Hearing before the House Committee on International Relations

Testimony and Statement for the Record of

Marc Rotenberg

Director, Electronic Privacy Information Center
Adjunct Professor, Georgetown University Law Center
Senior Lecturer, Washington College of Law

H.R. 2281. The WIPO Copyright Treaties Implementation Act
and Privacy Issues

Before the

Subcommittee on Telecommunications, Trade, and Consumer Protection,
Committee on Commerce,
U.S. House of Representatives

June 5, 1998

SUMMARY

Traditionally, copyright law has not posed a particular problem for privacy protection. Readers, listeners and viewers have always enjoyed very high levels of privacy, by practice if not by law, without any threat to the interests of copyright holders. Copyright grants certain rights to copyright holders, but these rights do not include the right to know the identity of the copyright user.

But HR 2281, as currently drafted, threatens to obliterate existing privacy safeguards by allowing intrusive new data collection techniques, limiting the ability of individuals to develop methods to protect their own privacy, and granting law enforcement access to personal information without core Fourth Amendment safeguards. Several changes must be made to the bill to protect well established privacy interests.

First, the definition of Copyright Management Information in section 1202 should explicitly exclude personally identifiable information. The current provision will create enormous problems and the Savings Clause proposed by the Senate is insufficient. The alternative 1202 language in HR 3048 will avoid a serious privacy problem and should be substituted.

Second, the anti-circumvention language in section 1201 is extraordinarily broad and will have all sorts of unintended consequences. The crime of circumvention should be specifically linked to the actual infringing act and not simply the use of a particular technique that may or may not be harmful. It is also important to narrow the definition of circumvention and technological protection mechanisms to ensure that many important techniques that promote the growth of the Internet are not accidentally prohibited. Again, HR 3048 provides a more carefully tailored way to address the concern identified in section 1201.

Third, it is important to establish procedural safeguards in proposed section 512(g) to avoid fishing expeditions by those who allege infringement. As the section currently stands, it will grant unprecedented authority to copyright holders to inquire into the private activities of others without any opportunity for the individual whose privacy is at risk to challenge the act in a court of law.

Fourth, the exception for law enforcement and intelligence activities in sections 1201(f) and 1202(d) is overly broad and should be narrowed. It is particularly important to make clear the need for a warrant or similar judicial authority when a search by a government agent occurs.

Fifth, a new provision establishing an affirmative right of anonymity should be incorporated. Such a provision would ease public concerns about the misuse of personal information and enable the growth of a vibrant economy for digital works.

Privacy remains a central concern for Internet users. The Internet is still in the very early stages of development. There is every opportunity to shape the on-line environment to promote electronic commerce, protect intellectual property and still preserve privacy. There is no reason to enact provisions that will sacrifice this essential freedom.

My name is Marc Rotenberg. I am the executive director of the Electronic Privacy Information Center, a public interest research organization based in Washington, DC. I am also an adjunct professor at Georgetown University Law Center and senior lecturer at the Washington College of Law. I have taught privacy law for almost ten years and I have been involved in many debates and discussions concerning privacy protection. I appreciate the opportunity to testify today on the WIPO treaty legislation and privacy issues. Privacy is an important concern of Internet users, and sensible copyright legislation should have minimal impact on the privacy interests of Internet users.

I also appreciate the efforts of Chairman Tauzin and Representative Markey and the other members of the Subcommittee in support of privacy protection. The Subcommittee has already shown a strong interest in protecting consumer interests in the online world. Consistent with your earlier efforts on this issue and your ongoing concerns, I believe that certain changes to HR 2281 are crucial to ensure protection of this essential freedom.

PROTECTION OF PRIVACY TODAY

For many years copyright protection and privacy protection have peacefully coexisted. Owners of copyrighted workers could receive compensation for their efforts from users of the works, while those same users could protect their privacy. In the traditional world of print publication and electronic broadcast, recipients of information had a high expectation of privacy. You could read the morning paper, listen to the radio, or watch TV and no one would know that you were doing any of these particular things. This is not simply privacy protection, but the specific ability to withhold disclosure of your identity -- the right to remain anonymous. Copyright protection for authors coupled with respect for the privacy of the reader, the viewer, and the listener has produced a vibrant and flourishing information world.

The need to preserve a high level of privacy is all the more important as you consider a new copyright regime that will be in place in the digital world for many years to come. As you may be aware, privacy is now the number one concern of Internet users. A report released this week by the Federal Trade Commission found that few web sites even have privacy policies. People are aware that information is often collected without their knowledge or consent. This is not a new problem. But the WIPO implementing legislation threatens to fundamentally transform many areas of life where privacy is routinely protected.

Apart from privacy as an important personal right, there is also the very real problem that the absence of privacy safeguards in the new on-line world may have significant economic costs. In fact, Commerce Secretary William Daley recently described privacy protection as a "make or break" issue for electronic commerce. Studies by consulting groups and others find that public concern about the loss of privacy contributes to a reluctance to use new online services.

PROBLEMS CREATED BY COPYRIGHT MANAGEMENT INFORMATION

One of the central problems with H.R. 2281 is section 1202 concerning Copyright Management Information. CMI is information related to a digital work. A CMI system could be used appropriately to help ensure that copyright holders are able to clearly establish the ownership of a copyrighted work in a digital environment. For example, making sure that a copyright notice could not be removed. But CMI could also be used, inappropriately I believe, to track the activities and interests of users of copyrighted works. In this design, it is not just the information necessary to protect the ownership interests of the copyright holder that is recorded, but also the specific uses of the copyrighted work.

As currently drafted, section 1202 defines the type of information that may be collected in the course of establishing a system for copyright management information. The focus is clearly on protecting ownership, but the section does not preclude the collection of personally identifiable information. As a practical matter, this could mean that every use of a copyrighted work would be linked to a particular user. This would produce far more detailed information about individual preferences, likes and dislikes that was ever collected in the past.

In our current world, the Washington Post might know that your are a subscriber if you have home delivery, though of course you could still pick up the paper at a newsstand. But the world created by this legislation will be very different.

The reason for this is that copyright exists at a much higher level of specificity than the purchase information that might generally be known to businesses. A copyright attaches to a single article, a single photograph, a single piece of music. It is one thing to say that you are a subscriber to Sports Illustrated, quite another to know that you read articles on gymnastics, but not football, look at pictures of swimmers but not boxers.

That the drafters of HR 2281 were aware of the privacy problem in this section is apparent in the language of 1202(c)(6) which makes clear that the Register of Copyrights, who could otherwise issue regulations, may not collect any information regarding the user of the copyrighted work. But this provision is far too narrow, and leaves open the opportunity for virtually anyone other than the Register -- including copyright holders, OSPs, and developers of new systems -- to hardwire the collection of personal information into the CMI.

It should be clear first that copyright holders have no special claim on what you or I wish to read, watch, or hear. Copyright law has never established a right to know the identity of a user of a copyrighted work. Where identity has been disclosed, it is generally pursuant to a licensing scheme (ASCAP) or some secondary purpose (shipping a product) and not federal legislation. It may also be necessary to determine the identity of a user of a work to establish infringement. But there is no general right of a copyright owner to know the identity of the user. The CMI provision, if left unchanged, could radically alter this fundamental arrangement.

I believe many others are well aware of this problem. Bruce Lehman made clear that CMI should not include tracking or usage information in testimony before the House Judiciary Committee. He said, "It would be wholly inconsistent with the purpose and construction of this bill to include tracking and usage information within the definition of CMI."]

To create databases that would record each person's use of copyrighted works would be establish the most intrusive and far-reaching data collection systems ever conceived. We have seen similar proposals to track users private communications. The Administration tried, by means of the Clipper scheme, to establish an unbreakable technique to track all communications in the digital world. No proposal has been more widely criticized on the Internet. Even the Administration conceded that Clipper was ultimately a failure.

It is not enough to note the special circumstances when users may be required to defeat copyright management schemes to further important ends, it is necessary to ask whether it is appropriate and fair for copyright holders to demand disclosure of one's identity as an additional cost of gaining access to a copyrighted work.

If this issue is unresolved, then the other provisions of 1202, notably subsections (a) and (b), become problematic. I would agree for example, that a user does not generally have the right to alter copyright management information pertaining to the owner of the work. But if the CMI also includes information about the individual, how could we say presumptively that he could not alter it, if it was for example, inaccurate, incomplete, or out of date. In such a setting the copyright interest would always trump the privacy interests. That can’t be right and it certainly isn't necessary to achieve the purpose of section 1202.

I believe that a very clear line must be drawn between the information that is necessary to establish the ownership of copyrighted works and the very different information relating to one's personal activities and private preferences. Without the ability to defeat unreasonable claims on users identity, individuals will face a harsh choice: sacrifice privacy and receive information or protect privacy and be cut off from information world. There is nothing in the technology or our legal tradition that requires this result.

There is a possible solution. Section 1202 of the Boucher-Campbell measure treats privacy issues more directly and more sensibly. It explicitly excludes from the definition of copyright management systems any personally identifiable information relating to the user of the work ("including but not limited to the name, account, address or other contact information of or pertaining to the user.") [new section 1202] In this manner it avoids the very serious problems that could arise if 1202 is left in its current form.

The attempt by the Senate to address privacy concerns through section 1205, while well intended, will simply not do the job. A sweeping new data collection system -- which is the essence of CMIs -- must make clear how personal information is to be protected. Section 1205 fails to establish the privacy rights that are necessary to protect the information that could be collected as a result of passage of this bill. In effect, it recognizes the problem, but proposes no solution.

If this is not clarified, then it is necessary before any copyright management scheme is enacted into law, to establish a legal right and the technical means to obtain information anonymously. Then it is necessary to make clear the privacy safeguards, established by statutory provisions similar to those found elsewhere, that will apply when personally identifiable information is obtained.

THE ISSUE WITH COOKIES

Several of the sponsors of the Senate measure have expressed concern about the treatment of cookies. The issue is this: could a copyright owner use a particular feature of the Internet protocols to log the activities of a user, by placing a small file on the user's disk, and effectively by means of this Act prevent the user from disabling the file.

The Senate wrestled with this problem. Some expressed concern about the potential privacy problems. Others said that there was in fact no problem. In the end, I think the Senate may have misunderstood the cookies problem. The Senate focused on the problems that could result if the cookie was encrypted or special copyright interest attached. Certain provisions in the bill suggested that defeating such "hardened" cookies would not be allowed.

This could well be a problem in the near future. But the much clearer problem today is found section 1201(a)(1) which says simply that "No person shall circumvent a technological protection measure that effectively controls access to a work protected under this title." This prohibition coupled with the definitions of circumvention and technological protection mechanism would produce many unintended consequences

For example, a cookie can be used to control access to a web site. This is done with many web sites today to make it easier for people to use web sites without having to remember lots of passwords. For example, the New York Times web site requires a password. The first time I went to the site, I registered and was given a password. The New York Times stored some information in a file on my computer, called the "cookie" file, so that when I returned to the New York Times web site my password would be automatically uploaded and I could get access to the site.

Now, what happens if I decide to delete the cookie file that the New York Times has placed on my computer? Perhaps I don't want others who use my computer to have access to the New York Times web site through my password. Perhaps I am concerned that the cookie might also contain some information about my interests that I don't think the New York Times should be collecting about me. Under the terms of HR 2281 as currently drafted, I believe it could be argued that this it is an unlawful circumvention of a technological protection system for me to remove this cookie from my own computer.

This result is reached for several reasons. First, the definition of technological protection mechanism is very broad. Second, the definition of circumvention is very broad. The language is such that it covers far more than extensive decrypting, reverse engineering, or cracking. Under the current language, simply "removing" or "deactivating" a bit of software would be considered circumvention. And, of course, the technology is changing rapidly.

It is very important to narrow the language in sections 1201(a)(1), 1201(a)(3)(A), and 1201(a)(3)(B) to avoid this result. Here again, HR 3048 offers a better approach by making clear that the circumvention conduct must be done for the "purpose of facilitating or engaging in an act of infringement," of a technological measure used by the copyright owner "to preclude or limit reproduction of work." Section 1201(a) in HR 3048 makes much clearer what the prohibited conduct is and avoids the many unintended consequences that would likely result from adoption of the current 1201(a) language.

IDENTIFICATION OF DIRECT INFRINGER

There is also a significant privacy problem in the way HR 2281 treats the problem of investigating infringement. The industry agreement to resolve the problem of OSP liability has, unfortunately, created new privacy risks for users.

The provision on "Identification of Direct Infringer" (Proposed Section 512(g) would grant broad new rights to obtain access to information about the activities of Internet users prior to any showing of actual infringement. While this provision may shield the OSPs from liability, it opens the door to new actions against users whether or not they are in fact engaging in infringing uses of copyrighted works.

Section 512 lacks adequate safeguards to ensure that inaccurate, incomplete, or outdated information does not result in improper or unreasonable intrusions on privacy. It grants too much latitude to those who might pursue fishing expeditions. While the declaration process is useful , there are no means set out to ensure that this process is not abused. Particularly in circumstances involving competitors or critics, it is not difficult to imagine that copyright holders might use their rights under 512(g) to investigate and gather information about the activities of others that would not generally be available in the off-line world.

Procedural safeguards should be established that would require a threshold showing of the likelihood of success on the merits, the opportunity for motion to oppose, and judicial review. At the very least, notice should be provided by the OSP to the subscriber within some reasonable time after information about the subscriber is disclosed to a third party. This perhaps the surest guarantee that this new authority is not abused.

ABOUT ENCRYPTION

One of the central technologies to protect privacy today is encryption. It is the means to hide information and also to authenticate information. Encryption research is proceeding at a fast pace, driven by the need to enable a secure environment for data transmission and to promote electronic commerce. We have a particular interest in the privacy community in ensuring that techniques to promote confidentiality and to protect identity are robust and secure.

It is central to the development of encryption, as it is to other scientific enterprises, that basic research be open, unrestricted, and subject to comment and criticism. An excellent example of the problem with the alternative approach was presented when the government announced the Clipper encryption scheme that would have been a standard across the federal government to protect the security of government information. A cryptography expert was able to show that the scheme could be easily broken. Efforts to restrict this testing that may even raise concerns about national security -- attacking the governments own codes-- could have devastating impact on privacy and network security.

I believe that 1201 takes the wrong approach in trying to limit the use of encryption techniques. The provision casts a long shadow over efforts to promote interoperatibility, to encourage innovation, and to strengthen network security. The simple problem is the attempt to criminalize a new technique rather than a bad act.

I urge you to narrow the language in 1201 to focus on the bad act and not the technology.

LAW ENFORCEMENT ACCESS

Mr. Chairman, I am concerned also about the current language in 1201(f) and 1202(d) that grants sweeping authority to agents of the government to engage in acts that would otherwise be prohibited by this measure. I appreciate that there are important circumstances necessary to the protection of the public and the investigation of crime that requires law enforcement officials to engage in certain activities. But these exceptions, when they are incorporated in law, are typically done by reference to explicit statutory authority and with the recognition that our Constitutional form of government places in between the investegatory authority of the government and the people an independent judiciary that has the responsibility to assess the claims of the government against the privacy interests of the citizenry.

This bill contemplates many circumstances where personally identifiable information will be collected and potentially disclosed. In the investigation of copyright infringement, for example, it is clearly the case that information about individuals could be obtained by law enforcement. Where such a search by a government agent occurs, it is appropriate and necessary to establish some form of judicial review to ensure that the search is not improper. Many of our modern privacy laws, dealing with everything from cable subscriber records to electronic mail, recognize that there are circumstances where law enforcement will need to get access to similar personal information to investigate allegations of wrongdoing. But all of these laws establish a requirement for a warrant, subpoena, or similar lawful process, to ensure that the interests of the individual are preserved.

No such language is found in HR. 2281. I believe this a serious omission and I would strongly urge the committee to revise 1202(f) and 1202(d) so as to make clear that when personal information in the possession of a third party is sought by an agent of the government, a lawful warrant, subpoena, or other lawful process is first obtained. It is not sufficient to say that the activity is "lawfully authorized." To be consistent with the core Fourth Amendment principle, that authorization must be pursuant to a judicial determination.

On this particular point, I am afraid that the Senate measure goes even further in the wrong direction. So much so, in fact, that it even calls into question whether the United States will be complying with its obligations in the WIPO treaty if it permits not only agents of the US government but also "contractors" and "other persons acting at the direction of" government officials to engage in acts otherwise prohibited by the Act. I am not aware of such a sweeping exception in any other federal statute. It goes far beyond the "order public" doctrine in international law that recognizes the special concerns of law enforcement.

Again, H.R. 3048 takes a more sensible approach. Relying on existing legal doctrines that permit law enforcement officials to engage in acts necessary to investigate crime and protect the public, it creates no new exemption that could undermine existing Fourth Amendment safeguards or even raise questions about compliance with the WIPO Treaty.

ADDITIONAL PRIVACY ISSUE - PROTECTION OF ANONYMITY

Addressing privacy concerns in legislation is often a defensive measure and raises the concern whether law can ever keep up with technology. I'd like to suggest that there may be a way to get out ahead of the privacy issue with the legislation with a proactive provision that could enable electronic commerce and protect privacy interests. The Subcommittee should consider a new provision that would explicitly guarantee the right of individuals to receive information without disclosure of identity -- a right of anonymity.

Such a provision would follow well established practices in the off-line world where it is possible for individuals to routinely buy books in bookstores, read newspapers at newsstands, and view pictures in museums, without ever disclosing their actual identity. Anonymity has also been central to the growth of the Internet and the vibrant intellectual traditions of this country. The Supreme Court has also recently affirmed that the right to speak anonymously is protected by the First Amendment.

A similar provision was recently adopted in the German multi-media law and is specifically intended to promote consumer confidence in new on-line services. Other governments, including Canada and the Netherlands are exploring new techniques to promote anonymity because they also believe that this could be one of the best ways to develop long-term solutions to the privacy problem.

I am not proposing any particular product, technical means or government standards. There may be dozens or hundreds of companies that could develop new products and services to enable anonymous payment for digital works and anonymous viewing of information in the on-line world. The critical point is to take this opportunity to encourage the creation of these systems by establishing a right for individuals to gain access to a copyrighted work without being compelled to disclose their actual identity. As long as the copyright holder receives value, I do not see a possible objection.

Such pro-active privacy measures could be the seeds of new privacy safeguards in the on-line world. Short of a legislative right, a study examining the prospects for such opportunities could certainly be pursued by the National Research Council. An earlier report on encryption has been quite useful for policy development. A similar report on means to promote anonymity in the on-line world could be useful.

NEED FOR PRIVACY SAFEGUARDS IN HR 2281

Privacy protection is central to the American tradition. It has long co-existed with copyright, and by practice, has enabled a rich and vigorous of information and ideas. It is particularly important with the development of new information technologies to ensure that privacy is protected.

Congress has recognized the importance of protecting the privacy of one's preferences, particularly in new information services. In 1984 as part of the Cable Act, privacy provisions were incorporated to protect the privacy of subscriber information. The Video Privacy Protection Act of 1988 extended safeguards to customers of video rental stores. Even the Telecommunication Reforms Act of 1996 makes clear the need to protect privacy in this new information world

The combination of a draconian copyright management regime with an absence of privacy protection enforceable in law, will allow information owners to extract personal information from consumers that would never have been disclosed in the off-line world. It is an unfair choice that no one should have to confront.

As currently drafted, H.R. 2281 will create many privacy problem. But there are ways to address these problems that still respect the interests of the copyrights holders. I have proposed several in my statement. I hope you will give them all full consideration.

The Internet is still in the very early stages of development. There is every opportunity to shape the on-line environment to promote electronic commerce, protect intellectual property and still preserve privacy. There is no reason to enact provisions that will sacrifice this essential freedom.

I appreciate your attention. I will be pleased to answer your questions.