Order Code RL31408
CRS Report for Congress
Received through the CRS Web
Internet Privacy: Overview and Pending Legislation
Updated September 1, 2005
Marcia S. Smith
Specialist in Aerospace and Telecommunications Policy
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress
Summary
Internet privacy issues generally encompass two types of concerns. One is the
collection of personally identifiable information (PII) by website operators from
visitors to government and commercial websites, or by software that is surreptitiously
installed on a user’s computer (“spyware”) and transmits the information to someone
else. The other is the monitoring of electronic mail and Web usage by the
government or law enforcement officials, employers, or email service providers.
The September 11, 2001 terrorist attacks intensified debate over the issue of law
enforcement monitoring, with some advocating increased tools for law enforcement
officials to track down terrorists, and others cautioning that fundamental tenets of
democracy, such as privacy, not be endangered in that pursuit. Congress passed the
2001 USA PATRIOT Act (P.L. 107-56) that, inter alia, makes it easier for law
enforcement to monitor Internet activities. That act was later amended by the
Homeland Security Act (P.L. 107-296), loosening restrictions as to when, and to
whom, Internet Service Providers may voluntarily release the content of
communications if they believe there is a danger of death or injury. The report of the
9/11 Commission called for a full and informed debate on the USA PATRIOT Act,
and creation of a board to ensure that privacy and civil liberties are protected.
Congress directed that a Privacy and Civil Liberties Oversight Board be established
as part of the law that implements many of the Commission’s recommendations (P.L.
108-457). Legislation is pending (H.R. 1310) to make certain modifications to that
Board, and to change some of the sunset provisions of the USA PATRIOT Act (H.R.
1526, H.R. 3199, S. 737).
The debate over website information policies concerns whether industry self
regulation or legislation is the best approach to protecting consumer privacy.
Congress has considered legislation that would require commercial website operators
to follow certain fair information practices, but the only law that has been enacted
(COPPA, P.L. 105-277) concerns the privacy of children under 13, not the general
public. Legislation has passed regarding information practices for federal government
websites, including the E-Government Act (P.L. 107-347).
The growing controversy about how to protect computer users from “spyware”
without creating unintended consequences is discussed in CRS Report RL32706.
Another issue, identity theft, is not an Internet privacy issue per se, but is often
debated in the context of whether the Internet makes identity theft more prevalent.
For example, Internet-based practices called “phishing” and “pharming” may
contribute to identity theft. Identity theft is briefly discussed in this report; more
information is available in CRS Report RS22082, CRS Report RL31919, and CRS
Report RL32535. Wireless privacy issues are discussed in CRS Report RL31636.
This report tracks Internet privacy-related legislation in the 109th Congress, and
provides an overview of Internet privacy issues and related laws passed in the
previous two Congresses.
This report will be updated.
Contents
Introduction
Internet: Commercial Website Practices
  Children’s Online Privacy Protection Act (COPPA), P.L. 105-277
  FTC Activities and Fair Information Practices
  Advocates of Self Regulation
  Advocates of Legislation
  Congressional Action
Internet: Federal Government Website Information Practices
Monitoring of E-mail and Web Usage
  By Government and Law Enforcement Officials
    The USA PATRIOT Act
    Concerns about the USA PATRIOT Act
    Sunset Clause of the USA Patriot Act
    The 9/11 Commission Report, and Creation of the Privacy and Civil Liberties Oversight Board
  By Employers
  By E-Mail Service Providers: The “Councilman Case”
Spyware
Identity Theft (Including Phishing and Pharming)
  Identity Theft Statistics
  “Phishing” and “Pharming”
  Existing Laws
  Pending Legislation
Summary of 109th Congress Internet Privacy-Related Legislation
Appendix A. Internet Privacy-Related Legislation Passed by the 108th Congress
Appendix B. Internet Privacy-Related Legislation Passed by the 107th Congress
List of Tables
Table 1: Pending Legislation in the 109th Congress
Introduction
Internet privacy issues generally encompass two types of concerns. One is the
collection of personally identifiable information (PII) by website operators from
visitors to government and commercial websites, or by software that is surreptitiously
installed on a user’s computer (“spyware”) and transmits the information to someone
else. The other is the monitoring of electronic mail and Web usage by the
government or law enforcement officials, employers, or e-mail service providers.
Another issue, identity theft, is not an Internet privacy issue per se, but is often
debated in the context of whether the Internet makes identity theft more prevalent.
For example, Internet-based practices called “phishing” and “pharming” may
contribute to identity theft.
This report discusses Internet privacy-related issues and tracks legislation.
Background information on Internet privacy issues is available in CRS Report
RL30784, Internet Privacy: An Analysis of Technology and Policy Issues, and CRS
Report RL31289, The Internet and the USA PATRIOT Act: Potential Implications
for Electronic Privacy, Security, Commerce, and Government.
Internet: Commercial Website Practices
One aspect of the Internet (“online”) privacy debate focuses on whether industry
self regulation or legislation is the best route to assure consumer privacy protection.
In particular, consumers appear concerned about the extent to which website
operators collect “personally identifiable information” (PII) and share that data with
third parties without their knowledge. Although many in Congress and the Clinton
Administration preferred industry self regulation, the 105th Congress passed
legislation (COPPA, see below) to protect the privacy of children under 13 as they
use commercial websites. Many bills have been introduced since that time regarding
protection of those not covered by COPPA, but the only legislation that has passed
concerns federal government, not commercial, websites.
Children’s Online Privacy Protection Act (COPPA), P.L. 105-277
Congress, the Clinton Administration, and the Federal Trade Commission (FTC)
initially focused their attention on protecting the privacy of children under 13 as they
visit commercial websites. Not only are there concerns about information children
might divulge about themselves, but also about their parents. The result was the
Children’s Online Privacy Protection Act (COPPA), Title XIII of Division C of the
FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act,
P.L. 105-277. The FTC’s final rule implementing the law became effective April 21,
2000 [http://www.ftc.gov/os/1999/10/64fr59888.htm]. Commercial websites and
online services directed to children under 13, or that knowingly collect information
from them, must inform parents of their information practices and obtain verifiable
parental consent before collecting, using, or disclosing personal information from
children. The Commission adopted a “sliding scale” for complying with the
verifiable consent requirement depending on how the data would be used. That is,
if the information was for internal use only, the verifiable consent could be obtained
from the parent by e-mail, plus an additional step to ensure the person giving consent
is, in fact, the parent. If the website operator planned to disclose the information
publicly or to third parties, a higher standard was set. This sliding scale was set to
expire in 2002 with the expectation that better verification technologies would
become available. However, in 2002, the FTC determined that such technologies
still were not available, and the sliding scale was extended to April 12, 2005. In
2005, the Commission extended it again, and is seeking public comment on how to
proceed, as part of its overall review of the COPPA rule.1
The law also provides for industry groups or others to develop self-regulatory
“safe harbor” guidelines that, if approved by the FTC, can be used by websites to
comply with the law. The FTC approved self-regulatory guidelines proposed by the
Better Business Bureau on January 26, 2001. On June 11, 2003, then-FTC
Chairman Timothy Muris stated in testimony to the Senate Commerce Committee
that the FTC had brought eight COPPA cases, and obtained agreements requiring
payment of civil penalties totaling more than $350,000.2
As required by COPPA, on April 21, 2005, the Commission issued a request for
public comment on its final rule, five years after the rule’s effective date.3
Comments are requested on the costs and benefits of the rule; whether it should be
retained, eliminated, or modified; and its effect on practices relating to the collection
of information relating to children, children’s ability to access information of their
choice online, and the availability of websites directed to children.
FTC Activities and Fair Information Practices
The FTC conducted or sponsored several surveys between 1997 and 2000 to
determine the extent to which commercial website operators abided by four fair
information practices — providing notice to users of their information practices
before collecting personal information, allowing users choice as to whether and how
personal information is used, allowing users access to data collected and the ability
to contest its accuracy, and ensuring security of the information from unauthorized
1 FTC Seeks Public Comment on Children’s Online Privacy Rule. FTC press release, April
21, 2005. [http://www.ftc.gov/opa/2005/04/coppacomments.htm]
2 Prepared statement of Timothy Muris, Chairman, Federal Trade Commission, p. 10,
available at [http://commerce.senate.gov/hearings/witnesslist.cfm?id=807].
3 FTC Seeks Public Comment on Children’s Online Privacy Rule, op. cit.
use. Some include enforcement as a fifth fair information practice. Regarding
choice, the term “opt-in” refers to a requirement that a consumer give affirmative
consent to an information practice, while “opt-out” means that permission is
assumed unless the consumer indicates otherwise. See CRS Report RL30784 for
more information on the FTC surveys and fair information practices. The FTC’s
reports are available on its website [http://www.ftc.gov].
Briefly, the first two FTC surveys (December 1997 and June 1998) created
concern about the information practices of websites directed at children and led to
the enactment of COPPA (see above). The FTC continued monitoring websites to
determine if legislation was needed for those not covered by COPPA. In 1999, the
FTC concluded that more legislation was not needed at that time because of
indications of progress by industry at self-regulation, including creation of “seal”
programs (see below) and by two surveys conducted by Georgetown University.
However, in May 2000, the FTC changed its mind following another survey that
found only 20% of randomly visited websites and 42% of the 100 most popular
websites had implemented all four fair information practices. The FTC voted to
recommend that Congress pass legislation requiring websites to adhere to the four
fair information practices, but the 3-2 vote indicated division within the Commission.
On October 4, 2001, Timothy Muris, who had recently become FTC Chairman, stated
that he did not see a need for additional legislation at that time. (Mr. Muris was
succeeded as FTC Chairman on August 16, 2004 by Deborah Platt Majoras.)
Advocates of Self Regulation
In 1998, members of the online industry formed the Online Privacy Alliance
(OPA) to encourage industry self regulation. OPA developed a set of privacy
guidelines, and its members are required to adopt and implement posted privacy
policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust have
established “seals” for websites. To display a seal from one of those organizations,
a website operator must agree to abide by certain privacy principles (some of which
are based on the OPA guidelines), a complaint resolution process, and to being
monitored for compliance. Advocates of self regulation argue that these seal
programs demonstrate industry’s ability to police itself.
Technological solutions also are being offered. P3P (Platform for Privacy
Preferences) is one such technology. It essentially creates machine-readable privacy
policies through which users can match their privacy preferences with the privacy
policies of the websites they visit. One concern is that P3P requires companies to
produce shortened versions of their privacy policies, which could raise issues of
whether the shortened policies are legally binding, since they may omit nuances and
“sacrifice accuracy for brevity.”4 For more information on P3P, see
[http://www.w3.org/P3P/].
4 Clark, Drew. Tech, Banking Firms Criticize Limitations of Privacy Standard.
NationalJournal.com, November 11, 2002.
Advocates of Legislation
Consumer, privacy rights and other interest groups believe self regulation is
insufficient. They argue that the seal programs do not carry the weight of law, and
that while a site may disclose its privacy policy, that does not necessarily equate to
having a policy that protects privacy. The Center for Democracy and Technology
(CDT, at [http://www.cdt.org]) and the Electronic Privacy Information Center
(EPIC, at [http://www.epic.org]) each released reports on this topic. EPIC’s most
recent report, Privacy Self Regulation: A Decade of Disappointment, argues that the
National Do Not Call list, which restricts telemarketing phone calls, demonstrates
that government regulation can be more effective than industry self regulation.
Calling telemarketing a 20th Century problem, the report concludes that the FTC has
given self regulation a decade to work in the Internet privacy arena, and it is time for
the agency “to apply the lessons from telemarketing and other efforts to address the
21st century [sic] problem of Internet privacy.”5
Some privacy interest groups, such as EPIC, also feel that P3P is insufficient,
arguing that it is too complex and confusing and fails to address many privacy
issues. An EPIC report from June 2000 further explains its findings
[http://www.epic.org/reports/prettypoorprivacy.html].
Privacy advocates are particularly concerned about online profiling, where
companies collect data about what websites are visited by a particular user and
develop profiles of that user’s preferences and interests for targeted advertising.
Following a one-day workshop on online profiling, FTC issued a two-part report in
the summer of 2000 that also heralded the announcement by a group of companies
that collect such data, the Network Advertising Initiative (NAI), of self-regulatory
principles. At that time, the FTC nonetheless called on Congress to enact legislation
to ensure consumer privacy vis-à-vis online profiling because of concern that “bad
actors” and others might not follow the self-regulatory guidelines.
Congressional Action
Many Internet privacy bills were considered by the 107th and 108th Congresses.
Other than extending an existing prohibition regarding federal websites (see next
section), none cleared Congress. Legislation is pending again in the 109th Congress
(see table at end of report).
Internet: Federal Government Website Information Practices
Under a May 1998 directive from President Clinton and a June 1999 Office of
Management and Budget (OMB) memorandum, federal agencies must ensure that
their information practices adhere to the 1974 Privacy Act. In June 2000, however,
5 EPIC. Privacy Self Regulation: A Decade of Disappointment, by Chris Jay Hoofnagle.
March 4, 2005. [http://www.epic.org/reports/decadedisappoint.pdf] p.5.
the Clinton White House revealed that contractors for the Office of National Drug
Control Policy (ONDCP) had been using “cookies” (small text files placed on users’
computers when they access a particular website) to collect information about those
using an ONDCP site during an anti-drug campaign. ONDCP was directed to cease
using cookies, and OMB issued another memorandum reminding agencies to post
and comply with privacy policies, and detailing the limited circumstances under
which agencies should collect personal information. A September 5, 2000 letter from
OMB to the Department of Commerce further clarified that “persistent” cookies,
which remain on a user’s computer for varying lengths of time (from hours to years),
are not allowed unless four specific conditions are met. “Session” cookies, which
expire when the user exits the browser, are permitted.
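The session/persistent distinction that the OMB guidance turns on is visible in the Set-Cookie headers a site sends. As an added illustration (example code written for this summary, not part of the CRS report or of any agency tool), the following Python routine classifies Set-Cookie headers by whether they carry a Max-Age or Expires attribute, so that a site administrator can spot cookies that would outlive the browser session; the sample headers and the fixed audit time are constructed.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added example for this report; the header samples and audit time below are
constructed, not taken from any agency site.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class CookieFinding:
    name: str
    kind: str                  # "session", "persistent" or "deletion"
    lifetime_s: Optional[int]  # seconds until expiry; None unless persistent
    header: str                # raw header, kept for the audit record


def classify_set_cookie(header: str, now: datetime) -> CookieFinding:
    """Classify one Set-Cookie header value.

    Per RFC 6265 a cookie is persistent when it carries a Max-Age or an
    Expires attribute (Max-Age wins if both are present). A non-positive
    Max-Age or an Expires date in the past tells the browser to delete the
    cookie, so those are reported as "deletion" rather than "persistent".
    Anything else is a session cookie, discarded when the browser exits.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # browsers ignore a malformed Max-Age
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # unparsable date is treated as absent
    if max_age is not None:
        if max_age <= 0:
            return CookieFinding(name, "deletion", None, header)
        return CookieFinding(name, "persistent", max_age, header)
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        remaining = int((expires - now).total_seconds())
        if remaining <= 0:
            return CookieFinding(name, "deletion", None, header)
        return CookieFinding(name, "persistent", remaining, header)
    return CookieFinding(name, "session", None, header)


def persistent_cookie_names(headers: List[str], now: datetime) -> List[str]:
    """Names of the cookies that would remain after the browser is closed."""
    findings = (classify_set_cookie(h, now) for h in headers)
    return [f.name for f in findings if f.kind == "persistent"]


# Constructed sample: what an audit of one HTTP response might see.
AUDIT_TIME = datetime(2005, 9, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",                # session
    "campaign=spring05; Expires=Sat, 01 Jan 2011 00:00:00 GMT",  # persistent
    "tracker=9f3a; Max-Age=31536000; Path=/",                    # persistent
    "legacy=; Max-Age=0; Path=/",                                # deletion
    "pref=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT",             # deletion
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        f = classify_set_cookie(h, AUDIT_TIME)
        print(f"{f.kind:10s} {f.name:10s} lifetime={f.lifetime_s}")
    print("persistent:", persistent_cookie_names(SAMPLE_HEADERS, AUDIT_TIME))
```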
At the time, Congress was considering whether commercial websites should be
required to abide by FTC’s four fair information practices. The incident sparked
interest in whether federal websites should adhere to the same requirements. In the
FY2001 Transportation Appropriations Act (P.L. 106-346), Congress prohibited
funds in the FY2001 Treasury-Postal Appropriations Act from being used to collect,
review, or create aggregate lists that include PII about an individual’s access to or use
of a federal website or enter into agreements with third parties to do so, with
exceptions. Similar language has been included in subsequent appropriations bills.
For FY2005, it is Sec. 633 of the Transportation-Treasury Appropriations Act
(incorporated into P.L. 108-447, the FY2005 Consolidated Appropriations Act). The
FY2006 Transportation-Treasury Appropriations bill (H.R. 3058) as passed by the
House (Sec. 933) and as reported from the Senate Appropriations Committee (Sec.
831) includes the same language.
Section 646 of the FY2001 Treasury-Postal Appropriations Act (P.L. 106-554)
required Inspectors General (IGs) to report to Congress on activities by those
agencies or departments relating to their own collection of PII, or entering into
agreements with third parties to obtain PII about use of websites. Then-Senator Fred
Thompson released two reports in April and June 2001 based on the findings of
agency IGs who discovered unauthorized persistent cookies and other violations of
government privacy guidelines on several agency websites. An April 2001 GAO
report (GAO-01-424) concluded that most of the 65 sites it reviewed were following
OMB’s guidance.
The E-Government Act (P.L. 107-347) sets requirements on government
agencies regarding how they assure the privacy of personal information in
government information systems and establish guidelines for privacy policies for
federal websites. The law requires federal websites to include a privacy notice that
addresses what information is to be collected, why, its intended use, what notice or
opportunities for consent are available to individuals regarding what is collected and
how it is shared, how the information will be secured, and the rights of individuals
under the 1974 Privacy Act and other relevant laws. It also requires federal agencies
to translate their website privacy policies into a standardized machine-readable
format, enabling P3P to work (see above discussion of P3P), for example.
Monitoring of E-mail and Web Usage
By Government and Law Enforcement Officials
Another concern is the extent to which electronic mail (e-mail) exchanges or
visits to websites may be monitored by law enforcement agencies or employers. In
the wake of the September 11 terrorist attacks, the debate over law enforcement
monitoring has intensified. Previously, the issue had focused on the extent to which
the Federal Bureau of Investigation (FBI), with legal authorization, used a software
program, called Carnivore (later renamed DCS 1000), to intercept e-mail and monitor
Web activities of certain suspects. The FBI would install the software on the
equipment of Internet Service Providers (ISPs). Privacy advocates were concerned
about whether Carnivore-like systems can differentiate between e-mail and Internet
usage by a subject of an investigation and similar usage by other people. Technical
details of the system were not publicly available, meaning that privacy groups were
unable to independently determine exactly what the system could or could not do,
leading to their concerns. Section 305 of the 21st Century Department of Justice
Appropriations Authorization Act (P.L. 107-273) required the Justice Department to
report to Congress at the end of FY2002 and FY2003 on its use of Carnivore/DCS
1000 or any similar system. EPIC obtained the reports in January 2005 under the
Freedom of Information Act and placed them on its website.6 The reports indicate
that the Justice Department no longer uses Carnivore/DCS 1000, using commercially
available software instead. The Justice Department reported that it used commercial
software to conduct court-ordered electronic surveillance five times in FY2002 and
eight times in FY2003.
The USA PATRIOT Act. Following the terrorist attacks, Congress passed the
Uniting and Strengthening America by Providing Appropriate Tools to Intercept and
Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, which expands law
enforcement’s ability to monitor Internet activities. Inter alia, the law modifies the
definitions of “pen registers” and “trap and trace devices” to include devices that
monitor addressing and routing information for Internet communications. Carnivore-
like programs may now fit within the new definitions. The Internet privacy-related
provisions of the USA PATRIOT Act, included as part of Title II, are as follows:
• Section 210, which expands the scope of subpoenas for records of
electronic communications to include records commonly associated
with Internet usage, such as session times and duration.
• Section 212, which allows ISPs to divulge records or other
information (but not the contents of communications) pertaining to
a subscriber if they believe there is immediate danger of death or
serious physical injury or as otherwise authorized, and requires them
to divulge such records or information (excluding contents of
communications) to a governmental entity under certain conditions.
It also allows an ISP to divulge the contents of communications to
6 See: [http://www.epic.org/privacy/carnivore/2002_report.pdf] and
[http://www.epic.org/privacy/carnivore/2003_report.pdf]
a law enforcement agency if it reasonably believes that an
emergency involving immediate danger of death or serious physical
injury requires disclosure of the information without delay. This
section was amended by the Cyber Security Enhancement Act
— see below.
• Section 216, which adds routing and addressing information (used
in Internet communications) to dialing information, expanding what
information a government agency may capture using pen registers
and trap and trace devices as authorized by a court order, while
excluding the content of any wire or electronic communications. The
section also requires law enforcement officials to keep certain
records when they use their own pen registers or trap and trace
devices and to provide those records to the court that issued the
order within 30 days of expiration of the order. To the extent that
Carnivore-like systems fall within the new definition of pen registers
or trap and trace devices provided in the act, that language would
increase judicial oversight of the use of such systems.
• Section 217, which allows a person acting under color of law to
intercept the wire or electronic communications of a computer
trespasser transmitted to, through, or from a protected computer
under certain circumstances, and
• Section 224, which sets a four-year sunset period for many of the
Title II provisions. Sections 210 and 216 are excluded from the
sunset. Sections 212 and 217 are not, and therefore will expire on
December 31, 2005. As discussed below, Congress is considering
legislation that would amend this sunset clause, making either more
or fewer sections subject to it.
The Cyber Security Enhancement Act, section 225 of the 2002 Homeland
Security Act (P.L. 107-296), amends section 212 of the USA PATRIOT Act. It
lowers the threshold for when ISPs may voluntarily divulge the content of
communications. Now ISPs need only a “good faith” (instead of a “reasonable”)
belief that there is an emergency involving danger (instead of “immediate” danger)
of death or serious physical injury. The contents can be disclosed to “a Federal, state,
or local governmental entity” (instead of a “law enforcement agency”).
Concerns about the USA PATRIOT Act. Privacy advocates are especially
concerned about the language added by the Cyber Security Enhancement Act. EPIC
notes, for example, that allowing the contents of Internet communications to be
disclosed voluntarily to any governmental entity not only poses increased risk to
personal privacy, but also is a poor security strategy. Another concern is that the law
does not provide for judicial oversight of the use of these procedures.7 A Senate
7 [http://www.epic.org/alert/EPIC_Alert_9.23.html]. See entry under “[3] Homeland
Security Bill Limits Open Government,” and click on the hyperlink to EPIC’s February 26, 2002
(continued...)
Judiciary Committee hearing on September 23, 2004 explored some of these
concerns. Several House and Senate committees in the 109th Congress are holding
hearings on various provisions of the USA PATRIOT Act.
Sunset Clause of the USA Patriot Act. As noted, several sections of the
USA PATRIOT Act are covered by a “sunset” provision (Sec. 224) under which they
will expire on December 31, 2005, including Sec. 212 and 217. Sec. 210 and Sec.
216 are not subject to the sunset clause; i.e., they are permanent.
In the 109th Congress, several bills are pending that would modify the sunset
clause by making temporary provisions permanent, by making permanent provisions
temporary, or by modifying reporting requirements or otherwise enhancing oversight
of how the provisions are implemented. H.R. 1526 (Otter) would make Sec. 216
expire. H.R. 3199 (Sensenbrenner) would make all the provisions permanent. S. 737
(Craig) would expand reporting requirements for Sec. 216. S. 1389 (Specter) would
enhance the oversight for Sec. 212. H.R. 3199 passed the House on July 21, 2005.
The Senate passed H.R. 3199 on July 29 after substituting the text of S. 1389 as
reported from committee (no written report).
For more on the sunset clause, see CRS Report RS21704, USA PATRIOT Act
Sunset, A Sketch, or CRS Report RL32186, USA PATRIOT Act: Provisions that
Expire on December 31, 2005.
The 9/11 Commission Report, and Creation of the Privacy and Civil
Liberties Oversight Board. On July 22, 2004, the “9/11 Commission” released
its report on the terrorist attacks.8 The Commission concluded (pp. 394-395) that
many of the USA PATRIOT Act provisions appear beneficial, but that “Because of
concerns regarding the shifting balance of power to the government, we think that a
full and informed debate on the Patriot Act would be healthy.” The Commission
recommended that “The burden of proof for retaining a particular governmental
power should be on the executive, to explain (a) that the power actually materially
enhances security and (b) that there is adequate supervision of the executive’s use of
the powers to ensure protection of civil liberties. If the power is granted, there must
be adequate guidelines and oversight to properly confine its use.” The Commission
also called for creation of a board within the executive branch “to oversee adherence
to the guidelines we recommend and the commitment the government makes to
defend our civil liberties.” The commissioners went on to say that “We must find
ways of reconciling security with liberty, since the success of one helps protect the
other. The choice between security and liberty is a false choice, as nothing is more
likely to endanger America’s liberties than the success of a terrorist attack at home.
Our history has shown us that insecurity threatens liberty. Yet, if our liberties are
curtailed, we lose the values that we are struggling to defend.”
7 (...continued)
letter to the House Judiciary Committee.
8 National Commission on Terrorist Attacks Upon the United States. The 9/11 Commission
Report. 585 p. [http://www.9-11commission.gov/report/911Report.pdf]
The 108th Congress passed legislation implementing many of the Commission’s
recommendations. Called the Intelligence Reform and Terrorism Prevention Act (S.
2845, P.L. 108-458), Sec. 1061 creates a Privacy and Civil Liberties Oversight Board
as part of the Executive Office of the President. According to the bill’s sponsor,
Senator Collins, the Board’s purpose is to “ensure that privacy and civil liberties
concerns are appropriately considered in the implementation of all laws, regulations,
and policies that are related to efforts to protect the Nation against terrorism.”9 It
must report to Congress annually on an unclassified basis to the greatest extent
possible. It will be composed of five members, two of which (the chairman and vice-
chairman) must be confirmed by the Senate. All must come from outside the
government to help ensure their independence.
Reuters reported on August 4, 2005 that the five members of the Board have
been appointed, but the chairman and vice chairman have not yet been confirmed by
the Senate. The report cited critics (including a former 9/11 Commissioner,
Members of the House and Senate, and others) as concluding that the panel is a
“toothless, underfunded shell with inadequate support” from the President.10
H.R. 1310 (Maloney) would make a number of changes, including establishing
the Board as an independent agency in the executive branch, instead of part of the
Executive Office of the President; setting out certain qualifications for Board
members; and requiring that all of the Board members be confirmed by the Senate,
not just the chairman and vice-chairman.
By Employers
There also is concern about the extent to which employers monitor the e-mail
and other computer activities of employees. The public policy concern appears to
be not whether companies should be able to monitor activity, but whether they should
notify their employees of that monitoring. A 2005 survey of 526 companies by the
American Management Association and the ePolicy Institute found that 76% monitor
Web usage, and 55% retain and review e-mail messages.11 The survey found that
26% of the companies had fired employees for misusing the Internet, and 25% had
fired workers for e-mail misuse. Regarding notice, the survey reported that 80% of
the companies inform workers that they are monitoring content, keystrokes, and time
spent at the keyboard; 82% inform workers that computer files are stored and
reviewed; 86% inform workers that e-mail is monitored; and 89% inform workers
that Web usage is tracked. One criticism is that top level employees may not be
subject to the same monitoring as rank and file workers.12
9 Congressional Record, December 8, 2004, p. S11974.
10 Drees, Caroline. U.S. Civil Liberties Board Struggles Into Existence. Reuters, August
4, 2005, 12:33 (via Factiva).
11 American Management Association. 2005 Electronic Monitoring & Surveillance Survey.
Press Release, May 18, 2005. [http://www.amanet.org/press/amanews/ems05.htm]
12 Sandberg, Jared. Monitoring of Workers is Boss’s Right But Why Not Include Top
Brass? Wall Street Journal, May 18, 2005, p. B1 (via Factiva).
By E-Mail Service Providers: The “Councilman Case”
In what is widely regarded as a landmark ruling concerning Internet privacy, the
U.S. Court of Appeals for the First Circuit in Massachusetts ruled (2-1) on June 29,
2004 that an e-mail service provider did not violate federal wiretapping statutes when
it intercepted and read subscribers’ e-mails to obtain a competitive business
advantage. The ruling upheld the decision of a lower court to dismiss the case.
The case involved an e-mail service provider, Interloc, Inc., that sold out-of-
print books. According to press accounts13 and the text of the court’s ruling,14
Interloc used software code to intercept and copy e-mail messages sent to its
subscribers (who were dealers looking for buyers of rare and out-of-print books) by
competitor Amazon.com. The e-mail was intercepted and copied prior to its delivery
to the recipient so that Interloc officials could read the e-mails and obtain a
competitive advantage over Amazon.com. Interloc Vice President Bradford
Councilman was charged with violating the Wiretap Act.15 The court’s majority
opinion noted that the parties stipulated that, at all times that the Interloc software
was performing operations on the e-mails, they existed in the random access memory
or in hard drives within Interloc’s computer system.
The case turned on the distinction between the e-mail being in transit, or in
storage (and therefore governed by a different law16). The government argued that
the e-mails were copied contemporaneously with their transmission, and therefore
were intercepted under the meaning of the Wiretap Act. Judges Torruella and Cyr
concluded, however, that they were in temporary storage in Interloc’s computer
system, and therefore were not subject to the provisions of the Wiretap Act. They
further stated that “We believe that the language of the statute makes clear that
Congress meant to give lesser protection to electronic communications than wire and
oral communication. Moreover, at this juncture, much of the protection may have
been eviscerated by the realities of modern technology.... However, it is not the
province of this court to graft meaning onto the statute where Congress has spoken
plainly.” (p. 14-15). In his dissent, Judge Lipez stated, conversely, that he did not
believe Congress intended for e-mail that is temporarily stored as part of the
transmission process to have less privacy than messages as they are in transit. He
agreed with the government’s contention that an “intercept” occurs between the time
the author hits the “send” button and the message arrives in the recipient’s in-box.
He concluded that “Councilman’s approach to the Wiretap Act would undo decades
of practice and precedent ... and would essentially render the act irrelevant .... Since
I find it inconceivable that Congress could have intended such a result merely by
omitting the term ‘electronic storage’ from its definition of ‘electronic
communication,’ I respectfully dissent.”17

13 (1) Jewell, Mark. Interception of E-Mail Raises Questions. Associated Press, June 30,
2004, 9:14 pm. (2) Zetter, Kim. E-Mail Snooping Ruled Permissible. Wired News, June
30, 2004, 08:40. (3) Krim, Jonathan. Court Limits Privacy of E-Mail Messages; Providers
Free to Monitor Communications. Washington Post, July 1, 2004, E1 (via Factiva).
14 U.S. v Bradford C. Councilman. U.S. Court of Appeals for the First Circuit. No. 03-1383.
[http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf].
15 The Wiretap Act, 18 U.S.C. §§ 2510-2522, is Title I of the Electronic Communications
Privacy Act (ECPA), P.L. 99-508. According to Jewell, op. cit., two other defendants —
Alibris, which bought Interloc in 1998, and Interloc’s systems administrator — pleaded
guilty.
16 Stored communications are covered by the Stored Communications Act, which is Title II
of ECPA, 18 U.S.C. §§ 2701-2711.
Privacy advocates expressed deep concern about the ruling. Electronic Frontier
Foundation (EFF) attorney Kevin Bankston stated that the court had “effectively
given Internet communications providers free rein to invade the privacy of their users
for any reason and at any time.”18 The five major ISPs (AOL, Earthlink, Microsoft,
Comcast, and Yahoo) all reportedly have policies governing their terms of service
that state that they do not read subscribers’ e-mail or disclose personal information
unless required to do so by law enforcement agencies.19 The U.S. Department of
Justice appealed the court’s decision, and several civil liberties groups filed a “friend
of the court” brief in support of the government’s appeal. In August 2005, the First
Circuit Court of Appeals overturned the lower court’s decision 5-2.20
Two bills were introduced in the 108th Congress that would have affected this
debate by amending either the Wiretap Act or the Stored Communications Act.
There was no action on either bill. In the 109th Congress, H.R. 3503/S. 936 would
amend the Wiretap Act to clarify that it applies “contemporaneous with transit, or on
an ongoing basis during transit, through the use of any electronic, mechanical, or
other device or process, notwithstanding that the communication may simultaneously
be in electronic storage.”
Spyware
Spyware is discussed in more detail in CRS Report RL32706, Spyware:
Background and Policy Issues for Congress. The term “spyware” is not well
defined. One example of spyware is software products that include, as part of the
software itself, a method by which information is collected about the use of the
computer on which the software is installed. Some products may collect personally
identifiable information (PII). When the computer is connected to the Internet, the
software periodically relays the information back to the software manufacturer or a
marketing company. Some software traces a user’s Web activity and causes
advertisements to suddenly appear on the user’s monitor — called “pop-up” ads —
in response. Such software is called “adware,” and one aspect of the spyware debate
is whether adware should be included in the definition of spyware. Software
programs that include spyware can be sold or provided for free, on a disk (or other
media) or downloaded from the Internet. Typically, users have no knowledge that
spyware is on their computers.

17 U.S. v Bradford C. Councilman, p. 53.
18 Online Privacy “Eviscerated” by First Circuit Decision. June 29, 2004.
[http://www.eff.org/news/archives/2004_06.php#001658].
19 Krim, op. cit.
20 McCullagh, Declan. E-mail Wiretap Case Can Proceed, Court Says. c|net News.com,
August 11, 2005, 14:30:00 PDT.
A central point of the debate is whether new laws are needed, or if industry self-
regulation, coupled with enforcement actions under existing laws such as the Federal
Trade Commission Act, is sufficient. The lack of a precise definition for spyware is
cited as a fundamental problem in attempting to write new laws. FTC representatives
and others caution that new legislation could have unintended consequences, barring
current or future technologies that might, in fact, have beneficial uses. They further
insist that, if legal action is necessary, existing laws provide sufficient authority.
Consumer concern about control of their computers being taken over by spyware
leads others to conclude that legislative action is needed.
Utah and California have passed spyware laws, but there is no specific federal
law regarding spyware. In the 108th Congress, the House passed two bills (H.R. 2929
and H.R. 4661) and the Senate Commerce Committee reported S. 2145. There was
no further action.
In the 109th Congress, two bills have passed the House: H.R. 29 (Bono) and
H.R. 744 (Goodlatte). Two bills also are pending in the Senate: S. 687 (Burns-
Wyden), and S. 1004 (Allen). A Senate Commerce Committee hearing on S. 687
was held on May 11, 2005. For more information on the pending legislation, see
CRS Report RL32706.
Identity Theft (Including Phishing and Pharming)
Identity theft is not an Internet privacy issue, but the perception that the Internet
makes identity theft easier means that it is often discussed in the Internet privacy
context. The concern is that the widespread use of computers for storing and
transmitting information is contributing to the rising rate of identity theft over the
past several years, where one individual assumes the identity of another using
personal information such as credit card and Social Security numbers (SSNs). The
FTC has a toll free number (877-ID-THEFT) to help victims.21
The extent to which the Internet is responsible for the increase in cases is
debatable. Some attribute the rise instead to carelessness by businesses in handling
personally identifiable information, and by credit issuers that grant credit without
proper checks. More traditional methods of acquiring someone’s personal
information — from lost or stolen wallets, or “dumpster diving” — also are used by
identity thieves. Three high profile incidents that became public in early 2005 where
the security of consumer PII was compromised reinforced existing fears about
identity theft. The companies involved are ChoicePoint, Bank of America, and
LexisNexis. These incidents are described in CRS Report RS22082, Identity Theft:
The Internet Connection.
21 See also CRS Report RL31919, Remedies Available to Victims of Identity Theft; and CRS
Report RS21083, Identity Theft and the Fair Credit Reporting Act: an Analysis of TRW v.
Andrews and Current Legislation.
Identity Theft Statistics
In a 2003 survey for the FTC, Synovate found that 51% of victims knew how
their personal information was obtained by the thief: 14% said their information was
obtained from lost or stolen wallets, checkbooks, or credit cards; 13% said the
personal information was obtained during a transaction; 4% cited stolen mail; and
14% said the thief used “other” means (e.g. the information was misused by someone
who had access to it such as a family member or workplace associate).22
Another survey, conducted by the Council of Better Business Bureaus and
Javelin Strategy & Research, was released in January 2005.23 The 2005 Identity
Fraud Survey is based on data collected in 2004 by Synovate using questions that
closely mirrored those used in the 2003 FTC survey, plus several new questions. The
survey found that computer crime accounted for 11.6% of identity theft cases in
2004, compared with 68% from paper sources. It further found that the average loss
for online identity theft was $551 compared to $4,543 from paper sources. In cases
where the perpetrator could be identified, family members were responsible for 32%
of cases; complete strangers outside the workplace for 24%; friends, neighbors, and
in-home employees for 18%; someone at a company with access to personal
information for 13%; someone at the victim’s workplace for 4%; or “someone else”
for 8%. The study concluded that, contrary to popular perception, identity theft is
not getting worse. For example, it reported that the number of victims declined from
10.1 million in 2003 to 9.3 million in 2004, and the annual dollar volume, adjusted
for inflation, is “highly similar” ($52.6 billion) in the 2003 survey and this survey.
“Phishing” and “Pharming”
One method used to obtain PII is called “phishing.” It refers to an Internet-
based practice in which someone misrepresents their identity or authority in order to
induce another person to provide PII. Some common phishing scams involve e-mails
that purport to be from financial institutions or ISPs claiming that a person’s record
has been lost. The e-mail directs the person to a website that mimics the legitimate
business’ website and asks the person to enter a credit card number and other PII so
the record can be restored. In fact, the e-mail or website is controlled by a third party
who is attempting to extract information that will be used in identity theft or other
crimes. The FTC issued a consumer alert on phishing in June 2004.24 An “Anti-
Phishing Working Group” industry association has been established to collectively
work on solutions to phishing [http://www.antiphishing.org/].
22 Synovate. Federal Trade Commission — Identity Theft Survey Report. September 2003.
P. 30-31. [http://www.ftc.gov/opa/2003/09/idtheft.htm]
23 An abbreviated “complimentary” version of the report is available at
[http://www.javelinstrategy.com/reports/2005IdentityFraudSurveyReport.html]. A Better
Business Bureau press release is at [http://www.bbb.org/alerts/article.asp?ID=565]. The
survey was sponsored by Checkfree, Visa, and Wells Fargo & Company, but the report
emphasizes that although those companies were invited to comment on the content of the
questionnaire, they were not involved in the tabulation, analysis, or reporting of final results.
24 FTC. How Not to Get Hooked by a ‘Phishing’ Scam. June 2004. [http://www.ftc.gov/
bcp/conline/pubs/alerts/phishingalrt.pdf]
A version of phishing, dubbed “pharming,” involves fraudulent use of domain
names.25 In pharming, hackers hijack a legitimate website’s domain name, and
redirect traffic intended for that website to their own. The computer user sees the
intended website’s address in the browser’s address line, but instead, he or she is
connected to the hacker’s site and may unknowingly provide PII to the hacker.26
Existing Laws
The FTC enforces three federal laws that restrict disclosure of consumer
information and require companies to ensure the security and integrity of the data in
certain contexts — Section 5 of the Federal Trade Commission Act, the Fair Credit
Reporting Act (FCRA), and Title V of the Gramm-Leach-Bliley Act. FTC
Chairwoman Deborah Platt Majoras summarized these laws as they pertain to
identity theft at a March 10, 2005 hearing before the Senate Committee on Banking,
Housing, and Urban Affairs.27 She identified two other laws that are not enforced by
the FTC, but which also restrict the disclosure of certain types of information: the
Driver’s Privacy Protection Act, and the Health Insurance Portability and
Accountability Act.
Congress also has passed laws specifically regarding identity theft: the 1998
Identity Theft and Assumption Deterrence Act; the 2003 Fair and Accurate Credit
Transactions (FACT) Act; and the 2004 Identity Theft Penalty Enhancement Act.
Those laws are summarized in CRS Report RL31919. Briefly, the Identity Theft and
Assumption Deterrence Act (P.L. 105-318) directed the FTC to establish a central
repository for identity theft complaints, and provide victim assistance and consumer
education.
The FACT Act (P.L. 108-159) contains perhaps the most comprehensive
identity theft provisions in federal law. Implementation of that act is discussed in
CRS Report RL32535, Implementation of the Fair and Accurate Credit Transactions
(FACT) Act. Among its identity theft-related provisions, the law —
• requires consumer reporting agencies (CRAs) to follow certain
procedures concerning when to place, and what to do in response to,
fraud alerts on consumers’ credit files;
• allows consumers one free copy of their consumer report each year
from nationwide CRAs as long as the consumer requests it through
a centralized source under rules to be established by the FTC;28
• allows consumers one free copy of their consumer report each year
from nationwide specialty CRAs (medical records or payments,
residential or tenant history, check writing history, employment
history, and insurance claims) upon request pursuant to regulations
to be established by the FTC;
• requires credit card issuers to follow certain procedures if additional
cards are requested within 30 days of a change of address
notification for the same account;
• requires the truncation of credit card numbers on electronically
printed receipts;
• requires business entities to provide records evidencing transactions
alleged to be the result of identity theft to the victim and to law
enforcement agencies authorized by the victim to take receipt of the
records in question;
• requires CRAs to block the reporting of information in a consumer’s
file that resulted from identity theft and to notify the furnisher of the
information in question that it may be the result of identity theft;
• requires federal banking agencies, the FTC, and the National Credit
Union Administration to jointly develop guidelines for use by
financial institutions, creditors and other users of consumer reports
regarding identity theft; and
• extends the statute of limitations for when identity theft cases can be
brought.

25 For more on domain names, and the DNS, see CRS Report 97-868, Internet Domain
Names: Background and Policy Issues, by Lennard G. Kruger.
26 For more on pharming, see, for example: Delio, Michelle. Pharming Out-Scams Phishing.
Mar. 14, 2005 [http://www.wired.com/news/infostructure/0,1377,66853,00.html].
27 Available at [http://banking.senate.gov/_files/majoras.pdf].
28 The FTC rules on free credit reports were issued on June 4, 2004 and are available at
[http://www.ftc.gov/opa/2004/06/freeannual.htm].
The Identity Theft Penalty Enhancement Act (P.L. 108-275) makes aggravated
identity theft in conjunction with felonies a crime, and establishes mandatory
sentences — 2 additional years beyond the penalty for the underlying crime, or 5
additional years for those who steal identities in conjunction with a terrorist act.29
At the March 10, 2005 Senate Banking Committee hearing,30 FTC Chairwoman
Majoras discussed the “complicated maze” of laws that governs consumer data,
noting that whether particular legal provisions apply depends on the type of company or
institution involved, the type of data collected or sold, and the purpose for which it
will be used. She conceded that it is not clear if data brokers like ChoicePoint come
under the FTC’s jurisdiction, and concluded that additional legislation may be
necessary, particularly regarding notice and security. A witness from the Secret
Service also testified about his agency’s jurisdiction over identity theft crimes.
29 Senate Clears Tougher Penalties for Identity Theft in Conjunction with Felony. CQ
Weekly, June 26, 2004, p. 1561.
30 The hearing can be viewed on the committee’s website at
[http://banking.senate.gov/index.cfm?Fuseaction=Hearings.Detail&HearingID=142].
Pending Legislation
Congress continues to consider ways to reduce the incidence of identity theft.
Legislative approaches include strengthening penalties for identity theft or for the
misuse of SSNs31; increasing regulation of data brokers, such as by requiring them
to notify individuals whose PII has been breached, or to obtain a consumer’s consent
before selling PII; limiting the use of SSNs or allowing individuals to choose an
identifier other than their SSN for Medicare purposes, for example; or making
phishing unlawful.
Many bills are pending (see table below), and many hearings have been held,
in the 109th Congress on identity theft and related topics, such as data security.
Among the committees holding hearings are the Senate Banking, Housing, and Urban
Affairs Committee; the House Energy and Commerce Committee; the Senate
Judiciary Committee; the House Financial Services Committee; and the Senate
Commerce, Science and Transportation Committee. For more on legislative action,
see CRS Report RL31919, Remedies Available to Victims of Identity Theft.
31 For more on Social Security numbers, see CRS Report RL30318, The Social Security
Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality, by
Kathleen S. Swendiman.
Summary of 109th Congress Internet Privacy-Related Legislation
The following table provides summary information on pending Internet privacy-
related legislation. It should be noted that although some bills have similar titles or
intents, the details may vary. For example, some bills seek to protect “personal
information,” while others protect “personally identifiable information” (PII). Some
concern “data,” while others concern “electronic data.” Definitions may vary, or, in
some cases, the FTC is directed to determine a definition.
Table 1: Pending Legislation in the 109th Congress

Bill (Sponsor) / Summary, Committee(s) of Referral, and Status

INTERNET PRIVACY GENERAL

H.R. 84 (Frelinghuysen)
    Online Privacy Protection Act. Requires the FTC to prescribe regulations to
    protect the privacy of personal information collected from and about
    individuals not covered by COPPA. (Energy & Commerce)

H.R. 1263 (Stearns)
    Consumer Privacy Protection Act. Broad consumer privacy bill including
    provisions related to identity theft, regulation of “data collection
    organizations,” and a study of the impact on U.S. interstate and foreign
    commerce of privacy laws, etc., adopted by other countries. (Energy &
    Commerce, International Relations)

H.R. 1310 (Maloney)
    Protection of Civil Liberties Act. Inter alia, makes the Privacy and Civil
    Liberties Oversight Board an independent agency, instead of part of the
    Executive Office of the President, and specifies certain qualifications for
    Board members and requires they be confirmed by the Senate. (Government
    Reform, Judiciary, Homeland Security, Intelligence)

H.R. 1526 (Otter)
    Security and Freedom Ensured Act (SAFE Act). Inter alia, makes Sec. 216 of
    the USA PATRIOT Act subject to the sunset date. (Judiciary, Intelligence)

H.R. 3058 (Knollenberg)
    FY2006 Transportation-Treasury Appropriations. Continues language in
    previous appropriations bills prohibiting federal websites from collecting
    data about visitors to those websites. Sec. 933 in House version (passed
    House June 30); Sec. 831 in Senate version (reported from appropriations
    committee July 26, S.Rept. 109-109).

H.R. 3199 (Sensenbrenner)/S. 1389 (Specter)
    USA Patriot and Terrorism Prevention Reauthorization Act. Inter alia, House
    version repeals the sunset provision of USA PATRIOT Act, meaning that none
    of the sections would expire. Senate version, inter alia, enhances
    reporting requirements re Sec. 216. Reported from Judiciary and
    Intelligence Committees (H.Rept. 109-174, Pt. I and Pt. II) 7/18/2005;
    passed House, amended, July 21, 2005. Passed Senate July 29 after
    substituting the language of S. 1389 as reported from Senate Judiciary
    Committee (no written report) and further amended.

H.R. 3503 (Cannon)/S. 936 (Leahy-Sununu)
    E-Mail Privacy Act. Amends the Wiretap Act to clarify that it covers e-mail
    that is temporarily stored in transit (in response to the Councilman
    case). (House Judiciary; Senate Judiciary)

S. 737 (Craig)
    Security and Freedom Ensured Act (SAFE Act). Inter alia, sets additional
    requirements regarding use of authorities under Sec. 216 of the USA PATRIOT
    Act. (Judiciary)

SPYWARE

H.R. 29 (Bono)
    Spy Act. Requires the FTC to prescribe regulations prohibiting the
    transmission of spyware programs via the Internet to computers without the
    user’s consent, and notification to the user that the program will be used
    to collect PII; makes phishing unlawful. Reported from House Energy and
    Commerce Committee (H.Rept. 109-32); passed House May 23.

H.R. 744 (Goodlatte)
    Internet Spyware (I-SPY) Prevention Act. Sets criminal penalties for certain
    spyware practices. Reported from Judiciary Committee (H.Rept. 109-93);
    passed House May 23.

S. 687 (Burns-Wyden)
    SPY BLOCK Act. Broad anti-spyware bill. Hearing held. (Commerce)

S. 1004 (Allen)
    Enhanced Consumer Protection Against Spyware Act. To provide the FTC with
    the resources necessary to protect Internet users from spyware. (Commerce)

IDENTITY THEFT/PROTECTING SSNs AND OTHER PII

H.R. 82 (Frelinghuysen)
    Social Security On-line Privacy Protection Act. Regulates the use by
    interactive computer services of SSNs and related PII. (Energy and
    Commerce)

H.R. 92 (Frelinghuysen)
    Permits Medicare beneficiaries to use an identification number other than
    their SSN in order to deter identity theft. (Ways and Means, Energy and
    Commerce)

H.R. 220 (Paul)
    Identity Theft Prevention Act. Protects the integrity and confidentiality
    of SSNs, prohibits the establishment of a uniform national identifying
    number, and prohibits federal agencies from imposing standards of
    identification for individuals on other agencies or persons. (Ways &
    Means, Government Reform)

H.R. 1069 (Bean)
    Notification of Risk to Personal Data Act.* Requires federal agencies, and
    persons engaged in interstate commerce, in possession of electronic data
    containing personal information, to disclose any unauthorized acquisition
    of such information; requires financial institutions to disclose to
    customers and consumer reporting agencies any unauthorized access to
    personal information; and requires consumer reporting agencies to
    implement fraud alerts under certain circumstances. (Energy & Commerce,
    Government Reform, Financial Services)

H.R. 1078 (Markey)
    Social Security Number Protection Act. Regulates the sale and purchase of
    SSNs. (Energy & Commerce, Ways & Means)

H.R. 1080 (Markey)
    Information Protection and Security Act. Regulates the conduct of
    information brokers and the protection of PII held by them. (Energy &
    Commerce)

H.R. 1099 (Hooley)
    Anti-Phishing Act. Criminalizes phishing. (Judiciary)

H.R. 1653 (Markey)/S. 810 (Clinton)
    Safeguarding Americans from Exporting Identification Data (SAFE-ID) Act.
    Allows U.S. business entities to transmit PII of U.S. citizens to foreign
    affiliates or subcontractors in another country if that country has
    adequate privacy protections and the citizen has been given prior notice
    and not opted-out; and prohibits them from transmitting PII to foreign
    affiliates or subcontractors in a country without adequate privacy
    protections unless the U.S. citizen has opted-in. (House Energy &
    Commerce; Senate Judiciary)

H.R. 1745 (Shaw)
    Social Security Number and Identity Theft Prevention Act. To enhance SSN
    protections, prevent fraudulent misuse of SSNs, and otherwise enhance
    protection against identity theft. (Ways & Means)

H.R. 3140 (Bean)
    Consumer Data Security and Notification Act. To regulate information
    brokers, enhance information security requirements for consumer reporting
    agencies and information brokers, and require consumer reporting agencies,
    financial institutions, and other entities to notify consumers of data
    security breaches involving sensitive consumer information. (Financial
    Services)

H.R. 3374 (LaTourette)
    Consumer Notification and Financial Data Protection Act. To provide for the
    uniform and timely notification of consumers whose sensitive financial
    personal information has been placed at risk by a breach of data security,
    to enhance data security safeguards, and to provide appropriate consumer
    mitigation services. (Financial Services)

H.R. 3375 (Pryce)
    Financial Data Security Act. To amend the Fair Credit Reporting Act to
    provide for secure financial data. (Financial Services)

H.R. 3501 (Carson)
    Consumer Access Rights Defense Act. To require financial institutions and
    financial service providers to notify customers of the unauthorized use of
    personal financial information. (Energy and Commerce, Government Reform,
    Financial Services)

S. 29 (Feinstein)
    Social Security Misuse Prevention Act. Limits the misuse of SSNs and
    establishes criminal penalties for such misuse. (Judiciary)

S. 115 (Feinstein)
    Notification of Risk to Personal Data Act.* Requires federal agencies, and
    persons engaged in interstate commerce, in possession of electronic data
    containing personal information, to disclose any unauthorized acquisition
    of such information. (Judiciary)

S. 116 (Feinstein)
    Privacy Act of 2005. Requires the consent of an individual prior to the
    sale and marketing of the individual’s PII. (Judiciary)

S. 472 (Leahy)
    Anti-Phishing Act. Criminalizes phishing. (Judiciary)

S. 500 (Bill Nelson)
    Information Protection and Security Act. Regulates information brokers and
    protects individual rights to PII. (Commerce)

S. 751 (Feinstein)
    Notification of Risk to Personal Data Act.* Requires federal agencies, and
    persons engaged in interstate commerce, in possession of data containing
    personal information to disclose any unauthorized acquisition of such
    information. (Commerce)

S. 768 (Schumer)
    Comprehensive Identity Theft Prevention Act. Broad identity theft
    prevention bill, including protecting SSNs, assistance to victims,
    coordinating international action against identity theft, notification of
    information breaches, and establishing an Office of Identity Theft at the
    FTC. (Commerce)

S. 1326 (Sessions)
    Notification of Risk to Personal Data Act. Requires agencies and persons in
    possession of computerized data containing sensitive personal information
    to disclose security breaches if it poses a significant risk of identity
    theft. (Judiciary)

S. 1332 (Specter)
    Personal Data Privacy and Security Act. To prevent and mitigate identity
    theft, to ensure privacy, and to enhance criminal penalties and other
    protections against security breaches, fraudulent access and misuse of PII.
    Read the second time and placed on the legislative calendar July 1.

S. 1336 (Pryor)
    Consumer Identity Protection and Security Act. To establish procedures for
    the protection of consumers from misuse or unauthorized access to sensitive
    personal information contained in private information files maintained by
    commercial entities engaged in or affecting interstate commerce and provide
    for their enforcement by the FTC. (Commerce)

S. 1408 (Smith)
    Identity Theft Protection Act. Strengthens data protection and safeguards,
    requires notification of data breaches, and further prevents identity
    theft. Ordered reported from Senate Commerce Committee, amended, July 28,
    2008.

S. 1461 (Shelby)
    Consumer Identity Protection and Security Act. To protect consumers from
    misuse of, and unauthorized access to, sensitive personal information
    contained in private information files maintained by commercial entities
    engaged in, or affecting, interstate commerce, and provide for enforcement
    of those procedures by the FTC. (Banking)

S. 1594 (Corzine)
    Financial Privacy Protection Act. To require financial services providers
    to maintain customer information security systems and to notify customers
    of unauthorized access to personal information. (Banking)

Prepared by CRS.
PII = Personally Identifiable Information
SSN = Social Security Number
* Although H.R. 1069, S. 115, and S. 751 have the same title, each is different.
Appendix A. Internet Privacy-Related Legislation Passed by the 108th Congress

H.R. 2622 (Bachus); P.L. 108-159
Fair and Accurate Credit Transactions Act. Includes several provisions related to identity theft, such as setting requirements on consumer reporting agencies and credit card issuers, requiring truncation of credit card numbers on electronically printed receipts, and extending the statute of limitations for when identity theft cases can be brought.

H.R. 1731 (Carter); P.L. 108-275
Identity Theft Penalty Enhancement Act. Makes aggravated identity theft in conjunction with felonies a crime, and establishes mandatory sentences.

H.R. 4818 (Kolbe); P.L. 108-447
FY2005 Transportation, Treasury and General Government Appropriations Bill (incorporated into the FY2005 Consolidated Appropriations Act). Sec. 633 continues prohibition on use of appropriated funds to collect personal information about visitors to federal websites.

S. 2845 (Collins); P.L. 108-458
Intelligence Reform and Terrorism Protection Act. Creates Privacy and Civil Liberties Oversight Board.
Appendix B. Internet Privacy-Related Legislation Passed by the 107th Congress

H.R. 2458 (Turner)/S. 803 (Lieberman); P.L. 107-347
E-Government Act. Inter alia, sets requirements on government agencies in how they assure the privacy of personal information in government information systems and establishes guidelines for privacy policies for federal websites.

H.R. 5505 (Armey); P.L. 107-296
Homeland Security Act. Incorporates H.R. 3482, Cyber Security Enhancement Act, as Sec. 225. Loosens restrictions on ISPs, set in the USA PATRIOT Act, as to when, and to whom, they can voluntarily release information about subscribers.

H.R. 2215 (Sensenbrenner); P.L. 107-273
21st Century Department of Justice Authorization Act. Requires the Justice Department to notify Congress about its use of Carnivore (DCS 1000) or similar Internet monitoring systems.

H.R. 3162 (Sensenbrenner); P.L. 107-56
USA PATRIOT Act. Expands law enforcement's authority to monitor Internet activities. See CRS Report RL31289 for how the act affects use of the Internet. Amended by the Homeland Security Act (see P.L. 107-296).