Thank you Mark so much. And it is a real honor to have been invited by you Mark to be here today. You are, without question, a one one man, multinational, privacy advocacy group in yourself. And, combined with all the people who are here, really helped create an environment in which we are able to have a fair discussion about this issue.
As a matter of fact, I was just out in the hallway, I saw a noted cryptographer sharing a laugh with an FBI agent. It is so nice to see people getting along. Something about spring time in Washington, I guess. It also reminds me of the Biblical story of the lion laying down with the lamb. A mother with her two kids approached a zoo keeper at the National Zoo to tell him that the lion and the lamb were laying together in slumber, together in the same cage. She said it is the fulfillment, I told my children, of the Biblical prophecy, I told my children. The zoo keeper looked at her and said: "Don't get too excited lady. We throw a new lamb in there every day." Knowing this cryptographer, I am not sure who was the lamb, and who was the lion, in their conversation outside.
As everyone knows, the U.S. and NATO are currently engaged in military action in Kosovo against the Serbs. According to many accounts the Serbs are in the process of emptying out villages in Kosovo of their ethnic Albania inhabitants. Many ethnic Albanians are being killed in thousands, or are either in hiding, or on the run, and fleeing to border areas.
I mentioned this to all of you not to simply make note of the grim reality of current events, but because I think that I think that it is helpful to remind ourselves of a few things when thinking about privacy and freedom first. We can observe quite readily on TV and on the news on the net that great harm in being done to people in Kosovo based upon their ethnicity, their religious affiliation, what village they may hail from, or who their parents may be. Right now in parts of the former Yugoslavia, information about who you could literally mean whether you safe, or are in grave personal peril. This is such a depressing situation, because this is not a story from the middle ages or Nazi Germany. This is post cold war Europe in 1999.
My longstanding interest in privacy comes from my belief that privacy protection is part and parcel of exercising basic civic freedoms, and utterly interwoven in our self-identity as Americans. To my mind, losing our privacy altogether would be tantamount to losing our freedom.
It is for these reasons that I am honored to be invited to address this conference. And it is for these reasons that I will again battle on Capitol Hill for a strong pro-consumer encryption policy, and while, and why, I will continue my fight to put basic rules on the books, even as we promote new technologies in telecommunications competition. [Applause.]
Last year, building upon the work done at the Federal Trade Commission, I offered legislation, along with Senator Richard Bryan to protect the privacy rights of kids twelve and under. This measure was ultimately approved by the Congress, and is now the law. The question for us in this session of Congress is whether or not Americans loose their privacy protections upon turning thirteen years of age. While becoming a teenager will always become a rite of passage in America, it must not become a milestone for the flight of privacy.
As many of you know, I found the unique identifying technology in the Intel Pentium III, and Microsoft products, very disturbing. I quickly wrote to the CEO of Intel when the Pentium III was unveiled to request a redesign of the chip to better address consumer privacy concerns.
Many people have come up to me in recent days and have noted that the unique identifier that causes concerns for many privacy advocates and consumers was critical in tracking down the alleged perpetrator of the Melissa virus. There is a wringing of hands over the difficulty of reconciling the duality of the technology. On the one hand, it is a threat to privacy. And on the other, it may help solve crimes, or make transactions more secure. My response to them is that it is indeed very difficult to reconcile the two, but only if you rely solely upon the technology. If there are no rules that articulate permissible uses, and consumers rights, "yes," I tell them, "it is quite difficult for consumers to know handle this." Again, that is why WE NEED RULES. We need rules so companies know how to handle their -- we need rules governing how law enforcement can get access to this information.
For any online privacy notice to work it must be designed to serve consumers by being clear, conspicuous, concise, and common sense in its approach. It will not do the industry any good to gleefully trumpet an increase in the number of sites posting privacy notices, if it turns out that many of such postings are either hard to find, hard to understand, or both. In addition, as technology changes, sites will inevitably be able to glean more information electronically and surreptitiously from consumers.
In such a context, merely informing consumers that a site may have already gathered personal information electronically, and providing notice about how it intends to use such information, IS UNACCEPTABLE. That is like saying burglary is OK, as long a the thief leaves behind a note clearly indicating what was stolen, and how the thief intends to use the stolen items. Company executives often ask me, "What if I post on my site a notice about what information I am gathering, and how I am going to use it. Is that OK?" The answer is "almost." A key ingredient is missing, consumer consent. Notice alone is insufficient. Consumers must have an effective opportunity to grant or deny consent. To be fair, I am giving the critique of the work of people in companies who are at least trying to be constructive, and are trying to be part of the solution.
I do not accept the notion that the Internet is too complex is too complex, and technology is changing so rapidly, that we cannot develop enforceable privacy protections for consumers. As technologies change, and business plans for online commerce adjust, consumers' privacy principles remain a constant.
In addition to an overarching privacy bill of rights, which I just outlined for electronic commerce, one that doesn't just cover those who are twelve and under, which Senator Bryan and I were able to put on the books, and the FTC is in the rule making, but for everyone thirteen and over, I also believe that it is essential to enhance the protections offered in two key areas: financial services and health care.
I have recently introduced more detailed legislation addressing these two areas, because I believe that financial data and health data warrant a greater degree of protection, and I think there is general consensus of that notion. Today, the convergence of the banking, the securities, and insurance industry, in to giant financial service conglomerate is making it possible construct a detailed record of consumers' credit card purchases, checking or savings account deposits or withdrawals, brokerage accounts, mutual fund holdings, and insurance coverage. If we fail to give financial services consumers effective privacy protections soon, we may enter a world in which loans are denied when an insurance company informs an affiliated bank that the consumer has a serious medical condition; in which highly vulnerable groups, such as seniors, the widows, who have have just received life insurance beneficiary checks, get cold calls by stockbrokers based on information provided by an insurance company or a bank; and, in which virtually every purchase a consumer makes becomes part of a digital dossier that is used for cross marketing purposes.
The lack of a federal law to protect the privacy of our medical records leaves us vulnerable to collapses of confidentiality regarding our most personal and sensitive information. Recently, there was an article in the newspaper about a company that is, quote, seeking the mother lode in health data mining. The goal of this company is to compile medical data on millions of Americans, and sell this data to any buyer. Everyone's personal health information has become a valuable to be traded like soybeans, or pork bellies, except this commodity contains your families most personal and intimate secrets. With no federal law to prevent unfettered access to your medical information, patient confidentiality has become a virtual myth, and the sale of your secrets a virtual reality.
The Hippocratic Oath provides that "all who may come to my knowledge in the exercise of my profession or in daily commerce with men which ought not to be spread abroad I will keep secret and will never reveal." I believe that this is a firm basis, not only for good medicine, but also for good public policy on patient privacy. But without a federal medical law, not only is your personal information at risk, but also your quality of health care. We can't let privacy slide to the point where the only way for a person to insure confidentiality is to avoid to medical treatment altogether.
While threats to your privacy in this information age compel us to debate the implementation of a privacy medical law, Congress has another reason to address medical privacy. A provision in the Health Insurance Portability and Accountability Act, HIPA, has imposed an August 1999 deadline for Congress to enact medical privacy legislation. Now is the time to work expeditiously to pass a strong and effective bill.
On March 10 I introduced the Medical Information Privacy and Security Act of 1999. Its companion in the Senate was introduced on the same day by Senators Leahy and Kennedy. Congressman Jim McDermott now, has introduced it in the House. This bill provides strong privacy measures while respecting the health care profession's need to share information for treatment and diagnosis. It limits the amount of personal health information required for billing and payment purposes. And, it gives patients the opportunity to control access to their medical information by third parties. Furthermore, the bill will prevent law enforcement agents from browsing through medical records without a warrant. And, would close the existing gaps in federal privacy rules to ensure protection of personally identifiable health information by creating a federal law.
The bill would not preempt any state law or regulation that offers greater privacy safe caps. And, we propose this for two reasons. First, a strong federal privacy law will eliminate much of the current patchwork of state laws governing the exchange of medical information, and will replace the patchwork with strong clear standards that will apply to everyone. And second, MIPSA makes room for possible future threats to medical privacy that we may not even anticipate today.
As medical information technology moves forward into the next century, we must maintain the public trust to seek stronger medical privacy laws closer by each of our homes. These elements are essential to any strong medical privacy act.
I want to encourage anyone here today, with any thoughts or insights on online privacy, of banking privacy, or health care privacy, to give me a call, or to contact my staff. Collin Crowell, who is on my staff -- Can you raise your hand back there Collin? -- Collin is the person who is without question the primary staffer on the House side who thinks most about all of these privacy related issues. If there are any of you want to have your thoughts included in any debate on privacy, please give Collin or me a call personally. And I want to especially encourage the online industry to think about how to address these issues in a comprehensive way. Do not wait for a privacy meltdown of Chernobyl like proportion before you endorse some government overhaul.
I will be introducing an updated privacy bill of rights legislative initiative in the coming weeks, and I would appreciate any input or comment people may have. What you believe should be included in such legislation. And I would solicit from you any help, any support, that you can give to the movement of this legislation. We have reached a point now where we can in fact lobby electronically. Where we can contact every Congressional office over and over again with national networks that care about the issues.
When the issue of encryption, the battle between the FBI and the computer, and software, and individual, individuals in our society, that EPIC seeks to protect, was before the Commerce Committee last year, we had Louie Freeh and the National Security Agency brief us in private, the entire committee, and we weren't even allowed to bring in our staffs into the briefing, because they wanted us to understand how important it was for the law enforcement industry, uh, uh, individuals, to have a back door to every piece of software, every computer, that was sold in the United States and around the globe. On the other hand, as I was making this amendment, to take the privacy point of view the next morning, there were tens of thousands of individuals across the country, who were for the first time using their electronic capacity to be able reach our committee who were inundating our committee members, and by a vote of 32 to 14 I won, which would have been absolutely unpredictable two weeks before when the FBI, the CIA and the National Security Council, saying to our committee members that this was essential. If you want to in group involve yourself, your company, your associations in this issue, I promise you that you can make a huge difference.
Let us put these safeguards on the books in an anticipatory way. Let us not wait until it becomes obvious because of 20/20 or 60 Minutes or Front Page exposÚs, in newspaper after newspaper across the country, that this has turned into a national crisis.
I want to thank all of you for all the work that you do on this issue. I especially want to thank Mark and all of the people who work with him for putting together this critical conference. And I want to work with all of you in the year ahead to put these laws on the books. Thank you all so so much. [Applause.]
[Rep. Markey did not take any questions from the audience.]