December 15, 2003
The Honorable Michael K. Powell
Chairman
Federal Communications Commission
445 12th St. SW
Washington, DC 20554
Dear Chairman Powell
The Electronic Privacy Information Center (EPIC) writes to the FCC
to urge the Commission to address the privacy implications of VOIP
services and to ensure the establishment of strong privacy
safeguards for users of advanced network services.
For almost twenty years, the staff of EPIC has been involved in many
of the cutting edge privacy issues addressed by the FCC, including
Caller ID, the TCPA, CALEA, CPNI, location privacy, and most recently
the adoption of the Do Not Call regulations.
It is our view that a central requirement of a functional and
trustworthy communications network is the assurance of privacy
protection for users of the network. The failure to establish strong
and effective privacy safeguards for those who transmit personal
messages, confidential business information, financial and medical
records, (by way of example) will almost certainly reduce the
utility of the nation's communications infrastructure. Moreover, the
adoption of genuine privacy techniques -- as opposed to those which
enable widespread surveillance -- will be critical to privacy
protection in the years ahead.
The Commission must take affirmative steps to ensure strong privacy
protections for users of VoIP service. Such steps would be
consistent with the history of privacy law in the United States,
which is largely marked by efforts of Congress and regulators to
erect safeguards for technologies as they emerge. Privacy safeguards
ensure that the data collection is fair, transparent, and subject to
law. This approach builds consumer confidence, establishes a stable
business environment, and allows for the benefits of new technology
while safeguarding key interests.
The prospective benefits must not be unencumbered by threats to
privacy that would prevent consumer adoption of the new service.
Specifically, we urge the FCC to consider technical and legal
safeguards to protect communications traffic (content and routing
information) and user location information, and to ensure that those
expert in privacy law and regulation participate in the work of the
FCC on VOIP.
One of the great achievements of the American legal system has been
our strong commitment to protecting the privacy of personal
communications. This can be traced back at least as far as Benjamin
Franklin, who in establishing the national postal service recognized
the need to enact federal law to protect the privacy of
communications.
In the mid-1980s, the growth of the Internet and new communications
services was apparent. Individuals used desktop computers to send
messages to one another by means of electronic mail. New industries
were emerging and new services were being offered. But questions
about privacy protection in the new communications environment
arose. Congress wisely amended the federal wiretap law and enacted
the Electronic Communications Privacy Act, which extended privacy
protection to electronic communications and stored messages and
helped establish public support for new network services.
Similarly, in 1984, Congress passed the Cable Communications Policy
Act long before widespread adoption of cable television or two-way
interactive communications. That law established strong privacy
safeguards, including opt-in protections for subscriber privacy,
thereby encouraging adoption of the technology by consumers without
the risk that every second of viewing behavior would be collected,
sold, or delivered to law enforcement.
In 1991, well before cellular phones were widely distributed,
Congress acted to shield the devices from unwanted telemarketing.
Subsequent FCC regulations set a high standard for protection of
cellular phones, thus allowing wide adoption of the technology while
avoiding interruption and privacy invasion caused by unwanted
telemarketing. In 1994, those regulations were supplemented by the
Telemarketing Act, which resulted in greater consumer protections
for telephone privacy.
In the context of VoIP, many services, including "presence sensing"
and E911 services, will raise privacy issues. It is important that
moving forward, standards are set that limit retention and
secondary, improper uses of location information derived from VoIP
use. Location information should only be used to provide services
to users. It is inappropriate for it to be used for secondary
purposes, such as marketing based on an individual's location.
In a commercial context, improper use of location information may
lead to a loss of anonymity in our daily activities as companies
attach a marketing value to individuals' location. Used by
government for law enforcement and national security purposes,
unregulated access to location data threatens to create a society of
"dataveillance," where data such as location information is
routinely collected for surveillance, without any investigatory
predicate.
EPIC maintains our strong reservations regarding the application of
the Communications Assistance to Law Enforcement Act (CALEA)
requirements to this service. It is simply not coherent to argue
that VOIP services should be free of government regulation and then
for the government to require that communication service providers,
hardware manufacturers, and network developers incorporate the most
extreme communications surveillance requirements of the Federal
Bureau of Investigation. CALEA, if applied to VOIP, would establish
unprecedented regulation for new communications services.
Communications technologies like VoIP should be designed for
precisely what they are intended for: to enable communication
between people, not to allow surveillance on private citizens. The
requirement that VoIP contain surveillance mechanisms for government
usage also may create security holes in VoIP technology that
unauthorized persons may use to eavesdrop on private persons.
EPIC maintains online resources on VOIP and other privacy issues at
http://www.epic.org; we urge the FCC to consult those resources as
issues surrounding VoIP are studied.
Privacy issues must be addressed at the outset. The consequences
of failing to establish privacy protections for users of VOIP-based
services will be staggering.
We look forward to working with the FCC on these important issues.
Sincerely,
Marc Rotenberg
Executive Director
Chris Jay Hoofnagle
Associate Director