Order Code 98-67 STM
CRS Report for Congress
Internet: An Overview of
Key Technology Policy Issues
Affecting Its Use and Growth
Updated December 24, 2003
Marcia S. Smith, John D. Moteff, Lennard G. Kruger,
Glenn J. McLoughlin, and Jeffrey W. Seifert
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress
Summary
The growth of the Internet may be affected by a number of issues being debated
by Congress. This report summarizes several key technology policy issues.
1. Internet privacy issues encompass concerns about information collected by
Web site operators, and, separately, about the extent to which law enforcement
officials or employers monitor an individual’s Internet activities. The 2001 USA
PATRIOT Act (P.L. 107-56) has privacy advocates concerned about new authorities
granted to law enforcement officials in that regard.
2. Concerns about computer security are prevalent in both the government and
private sectors. Concerns have also been raised about the vulnerability of the
nation’s critical infrastructures (e.g. electrical power supply) to cyber attacks. Issues
for Congress include oversight and improvement of the protection of federal
computer systems and cooperation with and between the private sectors.
3. Broadband Internet access gives users the ability to send and receive data
at speeds far greater than current Internet access over traditional telephone lines.
With deployment of broadband technologies beginning to accelerate, Congress is
seeking to ensure fair competition and timely broadband deployment to all sectors
and geographical locations of American society.
4. Since the mid-1990s, commercial transactions on the Internet — called
electronic commerce (e-commerce) — have grown substantially. Among the issues
facing Congress are encryption procedures to protect e-commerce transactions,
extension of the 3-year tax moratorium on domestic e-commerce taxation, the impact
of the USA PATRIOT Act, and how the policies of the European Union (EU) and
World Trade Organization (WTO) may affect U.S. e-commerce activities.
5. The new federal anti-spam law, the CAN-SPAM Act, permits, but does not
require, the Federal Trade Commission (FTC) to create a “do not e-mail” list similar
to the National Do Not Call list for telemarketers. Whether to require the FTC to
establish such a list, and the extent to which the new law will actually reduce the
amount of spam, remain congressional issues in the wake of the law’s enactment.
6. The administration and governance of the Internet’s domain name system
(DNS) is currently under transition from federal to private sector control. Congress
is monitoring how the Department of Commerce is managing and overseeing this
transition in order to ensure competition and promote fairness among all Internet
constituencies.
7. The evolving role of the Internet in the political economy of the United States
continues to attract attention in the 108th Congress. Three major themes characterize
legislative activity and interest: Internet infrastructure development, resource
management, and the provision of online services by the government (called “e-
government”).
Contents
Introduction
Legislation Passed by the 108th Congress
    The CAN-SPAM Act (P.L. 108-187)
    The PROTECT Act (P.L. 108-21)
Internet Privacy
    Collection of Data by Web Site Operators and Fair Information Practices
        Commercial Web Sites
        Federal Web Sites
    Monitoring of E-Mail and Web Activity
        Government and Law Enforcement Monitoring
        Employer Monitoring
    Spyware
Computer Security
Broadband Internet Access
    Easing Restrictions and Requirements on Incumbent Telephone Companies
        Unbundling and Resale
        Provision of InterLATA Services
    Open Access
    Federal Assistance for Broadband Deployment
Electronic Commerce
    Background
    The E-Commerce Industry
    Issues for the Bush Administration and Congress
        Protection and Security Issues
        E-Commerce Taxation
        The EU and WTO
        The 108th Congress
Unsolicited Commercial Electronic Mail (“Junk E-Mail” or “Spam”)
Internet Domain Names
    Recent History
    Issues
        Top Level Domains
        Protecting Children on the Internet
        Governance
        Trademark Disputes
Government Information Technology Management
    Internet Infrastructure and National Policy
        Information Technology R&D
    Provision of Online Services (E-Government)
    Open Source Software
Appendix A: Pending Legislation
    Internet Privacy
    Computer Security
    Broadband Internet Access
    E-Commerce
    Internet Domain Names
Appendix B: List of Acronyms
Appendix C: Legislation Passed by the 105th - 107th Congresses
    Legislation Enacted in the 105th Congress
    Legislation Enacted in the 106th Congress
    Legislation Enacted in the 107th Congress
Appendix D: Related CRS Reports
Introduction
The continued growth of the Internet for personal, government, and business
purposes may be affected by a number of issues being debated by Congress. Among
them are Internet privacy, computer security, access to broadband (high-speed)
services, electronic commerce (e-commerce), unsolicited commercial electronic mail
(“junk e-mail” or “spam”), Internet domain names, and government information
technology management. This report provides brief summaries of those issues, as
well as appendices that list related legislation pending in the 108th Congress, a list of
acronyms, a discussion of related legislation passed in the 105th - 107th Congresses,
and a list of other CRS reports that provide more detail on the issues.
Legislation Passed by the 108th Congress
During the first session of the 108th Congress, two laws were enacted related to
the topics covered in this report. The first concerns commercial electronic mail (e-
mail), and the other is related to Internet domain names. Both of these subjects are
discussed in more detail later in this report. Following is a brief summary of the two
new laws.
The CAN-SPAM Act (P.L. 108-187)
P.L. 108-187 (S. 877), the CAN-SPAM Act, sets civil or criminal penalties if
senders of commercial e-mail do not provide a legitimate opportunity for recipients
to “opt-out” of receiving further commercial e-mail from the sender, if they use
deceptive subject headings, if they use fraudulent information in the header of the
message, if they “harvest” e-mail addresses from the Internet or use “dictionary
attacks” to create e-mail addresses, if they access someone else’s computer without
authorization and use it to send multiple commercial e-mail messages, or engage in
certain other activities connected with sending “spam” — variously defined by
participants in the debate as unsolicited commercial e-mail, unwanted commercial
e-mail, or fraudulent commercial e-mail. This new federal law preempts state laws
that specifically regulate electronic mail, but not other state laws, such as trespass,
contract, or tort law, or other state laws to the extent they relate to fraud or computer
crime. It authorizes, but does not require, the Federal Trade Commission to establish
a centralized “do not e-mail” list similar to the National Do Not Call list for
telemarketing.
The PROTECT Act (P.L. 108-21)
P.L. 108-21 (S. 151), the PROTECT Act, contains a provision (Sec. 108,
Misleading Domain Names on the Internet) that makes it a punishable crime to
knowingly use a misleading domain name with the intent to deceive a person into
viewing obscenity on the Internet. Increased penalties are provided for deceiving
minors into viewing harmful material. (CRS Report RS21328 provides further
information on this and other legislative efforts to protect children from unsuitable
material on the Internet.)
Internet Privacy [1]
Internet privacy issues encompass a range of concerns. One is that the Internet
makes it easier for governmental and private sector entities to obtain information
about consumers and possibly use that information to the consumers’ detriment.
That issue focuses on the extent to which Web site operators collect personally
identifiable information (PII) about individuals and share that information with third
parties, often without the knowledge or consent of the people concerned. Another
aspect of Internet privacy is the extent to which Internet activities such as electronic
mail (e-mail) and visits to Web sites are monitored by government or law
enforcement officials, or employers.
Collection of Data by Web Site Operators
and Fair Information Practices
One aspect of the Internet privacy issue is whether commercial Web sites should
be required to adhere to four “fair information practices” proposed by the Federal
Trade Commission (FTC): providing notice to users of their information practices
before collecting personal information, allowing users choice as to whether and how
personal information is used, allowing users access to data collected and the ability
to contest its accuracy, and ensuring security of the information from unauthorized
use. Some add enforcement as a fifth practice. In particular, the question is whether
industry can be relied upon to regulate itself, or if legislation is needed to protect
consumer privacy. Questions also have arisen about whether federal government
Web sites should have to adhere to such practices. CRS Report RL30784, Internet
Privacy: An Analysis of Technology and Policy Issues, provides more detailed
information on fair information practices in the Internet context.
Commercial Web Sites. Based on surveys of commercial Web sites during
the late 1990s, the FTC issued reports and made recommendations about whether
legislation is needed to protect consumer privacy on the Web. Although the FTC and
the Clinton Administration favored self regulation, in 1998, frustrated at industry’s
slow pace, the FTC announced that it would seek legislation protecting children’s
privacy on the Internet by requiring parental permission before a Web site could
request information about a child under 13. The Children’s Online Privacy
Protection Act (COPPA, part of P.L. 105-277) was enacted four months later.
[1] CRS Report RL31408, Internet Privacy: Overview and Pending Legislation, by Marcia
S. Smith, provides an overview of Internet privacy issues and tracks pending legislation. It
is updated more frequently than this report. CRS Report RL30784, Internet Privacy: An
Analysis of Technology and Policy Issues, by Marcia S. Smith, provides more
comprehensive analysis of many of the issues involved in this debate.
In 1999, the FTC concluded that further legislation was not needed at that time
for children or adults, but reversed its decision in 2000 when another survey
indicated that industry still was not self regulating to the desired extent. The FTC
voted 3-2 to propose legislation that would allow it to establish regulations requiring
Web site operators to follow the four fair information practices. In June 2001,
Timothy Muris replaced Robert Pitofsky as FTC chairman and indicated that he did
not see a need for additional legislation at that time.
The Internet industry has taken steps to demonstrate that it can self regulate. One
example is the establishment of “seals” for Web sites by the Better Business Bureau,
TRUSTe, and WebTrust. To display a seal from one of those organizations, a Web
site operator must agree to abide by certain privacy principles (some of which are
based on the OPA guidelines), a complaint resolution process, and to being
monitored for compliance. Another approach is using software called “P3P”
(Platform for Privacy Preferences) that gives individuals the option to allow their
web browser to match the privacy policies of websites they access with the user’s
selected privacy preferences. Advocates of self regulation argue that these efforts
demonstrate industry’s ability to police itself. Advocates of further legislation argue
that while the seal programs are useful, they do not carry the weight of law, limiting
remedies for consumers whose privacy has been violated. They also point out that
while a site may disclose its privacy policy, that does not necessarily equate to having
a policy that protects privacy. Some also consider P3P to be insufficient.
In the 108th Congress, H.R. 69 (Frelinghuysen) would require the FTC to
prescribe regulations to protect the privacy of personal information collected from
and about individuals not covered by COPPA. H.R. 1636 (Stearns) is a broad
consumer privacy bill. S. 745 (Feinstein) requires commercial entities to provide
notice and choice (opt-out) to individuals regarding the collection and disclosure or
sale of their PII, with exceptions. S. 1350 (Feinstein) requires federal agencies and
persons engaged in interstate commerce, who possess electronic data containing
personal information, to disclose any unauthorized acquisition of that data. See CRS
Report RL31408 for the status of Internet privacy legislation.
Federal Web Sites. Until the summer of 2000, attention was focused on
privacy issues associated with commercial Web sites. That changed in June 2000,
however, when controversy erupted over the privacy of visitors to government Web
sites. The issue concerned federal agencies’ use of computer “cookies” (small text
files placed on users’ computers when they access a particular Web site) to track
activity at their Web sites. Federal agencies had been directed by President Clinton
and the Office of Management and Budget (OMB) to ensure that their information
collection practices adhere to the Privacy Act of 1974. A September 5, 2000 letter
from OMB to the Department of Commerce further clarified that “persistent”
cookies, which remain on a user’s computer for varying lengths of time (from hours
to years), are not allowed unless four specific conditions are met. “Session” cookies,
which expire when the user exits the browser, are permitted.
In June 2000, however, it became known that contractors for the Office of
National Drug Control Policy (ONDCP) were using cookies to collect information
about those using ONDCP’s Web site during an anti-drug campaign. The White
House directed ONDCP to cease using cookies, and OMB issued a memorandum
reminding agencies to post and comply with privacy policies and detailing the limited
circumstances under which agencies should collect personal information.
Congress passed a provision in the FY2001 Treasury-General Government
Appropriations Act (the “Treasury-Postal” Appropriations Act) and the FY2001
Transportation Appropriations Act (P.L. 106-346, Section 501) that prohibited funds
from being used by any federal agency to collect, review, or create aggregate lists that
include personally identifiable information (PII) about an individual’s access to or
use of a federal Web site or enter into agreements with third parties to do so, with
exceptions. Similar language was included in the FY2002 Treasury-Postal
Appropriations Act (P.L. 107-67), and the Treasury-Postal section of the FY2003
Consolidated Appropriations Resolution (P.L. 108-7). Congress also passed the E-
Government Act (P.L. 107-347, H.R. 2458), which requires federal Web sites to
include a privacy notice that addresses what information is to be collected, why, its
intended use, what notice or opportunities for consent are available to individuals
regarding what is collected and how it is shared, how the information will be secured,
and the rights of individuals under the 1974 Privacy Act and other relevant laws. It
also requires federal Web sites to translate their privacy policies into a standardized
machine-readable format, enabling P3P to work, for example.
Monitoring of E-Mail and Web Activity
Government and Law Enforcement Monitoring. Another Internet
privacy storm broke in the summer of 2000 when it became known that the FBI, with
a court order, can install software on Internet Service Providers’ equipment to
intercept e-mail and monitor an individual’s Web activity. The extent to which that
software program, originally called Carnivore (now “DCS 1000”), can differentiate
between e-mail and Web activity involving a subject of an FBI investigation and
other people’s e-mail and Web activity is of considerable debate, with critics
claiming that Carnivore violates the privacy of innocent users. The 21st Century
Department of Justice Authorization Act (P.L. 107-283) requires the Justice
Department to report to Congress on its use of DCS 1000 or any similar system.
Conversely, following the September 11, 2001, terrorist attacks, Congress
passed the USA PATRIOT Act (P.L. 107-56), which expands law enforcement’s
ability to monitor Internet activities. The Internet privacy-related provisions of the
USA PATRIOT Act are discussed in CRS Report RL31289. The most controversial
provision is Section 212. As originally enacted, that section allows ISPs to divulge
records or other information (but not the contents of communications) pertaining to
a subscriber if they believe there is immediate danger of death or serious physical
injury or as otherwise authorized, and requires them to divulge such records or
information (excluding contents of communications) to a governmental entity under
certain conditions. It also allows an ISP to divulge the contents of communications
to a law enforcement agency if it reasonably believes that an emergency involving
immediate danger of death or serious physical injury requires disclosure of the
information without delay. In 2002, Congress amended this section, lowering the
threshold for when ISPs could voluntarily divulge information, and to whom. Under
the Cyber Security Enhancement Act, section 225 of the Homeland Security Act
(P.L. 107-296), ISPs need only a “good faith” belief (instead of a “reasonable”
belief), that there is an emergency involving danger (instead of “immediate” danger)
of death or serious physical injury. The contents of the communication can be
disclosed to “a Federal, state, or local governmental entity” (instead of a “law
enforcement agency”).
Privacy advocates complain that it is extremely difficult to monitor how the
USA PATRIOT Act is being implemented. They are especially concerned about the
amendment made by the Cyber Security Enhancement Act. For example, the
Electronic Privacy Information Center (EPIC) notes that allowing such information
to be disclosed to any governmental entity not only poses increased risk to personal
privacy, but also is a poor security strategy; and that the language does not provide
for judicial oversight of the use of these procedures.
S. 1695 (Leahy) would amend the PATRIOT Act to provide more oversight.
Inter alia, it would amend the sunset provision (Sec. 224) such that all of the above
cited sections would terminate on December 31, 2005, including Sections 210 and
216, which currently are not subject to the sunset clause. S. 1709 (Craig) would
amend the USA PATRIOT Act, inter alia to include Section 216 in the sunset
provision.
Employer Monitoring. An emerging issue is whether employers should be
required to notify their employees if e-mail or other computer-based activities are
monitored. A 2003 survey by the American Management Association
[http://www.amanet.org/research/index.htm] found that 52% of the companies
surveyed engage in some form of e-mail monitoring. The public policy concern
appears to be less about whether companies should be able to monitor activity than
about whether they should notify their employees of that monitoring.
Spyware
Some software products include, as part of the software itself, a method by
which information is collected about the use of the computer on which the software
is installed. When the computer is connected to the Internet, the software
periodically relays the information it has collected back to the software manufacturer
or a marketing company. The software that performs the collection and reporting
function is often called “spyware.” Software programs that include spyware can be
obtained on a disk or downloaded from the Internet. They may be sold or provided
for free. Typically, users have no knowledge that the software product they are using
includes spyware. Some argue that users should be notified if the software they are
using includes spyware. Two bills in the 107th Congress would have required such
notification, but there was no action on either bill. In the 108th Congress, H.R. 2929
(Bono) would require the FTC to prohibit, by regulation, transmission of a spyware
program to a computer via the Internet unless the user of the computer expressly
consents to the transmission, to establish requirements for the transmission of
spyware, and to prohibit the use of spyware to collect PII unless notice of that usage
is given in a prominent location.
Another use of the term spyware refers to software that can record a person’s
keystrokes on a computer keyboard. In this way, all typed information can be
obtained by another party, even if the author modifies or deletes what was written,
or if the characters do not appear on the monitor (such as when entering a password).
Commercial products have been available for some time, but the existence of such
software was highlighted in 2001 when the FBI used it in an illegal gambling and
loan sharking case. Law enforcement officials armed with a search warrant installed
spyware (called “key logging” software in this context) on the suspect’s computer,
allowing them to obtain his password for an encryption program he used, and thus
to obtain evidence. Some privacy advocates argued that wiretapping authority should
have been obtained, rather than a search warrant, because the software intercepts
communications. The court upheld the FBI. Press reports also indicate that the FBI
is developing a program dubbed “Magic Lantern,” which performs a similar task, but
can be installed remotely on a subject’s computer by surreptitiously including it in
an e-mail message, for example. Privacy advocates are questioning what type of
legal authorization would be required for use of such techniques.
Computer Security
On October 21, 2002, all 13 of the Internet’s root Domain Name System servers
were targeted by a distributed denial of service attack. While the attack had little
overall effect on the performance of the Internet, a more sophisticated and sustainable
attack might have had a more deleterious impact. As use of the Internet grows, so
has concern about security of and security on the Internet. A long list of security-
related incidents that have received wide-ranging media coverage (e.g. the Melissa
virus, the Love Bug, denial-of-service attacks, and the Code Red, Code Red II, and
Nimda worms) represents the tip of the iceberg. Every day, persons gain access, or
try to gain access, to someone else’s computer without authorization to read, copy,
modify, or destroy the information contained within. These persons range from
juveniles to disgruntled (ex)employees, to criminals, to competitors, to politically or
socially motivated groups, to agents of foreign governments.
The extent of the problem is unknown. Much of what gets reported as computer
“attacks” are probes, often conducted automatically with software widely available
for even juveniles to use. But the number of instances where someone has actually
gained unauthorized access is not known. Not every person or company whose
computer system has been compromised reports it either to the media or to
authorities. Sometimes the victim judges the incident not to be worth the trouble.
Sometimes the victim may judge that the adverse publicity would be worse.
Sometimes the affected parties do not even know their systems have been
compromised. There is some evidence to suggest, however, that the number of
incidents is increasing. According to the Computer Emergency Response Team
(CERT) at Carnegie-Mellon University, the number of incidents reported to it has
grown just about every year since the team’s establishment — from 132 incidents in
1989 to over 82,000 incidents in 2002. For the first three quarters of 2003, nearly
115,000 incidents have been reported.
The impact on society from the unauthorized access or use of computers is also
unknown. Again, some victims may choose not to report losses. In many cases, it
is difficult or impossible to quantify the losses. But social losses are not zero. Trust
in one’s system may be reduced. Proprietary and/or customer information (including
credit card numbers) may be compromised. Any unwanted code must be found and
removed. The veracity of the system’s data must be checked and restored if
necessary. Money may be stolen from accounts or extorted from the victim. If
disruptions occur, sales may be lost. If adverse publicity occurs, future sales may be
lost and stock prices may be affected. Estimates of the overall financial losses due
to unauthorized access vary and their accuracy is untested. Estimates typically range
in the billions of dollars per major event like the Love Bug virus or the denial-of-
service attacks in February 2000. Similar estimates have been made for the Code
Red worms. Estimates of losses internationally range up to the tens of billions of
dollars. In the 2003 Computer Crime and Security Survey,[2] 251 responders (out of
a total of 530) estimated financial losses of $202 million in the previous 12 months.
A majority of the losses were attributed to loss of proprietary information and fraud.
Aside from the losses discussed above, there is also growing concern that
unauthorized access to computer systems could pose an overall national security risk
should it result in the disruption of the nation’s critical infrastructures (e.g.,
transportation systems, banking and finance, electric power generation and
distribution). These infrastructures rely increasingly on computer networks to
operate, and are themselves linked by computer and communication networks. To
address this concern, President Clinton issued a Presidential Decision Directive
(PDD-63) in May 1998. PDD-63 set as a national goal the ability to protect critical
infrastructures from intentional attacks (both physical and cyber). It set up
organizational and operational structures within the federal government to help
achieve this goal and called for a coordinated effort to engage the private sector. (See
CRS Report RL30153, Critical Infrastructures: Background, Policy and
Implementation). The Bush Administration has chosen to follow a similar policy as
articulated in Executive Order 13231 (as amended by Executive Orders 13284 and
13286) and in Homeland Security Presidential Directive HSPD-7. In November
2002, Congress passed the Homeland Security Act of 2002 (P.L. 107-296),
transferring a number of the federal organizations established by PDD-63 to the new
Department of Homeland Security.[3] The President’s Critical Infrastructure Board
(established by E.O. 13231 but later dissolved by E.O. 13286) released a National
Strategy to Secure Cyberspace in February 2003. The National Strategy assigns a
number of responsibilities to the new Department.
[2] The Computer Crime and Security Survey is conducted by the Computer Security Institute
(CSI) in cooperation with the San Francisco Federal Bureau of Investigation’s Computer
Intrusion Squad. The CSI/FBI Survey, as it has become known, has been conducted
annually since 1996, and surveys U.S. corporations, government agencies, financial and
medical institutions and universities. The 2003 figure for financial losses is a sharp decline
from the 2002 survey results which estimated losses at $456 million, but is in line with
previous years’ reporting. The CSI/FBI survey does not represent a statistical sampling of
the nation’s computer security practitioners, nor can it be extrapolated to estimate losses on
a national scale. The survey can be found at [http://www.gocsi.com/]. This website was last
viewed on Dec. 23, 2003.
As a deterrent, the federal computer fraud and abuse statute, 18 U.S.C. 1030,
makes it a federal crime to gain unauthorized access to federal government
computers, to be exposed to certain information contained on government computers,
to damage or threaten to damage federal computers, bank computers, or computers
used in interstate commerce, to traffic in passwords for these computers, to commit
fraud from these computers, or to access a computer to commit espionage. The
statute also provides for penalties. For more information on this statute, see CRS
Report 97-1025, Computer Fraud and Abuse: An Overview of 18 U.S.C. 1030 and
Related Federal Criminal Laws. Most states also have laws against computer fraud
and abuse. The USA PATRIOT Act (P.L. 107-56), passed in the wake of the
September 11, 2001 terrorist attacks, increased some of the penalties associated with
these illegal activities. The USA PATRIOT Act also permits a single warrant to be
granted to allow investigators to track hackers across jurisdictions. The Homeland
Security Act (P.L. 107-296) increased penalties for anyone who knowingly or
recklessly causes injury or death, while knowingly transmitting malicious code or
commands.
At the international level, the 41-country Council of Europe negotiated a
convention to facilitate tracking cyber criminals across national boundaries.4 The
United States, an observer at these negotiations, signed the convention and is
encouraging other countries to do so, too. U.S. businesses had expressed some
concern about their liability and the costs associated with record-keeping under this
treaty. In addition to this forum, the European Commission has published a couple
of communiques related to network security and the Organization for Economic
Cooperation and Development has reissued a set of guidelines related to information
and network security. There is also some debate within the international community
on what to do about computer intrusions by government agents; for example, whether
such acts would be considered acts of war. For more information regarding this
issue, see CRS Report RL30735, Cyberwarfare.
While the tools for prosecuting appear to be in place, most experts agree that
much more can be done to make the Internet and its users more secure. The federal
government is required to protect sensitive information on its own computers.
Congress passed the most recent requirements for federal agencies to follow in the
Federal Information Security Management Act of 2002 (P.L. 107-347, Title III).
These include following guidelines developed by the National Institute of Standards
and Technology and Office of Management and Budget (OMB) Circular A-130,
Appendix III in developing agency-wide information security programs. The Federal
Information Security Management Act (FISMA) also requires agencies to submit
their information security programs to an annual independent evaluation, the results
of which are summarized and reported to Congress.
3 Many of the functions of these entities are now being performed by the National Computer
Security Division within the Department’s Information Analysis and Infrastructure
Protection Directorate.
4 The Convention on Cybercrime, ETS-185 can be found on the Council’s web page, at
[http://conventions.coe.int]; click on Full List of European Treaties. This web page was last
viewed on Dec. 23, 2003.
The security of private-sector computer systems varies. Some industries have
been at the forefront of security (e.g. banking and finance), while others are just now
appreciating the threat to and vulnerabilities of their systems. In response to PDD-
63, some of the sectors that operate critical infrastructures formed Information
Sharing and Analysis Centers (ISACs) and across sectors they have formed the
Partnership for Critical Infrastructure Security. The goal of these associations is to
learn from each other’s experiences and to quickly respond to new attacks and
vulnerabilities. It should be noted, too, that in addition to CERT at Carnegie Mellon,
individual security firms and security-related associations offer clearinghouses for
security-related news, alerts, warnings, etc. The informal networks by which security
information spreads are also very extensive. One of the key recommendations in a
draft version of the National Strategy to Secure Cyberspace was that the private
sector (ISPs and network security firms) establish and operate a Cyberspace Network
Operations Center. As conceived, the Center would have been able to detect (and
perhaps even predict), as early as possible, attacks on the network and respond
quickly. In the final version of the Strategy, however, the concept of a formal Center
gave way to a more decentralized capability of monitoring, detection, analysis, and
response that would be performed by existing bodies of government and private
entities charged with network security, and coordinated by the Department of
Homeland Security.
The market for computer and Internet security (divided into hardware, software,
and service providers) is large and growing. PCWorld.com reported that a recent
International Data Corporation (IDC) study estimated that the world network security
market will grow from $17 billion in 2001 to $45 billion by 2006.5 Even so,
according to the CSI/FBI report, most organizations spend no more than 5% of their
total information technology budget on security.6 Operating systems and applications
developers say they are paying greater attention to designing better security into their
products. But still, it is common to have vulnerabilities found in products after they
have been put on the market. In some cases, patches have had to be offered at the
same time a new product is brought onto the market. And, although patches are
offered to fix these vulnerabilities in most cases, many system administrators do not
keep their software/configurations current.7 Many intrusions take advantage of
vulnerabilities noted many months earlier, for which fixes have already been offered.
5 The link to this article is no longer available.
6 CSI/FBI Survey, 2002. p.18.
7 The National Strategy to Secure Cyberspace recommends ways to make it easier for users
to update the latest security-related patches.
There are as yet no industry standards for determining how secure a firm’s
computer system should be or for assessing how secure it is in fact. However, there
is a push by the major accounting houses and insurance firms to make corporate
leaders and boards more accountable for their firms’ information assets. Also, some
observers speculate that it is only a matter of time before owners of computer systems
are held responsible for damages done to third-party computers as a result of
inadequately protecting their own systems.8 Nor are there any standards on how
secure a vendor’s software should be. The federal government, in cooperation with
a number of other countries, has developed a set of International Common Criteria
for Information Technology Security Evaluation, to allow certified laboratories to test
security products and rate their level of security for government use. These criteria
may evolve into industry standards for certifying security products. Some in the
security community feel that security will not improve without some requirements
imposed upon the private sector. However, both users and vendors of computer
software suggest that the market is sufficient to address security in the most cost-
effective manner. The Bush Administration, as the Clinton Administration before
it, has chosen to use engagement and not regulation to encourage the private sector
to improve security. However, both Administrations also did not rule out the use of
regulation if necessary.
Congress has maintained a strong oversight role in the area of computer
security, especially in regard to the security of government systems. It is expected
that this oversight will continue. The 108th Congress has not passed any major
legislation related to improving the security of the Internet to date. A few bills have
been introduced that touch upon, either directly or indirectly, Internet or computer
security. For example, S. 187 (Edwards) would require federal Chief Information
Officers (CIOs) to identify their agency’s network vulnerabilities, set performance
goals for addressing those vulnerabilities, and evaluate how those performance goals
are being met on a quarterly basis. It also would instruct the National Institute of
Standards and Technology to develop guidelines to assist CIOs in this task. S. 1633
(Corzine) and H.R. 3233 (Gutierrez) would require financial firms to notify
customers of unauthorized use of personal information maintained by those firms.
H.R. 1636 (Stearns) would require companies to effect adequate information security
policies to protect personal information of customers and to take remedial action in response to
information security advisories issued by the Department of Homeland Security.
H.R. 3159 (Waxman) would specifically include in the federal information security
requirements protections of information shared via peer-to-peer programs. S. 779
(Jeffords) and S. 1039 (Inhofe) would require wastewater facilities to conduct
vulnerability studies that would include assessing vulnerabilities of facility
information. H.R. 3159 passed the House on October 8, 2003.
8 See Computerworld. IT Security Destined for the Courtroom. May 21, 2001. Vol 35. No.
21. p 1,73.
Broadband Internet Access9
Broadband Internet access gives users the ability to send and receive data at
speeds far greater than conventional “dial up” Internet access over existing telephone
lines. New broadband technologies — cable modem, digital subscriber line (DSL),
satellite, and fixed wireless Internet — are currently being deployed nationwide by
the private sector. Concerns in Congress have arisen that while the number of new
broadband subscribers continues to grow, the rate of broadband deployment in urban
and high income areas appears to be outpacing deployment in rural and low-income
areas, thereby creating a potential “digital divide” in broadband access. The
Telecommunications Act of 1996 authorizes the Federal Communications
Commission (FCC) to intervene in the telecommunications market if it determines
that broadband is not being deployed to all Americans in a “reasonable and timely
fashion.”
At issue is what, if anything, should be done at the federal level to ensure that
broadband deployment is timely, that industry competes on a level playing field, and
that service is provided to all sectors of American society. Congress continues to
debate several proposed approaches to addressing broadband deployment, including:
easing restrictions and requirements on incumbent telephone companies; ensuring
that cable networks share their lines with, and give equal treatment to, rival ISPs
who wish to sell their services to consumers (e.g. the “open access” issue); and
providing federal financial assistance for broadband deployment in rural and
economically disadvantaged areas.
Easing Restrictions and Requirements on
Incumbent Telephone Companies
The debate over access to broadband services has prompted policymakers to
examine a range of issues to ensure that broadband will be available on a timely and
equal basis to all U.S. citizens. One issue under examination is whether present laws
and subsequent regulatory policies as they are applied to the ILECs (incumbent local
exchange [telephone] companies such as SBC or Verizon) are thwarting the
deployment of such services. Two such regulations are the restrictions placed on Bell
operating company (BOC) provision of long distance services within their service
territories, and network unbundling and resale requirements imposed on all
incumbent telephone companies. In the 107th Congress, H.R. 1542 (Tauzin-Dingell),
passed by the House on February 27, 2002, would have lifted these restrictions and
requirements, with some exceptions, for high speed data (broadband) transmission.
Unbundling and Resale. Present law requires all ILECs to open up their
networks to enable competitors to lease out parts of the incumbent’s network. These
unbundling and resale requirements, which are detailed in Section 251 of the
Telecommunications Act of 1996, were enacted in an attempt to open up the local
telephone network to competitors. Under these provisions, ILECs are required to
grant competitors access to individual pieces, or elements, of their networks (e.g., a
line or a switch) and to sell them at below retail prices.
9 See also CRS Issue Brief IB10045, Broadband Internet Access: Background and Issues,
by Angele A. Gilroy and Lennard G. Kruger, which is updated more frequently than this
report.
The FCC, in a February 2003 split decision, modified the regulatory framework
regarding how ILECs and competitors interact in the telecommunications
marketplace. The “triennial review” order (CC Docket 01-338) established new
guidelines regarding how ILECs must make their networks available to competitors.
Included in the FCC’s decision are provisions that: remove the requirement, over a
transition period, that line sharing be an unbundled network element; eliminate
unbundling for switching for business customers using high capacity loops (but give
state utility commissions 90 days to rebut the national finding); give state
commissions 9 months to make geographic specific determinations regarding the
availability of unbundled elements and the unbundled network element platform;
remove unbundling requirements on newly deployed hybrid (fiber-copper) loops, but
ensure continued access to existing copper; and remove unbundling requirements on
all newly deployed fiber to the home. The details of the FCC’s decision remain
unclear as the text of the order has yet to be released.
Provision of InterLATA Services. As a result of the 1984 AT&T
divestiture, the Bell System service territory was broken up into service regions and
assigned to regional Bell operating companies (BOCs). The geographic area in which
a BOC may provide telephone services within its region was further divided into
local access and transport areas, or LATAs. These LATAs total 164 and vary
dramatically in size. LATAs generally contain one major metropolitan area and a
BOC will have numerous LATAs within its designated service region.
Telephone traffic that crosses LATA boundaries is referred to as interLATA
traffic. Restrictions contained in Section 271 of the Telecommunications Act of
1996 prohibit the BOCs from offering interLATA services within their service
regions until certain conditions are met. BOCs seeking to provide such services must
file an application with the FCC and the appropriate state regulatory authority that
demonstrates compliance with a 14-point competitive checklist of market-opening
requirements. The FCC, after consultation with the Justice Department and the
relevant state regulatory commission, determines whether the BOC is in compliance
and can be authorized to provide in-region interLATA services.10
As of December 3, 2003, all four BOCs — Verizon, SBC Communications,
BellSouth and Qwest — have received approval to enter the in-region interLATA
market. Now that the approval process has been completed, the FCC’s role shifts to
monitoring to ensure compliance. Under the terms and conditions of the 1996 Act,
the FCC is required to monitor the BOCs to ensure compliance with the terms agreed
to when they were granted long distance approval. If the FCC determines that a BOC
is not fulfilling those terms, the FCC is required to order corrections, impose
penalties, or suspend or revoke approval. The independent telephone companies, or
non-BOC providers of local service, are not subject to these restrictions and were not
required to file for approval to carry telephone traffic regardless of whether it crosses
LATA boundaries.11
10 However, the FCC, in a February 2002 decision, established a procedure whereby
a BOC can request a limited modification of a LATA boundary to provide broadband
services, particularly in unserved or underserved areas.
Open Access
Legislation introduced into previous Congresses sought to prohibit
anticompetitive contracts and anticompetitive or discriminatory behavior by
broadband access transport providers. The legislation would have had the effect of
requiring cable companies who provide broadband access to give “open access” (also
referred to as “forced access” by its opponents) to all Internet service providers. At
issue is whether cable networks should be required to share their lines with, and give
equal treatment to, rival ISPs who wish to sell their services to consumers.12
Open access has been debated on the local level, as cities, counties, and states
have taken up the issue of whether to mandate open access requirements on local
cable franchises. On June 22, 2000, the U.S. Court of Appeals for the Ninth Circuit
ruled that high-speed Internet access via a cable modem is defined as a
“telecommunications service,” and not subject to direct regulation by local
franchising authorities. The debate thus moved to the federal level, where many
interpret the Court’s decision as giving the FCC authority to regulate broadband cable
services as a “telecommunications service.” On September 28, 2000, the FCC
formally issued a Notice of Inquiry (NOI) which will explore whether or not the
Commission should require access to cable and other high-speed systems by Internet
Service Providers (ISPs).13 On March 14, 2002, the FCC adopted a Declaratory
Ruling which classified cable modem service as an “interstate information service,”
subject to FCC jurisdiction and largely shielded from local regulation. However, on
October 6, 2003, the 9th U.S. Appeals Court in San Francisco vacated the FCC’s
Declaratory Ruling that cable modem service is an exclusively “interstate information
service.” The FCC is expected to appeal this ruling. A Notice of Proposed
Rulemaking will continue to examine cable modem service issues.
Federal Assistance for Broadband Deployment
Laws passed by the 107th Congress, and legislation pending in the 108th
Congress, would provide grants, loans, and tax credits for broadband deployment,
particularly in rural and/or low income areas. In the 107th Congress, the Farm
Security and Rural Investment Act of 2002 (P.L. 107-171) authorized the Secretary
of Agriculture to make loans and loan guarantees to eligible entities for facilities and
equipment providing broadband service in rural communities. Section 6103
authorizes a total of $100 million through FY2007 ($20 million for each of fiscal
years 2002 through 2005, and $10 million for each of fiscal years 2006 and 2007).
11 For a more complete discussion of LATAs and BOC long distance entry see CRS Report
RL30018, Long Distance Telephony: Bell Operating Company Entry Into the Long-Distance
Market, by James R. Riehl.
12 Cable companies have announced access agreements with unaffiliated ISPs either
voluntarily (e.g. AT&T Broadband) or as part of merger approval conditions imposed by the
FCC and FTC (e.g. AOL-Time Warner).
13 See [http://www.fcc.gov/Bureaus/Miscellaneous/Notices/2000/fcc00355.pdf]
In its FY2004 budget request, the Administration proposed canceling the
mandatory $20 million from the Commodity Credit Corporation (as provided in P.L.
107-171), while providing $9.1 million in discretionary funding through the FY2004
appropriations process. The conference agreement on the FY2004 Consolidated
Appropriations Act (H.R. 2673; H.Rept. 108-401) provides $13.1 million in loan
subsidies (which will support a loan level of $602 million) and $9 million for
broadband grants.
In the 108th Congress, legislation has again been introduced to provide financial
assistance to encourage broadband deployment (H.R. 138, H.R. 768, H.R. 769, H.R.
1396, H.R. 3089, S. 160, S. 305, S. 414, S. 905, S. 1637, S. 1796). In the Jobs and
Growth Tax Relief Reconciliation Act of 2003 (H.R. 2/P.L. 108-27), the Senate
inserted a provision allowing the expensing of broadband Internet access
expenditures. However, this provision was not retained during the House/Senate
Conference. The broadband expensing provision was subsequently attached to S.
1637, the Jumpstart Our Business Strength (JOBS) Act. For more information on
federal assistance for broadband deployment, see CRS Report RL30719, Broadband
and the Digital Divide: Federal Assistance Programs.
Electronic Commerce14
Background
The convergence of computer and telecommunications technologies has
revolutionized how we get, store, retrieve, and share information. Many experts
contend that this convergence has created the Information Economy, driven by the
Internet, and fueled a surge in U.S. productivity and economic growth. Commercial
transactions on the Internet, whether retail business-to-customer or business-to-
business, are commonly called electronic commerce, or “e-commerce.”
Since the mid-1990s, commercial transactions on the Internet have grown
substantially.15 By 1996, Internet traffic, including e-commerce, was doubling every
100 days. By mid-1997, the U.S. Department of Commerce reported that just over
4 million people were using e-commerce; by the end of 1997, that figure had grown
to over 10 million users. Business conducted over the Internet continues to grow,
even with an economic slowdown and with many new “dot-com” businesses no
longer in existence. A January 2001 study by the Pew Internet and American Life
Project found that overall, 29 million American shoppers made purchases on-line
during the fourth quarter of 2001, spending an average of $392, up from $330 in the
fourth quarter of 2000. A quarter of all Internet users did some shopping on the
Internet this year, up from one-fifth of Internet users last year. Of those e-commerce
shoppers, 58 percent were women; this is the first time that more women than men
have been reported using the Internet for retail e-commerce.
14 See also CRS Report RS20426, Electronic Commerce: An Introduction, by Glenn J.
McLoughlin, which is updated more frequently than this report.
15 For statistics and other data on e-commerce, see CRS Report RL30435, Internet and E-
Commerce Statistics: What They Mean and Where to Find Them On the Web. Other sources
include: [http://www.idc.com], [http://www.abcnews.go.com], [http://www.forrester.com],
[http://www.emarketer.com], and [http://www.cs.cmu.edu]. It is important to note that some
measurements of e-commerce, particularly data reported in the media, have not been
verified.
Internationally, there are issues regarding Internet use and e-commerce growth.
The United States and Canada represent the largest percentage of Internet users, at
56.6%. Europe follows with 23.4%. At the end of 2000, of approximately 200
million Internet users worldwide, only 3.1% are in Latin America, 0.5% are in the
Middle East, and 0.6% are in Africa. The Asia Pacific region has 15.8% of all
Internet users; but its rate of growth of Internet use is nearly twice as fast as the
United States and Canada. The U.S.-Canada share of Internet use may decline to
36% by 2005.
The E-Commerce Industry
Even with some concern about accuracy and timeliness of e-commerce statistics,
reliable industry sources report huge jumps in e-commerce transactions, particularly
during fourth quarter holiday shopping. But long-term, industry growth has not been
limited to just holiday shopping. According to a study undertaken by the University
of Texas, the Internet portion of the U.S. economy grew at a compounded rate of
174% from 1995-1998 (the U.S. gross domestic product grew at 2.8% during the
same period), and e-commerce accounted for one-third of that growth. Increasingly,
many firms use “vortals” — vertically integrated portals or gateways that advertise
or provide information on a specific industry or special interest. As a portion of e-
commerce business, vortals provide targeted advertising for e-commerce
transactions, and may grow from 35% of all e-commerce advertising to 57% by 2004.
However, not all firms providing these services are profitable; in fact, most have yet
to turn a profit.
One of the fastest growing sectors of e-commerce is business-to-business
transactions — what is often called “B2B.” This sector continues to expand, even
in the current economic downturn. The Forrester Group, a private sector consulting
firm, estimates that by the end of 2003, that sector of the U.S. economy will reach
$1.5 trillion, up from nearly $200 billion in 2000. Business-to-business transactions
between small and medium sized businesses and their suppliers are rapidly growing,
as many of these firms begin to use Internet connections for supply chain
management, after-sales support, and payments.
Issues for the Bush Administration and Congress
Since the mid-1990s, Congress also has taken an active interest in e-commerce
issues. Among the many issues, Congress may revisit policies that establish federal
encryption procedures and provide electronic security in the wake of September 11,
2001. The 107th Congress passed a law that extends the moratorium on domestic e-
commerce taxation to November 2003 (P.L. 107-75). In addition, congressional
policymakers are looking at the European Union (EU) and WTO policies and
regulations in e-commerce.
Protection and Security Issues. There are a variety of protection and
security issues that affect e-commerce growth and development. Encryption is the
encoding of electronic messages to transfer important information and data, in which
“keys” are needed to unlock or decode the message. Encryption is an important
element of e-commerce security, with the issue of who holds the keys at the core of
the debate. In September 1999, the United States announced plans to further relax its
encryption export policy by allowing export of unlimited key length encryption
products, with some exceptions. It also advocated reduced reporting requirements
for those firms that export encrypted products. The rules for implementing this
policy were issued in September 2000 by the Bureau of Export Administration in the
Department of Commerce. However, the events of September 11, 2001 have caused
many in industry and government to review this policy — and the USA PATRIOT
Act of 2001 (P.L. 107-56) has given lawmakers greater authority to gain access to
electronic financial transactions (for example, to ferret out illegal money laundering).
Consumers and civil liberties activists are very concerned about this development and
have said they will monitor this law closely.
E-Commerce Taxation. Congress passed the Internet Tax Freedom Act on
October 21, 1998, as Titles XI and XII of the Omnibus Consolidated and Emergency
Supplemental Appropriations Act of 1999 (P.L. 105-277, 112 Stat 2681). Among
its provisions, the Act imposed a 3-year moratorium on the ability of state and local
governments to levy certain taxes on the Internet; it prohibited taxes on Internet
access, unless such a tax was generally imposed and actually enforced prior to
October 1, 1998; it created an Advisory Commission on Electronic Commerce
(ACEC), which may make recommendations to Congress on e-commerce taxation
in the United States and abroad; and it opposed regulatory, tariff, and tax barriers to
international e-commerce and asked the President to pursue international agreements
to ban them. The ACEC made its policy recommendations, after much debate and
some divisiveness, to Congress on April 3, 2000. The ACEC called for, among its
recommendations, extending the domestic Internet tax moratorium for five more
years, through 2006; prohibiting the taxation of digitized goods over the Internet,
regardless of national source; and a continued moratorium on any international tariffs
on electronic transmissions over the Internet.
Congressional interest in Internet taxation has weighed concerns about impeding
the growth of e-commerce by taxing revenues; enforcement of and compliance with an
Internet tax; and policies outside of the United States which do not impose an
Internet tax. H.R. 1552 (Cox), the Internet Tax Nondiscrimination Act, extends the
Internet tax moratorium through November 1, 2003. It was passed by both houses
of Congress and signed into law on November 28, 2001 (P.L. 107-75); see CRS
Report RS20980, Internet Tax Bills in the 107th Congress: A Brief Comparison, for
more information.
The EU and WTO. While much of the debate on the government’s role in e-
commerce has focused on domestic issues in the United States, two important players
— the EU and the WTO — will likely have an important impact on global e-
commerce policy development. The EU is very active in e-commerce issues. In
some areas there is agreement with U.S. policies, and in some areas there are still
tensions. While the EU as an entity represents a sizable portion of global Internet
commerce, across national boundaries, Internet use and e-commerce potential varies
widely. Supporters state that e-commerce policy should not be set by EU bureaucrats
in Brussels. Therefore, the EU has approached e-commerce with what one observer
has called a “light regulatory touch.” Among contentious issues, the EU has
supported the temporary moratorium on global e-commerce taxes, and supports
making the moratorium permanent. But the EU has taken a different approach than
U.S. policy by treating electronic transmissions (including those that deliver
electronic goods such as software) as services. This position would allow EU
countries more flexibility in imposing trade restrictions, and would allow treating
electronic transmissions — including e-commerce — as services, making them
subject to EU value-added duties. The EU also has taken a different approach to data
protection and privacy, key components for strengthening e-commerce security and
maintaining consumer confidence. The EU actions prohibit the transfer of data in
and out of the EU, unless the outside country provides sufficient privacy safeguards.
The U.S. position is to permit industry self-regulation of data protection and privacy
safeguards. (For more information on the European data directive, see CRS Report
RL30784, Internet Privacy: An Analysis of Technology and Policy Issues.)
The WTO has presented another set of challenges to U.S. policymakers. Among
the issues considered by the WTO has been an agreement to reduce trade barriers for
information technology goods and services. This issue was considered vital to the
development of telecommunications infrastructure — including the Internet —
among developing nations. A majority of participants signed an agreement to reduce
these barriers. The WTO also has developed a work program on electronic
commerce, is to report on the progress of the work program, with recommendations,
and is continuing the practice of not imposing tariffs on electronic transmission.
Future WTO meetings may address any additional e-commerce issues raised by
WTO working groups on goods, services, intellectual property and economic
development; or address related e-commerce issues raised at previous ministerial
conferences in areas such as privacy, security, taxation, and infrastructure. (See CRS
Report RS20319, Telecommunications Services Trade and the WTO Agreement and
CRS Report RS20387, The World Trade Organization (WTO) Seattle Ministerial
Conference).
The 108th Congress. The 108th Congress is considering several bills that
would extend the Internet tax moratorium. H.R. 49 (Rep. Cox) and S. 52 (Sen.
Wyden) would both permanently extend the moratorium enacted by the Internet Tax
Freedom Act. S. 150 (Sen. Allen) would also permanently extend the moratorium
enacted by the Internet Tax Freedom Act, as well as prohibit other multiple and
discriminatory taxes on e-commerce. All of these bills have been referred to
committees in the House and Senate. (See CRS Report RL31177, Extending the
Internet Tax Moratorium and Related Issues, by Nonna K. Noto).
Unsolicited Commercial Electronic Mail
(“Junk E-Mail” or “Spam”)16
One aspect of increased use of the Internet for electronic mail (e-mail) has been
the advent of unsolicited advertising, also called “unsolicited commercial e-mail
(UCE),” “unsolicited bulk e-mail,” “junk e-mail,” or “spam.” Complaints focus on
the fact that some spam contains or has links to pornography, that much of it is
fraudulent, and that the volume of spam is steadily increasing. In April 2003, the Federal
Trade Commission (FTC) reported that of a random survey of 1,000 pieces of spam,
18% concerned “adult” offers (pornography, dating services, etc.) and 66% contained
indications of falsity in “from” lines, “subject” lines, or message text.17 According
to Brightmail [http://www.brightmail.com], a company that sells anti-spam software,
the volume of spam rose from 8% of all e-mail in January 2001 to 45% in January
2003. Brightmail forecasts that it will reach 50% by September 2003.
Opponents of junk e-mail argue that not only is it annoying and an invasion of
privacy (see CRS Report RL31408 for more on Internet privacy), but that its cost is
borne by consumers and Internet Service Providers (ISPs), not the marketers.
Consumers reportedly are charged higher fees by ISPs that must invest resources to
upgrade equipment to manage the high volume of e-mail, deal with customer
complaints, and mount legal challenges to junk e-mailers. Businesses may incur
costs due to lost productivity, or investing in upgraded equipment or anti-spam
software. The Ferris Research Group [http://www.ferris.com], which offers
consulting services on managing spam, estimates that spam will cost U.S.
organizations over $10 billion in 2003.
Proponents of unsolicited commercial e-mail argue that it is a valid method of
advertising and is protected by the First Amendment. The Direct Marketing
Association (DMA), for example, argues that instead of banning unsolicited
commercial e-mail, individuals should be given the opportunity to notify the sender
of the message that they want to be removed from its mailing list — or “opt-out.”
The DMA considers spam to be only fraudulent commercial e-mail, not unsolicited
commercial e-mail, and has stated that legislation was needed to curb spam and
“preserve the promise of e-mail as the next great marketing channel”
[http://www.the-dma.org/cgi/disppressrelease?article=354].
To date, the issue of restraining junk e-mail has been fought primarily over the
Internet or in the courts. Some ISPs will return junk e-mail to its origin, and groups
opposed to junk e-mail will send blasts of e-mail to a mass e-mail company,
disrupting the company’s computer systems. Filtering software also is available to
screen out e-mail based on keywords or return addresses. Knowing this, mass
e-mailers may avoid certain keywords or continually change addresses to foil the
software, however. In the courts, ISPs with unhappy customers and businesses that
believe their reputations have been tarnished by misrepresentations in junk e-mail
have brought suit against mass e-mailers.
16 See also CRS Report RL31953, “Junk E-Mail”: An Overview of Issues and Legislation
Concerning Unsolicited Commercial Electronic Mail (“Spam”), by Marcia S. Smith, which
is updated more frequently than this report.
17 Federal Trade Commission. False Claims in Spam: A Report by the FTC’s Division of
Marketing Practices. April 30, 2003. P. 10. Available at the FTC’s spam Web site:
[http://www.ftc.gov/bcp/conline/edcams/spam/index.html].
Congress has debated spam legislation since the 105th Congress, and 36 states
enacted their own spam laws [http://www.spamlaws.com]. In 2003, Congress passed
a federal anti-spam law, the CAN-SPAM Act (P.L. 108-187). President Bush signed
it into law on December 16, 2003. The CAN-SPAM Act preempts state laws that
specifically address spam but not state laws that are not specific to e-mail, such as
trespass, contract, or tort law, or other state laws to the extent they relate to fraud or
computer crime. It does not ban unsolicited commercial e-mail. Rather, it allows
marketers to send commercial e-mail as long as it conforms with the law, such as
including a legitimate opportunity for consumers to “opt-out” of receiving future
commercial e-mails from that sender. It does not require a centralized “do not e-
mail” registry to be created by the Federal Trade Commission (FTC), similar to the
National Do Not Call registry for telemarketing. The bill requires only that the FTC
develop a plan and timetable for establishing a “do not e-mail” registry and inform
Congress of any concerns it has with regard to establishing it. FTC Chairman
Timothy Muris has specifically warned that he does not believe a “do not e-mail”
registry would be enforceable or noticeably reduce spam. Mr. Muris and others
caution that consumers should not expect any legislation to be a “silver bullet” for
solving the spam problem; a combination of consumer education, technological
advancements, and legislation is required.
The extent to which P.L. 108-187 reduces “spam” may be debated if for no other
reason than there are various definitions of that term. Proponents of the legislation
argue that consumers are most irritated by fraudulent e-mail and that the bill should
reduce the volume of such e-mail because of the civil and criminal penalties included
therein. Opponents counter that consumers object to unsolicited commercial e-mail,
and since the bill legitimizes commercial e-mail (as long as it conforms with the
law’s provisions), consumers actually may receive more, not fewer, unsolicited
commercial e-mail messages. Thus, whether “spam” is reduced depends in part on
whether it is defined as only fraudulent commercial e-mail or as all unsolicited
commercial e-mail. Some critics of the law want legislation that would require
consumers to give their express consent — to “opt-in” — before marketers could
send e-mails. California passed such a law, which was to become effective January
1, 2004, but the CAN-SPAM Act preempts it. The European Union adopted an opt-
in approach for unsolicited commercial e-mail, unless there is an existing customer
relationship, that went into effect on October 31, 2003. (Individual EU countries
must pass their own legislation to implement the EU directive; not all have done so
yet.) The CAN-SPAM Act is discussed in more detail in CRS Report RL31953.
Although consumers are most familiar with spam on their personal computers,
it also is becoming an issue in text messaging on wireless telephones, pagers, and
personal digital assistants (PDAs). The CAN-SPAM Act includes a provision
requiring the FTC to establish regulations to protect wireless consumers from spam.
CRS Report RL31636 discusses wireless privacy and wireless spam in more detail.
Internet Domain Names18
The 108th Congress continues to monitor issues related to the Internet domain
name system (DNS). Internet domain names were created to provide users with a
simple location name for computers on the Internet, rather than using the more
complex, unique Internet Protocol (IP) number that designates their specific location.
As the Internet has grown, the method for allocating and designating domain names
has become increasingly controversial.
Recent History
The Internet originated with research funding provided by the Department of
Defense Advanced Research Projects Agency (DARPA) to establish a military
network. As its use expanded, a civilian segment evolved with support from the
National Science Foundation (NSF) and other science agencies. No formal statutory
authorities or international agreements govern the management and operation of the
Internet and the DNS. Prior to 1993, NSF was responsible for registration of
nonmilitary generic Top Level Domains (gTLDs) such as .com, .org, and .net. In
1993, the NSF entered into a 5-year cooperative agreement with Network Solutions,
Inc. (NSI) to operate Internet domain name registration services. With the
cooperative agreement between NSI and NSF due to expire in 1998, the Clinton
Administration, through the Department of Commerce (DOC), began exploring ways
to transfer administration of the DNS to the private sector.
In the wake of much discussion among Internet stakeholders, and after extensive
public comment on a previous proposal, the DOC, on June 5, 1998, issued a final
statement of policy, Management of Internet Names and Addresses (also known as
the “White Paper”). The White Paper stated that the U.S. government was prepared
to recognize and enter into agreement with “a new not-for-profit corporation formed
by private sector Internet stakeholders to administer policy for the Internet name and
address system.” On October 2, 1998, the DOC accepted a proposal for an Internet
Corporation for Assigned Names and Numbers (ICANN). On November 25, 1998,
DOC and ICANN signed an official Memorandum of Understanding (MOU),
whereby DOC and ICANN agreed to jointly design, develop, and test the
mechanisms, methods, and procedures necessary to transition management
responsibility for DNS functions to a private-sector not-for-profit entity.
The White Paper also signaled DOC’s intention to ramp down the government’s
Cooperative Agreement with NSI, with the objective of introducing competition into
the domain name space while maintaining stability and ensuring an orderly transition.
During this transition period, government obligations will be terminated as DNS
responsibilities are transferred to ICANN. Specifically, NSI committed to a
timetable for development of a Shared Registration System that permits multiple
registrars to provide registration services within the .com, .net, and .org gTLDs. NSI
(now VeriSign) will continue to administer the root server system until receiving
further instruction from the government.
18 See also CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by
Lennard G. Kruger, which is updated more frequently than this report.
Significant disagreements between NSI on the one hand, and ICANN and DOC
on the other, arose over how a successful and equitable transition would be made
from NSI’s previous status as exclusive registrar of .com, .org, and .net domain
names, to a system that allows multiple and competing registrars. On November 10,
1999, ICANN, NSI, and DOC formally signed an agreement which provided that NSI
(now VeriSign) was required to sell its registrar operation by May 10, 2001 in order
to retain control of the dot-com registry until 2007. In April 2001, arguing that the
registrar business is now highly competitive, VeriSign reached a new agreement with
ICANN whereby its registry and registrar businesses would not have to be separated.
With DOC approval, ICANN and VeriSign signed the formal agreement on May 25,
2001. The agreement provides that VeriSign will continue to operate the .org
registry until 2002; the .net registry until June 30, 2005 (which prior to that time will
be opened for recompetition unless market measurements indicate that an earlier
expiration date is necessary for competitive reasons); and the .com registry until at
least the expiration date of the current agreement in 2007, and possibly beyond.
VeriSign agreed to enhanced measures (including annual audits arranged by ICANN
and made available to the U.S. government) to ensure that its registry-operation unit
gives equal treatment to all domain name registrars, including VeriSign’s registrar
business.
On September 17, 2003, ICANN and the Department of Commerce agreed to
extend their MOU until September 30, 2006. The MOU specifies transition tasks
which ICANN has agreed to address. ICANN will implement an objective process
for selecting new Top Level Domains; implement an effective strategy for multi-
lingual communications and international outreach; and develop a contingency plan,
consistent with the international nature of the Internet, to ensure continuity of
operations in the event of a severe disruption of operations.
Issues
The Department of Commerce remains responsible for monitoring the extent to
which ICANN satisfies the principles of the White Paper as it makes critical DNS
decisions. Congress remains interested in how the Administration manages and
oversees the transition to private sector ownership of the DNS. A February 2002
proposal by ICANN’s President to radically restructure and reform ICANN raised
concerns in Congress over the future of ICANN. An oversight hearing held by the
Senate Commerce, Science and Transportation Committee on June 12, 2002 focused
on ICANN reform and the role of the DOC in ensuring that reform. A June 20, 2002
bipartisan letter from the House Energy and Commerce Committee to the Secretary
of Commerce called for only a short term renewal of the DOC-ICANN Memorandum
of Understanding until ICANN institutes reforms that ensure greater accountability
and transparency. A letter from the Senate Republican High Tech Task Force also
urged heightened DOC scrutiny of the DOC-ICANN MOU and cited concerns that
ICANN has become an unaccountable regulatory body. On June 19, 2003,
Representative Baird introduced the Fair, Transparent, and Competitive Internet
Naming Act of 2003 (H.R. 2521), which requires the General Accounting Office to
conduct a study of ICANN’s business practices, procedures, accountability, and
administration.
Top Level Domains. At its July 16, 2000 meeting in Yokohama, the ICANN
Board of Directors adopted a policy for the introduction of new top-level domains
(TLDs), which could expand the number of domain names available for registration
by the public. After considering a total of 47 applications, the ICANN Board
selected seven companies or organizations each to operate a registry for one of seven
new TLDs, as follows: .biz, .aero, .name, .pro, .museum, .info, and .coop. ICANN’s
selection of new TLDs has proven controversial. Critics assert that the TLD selection
process was inappropriately subjective, insufficiently transparent, and lacking in
adequate due process procedures. In its defense, ICANN argues that the selection
process was sufficient to meet its goal of expeditiously selecting a limited number
of diverse TLDs, and that these will serve as an initial and experimental “proof of
concept” phase in order to ensure that new TLDs can be introduced in the future
without undermining the stability of the Internet. Meanwhile, ICANN considered
eleven applications for operating .org after the current agreement with VeriSign
expires on December 31, 2002. On October 14, 2002, the ICANN Board selected
the Internet Society’s Public Interest Registry as .org operator. Meanwhile, on
December 15, 2003, ICANN formally invited applications from all parties for new
TLDs. The application period closes on March 15.
Protecting Children on the Internet. In the 107th Congress, legislation
sought to create a “kids-friendly top level domain name” that would contain only age-
appropriate content. The Dot Kids Implementation and Efficiency Act of 2002 was
signed into law on December 4, 2002 (P.L. 107-317) and authorizes the National
Telecommunications and Information Administration (NTIA) to require the .us
registry operator (currently NeuStar) to establish, operate, and maintain a second
level domain within the .us TLD that is restricted to material suitable for minors.
(For more information on the Dot Kids Act, and other legislative attempts to protect
children from unsuitable material on the Internet, see CRS Report RS21328).
In the 108th Congress, P.L. 108-21/S. 151 (PROTECT Act) contains a
provision (Sec. 108: Misleading Domain Names on the Internet) which would make
it a punishable crime to knowingly use a misleading domain name with the intent to
deceive a person into viewing obscenity on the Internet. Increased penalties are
provided for deceiving minors into viewing harmful material.
Governance. On June 22, 2002, ICANN released a “Blueprint for Reform,”
which calls for a significant restructuring of ICANN. Specifically, the Board of
Directors would be composed of fifteen members: the ICANN President, eight
members appointed by a nominating committee, and six selected by three Supporting
Organizations. The reform blueprint also recommends that ICANN collect a fee of
25 cents per registered domain name. New bylaws based on the reform proposal
were formally adopted by the ICANN Board at the October 2002 Board meeting in
Shanghai. Some in the Internet community have spoken against the ICANN reforms,
asserting that its elimination of elected At-Large board members precludes effective
representation of unaffiliated Internet users. In a related development, the United
Nations, at the December 2003 World Summit on the Information Society, debated
and agreed to study the issue of whether national governments should run the domain
name system instead of ICANN. The United Nations will revisit the issue in 2005,
after its study is complete.
Trademark Disputes. The increase in conflicts over property rights to
certain trademarked names has resulted in a number of lawsuits. The White Paper
called upon the World Intellectual Property Organization (WIPO) to develop a set of
recommendations for trademark/domain name dispute resolutions, and to submit
those recommendations to ICANN. At ICANN’s August 1999 meeting in Santiago,
the board of directors adopted a dispute resolution policy to be applied uniformly by
all ICANN-accredited registrars. Under this policy, registrars receiving complaints
will take no action until receiving instructions from the domain-name holder or an
order of a court or arbitrator. An exception is made for “abusive registrations” (i.e.
cybersquatting and cyberpiracy), whereby a special administrative procedure
(conducted largely online by a neutral panel, lasting 45 days or less, and costing
about $1000) will resolve the dispute. Implementation of ICANN’s Domain Name
Dispute Resolution Policy commenced on December 9, 1999.
WIPO initiated a second study which produced recommendations on how to
resolve disputes over bad faith, abusive, misleading or unfair use of other types of
domain names such as personal names, geographical terms, names of international
organizations, and others. WIPO released its second report on September 3, 2001,
recommending that generic drug names be canceled upon complaint and that
international intergovernmental organization names be subject to a dispute resolution
process. WIPO did not recommend new rules regarding personal, geographical, or
trade names.
Meanwhile, the 106th Congress took action, passing the Anticybersquatting
Consumer Protection Act (incorporated into P.L. 106-113, the FY2000 Consolidated
Appropriations Act). The Act gives courts the authority to order the forfeiture,
cancellation, and/or transfer of domain names registered in “bad faith” that are
identical or similar to trademarks, and provides for statutory civil damages of at least
$1,000, but not more than $100,000, per domain name identifier.
Government Information Technology
Management19
The evolving role of the Internet in the political economy of the United States
continues to attract increased congressional attention to government information
technology management issues. Interest has been further heightened by national
information infrastructure development efforts, e-government projects, and homeland
security initiatives. Although wide-ranging, government information technology
management issues can be characterized by three major themes: infrastructure
development, resource management, and the provision of online services (e-
government). As the emphasis of these efforts shifts from initial planning and
development to implementation and evaluation, it is anticipated that there will be an
increased focus on oversight during the 108th Congress.
19 See also CRS Report RL30661, Government Information Technology Management: Past
and Future Issues (the Clinger-Cohen Act), by Jeffrey W. Seifert.
Internet Infrastructure and National Policy
Since 1995, when the Internet first came into prominence, the question of who
should maintain and expand the U.S. information infrastructure has been raised by
many policymakers. While the legislative and executive branches have had
differences in the size and scope of specific initiatives and programs, both have
generally supported efforts to enhance and develop non-commercial use of the
Internet and information infrastructure. In its FY2002 budget request, the Bush
Administration expressed continued support for federal efforts to support Internet
research, technologies, and applications at the federal mission agencies, and the 108th
Congress supported those goals in the FY2003 Consolidated Appropriations
Resolution (P.L. 108-7).
At the Department of Commerce, the National Telecommunications and
Information Administration (NTIA) provides guidelines and recommendations for
domestic and global communications policy, manages the use of the electromagnetic
spectrum for public broadcast, and awards grants to industry-public sector
partnerships for research on new telecommunications applications and development
of information infrastructure. The Technology Opportunity Program (TOP) provides
matching merit-based grants to areas either underserved or not served at all by the
Internet. The NTIA budget also includes the continued development and construction
of public broadcast facilities, including funding for transition of broadcasting
facilities to digital transmissions. Some policymakers support a stronger role for
NTIA to close the divide between the nation’s digital “haves” and “have-nots.” They
contend that NTIA’s TOP grants and public telecommunications and facilities
planning programs would be appropriate avenues for helping bridge this divide. For
FY2003, Congress approved an NTIA budget of $73.7 million, with $15.5 million
for TOP, $43.6 million for public telecommunications facilities, and $14.6 million
for salaries. For the FY2004 budget, the Bush Administration has requested that both
the TOP and the public telecommunications and facilities planning programs be
zeroed out. Congress has supported these initiatives in the past; however, since the
final FY2004 Department of Commerce appropriations bill has not been passed by
Congress, it is still unclear at what levels these programs will be funded, if at all.
Information Technology R&D. At the federal level, almost all of the
funding for information science and technology and Internet development is part of
a single government-wide initiative. This is the Networking and Information
Technology Research and Development (NITRD) initiative, which, before 2002, was
called the Information Technology Research and Development initiative (in turn, this was the
successor to the High Performance Computing and Communications Initiative of
1991). The NITRD initiative is an interagency effort that is intended to coordinate
key advances in information technology research and leverage funding into broader
advances in computing and networking. Under the NITRD initiative, the mission
agencies receive support for high-performance computing science and technology,
information technology software and hardware, networks and Internet-driven
applications, and education and training for personnel. For FY2003, the agencies
received $1.9 billion for NITRD activities, with NSF receiving about a third of this
budget. Other agencies receiving substantial funding under this initiative are the
Department of Defense, the Department of Health and Human Services, the
Department of Energy, the Department of Commerce, the National Aeronautics and
Space Administration (NASA), and the Environmental Protection Agency. For
FY2004, the Bush Administration has proposed a 6% increase in the NITRD budget;
however, NASA’s funding under this proposal would be reduced by 8%. Until the
full FY2004 appropriations are passed by Congress, funding for this initiative
will not be completely known.
Provision of Online Services (E-Government)20
Electronic government (e-government) is an evolving concept, meaning
different things to different people. However, it has significant relevance to four
important areas of governance: (1) delivery of services (government-to-citizen, or
G2C); (2) providing information (also G2C); (3) facilitating the procurement of
goods and services (government-to-business, or G2B, and business-to-government,
or B2G); and (4) facilitating efficient exchanges within and between agencies
(government-to-government, or G2G). For policymakers concerned about e-
government, a central area of concern is developing a comprehensive but flexible
strategy to coordinate the disparate e-government initiatives across the federal
government.
The movement to put government online raises as many issues as it provides
new opportunities. Some of these issues include, but are not limited to: security,
privacy, management of governmental technology resources, accessibility of
government services (including “digital divide” concerns as a result of a lack of skills
or access to computers, discussed earlier), and preservation of public information
(maintaining comparable freedom of information procedures for digital documents
as exist for paper documents). Although these issues are neither new nor unique to
e-government, they do present the challenge of performing governance functions
online without sacrificing the accountability of or public access to government that
citizens have grown to expect. Some industry groups have also raised concerns about
the U.S. government becoming a publicly funded market competitor through the
provision of fee-for-services such as the U.S. Postal Service’s eBillPay, which allows
consumers to schedule and make payments to creditors online
[http://www.usps.com/ebpp/welcome.htm].
E-government initiatives vary significantly in their breadth and depth from state
to state and agency to agency. So far, states such as California, Minnesota, and Utah
have taken the lead in developing e-government initiatives. However, there is rapidly
increasing interest and activity at the federal level as well. Perhaps the most well-
known federal example is the FirstGov Web site [http://www.firstgov.gov]. FirstGov
is a Web portal designed to serve as a single locus point for finding federal
government information on the Internet. The FirstGov site also provides access to
a variety of state and local government resources. Another example is the Social
Security Administration (SSA), which has also launched a number of e-government
initiatives including the option to apply for retirement insurance benefits online,
request a Social Security Statement, and the ability to request a replacement
Medicare card. At the Department of the Treasury, the U.S. Mint is using interactive
Internet sales to expand its marketing efforts and attract younger people into coin
collecting. Similarly, the General Services Administration (GSA) created a Web site,
FedBizOpps [http://www.fedbizopps.gov] to facilitate federal business opportunities
online.
20 See also CRS Report RL30745, Electronic Government: A Conceptual Overview, by
Harold C. Relyea, CRS Report RL31088, Electronic Government: Major Proposals and
Initiatives, by Harold C. Relyea, and CRS Report RL31057, A Primer on E-Government:
Sectors, Stages, Opportunities, and Challenges of Online Governance, by Jeffrey W. Seifert,
which are updated more frequently than this report.
Pursuant to the July 18, 2001 OMB Memorandum M-01-28, an E-Government
Task Force was established to create a strategy for achieving the Bush
Administration’s e-government goals.21 In doing so, the Task Force identified 23
interagency initiatives designed to better integrate agency operations and information
technology investments. These initiatives, sometimes referred to as the Quicksilver
projects, are grouped into five categories: government-to-citizen,
government-to-government, government-to-business, internal effectiveness and efficiency, and
addressing barriers to e-government success. Examples of these initiatives include
an e-authentication project led by the General Services Administration (GSA) to
increase the use of digital signatures, the eligibility assistance online project (also
referred to as GovBenefits.gov) led by the Department of Labor to create a common
access point for information regarding government benefits available to citizens, and
the Small Business Administration’s One-Stop Business Compliance project, being
designed to help businesses navigate legal and regulatory requirements. A 24th
initiative, a government wide payroll process project, was subsequently added by the
President’s Management Council. In 2002 the e-Clearance initiative, originally
included as part of the Enterprise Human Resources Integration project, was
established as a separate project, for a total of 25 initiatives. As the initial round of
e-government projects continues to develop, OMB has stated it plans to focus
attention on initiatives that consolidate information technology systems in six
functional areas, or lines of business. These include data and statistics, human
resources, criminal investigations, financial management, public health monitoring,
and monetary benefits.
On December 17, 2002, President Bush signed the E-Government Act of 2002
(P.L. 107-347) into law. The law contains a variety of provisions related to federal
government information technology management, information security, and the
provision of services and information electronically. One of the most recognized
provisions involves the creation of an Office of Electronic Government within OMB.
The Office is headed by an Administrator, who is responsible for carrying out a
variety of information resources management (IRM) functions, as well as
administering the interagency E-Government Fund provided for by the law.
For the 108th Congress, oversight of the Quicksilver projects, the
implementation of the E-Government Act, and the development of a second group
of e-government projects are anticipated to be significant issues. In addition, the
movement to expand the presence of government online raises as many issues as it
provides new opportunities. Some of these issues concern: security, privacy,
management of governmental technology resources, accessibility of government
services (including “digital divide” concerns as a result of a lack of skills or access
to computers, or disabilities), and preservation of public information (maintaining
comparable freedom of information procedures for digital documents as exist for
paper documents). Although these issues are neither new nor unique to
e-government, they do present the challenge of performing governance functions online
without sacrificing the accountability of or public access to government that citizens
have grown to expect.
21 See [http://www.whitehouse.gov/omb/inforeg/egovstrategy.pdf].
Open Source Software22
The use of open source software by the federal government has been gaining
attention as organizations continue to search for opportunities to enhance their
information technology (IT) operations while containing costs. For the federal
government and Congress, the debate over the use of open source software intersects
several other issues, including, but not limited to, the development of homeland
security and e-government initiatives, improving government information technology
management practices, strengthening computer security, and protecting intellectual
property rights. In the 108th Congress, the debate over open source software is
anticipated to revolve primarily around information security and intellectual property
rights. However, issues related to cost and quality are likely to be raised as well.
Open source software refers to a computer program whose source code, or
programming instructions, is made available to the general public to be improved or
modified as the user wishes. Some examples of open source software include the
Linux operating system and Apache Web server software. In contrast, closed source,
or proprietary, programs are those whose source code is not made available and can
only be altered by the software manufacturer. In the case of closed source software,
updates to a program are usually distributed in the form of a patch or as a new
version of the program that the user can install but not alter. Some examples of
closed source software include Microsoft Word and Corel WordPerfect. The
majority of software products most commonly used, such as operating systems, word
processing programs, and databases, are closed source programs.
For proponents, open source software is often viewed as a means to reduce an
organization’s dependence on the software products of a few companies while
possibly improving the security and stability of one’s computing infrastructure. For
critics, open source software is often viewed as a threat to intellectual property rights
with unproven cost and quality benefits. So far there appear to be no systematic
analyses available that have conclusively compared closed source to open source
software on the issue of security. In practice, computer security is highly dependent
on how an application is configured, maintained, and monitored. Similarly, the costs
of implementing an open source solution are dependent upon factors such as the cost
of acquiring the hardware/software, investments in training for IT personnel and end
users, maintenance and support costs, and the resources required to convert data and
applications to work in the new computing environment. Consequently, some
computer experts suggest that it is not possible to conclude that either open source
or closed source software is inherently more secure or more cost efficient.
22 See also CRS Report RL31627, Computer Software and Open Source Issues: A Primer,
by Jeffrey W. Seifert, which is updated more frequently than this report.
The growing emphasis on improved information security and critical
infrastructure protection overall will likely be an influential factor in future decisions
to implement open source solutions. The rapidly changing computer environment
may also foster the use of a combination of open source and closed source
applications, rather than creating a need to choose one option to the exclusion of
another.
Appendix A: Pending Legislation
Internet Privacy
H.R. 69, Frelinghuysen, Online Privacy Protection Act, 1/7/03 (Energy &
Commerce)
H.R. 1636, Stearns, Consumer Privacy Protection Act, 4/3/03 (Energy & Commerce,
International Relations)
H.R. 2929, Bono, Safeguard Against Privacy Invasions Act, 7/25/03 (Energy &
Commerce)
S. 745, Feinstein, Privacy Act, 3/31/03 (Judiciary)
S. 1350, Feinstein, Notification of Risk to Personal Data Act, 6/26/03 (Judiciary)
S. 1695, Leahy, PATRIOT Oversight Restoration Act, 10/1/03 (Judiciary)
S. 1709, Craig, Security and Freedom Ensured (SAFE) Act, 10/02/03 (Judiciary)
Computer Security
H.R. 1636, Stearns, Consumer Privacy Protection Act, 4/3/03 (Energy & Commerce,
International Relations)
H.R. 3159, Waxman, Government Network Security Act, 9/24/03 (Government
Reform)
H.R. 3233, Gutierrez, Identity Theft and Credit Restoration Act, 10/2/03 (Financial
Services)
S. 187, Edwards, National Cyber Security Leadership Act of 2003 (Governmental
Affairs)
S. 779, Jeffords, Wastewater Treatment Works Security and Safety Act, 4/3/03
(Environment & Public Works)
S. 1039, Inhofe, Wastewater Treatment Works Security Act, 5/12/03 (Environment
& Public Works)
S. 1633, Corzine, Identity Theft Notification and Credit Restoration Act, 9/17/03
(Banking, Housing, & Urban Affairs)
Broadband Internet Access
H.R. 49, Cox, To Permanently Extend the Moratorium Enacted by the Internet Tax
Freedom Act, 1/7/03 (Judiciary)
H.R. 138, McHugh, Rural America Digital Accessibility Act, 1/7/03 (Energy &
Commerce, Ways & Means, and Science)
H.R. 340, Issa, Jumpstart Broadband Act, 1/27/03 (Energy & Commerce)
H.R. 363, Honda, Jumpstart Broadband Act, 1/27/03 (Energy & Commerce)
H.R. 768, English, Amends the Internal Revenue Code of 1988 to provide a
broadband Internet access tax credit, 2/13/03 (Ways & Means)
H.R. 769, English, Amends the Internal Revenue Code of 1986 to allow the
expensing of broadband Internet access expenditures, 2/13/03 (Ways & Means)
H.R. 1396, Markey, Spectrum Commons and Digital Dividend Act of 2003, 3/20/03
(Energy & Commerce)
H.R. 3089, Andrews, Greater Access to E-Governance Act, 9/16/03 (Energy &
Commerce)
S. 159, Boxer, Jumpstart Broadband Act, 1/14/03 (Commerce, Science &
Transportation)
S. 160, Burns, Amends the Internal Revenue Code of 1986 to allow the expensing
of broadband Internet access expenditures, 1/14/03 (Finance)
S. 305, Kerry, Amends the Internal Revenue Code of 1986 to include in the criteria
for selecting any project for the low-income housing credit whether such project
has high-speed Internet infrastructure, 2/5/03 (Finance)
S. 414, Daschle, Economic Recovery Act of 2003, 2/14/03 (Senate Leg. Calendar)
S. 905, Rockefeller, Amends the Internal Revenue Code of 1986 to provide a
broadband Internet access tax credit, 4/11/03 (Finance)
S. 1637, Frist, Jumpstart Our Business Strength Act, 9/18/03 (Finance)
S. 1796, Coleman, Rural Renaissance Act, 10/29/03 (Finance)
E-Commerce
H.R. 49, Cox, To Permanently Extend the Moratorium Enacted by the Internet Tax
Freedom Act, 1/7/03 (Judiciary)
S. 52, Wyden, To Permanently Extend the Moratorium Enacted by the Internet Tax
Freedom Act, 1/17/03 (Commerce, Science, and Transportation)
S. 150, Allen, To Make Permanent the Moratorium on Taxes on Internet Access and
Multiple and Disciplinary Taxes on Electronic Commerce Imposed by the
Internet Tax Freedom Act, 1/13/03 (Commerce, Science, and Transportation)
Internet Domain Names
H.R. 939, Pence, Truth in Domain Names Act, 2/26/03 (Judiciary)
H.R. 2521, Baird, Fair, Transparent, and Competitive Internet Naming Act of 2003,
6/19/03 (Energy & Commerce)
S. 151, Hatch, PROTECT Act, 1/13/03 (Judiciary)
Appendix B: List of Acronyms
Alphabetically
ACEC   Advisory Commission on Electronic Commerce
B2B    Business-to-Business
B2G    Business-to-Government
BOC    Bell Operating Company
CIO    Chief Information Officer
DMA    Direct Marketing Association
DNS    Domain Name System
DOC    Department of Commerce
DSL    Digital Subscriber Line
EU     European Union
FBI    Federal Bureau of Investigation
FCC    Federal Communications Commission
FTC    Federal Trade Commission
G2B    Government-to-Business
G2C    Government-to-Citizen
G2G    Government-to-Government
GAO    General Accounting Office
GSA    General Services Administration
gTLD   generic Top Level Domain
ICANN  Internet Corporation for Assigned Names and Numbers
ILEC   Incumbent Local Exchange Carrier
IP     Internet Protocol
ISP    Internet Service Provider
IT     Information Technology
LATA   Local Access and Transport Area
LEC    Local Exchange Carrier
MOU    Memorandum of Understanding
NGI    Next Generation Internet
NIST   National Institute for Standards and Technology
NSI    Network Solutions, Inc.
NSF    National Science Foundation
NTIA   National Telecommunications and Information Administration
ONDCP  Office of National Drug Control Policy
OPA    Online Privacy Alliance
OSS    Open Source Software
SSA    Social Security Administration
SSN    Social Security Number
TLD    Top Level Domain
UCE    Unsolicited Commercial E-mail
WIPO   World Intellectual Property Organization
WTO    World Trade Organization
Categorically
U.S. Government Entities
DOC    Department of Commerce
FBI    Federal Bureau of Investigation
FCC    Federal Communications Commission
FTC    Federal Trade Commission
GAO    General Accounting Office
GSA    Government Services Administration
NIST   National Institute of Standards and Technology (part of Department of Commerce)
NSF    National Science Foundation
NTIA   National Telecommunications and Information Administration (part of Department of Commerce)
ONDCP  Office of National Drug Control Policy
SSA    Social Security Administration
Private Sector Entities
BOC    Bell Operating Company
DMA    Direct Marketing Association
ICANN  Internet Corporation for Assigned Names and Numbers
ILEC   Incumbent Local Exchange Carrier
ISP    Internet Service Provider
LEC    Local Exchange Carrier
NSI    Network Solutions, Inc.
OPA    Online Privacy Alliance
General Types of Internet Services
B2B    Business-to-Business
B2G    Business-to-Government
G2B    Government-to-Business
G2C    Government-to-Citizen
G2G    Government-to-Government
Internet and Telecommunications Terminology
CIO    Chief Information Officer
DNS    Domain Name System
DSL    Digital Subscriber Line
gTLD   generic Top Level Domain
IP     Internet Protocol
IT     Information Technology
LATA   Local Access and Transport Area
NGI    Next Generation Internet
OSS    Open Source Software
TLD    Top Level Domain
UCE    Unsolicited Commercial E-mail
Other
ACEC   Advisory Commission on Electronic Commerce
EU     European Union
MOU    Memorandum of Understanding
SSN    Social Security Number
WIPO   World Intellectual Property Organization
WTO    World Trade Organization
Appendix C: Legislation Passed by the 105th - 107th Congresses
Editions of this report prepared in the 105th Congress and the 106th Congress
also addressed key technology policy issues affecting the use and growth of the
Internet. Some of those issues continue to be of interest to Congress and are
discussed in this edition of the report. Others, however, appear to be resolved from
a congressional point of view, at least for the moment, specifically encryption,
electronic signatures, and protecting children from unsuitable material on the
Internet. Those topics are not discussed in this version of the report. Nevertheless,
it appears useful to retain information about legislation that passed on the subjects
of most interest to the two previous Congresses. Following is such a summary, based
on the topics that were previously covered in the report.
Legislation Enacted in the 105th Congress
Protecting Children: Child Online Protection Act, Children’s Online Privacy
Protection Act, and Child Protection and Sexual Predator Protection Act
In the FY1999 Omnibus Consolidated and Emergency Supplemental
Appropriations Act (P.L. 105-277), Congress included several provisions related to
protecting children on the Internet. Included is legislation making it a crime to send
material that is “harmful to minors” to children and protecting the privacy of
information provided by children under 13 over interactive computer services.
Separately, Congress passed a law (P.L. 105-314) that, inter alia, strengthens
penalties against sexual predators using the Internet.
The “harmful to minors” language is in the Child Online Protection Act, Title
XIV of Division C of the Omnibus Appropriations Act. Similar language was also
included in the Internet Tax Freedom Act (Title XI of Division C of the Omnibus
Appropriations Act). Called “CDA II” by some in reference to the Communications
Decency Act that passed Congress in 1996 but was overturned by the Supreme Court,
the bill restricts access to commercial material that is “harmful to minors”
distributed on the World Wide Web to those 17 and older. The American Civil
Liberties Union (ACLU) and others filed suit against enforcement of the portion of
the Act dealing with the “harmful to minors” language. In February, 1999, a federal
judge in Philadelphia issued a preliminary injunction against enforcement of that
section of the Act. The Justice Department has filed an appeal (see CRS Report
98-670, Obscenity, Child Pornography, and Indecency: Recent Developments and
Pending Issues for further information).
The Children’s Online Privacy Protection Act, also part of the Omnibus
Appropriations Act (Title XIII of Division C), requires verifiable parental consent for
the collection, use, or dissemination of personally identifiable information from
children under 13.
The Omnibus Appropriations Act also includes a provision intended to make it
easier for the FBI to gain access to Internet service provider records of suspected
sexual predators (Section 102, General Provisions, Justice Department). It also sets
aside $2.4 million for the Customs Service to double the staffing and resources for
the child pornography cyber-smuggling initiative and provides $1 million in the
Violent Crime Reduction Trust Fund for technology support for that initiative.
The Protection of Children from Sexual Predators Act (P.L. 105-314) is a
broad law addressing concerns about sexual predators. Among its provisions are
increased penalties for anyone who uses a computer to persuade, entice, coerce, or
facilitate the transport of a child to engage in prohibited sexual activity, a
requirement that Internet service providers report to law enforcement if they become
aware of child pornography activities, a requirement that federal prisoners using the
Internet be supervised, and a requirement for a study by the National Academy of
Sciences on how to reduce the availability to children of pornography on the Internet.
Identity Theft and Assumption Deterrence Act
The Identity Theft and Assumption Deterrence Act (P.L. 105-318) sets penalties
for persons who knowingly, and with the intent to commit unlawful activities,
possess, transfer, or use one or more means of identification not legally issued for use
to that person.
Intellectual Property: Digital Millennium Copyright Act
Congress passed legislation (P.L. 105-304) implementing the World Intellectual
Property Organization (WIPO) treaties regarding protection of copyright on the
Internet. The law also limits copyright infringement liability for online service
providers that serve only as conduits of information. Provisions relating to database
protection that were included by the House were not included in the enacted version
and are being debated anew in the 106th Congress. Since database protection per se
is not an Internet issue, it is not included in this report (see CRS Report 98-902,
Intellectual Property Protection for Noncreative Databases).
Digital Signatures: Government Paperwork Elimination Act
Congress passed the Government Paperwork Elimination Act (Title XVII of
Division C of the Omnibus Appropriations Act, P.L. 105-277) that directs the Office
of Management and Budget to develop procedures for the use and acceptance of
“electronic” signatures (of which digital signatures are one type) by executive branch
agencies.
Internet Domain Names: Next Generation Internet Research Act
The Next Generation Internet Research Act (P.L. 105-305) directs the National
Academy of Sciences to conduct a study of the short- and long-term effects on
trademark rights of adding new generation top-level domains and related dispute
resolution procedures.
Summary of Legislation Passed by the 105th Congress
Title                                                       Public Law Number
FY1999 Omnibus Consolidated and Emergency                   P.L. 105-277
  Supplemental Appropriations Act
Internet Tax Freedom Act                                    Division C, Title XI
Children’s Online Privacy Protection Act                    Division C, Title XIII
Child Online Protection Act                                 Division C, Title XIV
Government Paperwork Elimination Act                        Division C, Title XVII
Protection of Children from Sexual Predators Act            P.L. 105-314
Identity Theft and Assumption Deterrence Act                P.L. 105-318
Digital Millennium Copyright Act                            P.L. 105-304
Next Generation Internet Research Act                       P.L. 105-305
Legislation Enacted in the 106th Congress
Electronic Signatures
The Millennium Digital Commerce Act (P.L. 106-229) regulates Internet
electronic commerce by permitting and encouraging its continued expansion through
the operation of free market forces, including the legal recognition of electronic
signatures and electronic records.
Computer Security
The Computer Crime Enforcement Act (P.L. 106-572) establishes
Department of Justice grants to state and local authorities to help them investigate
and prosecute computer crimes. The law authorizes the expenditure of $25 million
for the grant program through FY2004. The FY2001 Department of Defense
Authorization Act (P.L. 106-398) includes language that originated in S. 1993 to
modify the Paperwork Reduction Act and other relevant statutes concerning
computer security of government systems, codifying agency responsibilities
regarding computer security.
Internet Privacy
Language in the FY2001 Transportation Appropriations Act (P.L. 106-246)
and the FY2001 Treasury-General Government Appropriations Act (included as
part of the Consolidated Appropriations Act, P.L. 106-554) addresses Web site
information collection practices by departments and agencies in the Treasury-General
Government Appropriations Act. Section 501 of the FY2001 Transportation
Appropriations Act prohibits funds in the FY2001 Treasury-General Government
Appropriations Act from being used by any federal agency to collect, review, or
create aggregate lists that include personally identifiable information (PII) about an
individual’s access to or use of a federal Web site, or enter into agreements with third
parties to do so, with exceptions. Section 646 of the FY2001 Treasury-General
Government Appropriations Act requires Inspectors General of agencies or
departments covered in that act to report to Congress within 60 days of enactment on
activities by those agencies or departments relating to the collection of PII about
individuals who access any Internet site of that department or agency, or entering into
agreements with third parties to obtain PII about use of government or
non-government Web sites.
The Social Security Number Confidentiality Act (P.L. 106-433) prohibits the
display of Social Security numbers on unopened checks or other Treasury-issued
drafts. (Although this is not an Internet issue, it is related to concerns about
consumer identity theft, a topic addressed in this report.)
The Internet False Identification Prevention Act (P.L. 106-578) updates
existing law against selling or distributing false identification documents to include
those sold or distributed through computer files, templates, and disks. It also requires
the Attorney General and Secretary of the Treasury to create a coordinating
committee to ensure that the creation and distribution of false IDs is vigorously
investigated and prosecuted.
Protecting Children from Unsuitable Material
The Children’s Internet Protection Act (Title XVII of the FY2001
Labor-HHS Appropriations Act, included in the FY2001 Consolidated Appropriations
Act, P.L. 106-554) requires most schools and libraries that receive federal funding
through Title III of the Elementary and Secondary Education Act, the Museum and
Library Services Act, or “E-rate” subsidies from the universal service fund, to use
technology protection measures (filtering software or other technologies) to block
certain Web sites when computers are being used by minors, and in some cases, by
adults. When minors are using the computers, the technology protection measure
must block access to visual depictions that are obscene, child pornography, or
harmful to minors. When others are using the computers, the technology must block
visual depictions that are obscene or are child pornography. The technology
protection measure may be disabled by authorized persons to enable access for bona
fide research or other lawful purposes.
Internet Domain Names
The Anticybersquatting Consumer Protection Act (part of the FY2000
Consolidated Appropriations Act, P.L. 106-113) gives courts the authority to order
the forfeiture, cancellation, and/or transfer of domain names registered in “bad faith”
that are identical or similar to trademarks. The Act provides for statutory civil
damages of at least $1,000, but not more than $100,000 per domain name identifier.
Summary of Legislation Enacted in the 106th Congress
Title                                                       Public Law Number
Millennium Digital Commerce Act                             P.L. 106-229
Computer Crime Enforcement Act                              P.L. 106-572
FY2001 Transportation Appropriations Act, section 501       P.L. 106-246
FY2001 Treasury-General Government Appropriations Act,      P.L. 106-554
  section 646 (enacted by reference in the FY2001
  Consolidated Appropriations Act)
Social Security Number Confidentiality Act                  P.L. 106-433
Internet False Identification Prevention Act                P.L. 106-578
Children’s Internet Protection Act (Title XVII of the       P.L. 106-554
  FY2001 Labor-HHS Appropriations Act, enacted by
  reference in the FY2001 Consolidated Appropriations Act)
Anticybersquatting Consumer Protection Act (enacted by      P.L. 106-113
  reference in the FY2000 Consolidated Appropriations Act)
Legislation Enacted in the 107th Congress
Internet Privacy
The 107th Congress passed four laws affecting Internet privacy. The USA
PATRIOT Act (P.L. 107-56), passed in the wake of the September 11, 2001
terrorist attacks, inter alia expands law enforcement’s authority to monitor Internet
activities. The Cyber Security Enhancement Act, included as section 225 of the
Homeland Security Act (P.L. 107-296), amends the USA PATRIOT Act to further
loosen restrictions on Internet Service Providers (ISPs) as to when, and to whom,
they can voluntarily release information about subscribers.
Prior to the terrorist attacks, concern had focused on the opposite issue —
whether law enforcement officials might be overstepping their authority when using
a software program named Carnivore (later renamed DCS 1000) to monitor Internet
activities. Although the USA PATRIOT Act expands law enforcement’s authority to
monitor Internet activities, Congress also passed a provision in the 21st Century
Department of Justice Authorization Act (P.L. 107-273, section 305) requiring
the Justice Department to notify Congress about its use of Carnivore or similar
systems.
Congress also passed the E-Government Act (P.L. 107-347) that, inter alia,
sets requirements on government agencies in how they assure the privacy of personal
information in government information systems and establish guidelines for privacy
policies for federal Web sites.
Broadband Internet Access
The Farm Security and Rural Investment Act of 2002 (P.L. 107-171, Section
6103) authorizes the Secretary of Agriculture to make loans and loan guarantees to
eligible entities for facilities and equipment providing broadband service in rural
communities. The National Science Foundation Authorization Act of 2002 (P.L.
107-368, Section 18(d)) directs the National Science Foundation to conduct a study
of broadband network access for schools and libraries.
Electronic Commerce
The Internet Tax Nondiscrimination Act (P.L. 107-75) extends the Internet
tax moratorium through November 1, 2003.
Internet Domain Names
The Dot Kids Implementation and Efficiency Act of 2002 (P.L. 107-317)
directs the National Telecommunications and Information Administration of the
Department of Commerce to require the .us registry operator to establish, operate,
and maintain a second level domain that is restricted to material suitable for minors.
E-Government
The E-Government Act of 2002 amends Title 44 U.S.C. by adding Chapter 36
— Management and Promotion of Electronic Government Services, and Chapter 37
— Information Technology Management Program, which includes a variety of
provisions related to information technology management and the provision of
e-government services. Among its provisions, the law establishes an Office of
Electronic Government in the Office of Management and Budget to be headed by an
Administrator appointed by the President. It also authorizes $345 million through
FY2006 for an E-Government Fund to support initiatives, including interagency and
intergovernmental projects, that involve the “development and implementation of
innovative uses of the Internet or other electronic methods, to conduct activities
electronically.” Additionally, the law includes language that re-authorizes and
amends the Government Information Security Reform Act (GISRA), establishes an
information technology worker exchange program between the federal government
and the private sector, promotes the use of Share-In-Savings procurement contracts,
and establishes coordination and oversight policies for the protection of confidential
information and statistical efficiency (the Confidential Information Protection and
Statistical Efficiency Act of 2002).
Summary of Legislation Passed by 107th Congress
Title                                                       Public Law Number
Uniting and Strengthening America by Providing              P.L. 107-56
  Appropriate Tools to Intercept and Obstruct
  Terrorism (USA PATRIOT) Act
Internet Tax Nondiscrimination Act                          P.L. 107-75
Farm Security and Rural Investment Act (Section 6103)       P.L. 107-171
Cyber Security Enhancement Act (Section 225 of the          P.L. 107-296
  Homeland Security Act)
21st Century Department of Justice Authorization Act        P.L. 107-297
  (Section 305)
Dot Kids Implementation and Efficiency Act                  P.L. 107-317
E-Government Act                                            P.L. 107-347
National Science Foundation Authorization Act of 2002       P.L. 107-368
  (Section 18d)
Appendix D: Related CRS Reports
Internet Privacy
CRS Report RL31289. The Internet and the USA PATRIOT Act: Potential
Implications for Electronic Privacy, Security, Commerce, and Government, by
Marcia S. Smith, Jeffrey W. Seifert, Glenn J. McLoughlin, and John Dimitri
Moteff.
CRS Report RL30784. Internet Privacy: An Analysis of Technology and Policy
Issues, by Marcia S. Smith.
CRS Report RL31408. Internet Privacy: Overview and Pending Legislation, by
Marcia S. Smith.
CRS Report RL30322. Online Privacy Protection: Issues and Developments, by
Gina Marie Stevens.
CRS Report 98-326. Privacy: An Overview of Federal Statutes Governing
Wiretapping and Electronic Eavesdropping, by Gina Marie Stevens and Charles
Doyle.
CRS Report RS21221. Privacy Protection for Online Information, by Gina Marie
Stevens.
CRS Report RL31200. Terrorism: Section by Section Analysis of the USA PATRIOT
Act, by Charles Doyle.
CRS Report RL31377. The USA PATRIOT Act: A Legal Analysis, by Charles Doyle.
CRS Report RS21203. The USA PATRIOT Act: A Sketch, by Charles Doyle.
Computer Security
CRS Report RL30153. Critical Infrastructures: Background, Policy, and
Implementation, by John D. Moteff.
CRS Report RL31289. The Internet and the USA PATRIOT Act: Potential
Implications for Electronic Privacy, Security, Commerce, and Government, by
Marcia S. Smith, Jeffrey W. Seifert, Glenn J. McLoughlin, and John Dimitri
Moteff.
CRS Report RL31542. Homeland Security — Reducing the Vulnerability of Public
and Private Information Infrastructures from Terrorism: An Overview, by
Jeffrey Seifert.
CRS Report 31787. Information Warfare and Cyberwar: Capabilities and Related
Policy Issues, by Clay Wilson.
Broadband Internet Access
CRS Issue Brief IB10045. Broadband Internet Access: Background and Issues, by
Angele A. Gilroy and Lennard G. Kruger.
CRS Report RL30719. Broadband Internet Access and the Digital Divide: Federal
Assistance Programs, by Lennard G. Kruger.
CRS Report RL31938. Local Telephone Competition: A Brief Overview, by Angele
A. Gilroy.
CRS Report RL30018. Long Distance Telephony: Bell Operating Company Entry
Into the Long Distance Market, by James R. Riehl.
CRS Issue Brief IB98040. Telecommunications Discounts for Schools and
Libraries: the “E-Rate” Program and Controversies, by Angele Gilroy.
Electronic Commerce
CRS Report RL31293. E-Commerce Statistics: Explanation and Sources, by Rita
E. Tehan.
CRS Report RS20426. Electronic Commerce: An Introduction, by Glenn J.
McLoughlin.
CRS Report RS20344. Electronic Signatures: Technology Developments and
Legislative Issues, by Richard Nunno.
CRS Report RL31177. Extending the Internet Tax Moratorium and Related Issues,
by Nonna A. Noto.
CRS Report RL31929. Internet Tax Bills in the 108th Congress, by Nonna A. Noto.
CRS Report RL31289. The Internet and the USA PATRIOT Act: Potential
Implications for Electronic Privacy, Security, Commerce, and Government, by
Marcia S. Smith, Jeffrey W. Seifert, Glenn J. McLoughlin, and John Dimitri
Moteff.
CRS Report RL31252. Internet Commerce and State Sales and Use Taxes, by
Stephen Maguire.
CRS Report RS20577. State Sales Taxation of Internet Transactions, by John
Luckey.
Unsolicited Commercial Electronic Mail (Junk E-Mail or Spam)
CRS Report RL31953. “Junk E-mail”: An Overview of Issues and Legislation
Concerning Unsolicited Commercial Electronic Mail (“Spam”), by Marcia S.
Smith.
CRS Report RL31488. Regulation of Unsolicited Commercial E-Mail, by Angie A.
Welborn.
CRS Report RL30763. Telemarketing: Dealing with Unwanted Telemarketing Calls,
by James R. Riehl.
Internet Domain Names
CRS Report 97-868 STM. Internet Domain Names: Background and Policy Issues,
by Lennard G. Kruger.
Government Information Technology Management
CRS Report RL31627. Computer Software and Open Source Issues: A Primer, by
Jeffrey W. Seifert.
CRS Report RL31594. Congressional Continuity of Operations (COOP): An
Overview of Concepts and Challenges, by R. Eric Petersen and Jeffrey W.
Seifert.
CRS Report RS21140. Electronic Congress: Proposals and Issues, by Jeffrey W.
Seifert and R. Eric Petersen.
CRS Report RL30745. Electronic Government: A Conceptual Overview, by Harold
C. Relyea.
CRS Report RL30914. Federal Chief Information Officer (CIO): Opportunities and
Challenges, by Jeffrey W. Seifert.
CRS Report RL30661. Government Information Technology Management: Past and
Future Issues (the Clinger-Cohen Act), by Jeffrey W. Seifert.
CRS Report RL31103. House of Representatives Information Technology
Management Issues: An Overview of the Effects on Institutional Operations, the
Legislative Process, and Future Planning, by Jeffrey W. Seifert and R. Eric
Petersen.
CRS Report RL31289. The Internet and the USA PATRIOT Act: Potential
Implications for Electronic Privacy, Security, Commerce, and Government, by
Marcia S. Smith, Jeffrey W. Seifert, Glenn J. McLoughlin, and John Dimitri
Moteff.
CRS Report RS21469. The National Telecommunications and Information
Administration (NTIA): Budget, Programs, and Issues, by Glenn J. McLoughlin.
CRS Report RL31057. A Primer on E-Government: Sectors, Stages, Opportunities,
and Challenges of Online Governance, by Jeffrey W. Seifert.
Related Topics
Computer Fraud and Abuse
CRS Report RS20830. Computer Fraud and Abuse: A Sketch of 18 U.S.C. 1030 and
Related Federal Criminal Laws, by Charles Doyle.
CRS Report 97-1025. Computer Fraud & Abuse: An Overview of 18 U.S.C. 1030
And Related Federal Criminal Laws, by Charles Doyle.
Copyright and “Fair Use”
CRS Report RL30683. Copyright Cases in the Courts: Napster, MP3 Digital Music,
and DVD Motion Picture Encryption Technology, by Robin Jeweler.
CRS Report RL31029. Copyright Issues in Online Music Delivery, by Robin
Jeweler.
CRS Report RS21362. Copyright Law: Digital Rights Management Legislation in
the 107th Congress, by Robin Jeweler.
CRS Report RL31626. Copyright Law: Statutory Royalty Rates for Webcasters, by
Robin Jeweler.
CRS Report RL31827. “Digital Rights” and Fair Use in Copyright Law, by Robin
Jeweler.
CRS Report RL31423. Fair Use on the Internet, by Christopher A. Jennings.
CRS Report RS21206. “Fair Use” on the Internet: Linking, Framing, and
Copyright’s Reproduction and Public Display Rights, by Christopher A.
Jennings.
Identity Theft
CRS Report RL31752. Identity Theft: An Overview of Proposed Legislation, by
Angie A. Wellborn.
CRS Report RS21163. Remedies Available to Victims of Identity Theft, by Angie A.
Wellborn.
Internet-General
CRS Report RL31270. Internet Statistics: Explanation and Sources, by Rita E.
Tehan.
CRS Report RL30987. Spinning the Web: the Internet’s History and Structure, by
Rita Tehan.
Medical Records, Financial, and Other Privacy Issues
CRS Report RS20934. Brief Summary of the Medical Privacy Rule, by Gina Marie
Stevens.
CRS Report RS20500. Medical Records Privacy: Questions and Answers on the
December 2000 Federal Regulation, by C. Stephen Redhead.
CRS Report RS20185. Privacy Protection for Customer Financial Information, by
M. Maureen Murphy.
CRS Report RL31636. Wireless Privacy: Availability of Location Information for
Telemarketing, by Marcia S. Smith.
Protecting Children
CRS Report RS21328. Internet: Status of Legislative Attempts to Protect Children
from Unsuitable Material on the Web, by Marcia S. Smith and Amanda Jacobs.
CRS Report 98-670. Obscenity, Child Pornography, and Indecency: Recent
Developments and Pending Issues, by Henry Cohen.
Other Related Topics
CRS Report RL30602. Electronic Stock Market, by Mark Jickling.
CRS Report 97-619. Internet Gambling: Overview of Federal Criminal Law, by
Charles Doyle.
CRS Report RS20639. Internet Voting: Issues and Legislation, by Kevin Coleman.
CRS Report RL30456. Prescription Drug Sales Over the Internet, by Christopher
Sroka.
CRS Report RL30863. Telework in the Federal Government: Background, Policy,
and Oversight, by Lorraine H. Tong and Barbara L. Schwemle.