iiiiii   iiiiii   a                INFORMATION POLICY ONLINE
  ii       ii    aaa
  ii       ii     aaa                An Internet Newsletter
  ii       ii      aaa                  published by the
  ii       ii aaaaaaaaa        Information Industry Association 
  ii       ii        aaa           555 New Jersey Ave., N.W.
  ii       ii         aaa             Washington, DC 20001
  ii       ii          aaa        Internet: <iia.ipo@his.com>
iiiiii   iiiiii       aaaaaaa   Volume 1, Number 3, May 1994
*****************************************************************
IN THIS ISSUE:
 [1]  House Okays Broader Access to DMV Records
 [2]  Industry Gives NTIA Its Perspective on Privacy
 [3]  International Opposition Mounts to U.S. Government
      Information Security Initiative
 [4]  NII Priorities: A Sampling of Views from the NII Advisory
      Council
 [5]  Information Industry Views on Customer Proprietary Network
      Information
 [6]  Information Industry Endorses Senate Telecom. Bill
 [7]  Health Care Reform Legislation Will Have Critical Impact on
      Future Information Policy and Practices
 [8]  Should the Federal Government Establish a U.S. Data
      Protection Commission?
 [9]  About "Information Policy Online" and the Information
      Industry Association
*****************************************************************
[1]  HOUSE OKAYS BROADER ACCESS TO DMV RECORDS

On April 20, the House of Representatives approved the Driver's Privacy
Protection Act (DPPA) as an amendment to omnibus anti-crime legislation.
The amendment, offered by Rep. James Moran (D-Va.), incorporates
significant changes to the Senate-passed version of the DPPA, many of
which had been called for by industry [See IIA-IPO, March 1993]. 

The Moran amendment takes the same basic approach as the version passed by
the Senate without any hearings: a federal requirement that states cut off
public access to personal information about any individual obtained in
connection with a motor vehicle record. The difference is that the
House-passed version sets out much broader exceptions to this access ban
than those approved by the Senate. These include: access by government
contractors as well as government agencies; broader access by a business
to verify information submitted to it; more expansive rules for access in
connection with (or anticipation of) litigation; a specific exception for
survey research and statistical reports; access by self-insured entities
for claims investigation or antifraud use; and use by licensed private
investigators. The legislation also provides for states to set up two
"opt-out" systems that would allow individuals to remove their names from
marketing lists and/or block otherwise unpermitted access to individual
records. The records of those not "opting out" would remain accessible for
these purposes. Finally, the Moran amendment would allow states to
specifically authorize other access for the purpose of public safety or
vehicle operation. The House version could be enforced by criminal or
civil litigation, but the criminal offenses are much narrower than in the
Senate version, and are limited to those who knowingly misuse, or who lie
to obtain, personal information from a motor vehicle record.

Many information companies currently depend on access to state department
of motor vehicle (DMV) records to provide valuable information products
and services. The House version of the DPPA would be far less disruptive
of these uses than the Senate-passed version. But industry expressed a
broader concern about the precedent that could be set by a federal law
that orders states to close off access to traditionally public records. In
response to this concern, both Rep. Moran and Rep.Don Edwards (D-Cal.),
chair of the Civil and Constitutional Rights Subcommittee, placed
statements in the Congressional Record when the Moran amendment was
adopted. The Moran statement stressed the "key differences" between DMV
records and other public records, asserting that the latter "are not
vulnerable to abuse in the same way," and underscoring that the DPPA "does
not apply to any other system of public records maintained by states or
local governments." Rep. Edwards was even more emphatic, referring to "the
need to maintain the public record character" of public records beyond the
DMV, and acknowledging that "broad public access to such [other] records
remains enormously important to our society." While floor statements are
not ordinarily accorded a great deal of weight in determining
Congressional intent, they are more significant when, as in the case of
the DPPA, the normal legislative procedures have been circumvented, and no
committee in either House has issued a formal report explaining the
legislation. 

With House passage of the omnibus crime bill on April 21, the scene now
shifts to a House-Senate conference committee, which must resolve the
differences between the House and Senate versions not only of the DPPA,
but of the dozens of other titles contained in the anti-crime package. 
**************************************************************
[2]  INFORMATION INDUSTRY GIVES NTIA ITS PERSPECTIVE ON PRIVACY

The information industry's diverse companies use personally identifiable
information in a wide variety of ways, but with the common goals of
developing and distributing innovative products and services to the
public, while respecting individuals' privacy interests. Whether
information flows through conventional channels, or in new ways in an
advanced National Information Infrastructure, this corporate
responsibility to maintain fair information practices remains. Speaking
for its member companies in comments filed March 30 with the National
Telecommunications and Information Administration (NTIA), IIA declared its
commitment to assisting information companies to fulfill this
responsibility in an efficient, comprehensive, and balanced way.

IIA's comments came in response to a sweeping Notice of Inquiry (NOI)
issued by NTIA, a Commerce Department agency, in February. NTIA's focus is
"privacy issues relating to private sector use of
telecommunications-related personal information," a broad category which
includes many information services offered by information industry
companies. The NOI places many of the most salient questions off-limits,
by excluding questions about the privacy impact of government access to
personal information. "In fact," IIA noted, "these are precisely the
issues that are most prominent in much of the media coverage about privacy
in the NII." IIA particularly cited the digital telephony and "Clipper
chip" escrowed encryption initiatives.

IIA used the filing of comments as an oppotunity to introduce its newly
approved Fair Information Practices Guidelines [See IIA-IPO, April 1994].
The comments noted that the guidelines drafting process, which included
examination of a wide variety of guidelines, policy statements, and other
proposals, from corporate, government and consumer organizations, both in
the U.S. and abroad, underscored "the difficulties of devising clear rules
designed for general applicability across the broad spectrum of
information products and services." IIA told NTIA that there is unlikely
to be "one size" of regulatory approach that "fits all" types of, and uses
for, personally identifiable information.

IIA's comments also addressed First Amendment limitations on government
regulation of private sector information practices, and the impact of
technological changes. "Successful policies should focus on the core
interests of the information content, rather than on particular media or
technology. The surest route to policy failure is to reflexively treat
technology as the enemy." Considering the importance of continuity in
information policy, neither public records -- intended to be broadly
accessible -- nor a company's customer lists -- which generally fall
outside the scope of government regulation -- change their essential
character and purpose when new technologies are used to compile or
manipulate them. Technology can also provide powerful tools for protecting
the privacy and security of the content of information distributed in an
advanced National Information Infrastructure.

Policy makers should consider three general guidelines:

- First, any regulatory actions should seek to preserve, to
  the greatest extent possible, the benefits offered by
  maximizing the flow of information.
- Second, any regulatory model should seek to maximize informed
  customer choice.
- Third, policy makers should take into account the full
  spectrum of means for achieving desired information
  practices, including market forces, expanded public education,
  and self-regulatory efforts by industry and other groups.

The development and implementation of sound, balanced company policies on
the collection, use and disclosure of personally identifiable information
can play a major role in resolving the policy issues addressed by the NOI.
As more companies adopt specific policies, and make these known to the
public, customers and consumers become better informed and better able to
choose intelligently among competing products, based, to whatever degree
the individual finds appropriate, on privacy factors. The information
industry urges the U.S. government to adhere to the long-standing U.S.
approach to privacy issues, whose many strengths include a respect for
First Amendment principles; a focus on restraining the intrusive
activities of government; and a pragmatic, sectoral approach.
*****************************************************************
[3]  INTERNATIONAL OPPOSITION MOUNTS TO U.S. GOVERNMENT
     INFORMATION SECURITY INITIATIVES

The Clinton Administration has experienced virtually unanimous opposition
from public interest and industry groups to the "Clipper Chip" escrowed
encryption initiative for computer security. Now international
organizations are also weighing in with opposition to Clipper and to the
Digital Signature initiative.

International businesses are demanding communication networks in which
information can flow freely and securely. As businesses consider
connecting to the National Information Infrastructure -- or, if you
prefer, the Global Information Infrastructure (GII) -- security is
critical to intra- and inter-corporate communications and transactions.
Hackers and unauthorized parties continue to violate the privacy and
security of unprotected communications systems. The International Chamber
of Commerce, long a champion of the need for secure communications
networks, recently criticized the Clipper initiative as "a national
approach to cryptography [which] seems to conflict with the needs of
international business." The ICC also noted that Clipper's key escrow
feature "would still be unacceptable to international companies because
one government, in this case the U.S. government, would hold the keys.

Digital signatures are also vital to the success of the emerging NII/GII.
An international standard, RSA, is accepted in the private sector for
digital signatures, but apparently not by the U.S. Administration. A
couple of years ago, the Administration announced its Digital Signature
Algorithm (DSA) as the proposed federal standard for digital signatures.
The DSA proposal was also almost unanimously opposed by business,
academia, and public interest groups. Part of the opposition was an
assertion that DSA infringed certain patents. Last summer, the
Administration announced a proposed patent cross-license for DSA, under
which the government could use the algorithm royalty-free, but the private
sector would have to pay patent royalties to do digital signatures.
Needless to say, this "solution" did not quell opposition to DSA from
non-governmental sources.

On February 4, 1994, the Administration announced its intent to achieve a
digital signature algorithm that would be free from patent license
royalties. While no specifics were provided, one option is to design a new
algorithm for digital signatures.

Meanwhile, RSA continues to gain acceptance as the worldwide digital
signature system. The Information Technology Advisory Expert Group,
representing European standards organizations, recently called for RSA to
be the standard used in Europe. So even if the Administration's goal of
freeing DSA from patent royalties can be achieved, this alone will not
make DSA accepted in the international marketplace. Regardless of
continued Administration campaigning for Clipper and DSA, the private
sector worldwide continues to embrace different implementation: the
digital encryption standard (DES) and RSA.

*****************************************************************
[4]  NII PRIORITIES:
     A SAMPLING OF VIEWS FROM THE NII ADVISORY COUNCIL

At its first meeting, the U.S. Advisory Council on the National Information
Infrastructure asked its members to prepare short papers on the major
issues that should be addressed. Here are excerpts from a few of the
submissions.

ESTHER DYSON, EDventure Holdings, Inc.

The priorities we should address are:

...a definition of universal access (desirable) and universal service
(controversial). It clearly includes interoperability of all systems, and
the ability of content providers (organizations and individuals) to
disseminate content as well as of individuals and organizations to receive
it...

...the need for privacy -- ranging from technical means such as robust
encryption to laws guaranteeing individuals' ownership and right to
control information about themselves.... 

...recommendations concerning freedom of speech, common carrier rights and
obligations, and other constitutional issues.

Note: Ms. Dyson has been asked to co-chair the Advisory Council's working
group on privacy and intellectual property issues.

CRAIG FIELDS, Microelectronics and Computer Technology Corp.

The Council is uniquely positioned to clarify the national intent for
universal service....Many questions have not been fully answered:...How
will we pay for these universal services selected from the national
information supermarket -- do we need an equivalent of food stamps?...

If the Federal Government seeks to accelerate the enrichment of the NII
over the coming years, how can the taxpayer tell if it is succeeding? Can
we identify just a few specific goals for the NII over the next, say,
seven years, in terms of information
services available to Americans; and lay out a road map of how to get to
there from here -- required technological accomplishments, if any; needed
regulatory reform; or whatever?

STANLEY S. HUBBARD, Hubbard Broadcasting Inc.

There are many individuals and many organizations across the country that
have predicted new and innovative communications systems for use within
the NII. Some of the ideas are practical and economically feasible and
some are not. In order to determine what will and will not work, what
people want or do not want, the marketplace must be totally free from any
restraints by which the government would pick "winners and losers."

MITCHELL KAPOR, Electronic Frontier Foundation

The character of the NII is best seen in what it enables, not what it is,
for the NII is no more about fiber optics, than modern painting is about
paint.

- The technical design of the NII will determine more about its public
usefulness than anything else. We have a choice to make the NII open to a
diversity of applications, information sources and services, or to keep it
closed to all but those who own and operate the networks.

- The NII may be a platform for the rich varieties of individual
expression, for the transaction of commerce, and for exchange of ideas, or
it may be nothing but 500 channels of least common denominator programming
entertainment. We must take steps to ensure that the NII is more than just
a repetition of the failures and shortcomings of mass media today.

DELANO LEWIS, National Public Radio

...Without sound financial incentives, private sector players will be
reluctant to provide the investment dollars needed to make the NII a
reality. [The Council should] identify and articulate the economic
incentives that need to be in place to encourage completion of the NII
without creating an artificial bias for or against particular technologies
or transmission media. The protection of intellectual property rights is
an important concern that has both usage and financial implications.

But if the terms of access to our Nation's information resources -- and the
content of those resources themselves -- were to be determined on the
basis of financial incentives alone, I believe that all of us, in the long
run, would be the poorer for it.... The Council must also plan to address
the ways in which non-commercial entities can continue to contribute to
the wealth of information that the NII will make accessible, and continue
to have access to that information on reasonable -- and, in some cases,
even preferential -- terms.

ALEX MANDL, AT&T

The evolving NII may require a new definition of "universal service."
...Any discussion of a new definition needs to be led by consumers,
government and industry. It must be a public debate to balance the many
stakeholders involved with public subsidies.

New approaches to providing "widespread access" for underserved populations
need to be explored. For instance, libraries, community centers and
schools, which have long been places where people acquire information and
develop skills, are examples of locations at which a reasonable selection
of information appliances and access to NII communications services and
information resources could be made available.

VANCE OPPERMAN, West Publishing Co.

The NII must be defined by two strong guiding principles: 
It must be Universal, Accessible, and Affordable.

True to the American ideal of equality, the NII must connect all of us with
one another -- regardless of place, regardless of race -- regardless of
disability or non-disability, age or income.... It must be Information
Rich.... The NII is only useful when it is chock full of information --
information put there by, and used by, people who are confident that they
are guaranteed: 

- First Amendment Free Speech; 
- Copyright and Intellectual Protections.

Creative expression, and the incentive to create, are protected and
encouraged not only by the First Amendment, but also by society's
guarantee that the products we create are respected as ours. And we are
entitled to be compensated for creative efforts.

- Privacy. Americans don't want millions of digital neighbors and
government gumshoes reading our mail or clucking over our cholesterol
counts.
**************************************************************
[5]  INFORMATION INDUSTRY VIEWS ON
     CUSTOMER PROPRIETARY NETWORK INFORMATION

When the Federal Communications Commission asked for public comments on
rules governing telephone companies' use of customer proprietary network
information (CPNI), the information industry's response concentrated on
three key issues:

(1) privacy concerns in regard to CPNI;
(2) the competitive nature of such information; and
(3) the ramifications of CPNI availability under current
    rules at a time when telephone companies are partnering
    with or acquiring competitive information providers.

While acknowledging that some restrictions on dissemination of personal
information may be necessary, the information industry supports the
"maximum practical availability of information such as CPNI because of its
substantial value for information product development and for the
provision of better service to the public. Consider the competitive nature
of CPNI: "It simply cannot be the case that this information is so
valuable to the mass market for information services that exchange
carriers must be given access to it, but so insignificant that it will not
create a major competitive dislocation if it is not provided to other
competitors on equal terms." Finally, regarding the use of CPNI in
partnering arrangements between carriers and competitive information
providers, "so long as the carrier collects CPNI by virtue of its
government-granted monopoly status, it must not be permitted to transfer
that advantage to its partners or joint venturers and thus frustrate the
goal of achieving competitive equity with regard to access to CPNI."
**************************************************************
[6]  INFORMATION INDUSTRY ENDORSES SENATE TELECOMMUNICATIONS BILL

Speaking on behalf of its member information companies, IIA wrote to every
member of the U.S. Senate to encourage their support for S. 1822, the
Communications Act of 1994, introduced earlier this year by Senator Fritz
Hollings, Chairman of the Senate Commerce Committee. Although the
Association takes no position on the bill's provisions governing
long-distance or equipment manufacturing, S. 1822 is the most
comprehensive and workable plan [currently before Congress] for advancing
a competitive environment for both the telecommunications and information
industries.

Information industry support for the bill is based on S. 1822's approach on
many issues of key importance to the industry. Especially praiseworthy are
the legislation's provisions calling for 

(1) the unbundling of local network functions and
    instituting cost-based pricing;
(2) enhancing the technological capabilities of
    telecommunications networks for advanced digital offerings;
(3) creating strong structural safeguards for the provision
    of a broad range of electronic publishing activities; and 
(4) establishing cross-subsidy protections for the provision of
    information (enhanced) services. The bill also assures
    equal treatment for information services providers in access
    to CPNI and in preempting state public utility regulation of
    information services.

The Senate Commerce Committee is continuing with hearings on S. 1822, with
mark-up tentatively planned for later this spring. In the meantime,
Chairman Jack Brooks of the House Judiciary Committee and Chairman John
Dingell of the House Energy and Commerce Committee are reportedly working
on a new, joint draft of H.R. 3626, passed by both Committees last month,
to be brought to the House floor. The House hopes to have comprehensive
telecommunications legislation completed shortly before or after the
Memorial Day recess.
**************************************************************
[7]   HEALTH CARE REFORM LEGISLATION WILL HAVE CRITICAL
      IMPACT ON FUTURE INFORMATION POLICY AND PRACTICES

Members of Congress have introduced numerous bills to implement health care
reform, including one by Senate Majority Leader George Mitchell. One House
subcommittee with primary jurisdiction -- the House Ways and Means
Subcommittee on Health -- has completed action on reform legislation, and
several other Senate and House committees have been holding closed-door
meetings to work out compromises on the bills.

While the major proposals differ greatly in the scale and approach for
health care delivery, all have provisions for administrative
simplification. To achieve this goal, the bills envision a fully automated
system of collection and dissemination of information. This system would
allow information about doctors, patients, billings and claims to be
transferred electronically anytime and anywhere in the nation. Included
within the major bills are: standard setting mechanisms for information
collection; requirements that data be collected and transmitted
electronically; outlines of the official source for the data; requirements
for privacy protection of data; and listings of entities responsible for
collecting and compiling information about the value of health care
delivery systems. These provisions could become the de facto standards for
all government information collected in the future.

In addition to the major health care reform proposals, several bills which
focus only on health care information collection have been introduced. The
Health Information Modernization and Security Act, H.R. 3137 and S. 1494,
address only health care collection and privacy protection. H.R. 4077, the
Fair Health Information Practices Act, outlines specific requirements for
the privacy protection of individually identifiable health care records
(see IIA-IPO, April 1994).

Many people are predicting that Congress will not enact a comprehensive
health care reform proposal this year. However, in an election year,
members will be anxious to adopt some type of reform. Because health care
information collection policy has not been in the Congressional or public
spotlight, it is possible that it could be adopted without much public
discussion. Information professionals need to watch vigilantly lest
Congress codify health care policies without fully examining the
ramifications for information policy.
**************************************************************
[8]  SHOULD THE FEDERAL GOVERNMENT ESTABLISH
     A U.S. DATA PROTECTION COMMISSION?

Is there a need in the United States for a single oversight body -- within
the Federal Government -to monitor how private sector information
companies protect the privacy of individuals? If so, what authority should
that body have? In what federal agency should it be housed? What type of
guidelines would it follow? How would its members be selected? Does
private industry have a stake in this?

These questions are being discussed by several federal government critics
as well as by Congress. The Clinton Administration's National Information
Infrastructure Task Force's (NIITF) Privacy Working Group will soon
release a report that is likely to prescribe some type of federal
government oversight in this area. Senator Paul Simon has introduced
legislation (S.1735) that would establish a U.S. Data Protection
Commission. Rep. Gary Condit (H.R.4077) has introduced legislation to
protect the privacy of individually identifiable information in health
care records. Both the Census Bureau and the Internal Revenue Service have
established internal task forces to examine the issue of privacy and data
protection.
**************************************************************
[9]   ABOUT "INFORMATION POLICY ONLINE"

INFORMATION POLICY ONLINE (IIA-IPO) is an online newsletter published on
the Internet by the Information Industry Association and distributed free
of charge. The purpose of the Newsletter is to inform readers of events
and activities affecting information policy, and to present an information
industry viewpoint concerning these events and activities.

IIA-IPO is copyrighted by the Information Industry Association; however,
IIA-IPO is distributed without charge and may be freely reproduced and
redistributed. Please acknowledge IIA-IPO as the source of the information
when quoting or redistributing the newsletter.

TO SUBSCRIBE TO IIA-IPO:
Send the message "subscribe" to <iiaipo-request@his.com>.

ARCHIVES.  IIA-IPO is archived. To get archived copies, ftp to
<ftpmail@his.com> with the message "GET FILENAME." Individual monthly
issues are archived with file names "iia0394.zip" for March 1994,
"iia0494.zip" for April 1994, etc.
-----------------------------------------------------------------
ABOUT THE INFORMATION INDUSTRY ASSOCIATION

THE INFORMATION INDUSTRY ASSOCIATION represents leading organizations
involved in the generation, processing, distribution and use of
information. IIA is home base for businesses offering the innovative
products and services that make up the information marketplace. IIA
fosters a responsive and responsible forum for promoting a competitive and
growing information marketplace. 
-----------------------------------------------------------------
President of the IIA:  Kenneth B. Allen
Editor of Information Policy Online:
     Steven J. Metalitz, IIA Vice President and General Counsel
Consulting Editor:
     J. Timothy Sprehe, Sprehe Information Management Associates 
For messages to IIA-IPO:  <iia.ipo@his.com>
Voice: (202) 639-8262  Fax: (202) 638-4403.
*****************************************************************

 ============================================================
 From the  'New Product Information'  Electronic News Service
 ============================================================
 This information was processed from data provided by the
 above mentioned company. For additional details, contact 
 the company at the address or telephone number indicated.
 OmniPage Pro is now used for converting all printed input! 
 ============================================================
 All submissions for this service should be addressed to:
 BAKER ENTERPRISES,  20 Ferro Dr,  Sewell, NJ  08080  U.S.A.
 Email: RBakerPC (AOL/Delphi), rbakerpc@delphi.com (Internet)
 ============================================================
