epic.org/reports/filter-report.html. EPIC tested a filtering program called Net Shepard, searching the Web for sites it expected to be useful to and suitable for children. For example, EPIC searched for Web sites about the "American Red Cross" (entered into the search engine in quotes to ensure that only items with that exact set of words in that order would be returned) with and without Net Shepard activated. EPIC reported that Net Shepard prevented access to 99.8% of the sites. From this and other similar examples, EPIC concluded that in the effort to protect children from a small amount of unsuitable material, they were being denied access to a large amount of suitable information. Many privacy advocates also feel that filtering is a form of censorship. Other critics object to the fact that a parent would not know specifically what sites or words a particular software product was blocking out.
A particular focus of the debate has become filtering systems for schools and libraries. Policies adopted by local communities reflect the spectrum of attitudes on this topic. Some are choosing to allow children to use computers at local libraries only with parental permission, some are using filtering software, and others are choosing no restrictions.
Senator McCain and Representative Franks introduced bills (S. 1619 and H.R. 3177) to require schools receiving federally-provided "E-rate" subsidies through the universal service fund to use filtering software to block out Internet sites that might contain material inappropriate for children. (For information on universal service and the E-rate, see CRS Issue Brief 98040, Telecommunications Discounts for Schools and Libraries: the "E-Rate" Program and Controversies). As proposed, the bills would have required libraries receiving E-rate funds to have one or more computers that use filtering software. The determination of what is inappropriate was left to the school, school board, library, or "other authority responsible for making the required certification." Supporters of the requirement for filtering systems argued that children must be protected from inappropriate material, particularly when their parents are not present to supervise them. Opponents argued that it is censorship, that the filtering software also prevents access to appropriate sites, and that such decisions should be left to the local community.
The Senate Commerce Committee reported S. 1619 on June 25 (S.Rept. 105-226). The Senate adopted that language as an amendment to a Coats amendment to the FY1999 Commerce, Justice, State appropriations bill (S. 2260) on July 21. (The Coats amendment concerned commercial distribution via the World Wide Web of material that is harmful to minors, discussed elsewhere). The House Appropriations Committee took a broader approach, adopting an Istook amendment to the FY1999 Labor-HHS appropriations bill (H.R. 4274) that required schools and libraries to install filtering software if they receive funds under any federal agency program or activity to acquire or operate any computer that is accessible to minors and has access to the Internet. Neither was included in the final version of those appropriations bills, both of which were incorporated into the Omnibus Appropriations Act.
Sexual Predators on the Internet. Congress also was concerned about sexual predators using the Internet to entice children. Because conversations can take place anonymously on the Internet, a child may not know that (s)he is talking with an adult. The adult may persuade the child to agree to a meeting, with tragic results. Congress passed H.R. 3494 (P.L. 105-314) to address those and other non computer-related issues related to protecting children from sexual predators.
Hearings were held by the House Judiciary Committee's Subcommittee on Crime on H.R. 3494, and related legislation on November 7, 1997 and April 30, 1998. H.R. 3494 passed the House on June 11 with a number of amendments added during committee markup on May 6 (H.Rept. 105-557) or on the floor, several of which are discussed elsewhere in this section. A Senate bill, S. 2491 (Hatch), was subsequently introduced with modifications to H.R. 3494. The Senate Judiciary Committee adopted its language as a substitute for H.R. 3494 during markup on September 17 and passed the substitute version on October 9. The House agreed to the Senate version on October 12. The bill, the Protection of Children from Sexual Predators Act, was signed into law on October 30 (P.L. 105-314). The Senate also had adopted a Moseley-Braun amendment on July 23 to the FY1999 Commerce, Justice, State appropriations bill (S. 2260) based on S. 1965 that contained some provisions similar to those in H.R. 3494.
Among its provisions as enacted, the law --
Legislation also was considered, but did not pass, to prevent sexual predators as defined in section 170101(a)(3) of the Violent Crime Control and Law Enforcement Act of 1994 from obtaining Internet accounts that could allow them to contact children (S. 1356, Faircloth; H.R. 2791, Roukema). Another House bill, H.R. 2815 (Weller), would have made it a crime to target children for sexually explicit messages or contacts.
A Faircloth amendment to the FY1999 Commerce, Justice, State appropriations bill (S. 2260) was adopted on July 22 giving the FBI administrative subpoena authority in cases involving a federal violation related to sexual exploitation and abuse of children. The provision is intended to make it easier for the FBI to gain access to Internet service provider records of suspected sexual predators. It was included in the final version of the Omnibus Appropriations Bill (P.L. 105-277, section 122 of General Provisions--Justice Department).
Other Legislation Related to Protecting Children. As already discussed, P.L. 105-314 (H.R. 3494) contains a number of provisions related to the protection of children other than the sexual predator issue. Other House bills were also considered related to protecting children and in some cases provisions similar to the bills were ultimately included in H.R. 3494 or other legislation. H.R. 2173 (Franks) would have required Internet service providers to report to law enforcement officials instances of suspected child abuse they discover or that are brought to their attention by users. The House Judiciary Committee's Subcommittee on Crime held a hearing on H.R. 2173 and related legislation on April 30, 1998, and language similar to H.R. 2173 was included in the final version of H.R. 3494. H.R. 3729 (Pryce) was very similar to language included in the final version of H.R. 3494 prohibiting federal prisoners from having unsupervised access to the Internet. H.R. 3985 (Lampson) would have authorized $2 million per year for FY1999-2002 for the U.S. Customs Service's International Child Pornography Investigation and Coordination Center to deal with the increase in child pornography activities due to the Internet. While that specific language did not pass, the Omnibus Appropriations Act (P.L. 105-277) sets aside $2.4 million in the Customs Service appropriation to double the staffing and resources for the child pornography cyber-smuggling initiative and provides $1 million in the Violent Crime Reduction Trust Fund for technology support for that initiative.
In the Senate, S. 900 (Feingold) would have amended federal sentencing guidelines to enhance a sentence "if the defendant used a computer with the intent to persuade, induce, entice, or coerce a child ... to engage in any prohibited sexual activity." S. 900 was reported from the Senate Judiciary Committee on October 9, 1997 without written report. Similar language was included in the final version of H.R. 3494 (P.L. 105-314).
Part of the concern about unsuitable material on the Internet involves unsolicited advertising ("junk e-mail") that contains pornography or links to pornographic Web sites (see below).
Industry Response. The Internet community is anxious to avoid legislation. At a "Kids Online Summit" in December 1997, several major players in the Internet industry pledged to do what they could to make the Internet safer for children. America Online (AOL), one of the largest Internet service providers, for example, announced a new policy stating that "when child pornography is appropriately brought to our attention and we have control over it, we will remove it. Subject to constitutional safeguards and statutory privacy safeguards, we will cooperate fully with law enforcement officials investigating child pornography on the Internet." AOL, AT&T, and Microsoft promised to offer filtering software to parents and implement an outreach and educational campaign to increase its use. Those companies and others debuted a public awareness and educational campaign called "America Links Up: A Kids Online Teach-in" http://www.americalinksup.org/ on September 15, 1998 during National Kids Online Week. It includes public service announcements, teach-ins around the country, information and guidance for parents, and a videotape. The campaign advises parents to "take the trip together" with their children so they know what sites are being visited.
Privacy of Personal Information in Government Databases
The growth in the use of the Internet for providing government services raises similar concerns about how to ensure the confidentiality of personal information. Use of computer and telecommunications technologies by government agencies for storing, accessing, and disseminating information offers the advantages of potentially reducing costs, while simultaneously improving customer service. For these reasons, agencies have placed considerable emphasis on developing online access to information and enhancing the ability of citizens to supply information electronically to the government to receive services or comply with rules and regulations. Both the Administration's National Performance Review (NPR) effort and its National Information Infrastructure (NII) initiative emphasized the use of information technology for improving efficiency of government operations, increasing citizen access to government information, and providing better service to individuals.
As these efforts move from the planning to the operational phases, agencies are faced with the need to provide adequate privacy protections for these systems and services. While the Internet offers considerable advantages in terms of the ease with which large numbers of people can interact with agency computer systems, it also lacks security. It is critical for the success of these new "electronic government" initiatives that the public has confidence that personal privacy is not jeopardized. Thus, agencies must develop adequate procedures and apply technological safeguards to ensure that confidentiality of agency records is not compromised.
An example is the development of an online Personal Earnings and Benefit Estimate Statement (PEBES) by the Social Security Administration (SSA). As summarized in its September 1997 report Social Security: Privacy and Customer Service in the Electronic Age, the SSA initiated an online PEBES service in March 1997, following earlier pilot testing and after considerable study and developmental work. The system allowed individuals to query the system for their PEBES data and receive instantaneous response over the Internet. People needed to supply five authenticating elements (name, social security number, date of birth, state of birth, and mother's maiden name) to gain access to the data. While these authentication procedures were consistent with what is required using SSA's 800-number and for written requests, there was a strong public response to potential privacy abuses.
The concerns centered on the fact that the authenticating data are readily available from a variety of sources and thus PEBES information could be obtained by those other than the individual whose records would be provided. In response to these concerns, SSA suspended operation of the online PEBES system and held six public forums around the country to solicit comments from experts and interested citizens. Based upon the input received from these forums and other sources, such as congressional hearings, SSA concluded that it would provide a modified version of online PEBES on the Internet with additional security and authentication safeguards. The now-operational modified system of online PEBES allows requests to be made via the Internet but responses are sent via mail. Since the law requires SSA to provide, by 1999, PEBES statements each year to all workers 25 and older, SSA considers it a very high priority to establish an online PEBES system that will meet necessary security and privacy standards. It has announced plans to implement additional safeguards using a public key infrastructure in the future.
The SSA example is indicative of a major trend toward greater use of the Internet for these types of government functions. Congress passed the Government Paperwork Elimination Act (Title XVII of Division C of the Omnibus Appropriations Act, P.L. 105-277) that directs the Office of Management and Budget to develop procedures for the use and acceptance of "electronic" signatures (of which digital signatures are one type) by executive branch agencies. Legislation (H.R. 2991, Eshoo) that would have required agencies to create online versions of their forms and make them accessible to the public, did not pass. It was intended to enable citizens to fill out forms online, return them (along with payments, such as taxes owed), and verify the transactions using digital signature technology.
Major legislative changes to the welfare, immigration, and health care payments systems also necessitate the creation of large scale databases to monitor the status of applicants for programs. For example, the Personal Responsibility and Work Opportunity Reconciliation Act, P.L. 104-193 (welfare reform), establishes new federal databases for all new hires nationwide, quarterly wage reports of all working persons, unemployment insurance data, and lists of people who owe or are owed child support. The first component of this system, the National Directory of New Hires, requires every state to send data on new hires daily to the Department of Health and Human Services (HHS). The goal of this system is to track parents who are overdue on their child support payments, but some privacy advocates are concerned that it might be used for purposes beyond those identified in the statute, such as other government agencies using it to verify eligibility for benefits programs.
The Illegal Immigration Reform and Immigrant Responsibility Act (P.L. 104-208) required enhancements to the systems used to monitor immigration into the United States in an effort to thwart illegal immigration. The Health Insurance Portability and Accountability Act (P.L. 104-191) established requirements for the use of standard electronic transactions for activities such as the submissions of health insurance financial claims and transmission of payment and remittance advice. (See CRS Issue Brief 98002, Medical Records Confidentiality, for a discussion of those issues and related legislation: H.R. 52, H.R. 1815, H.R. 3900, S. 1368, and S. 1921). These developments, combined with efforts to move towards more electronic benefits delivery systems, reinforce the need for effective mechanisms to protect confidentiality and ensure system security in government computer operations.
Technical issues associated with implementation of these systems have caused delays in the systems becoming operational, but the privacy issues remain unchanged.
In a broad speech on Internet privacy issues on May 14, 1998, Vice President Gore announced the release of a memorandum for heads of executive department and agencies outlining steps agencies must take to ensure that the expanded use of information technologies does not erode privacy protections already provided in statute.
Intellectual Property
The era of global Internet connectivity presents significant challenges to effectively protecting the rights of copyright holders. Computers can make exact duplicates of originals and networks can provide access to literally millions of individuals. Some observers maintain that the growth of international computer networks will depend, in part, upon the willingness of individuals and businesses to make information available electronically. Absent adequate intellectual property protection, authors and publishers often are reluctant to provide Internet access to material of value. Some experts contend that technological solutions, such as encryption, digital signatures, digital watermarks, and other verification software, will address these concerns. Others suggest that the existing legal regime for intellectual property rights is inadequate for addressing the electronic distribution of material and must be replaced with different approaches to fostering creativity in the digital environment. Many maintain that existing legal authorities can and should be modified to account for the changing technological scene and recommend expanding the current legal framework to encompass the transmission of digital information.
The 105th Congress addressed three aspects of intellectual property rights in the digital era: implementation of two World Intellectual Property Organization (WIPO) treaties; copyright infringement liability protection for Online Service Providers (OSPs); and copyright protection of collections of information (databases). As the debate evolved, various bills merged with or were replaced by others. Ultimately, all three issues were combined in the House-passed version of H.R. 2281. In the Senate, WIPO implementation and OSP liability limitation were in S. 2037, which passed the Senate on May 14, while database protection issues were in S. 2291, which did not get out of committee. WIPO implementation and OSP liability limitation were signed into law (P.L. 105-304), while data protection issues were not included in that law and are expected to be debated again in the 106th Congress.
WIPO Implementation
The 105th Congress passed legislation (P.L. 105-304) to implement two new World Intellectual Property Organization (WIPO) treaties adopted in Geneva in December 1996 -- the WIPO Performances and Phonograms Treaty and the WIPO Copyright Treaty. The law (originating as H.R. 2281 and S. 2037(2)) amends the Copyright Act to prohibit the circumvention of anti-copying technology and assure the integrity of copyright management information systems. Alternative bills (H.R. 3048, Boucher; and S. 1146, Ashcroft) were introduced that had somewhat different language concerning circumvention of anti-copying technologies and copyright management information systems, and including provisions related to use of copyrighted digital material by teachers and librarians. (See CRS Report 97-444, World Intellectual Property Organization Copyright Treaty: An Overview.) Librarians were particularly concerned that the circumvention language would mean that users had to pay each time they copied a small portion of a work on the Internet. As enacted, P.L. 105-304 delays implementation of that provision for two years, during which time the Secretary of Commerce is to study its impact on fair use. The Secretary could waive the ban where fair use would be harmed.
Online Service Provider Liability Protection
P.L. 105-304 also addresses copyright infringement liability of Online Service Providers (OSPs)(3). The debate focused on the legal liability of the OSPs in situations where they act strictly as conduits for material that infringes on copyright. While copyright holders generally asserted that existing copyright law is adequate to deal with the issue of OSP liability, others in the telecommunications industry and the academic and library communities advocated new legislation to specify the OSP exemption from liability. (See CRS Report 97-950, Online Service Provider Copyright Liability: Analysis and Discussion of H.R. 2180 and S. 1146.) As enacted, the law exempts OSPs from liability if they act only as conduits of information.
Database Protection
Legislation on the issue of database protection was also considered by the 105th Congress. It passed the House, but not the Senate. The Collections of Information Antipiracy Act (H.R. 2652, Coble), passed the House on May 19 and then was also attached to H.R. 2281 when it passed the House August 4. A Senate bill, S. 2291 (Grams), was introduced July 10, 1998. The House bill was the subject of hearings by the Subcommittee on Courts and Intellectual Property of House Judiciary on October 23, 1997 and February 12, 1998. The decision to attach the database protection bill (H.R. 2652) to the WIPO implementation/OSP liability protection bill (H.R. 2281) in the House was controversial. Critics who had concerns about the database provisions, including major scientific and library associations and the Clinton Administration, argued that the issue might prevent the rest of the bill from being enacted. The Clinton Administration had raised constitutional questions about Congress' authority to enact such legislation. The section was dropped from H.R. 2281 before it cleared Congress. The issues are likely to be debated again in the 106th Congress.
The issue is very controversial. Scientific groups and the library community have cautioned against establishing new protections for databases that might compromise fair use and access to data for scientific research. Among the issues they have raised are whether a need for a new intellectual property right has been adequately demonstrated, the definition of key terms such as "database" that might encompass a broader array of information than what would be necessary to protect competition in the information industry, and the importance of ensuring that information produced by government employees remains publicly available, free from copyright restrictions.
Database producers argue that the compilation of factual databases requires some form of protection beyond current law if companies are expected to make substantial investments in creating them. The ability to download and retransmit data over the Internet facilitates copying of information, making producers of factual, noncopyrightable, databases more vulnerable. They argue that the absence of some form of database-specific property rights has a chilling effect on the database industry that would result in fewer factual databases being compiled and thus could potentially reduce the availability of information to the public.
Unsolicited Commercial Electronic Mail ("Junk E-Mail" or "Spamming")
One aspect of increased use of the Internet for electronic mail (e-mail) has been the advent of unsolicited advertising, or "junk e-mail" (also called "spamming," "unsolicited commercial e-mail," or "unsolicited bulk e-mail"). The Report to the Federal Trade Commission of the Ad-Hoc Working Group on Unsolicited Commercial Email http://www.cdt.org/spam reviews the issues in this debate.
In 1991, Congress passed the Telephone Consumer Protection Act (P.L. 102-243) that prohibits, inter alia, unsolicited advertising via facsimile machines, or "junk fax" (see CRS Report 98-514, Telemarketing Fraud: Congressional Efforts to Protect Consumers). Many question whether there should be an analogous law for computers, or at least some method for letting a consumer know before opening an e-mail message whether or not it is unsolicited advertising and to direct the sender to cease transmission of such messages. At a June 17, 1998 hearing on spamming before the Senate Commerce Committee, America Online (AOL) stated that junk e-mail represents 5-30% of the 15 million Internet e-mail messages it handles each day.
Opponents of junk e-mail such as the Coalition Against Unsolicited Commercial Email (CAUCE) argue that not only is junk e-mail annoying, but its cost is borne by consumers, not marketers. Consumers are charged higher fees by Internet service providers that must invest resources to upgrade equipment to manage the high volume of e-mail, deal with customer complaints, and mount legal challenges to junk e-mailers. According to the May 4, 1998 issue of Internet Week, $2 of each customer's monthly bill is attributable to spam http://www.techweb.com/se/directlink.cgi?INW19980504S0003. Some want to prevent bulk e-mailers from sending messages to anyone with whom they do not have an established business relationship, treating junk e-mail the same way as junk fax. Proponents of unsolicited commercial e-mail argue that it is a valid method of advertising. The Direct Marketing Association (DMA), for example, argues that instead of banning unsolicited commercial e-mail, individuals should be given the opportunity to notify the sender of the message that they want to be removed from its mailing list -- or "opt-out."
To date, the issue of restraining junk e-mail has been fought primarily over the Internet or in the courts. Some Internet service providers will return junk e-mail to its origin, and groups opposed to junk e-mail will send blasts of e-mail to a mass e-mail company, disrupting the company's computer systems. Filtering software also is available to screen out e-mail based on keywords or return addresses. Knowing this, mass e-mailers may avoid certain keywords or continually change addresses to foil the software, however. In the courts, Internet service providers with unhappy customers and businesses that believe their reputations have been tarnished by misrepresentations in junk e-mail have brought suit against mass e-mailers.
Although the House and Senate each passed legislation addressing the unsolicited commercial e-mail problem, no bill ultimately cleared the 105th Congress. The Senate had adopted a Murkowski-Torricelli amendment to S. 1618, the Anti-slamming(4) Amendments Act, that follows the "opt-out" philosophy and reflected provisions in S. 771 (Murkowski) and S. 875 (Torricelli). The language would have required senders of commercial e-mail to clearly identify in the subject line of the message that it was an advertisement, required Internet service providers to make software available to their subscribers to block such e-mail, and prohibited sending e-mail to anyone who had asked not to receive such mail. Similar language was included in the House version of the Anti-slamming bill, H.R. 3888, marked up by the House Commerce Telecommunications Subcommittee on August 6. Concerns were raised by several subcommittee members during the markup, however, that the language might infringe on First Amendment rights, and commented that they wanted more information before proceeding with the bill because of that and other issues. A very different version was adopted during full committee markup on September 24. As reported from the full committee (H.Rept. 105-801), the bill included only a sense of Congress statement that industry should self-regulate in this area. The bill passed the House on October 12, but differences between the House and Senate on this and other issues could not be resolved before Congress adjourned.
Four other House bills also addressed the issue. H.R. 1748 (Smith) would have amended the 1991 Telephone Consumer Protection Act to treat junk e-mail the same as junk fax. H.R. 2368 (Tauzin) encouraged industry to establish voluntary guidelines for transmission of junk e-mail. H.R. 4124 (Cook) and H.R. 4176 (Markey) reflected the opt-out approach.
As noted earlier, some unsolicited e-mail either contains indecent material or provides links to other sites where indecent material is available. Thus, controls over junk e-mail have also arisen in the context of protecting children from unsuitable material. In October 1997, AOL filed suit to prevent a company that sends unsolicited e-mails offering "cyberstrippers" from sending e-mail to AOL subscribers. The company, Over the Air Equipment, agreed on December 18, 1997 to drop its challenge to a preliminary injunction barring it from sending such advertisements to AOL subscribers (Reuters, December 18, 1997, 11:57 AET).
Internet Domain Names
During the 105th Congress, controversy surfaced over the disposition of the Internet domain name system (DNS). Internet domain names were created to provide users with a simple location name for computers on the Internet, rather than using the more complex, unique Internet Protocol (IP) number that designates their specific location. As the Internet has grown, the method for allocating and designating domain names has become increasingly controversial. The domain name issue is discussed in more detail in CRS Report 97-868, Internet Domain Names: Background and Policy Issues.
The Internet originated with research funding provided by the Department of Defense Advanced Research Projects Agency (DARPA) to establish a military network. As its use expanded, a civilian segment evolved with support from the National Science Foundation (NSF) and other science agencies. While there are no formal statutory authorities or international agreements governing the management and operation of the Internet and the DNS, several entities play key roles in the DNS. The Internet Assigned Numbers Authority (IANA) makes technical decisions concerning root servers, determines qualifications for applicants to manage country code Top Level Domains (TLDs), assigns unique protocol parameters, and manages the IP address space, including delegating blocks of addresses to registries around the world to assign to users in their geographic area. IANA operates out of the University of Southern California's Information Sciences Institute and has been funded primarily by the Department of Defense.
Prior to 1993, the National Science Foundation (NSF) was responsible for registration of nonmilitary generic Top Level Domains (gTLDs) such as .com, .org, .net, and .edu. In 1993, the NSF entered into a 5-year cooperative agreement with Network Solutions, Inc. (NSI) to operate Internet domain name registration services. In 1995, the agreement was modified to allow NSI to charge registrants a $50 fee per year for the first two years, of which 70% went to NSI to cover its costs and 30% was deposited in the "Intellectual Infrastructure Fund" to be reinvested in the Internet. Since the imposition of fees in 1995, criticism arose over NSI's sole control over registration of the gTLDs. In addition, there was an increase in trademark disputes arising out of the enormous growth of registrations in the .com domain. With the cooperative agreement between NSI and NSF due to expire in 1998, the Administration, through the Department of Commerce (DOC), began exploring ways to transfer administration of the DNS to the private sector.
In the wake of much discussion among Internet stakeholders, and after extensive public comment on a previous proposal, the DOC, on June 5, 1998, issued a final statement of policy, Management of Internet Names and Addresses (also known as the "White Paper"). The White Paper states that the U.S. government is prepared to recognize and enter into agreement with "a new not-for-profit corporation formed by private sector Internet stakeholders to administer policy for the Internet name and address system." In deciding upon an entity with which to enter such an agreement, the U.S. government will assess whether the new system ensures stability, competition, private and bottom-up coordination, and fair representation of the Internet community as a whole.
In effect, the White Paper endorsed a process whereby the divergent interests of the Internet community would come together and decide how Internet names and addresses will be managed and administered. Accordingly, Internet constituencies from around the world (calling themselves "the International Forum on the White Paper"or IFWP) held a series of meetings during the summer of 1998 to discuss how the New Corporation (NewCo) might be constituted and structured. In September of 1998, IANA, in collaboration with NSI, released a proposed set of bylaws and articles of incorporation for a new entity called the Internet Corporation for Assigned Names and Numbers (ICANN). The proposal was criticized by some Internet stakeholders, who claimed that ICANN does not adequately represent a consensus of the entire Internet community. Accordingly, other competing proposals for a NewCo were submitted to DOC. On October 20, 1998, the DOC tentatively approved the ICANN proposal. Pending the satisfactory resolution of several remaining concerns raised by the competing proposals -- including accountability, transparent decision-making processes, and conflict of interest -- the DOC will begin work on a transition agreement with ICANN. Meanwhile, nine members of ICANN's interim board have been chosen (four Americans, three Europeans, one from Japan, and one from Australia).
The White Paper also signaled DOC's intention to ramp down the government's Cooperative Agreement with NSI, with the objective of introducing competition into the domain name space while maintaining stability and ensuring an orderly transition. On October 6, 1998, DOC and NSI announced an extension of the Cooperative Agreement between the federal government and NSI through September 30, 2000. During this transition period, government obligations will be terminated as DNS responsibilities are transferred to the NewCo. Specifically, NSI has committed to a timetable for development of a Shared Registration System that will permit multiple registrars (including NSI) to provide registration services within the .com, .net., and .org gTLDs. By March 31, 1999, NSI will establish a test bed supporting actual registrations by five registrars who will be accredited by the NewCo. According to the agreement, the Shared Registration System will be deployed by June 1, 1999, and fully implemented and available to all accredited registrars by October 1, 1999. NSI will also continue to administer the root server system until receiving further instruction from the government.
During the 105th Congress, a number of DNS hearings were held by the House Committees on Science, on Commerce, and on the Judiciary. The hearings explored issues such as governance, trademark issues, how to foster competition in domain name registration services, and how the Administration will manage and oversee the transition to private sector ownership of the DNS. Most recently, the House Committees on Commerce and on Science held hearings on June 10 and October 7, 1998, respectively. On October 15, the Chairman of the House Committee on Commerce sent letters of inquiry to DOC and the White House reflecting concerns that the process that produced the ICANN proposal was insufficiently open and responsive to the interests of all Internet stakeholders.
One of the thorniest issues surrounding the DNS is the resolution of trademark disputes that arise in designating domain names. In the early years of the Internet, when the primary users were academic institutions and government agencies, little concern existed over trademarks and domain names. As the Internet grew, however, the fastest growing number of requests for domain names were in the .com domain because of the explosion of businesses offering products and services on the Internet. Since domain names have been available from NSI on a first-come, first-serve basis, some companies discovered that their name had already been registered. The situation was aggravated by some people registering domain names in the hope that they might be able to sell them to companies that place a high value on them and certain companies registering the names of all their product lines.
The increase in conflicts over property rights to certain trademarked names has resulted in several lawsuits. Under the current policy, NSI does not determine the legality of registrations, but when trademark ownership is demonstrated, has placed the use of a name on hold until the parties involved resolve the domain name dispute. The White Paper calls upon the World Intellectual Property Organization (WIPO) to convene an international process, including individuals from the private sector and government, to develop a set of recommendations for trademark/domain name dispute resolutions. WIPO is developing recommendations and is scheduled to present them to the NewCo in March 1999. Meanwhile, the Next Generation Internet Research Act of 1998 (P.L. 105-305) directs the National Academy of Sciences to conduct a study of the short and long-term effects on trademark rights of adding new generic top-level domains and related dispute resolution procedures.
Another DNS issue relates to the disposition of the Intellectual Infrastructure Fund, derived from domain name registration fees collected by NSI. The fund grew to $56 million before NSF and NSI discontinued collecting fees for the fund as of April 1, 1998. A number of suggestions were offered for use of the fund, including returning money to registrants, setting up a nonprofit entity to allocate funds, or using it for global administrative projects, such as Internet registries in developing countries. The VA/HUD/Independent Agencies FY1998 Appropriations Act (P.L. 105-65) directed NSF to credit up to $23 million of the funds to NSF's Research and Related Activities account for Next Generation Internet activities. A class action suit filed by six Internet users against NSF and NSI in October 1997 questioned the legal authority of NSF to allow NSI to charge for registering Internet addresses and requested $55 million in refunds. The suit also sought to prevent the government from spending the money as directed by Congress. On April 6, 1998, U.S. District Judge Thomas Hogan dismissed the charge that NSF lacked authority to permit NSI to collect fees, but let stand another charge challenging the portion of the fee collected for the infrastructure fund. However, the FY1998 Emergency Supplemental Appropriations Act (P.L. 105-174), enacted on May 1, 1998, contains language ratifying and legalizing the infrastructure fund. Accordingly, Judge Hogan reversed his decision, thereby allowing NSF to spend the $23 million from the fund through FY1999 on the Next Generation Internet program.
105th Congress Legislation
(Note: Many bills would fit under several different categories. They are categorized here based on each bill's major thrust in the context of the topics discussed in this report. Committees to which the bills were referred are noted in parentheses. Bills that were enacted are in bold. See text for disposition of other bills.)
Encryption and Digital Signatures
H.R. 695, Goodlatte, Safety and Freedom Through Encryption (Judiciary, International Relations, National Security, Intelligence, Commerce)
H.R. 2937, Baker, Electronic Financial Services Efficiency Act (Commerce, Government Reform and Oversight, Judiciary, Science, Banking and Financial Services)
H.R. 2991, Eshoo, Electronic Commerce Enhancement Act (Government Reform and Oversight, Commerce)
S. 376, Leahy, Encrypted Communications Privacy Act (Judiciary)
S. 377, Burns, Promotion of Commerce On-Line in the Digital Era (Commerce, Science, and Transportation)
S. 909, McCain, Secure Public Networks Act (Commerce, Science, and Transportation)
S. 1594, Bennett, Digital Signature and Electronic Authentication Law (Banking)
S. 2067, Ashcroft, Encryption Protects the Rights of Individuals from Violation and
Abuse in Cyberspace (Judiciary)
P.L. 105-277 (Title XVII, Division C), S. 2107, Abraham, Government
Paperwork Elimination Act (Commerce)
Computer Security (General)
H.R. 1903, Sensenbrenner, Computer Security Enhancement Act (Science)
Computer Privacy (General)
H.R. 98, Vento, Consumer Internet Privacy Protection (Commerce)
H.R. 1287, Bob Franks, Social Security On-line Privacy Protection (Commerce)
H.R. 1330, Kanjorski, American Family Privacy (Government Reform and Oversight)
H.R. 1331, Kennelly, Social Security Information Safeguards (Ways and Means)
H.R. 1367, Barrett, Federal Internet Privacy Protection (Government Reform and Oversight)
H.R. 1813, Kleczka, Personal Information Privacy (Ways and Means, Banking and Financial Services, Judiciary)
H.R. 1964, Markey, Communications Privacy and Consumer Empowerment (Commerce)
H.R. 1972, Bob Franks, Children's Privacy Protection and Parental Empowerment (Judiciary)
H.R. 2368, Tauzin, Data Privacy Act (Commerce)
H.R. 3551, DeLauro, Identity Piracy Act (Judiciary, Transportation and
Infrastructure)
H.R. 3601, Shadegg, Identity Theft and Assumption Deterrence Act (Judiciary,
Transportation and Infrastructure)
P.L. 105-318, H.R. 4151, Shadegg, Identity Theft and Assumption Deterrence
Act (Judiciary)
H.R. 4667, Markey, Electronic Privacy Bill of Rights (Commerce)
S. 504, Feinstein, Children's Privacy Protection and Parental Empowerment (Judiciary)
P.L. 105-318, S. 512, Kyl, Identify Theft and Assumption Deterrence Act
(Judiciary)
S. 600, Feinstein, Personal Information Privacy (Finance)
P.L. 105-277 (Title XIII, Division C),S. 2326, Bryan, Children's Online Privacy
Computer Privacy (Protecting Children from Pornography, Predators)
Filtering
HR 774, Lofgren, Internet Freedom and Child Protection (Commerce)
HR 1180, McDade, Family-Friendly Internet Access (Commerce)
H.R. 3177, Franks, Safe Schools Internet Act (Commerce)
S. 1619, McCain, Internet School Filtering Act (Commerce)
Other
H.R. 2173, Franks, Child Abuse Notification Act (Judiciary)
H.R. 2648, Bachus, Abolishing Child Pornography Act (Judiciary)
H.R. 2791, Roukema, Prohibition on Provision of Internet Service Accounts to Sexually Violent Predators (Commerce)
H.R. 2815, Weller, Protecting Children from Internet Predators (Judiciary)
P.L. 105-314, H.R. 3494, McCollum, Child Protection and Sexual Predator Punishment Act (Judiciary)
H.R. 3729, Pryce, Stop Trafficking of Pornography in Prisons (Judiciary)
P.L. 105-277 (Title XIV, Division C) H.R. 3783, Oxley, Child Online Protection Act (Commerce)
H.R. 3985, Lampson, Authorize Appropriations for International Child Pornography
Investigation and Coordination Center of the Customs Service (Ways and
Means)
S. 900, Feingold, Child Exploitation Sentencing Enhancement Act (Judiciary)
S. 1356, Faircloth, Prohibition on Provision of Internet Service Accounts to Sexually Violent Predators (Commerce, Science and Transportation)
P.L. 105-277 (Title XIV, Division C), S. 1482, Coats, Prohibition of Commercial
Distribution on the World Wide Web of Material That is Harmful to
Minors (Commerce)
S. 1965, Moseley-Braun, Internet Predator Prevention Act (Judiciary)
S. 1987, DeWine, Child Protection and Sexual Predator Punishment Act (Judiciary)
P.L. 105-314, S. 2491, Hatch, Protection of Children from Sexual Predators Act
Computer Privacy (Medical Records Confidentiality)
H.R. 52, Condit, Fair Health Information Practices Act (Commerce, Government Reform and Oversight, Judiciary)
H.R. 1815, McDermott, Medical Privacy in the Age of Technologies Act (Commerce, Government Reform and Oversight)
H.R. 3900, Shays, Consumer Health and Research Technology Protection Act
(Commerce, Ways and Means, Government Reform and Oversight)
S. 1368, Leahy, Medical Information Privacy and Security Act (Labor and Human Resources)
S. 1921, Jeffords, Health Care Personal Information Nondisclosure Act (Labor and Human Resources)
Intellectual Property
H.R. 2180, Coble, On-Line Copyright Liability Limitation Act (Judiciary)
P.L. 105-304, H.R. 2281, Coble, WIPO Copyright Treaties Implementation Act
and On-Line Copyright Infringement Liability Limitation Act (Judiciary)
H.R. 2652, Coble, Collections of Information Antipiracy Act (Judiciary)
H.R. 3048, Boucher, Digital Era Copyright Enhancement Act (Judiciary)
H.R. 3209, Coble, On-Line Copyright Infringement Liability Limitation Act (Judiciary)
S. 1121, Hatch, WIPO Copyright and Performances and Phonograms Treaty
Implementation Act of 1997 (Judiciary)
S. 1146, Ashcroft, Digital Copyright Clarification and Technology Education Act of
1997 (Judiciary)
P.L. 105-304, S. 2037, Hatch, Digital Millenium Copyright Act (Judiciary)
S. 2291, Grams, Collections of Information Antipiracy Act (Judiciary)
Unsolicited Commercial E-mail
H.R. 1748, Christopher Smith, Netizens Protection Act (Commerce)
H.R. 3888, Tauzin, Anti-Slamming Amendments (Commerce)
H.R. 4124, Cook, E-Mail User Protection Act (Commerce)
H.R. 4176, Markey, Digital Jamming Act, (Commerce)
S. 771, Murkowski, Unsolicited Commercial Electronic Mail Choice Act
(Commerce, Science, and Transportation)
S. 875, Torricelli, Electronic Mailbox Protection Act (Commerce, Science, and
Transportation)
S. 1618, McCain, Anti-Slamming Amendments (Commerce, Science, and
Internet Domain Names
H.R. 3332, Sensenbrenner, Next Generation Internet Research Act (Science)
S. 1609, Frist, Next Generation Internet Research Act (Commerce, Science, and
Transportation)
S. 1727, Leahy, to authorize the comprehensive independent study of the effects of
trademark and intellectual property rights holders of adding new generic
top-level domains and related dispute resolution procedures (Judiciary)
Related CRS Reports
Computer Fraud & Abuse: A Sketch of 18 U.S.C. 1030 And Related Federal Criminal Laws, by Charles Doyle. CRS Report 97-1024 A. 5 p. December 3, 1997.
Computer Fraud & Abuse: An Overview of 18 U.S.C. 1030 And Related Federal Criminal Laws, by Charles Doyle. CRS Report 97-1025 A. 85 p. November 28, 1997.
Critical Infrastructures: A Primer, by John Moteff. CRS Report 98-675 STM. 6 p. August 13, 1998.
"Digital Era Copyright Enhancement Act": Analysis of H.R. 3048, by Dorothy Schrader. CRS Report 98-520 A. 8 p. May 18, 1998.
Encryption and Banking, by M. Maureen Murphy. 12 p. CRS Report 97-835 A. September 15, 1997.
Encryption Export Controls, by Jeanne J. Grimmett. 6 p. CRS Report 97-837 A. September 12, 1997.
Encryption, Key Recovery & Law Enforcement: Selected Legal Issues and Legislative Proposals, by Charles Doyle. 41 p. CRS Report 97-845 A. September 12, 1997.
Encryption Technology and U.S. National Security, by Michael Vaden and Edward Bruner. 9 p. CRS Report 96-670 F. August 8, 1996.
Encryption Technology: Congressional Issues, by Richard Nunno. CRS Issue Brief 96039. 15 p. (Updated Regularly)
Indecency: Restrictions on Broadcast Media, Cable Television, and the Internet, by Henry Cohen. CRS Report 97-841 A. 14 p. September 12, 1997.
Information Privacy, by Gina Marie Stevens. CRS Report 97-833 A. 13 p. September 15, 1997.
Internet Domain Names: Background and Policy Issues, by Jane Bortnick Griffith. CRS Report 97-868 STM. 6 p. October 30, 1998.
Internet Gambling: A Sketch of Legislative Proposals, by Charles Doyle. CRS Report 980757 A. 17 p. September 14, 1998.
Internet: History, Infrastructure, and Selected Issues, by Rita Tehan. CRS Report 98-649 C. 21 p. July 28, 1998.
Internet Tax Bills in the 105th Congress, by Nonna Noto. CRS Report 98-509 E. 21 p. August 21, 1998.
Internet Technology, by Ivan Kaminow and Jane Bortnick Griffith. CRS Report 97-392 SPR. 6 p. December 24, 1997.
Medical Records Confidentiality, coordinated by Irene Stith-Coleman. CRS Issue Brief 98002. 15 p. (Updated Regularly)
Next Generation Internet, by Glenn J. McLoughlin. CRS Report 97-521 STM. 6 p. June 8, 1998.
Obscenity, Child Pornography, and Indecency: Recent Developments and Pending Issues, by Henry Cohen. CRS Report 98-670 A. 6 p. October 23, 1998.
Online Service Provider Copyright Liability: Analysis and Discussion of H.R. 2180 and S. 1146, by Dorothy Schrader. CRS Report 97-950 A. 15 p. April 14, 1998.
Protecting Privacy on the Internet: A Summary of Legislative Proposals, by Angela Choy, Marcia Smith, and Jane Bortnick Griffith. CRS Report 97-1061 STM. 6 p. December 19, 1997.
Restrictions on Minor's Access to Material on the Internet, by Henry Cohen. CRS Report 98-328 A. 6 p. July 16, 1998.
Telecommunications Discounts for Schools and Libraries: the "E-Rate" Program and Controversies, by Angele Gilroy. CRS Issue Brief 98040. 14 p. (Updated regularly).
Telemarketing Fraud: Congressional Efforts to Protect Consumers, by Bruce Mulock. CRS Report 98-514 E. 6 p. June 2, 1998.
World Intellectual Property Organization Copyright Treaty: An Overview, by Dorothy Schrader. CRS Report 97-444 A. 27 p. September 10, 1998.
WIPO Copyright Treaty Implementation Legislation: Recent Developments, by Dorothy Schrader. CRS Report 98-463. 17 p. September 24, 1998.
World Intellectual Property Organization Performance and Phonograms Treaty: An Overview, by Dorothy Schrader. CRS Report 97-523. 35 p. September 10, 1998.
1. (back)Reports of unauthorized access to credit card numbers stored on computers also have attracted much interest. Not only is there the risk of direct financial loss from someone using a credit card without authorization of the card owner, but increasingly people are concerned about consumer identity theft that involves use of another's personally identifiable information such as credit card numbers. That issue is addressed below.
2. (back)Two Senate bills, S. 1121 and S. 1146, were considered by the Senate Judiciary Committee. A new bill, S. 2037, was then reported from Committee on May 14, 1998.
3. (back)The OSP provisions of H.R. 2281 originated in H.R. 2180, that itself was superseded by H.R. 3209. They were merged into H.R. 2281 during markup by the House Judiciary Committee on April 1, 1998.
4. (back)"Slamming" is the unauthorized change of someone's long distance telephone service provider. See CRS Issue Brief 98027.
Return to CONTENTS section of this Long Report.
|
This site is produced and maintained by the U.S. Department of State. Links to other Internet sites should not be construed as an endorsement of the views contained therein. 
|
 IIP Home | Electronic Communications |