Keynote Address by Rep. Edward Markey (D-MA).
As Delivered at the CFP 99 Convention.
Re: proposals for federal laws protecting privacy.
Date: April 7, 1999.
Source: This document was created by Tech Law Journal by transcribing an audio recording, and converting to HTML. Copyright 1999, Tech Law Journal. All rights reserved.

[Rep. Edward Markey was introduced by Mark Rotenberg, of the Electronic Privacy Information Center, and this year's Chairman of the convention.]

Thank you Mark so much. And it is a real honor to have been invited by you Mark to be here today. You are, without question, a one one man, multinational, privacy advocacy group in yourself. And, combined with all the people who are here, really helped create an environment in which we are able to have a fair discussion about this issue.

As a matter of fact, I was just out in the hallway, I saw a noted cryptographer sharing a laugh with an FBI agent. It is so nice to see people getting along. Something about spring time in Washington, I guess. It also reminds me of the Biblical story of the lion laying down with the lamb. A mother with her two kids approached a zoo keeper at the National Zoo to tell him that the lion and the lamb were laying together in slumber, together in the same cage. She said it is the fulfillment, I told my children, of the Biblical prophecy, I told my children. The zoo keeper looked at her and said: "Don't get too excited lady. We throw a new lamb in there every day." Knowing this cryptographer, I am not sure who was the lamb, and who was the lion, in their conversation outside.

As everyone knows, the U.S. and NATO are currently engaged in military action in Kosovo against the Serbs. According to many accounts the Serbs are in the process of emptying out villages in Kosovo of their ethnic Albania inhabitants. Many ethnic Albanians are being killed in thousands, or are either in hiding, or on the run, and fleeing to border areas.

I mentioned this to all of you not to simply make note of the grim reality of current events, but because I think that I think that it is helpful to remind ourselves of a few things when thinking about privacy and freedom first. We can observe quite readily on TV and on the news on the net that great harm in being done to people in Kosovo based upon their ethnicity, their religious affiliation, what village they may hail from, or who their parents may be. Right now in parts of the former Yugoslavia, information about who you could literally mean whether you safe, or are in grave personal peril. This is such a depressing situation, because this is not a story from the middle ages or Nazi Germany. This is post cold war Europe in 1999.

When people from the European Community tell us that they are, that they see privacy policy not merely through a prism of trade relations, but as a cultural issue, or as a sensitive social issue, or personal issue, we should listen to them. I personally agree with them.

Our own privacy policy should reflect the socio-cultural mores of our American community, as much as our economic system. I say this to remind ourselves that on a global medium such as the Internet, information about you will not only be of interest to Madison Avenue, or your insurance. As all of us become ever more digital in how we work and play, information about us will become more detailed, more personal in nature. And the ability to create and compile and distribute digital dossiers on each of us will become greatly facilitated.

My longstanding interest in privacy comes from my belief that privacy protection is part and parcel of exercising basic civic freedoms, and utterly interwoven in our self-identity as Americans. To my mind, losing our privacy altogether would be tantamount to losing our freedom.

It is for these reasons that I am honored to be invited to address this conference. And it is for these reasons that I will again battle on Capitol Hill for a strong pro-consumer encryption policy, and while, and why, I will continue my fight to put basic rules on the books, even as we promote new technologies in telecommunications competition. [Applause.]

Last year, building upon the work done at the Federal Trade Commission, I offered legislation, along with Senator Richard Bryan to protect the privacy rights of kids twelve and under. This measure was ultimately approved by the Congress, and is now the law. The question for us in this session of Congress is whether or not Americans loose their privacy protections upon turning thirteen years of age. While becoming a teenager will always become a rite of passage in America, it must not become a milestone for the flight of privacy.

I believe that any solution to implementing a national privacy policy has to be a combination of three key elements. One, technological tools. Two, industry self-regulation. And three, government enforced set of basic privacy rules. Let me briefly outline three elements that I think will ultimately be what our national privacy policy is built upon. I have long believed in the potential for technology to help solve some public problems that technology creates. There is no question that my interest in making sure that strong encryption remains available to all Americans comes from the belief that people ought to be able to take steps themselves to protect their own data, conversations, or intellectual property. Moreover, in the context of online transactional information, the platform for privacy preferences, or P3P, certainly holds much promise. P3P may someday avail consumers of an increased ability to signal electronically to sites on the web consumers desires as to how such entity should treat their personal information.

At the very least, this would save consumers the toil of clicking on the privacy policy of each web site they visit in order to ascertain what each site might have in store for their personal data. Yet this technology can truly work only if it is widely available, and only if the private sector honors the privacy preferences being expressed by the consumers. In addition, as the unveiling of Intel's Pentium III made clear to many of us, relying upon technology alone puts consumer privacy at the trailing edge of a never ending process of technological oneupsmanship. As consumers get new tools, new challenges opposed to the full and effective utilization, all the technological tools, this is not in itself a bad thing. We obviously want technology to evolve. My point is only that personal privacy should not bend to latest technology, but rather technology should be designed with technology in mind. We cannot count on every technology company to do this. And every consumer cannot be expected to be savvy enough about all of the latest gadgetry of the latest products in order to protect themselves. It is an unrealistic expectation, which is why WE NEED RULES.

As many of you know, I found the unique identifying technology in the Intel Pentium III, and Microsoft products, very disturbing. I quickly wrote to the CEO of Intel when the Pentium III was unveiled to request a redesign of the chip to better address consumer privacy concerns.

Many people have come up to me in recent days and have noted that the unique identifier that causes concerns for many privacy advocates and consumers was critical in tracking down the alleged perpetrator of the Melissa virus. There is a wringing of hands over the difficulty of reconciling the duality of the technology. On the one hand, it is a threat to privacy. And on the other, it may help solve crimes, or make transactions more secure. My response to them is that it is indeed very difficult to reconcile the two, but only if you rely solely upon the technology. If there are no rules that articulate permissible uses, and consumers rights, "yes," I tell them, "it is quite difficult for consumers to know handle this." Again, that is why WE NEED RULES. We need rules so companies know how to handle their -- we need rules governing how law enforcement can get access to this information.

Now on industry self-regulation. I want to salute the laudable efforts of certain segments of the industry in trying to develop so called self-regulatory solutions. I want to commend those companies associated with online privacy initiatives: seal programs, such as TRUSTe, and BBB online, as well as the growing number of companies taking steps to better inform consumers and offer better privacy protection on their own additions. These undertakings are critical to increasing to consumer confidence and trust in the medium, and will be an important component in any comprehensive set of privacy protection for consumers. Many members of the online community have posted privacy policies on their web sites in the last year. I am sure that any conducted will indicate that there is a growth in the number of web sites that host such privacy policy.

I want to make clear, however, that a posted privacy policy is not synonymous with a good privacy policy. Everyone who has taken the time to develop and post a privacy policy gets a gold star and pat on the back, except of course, those who took the extra time and effort to find the most obscure and remote part of the web site to post the notice, with the link in the smallest size font available, and who then who proceeded to lawyer up a plain language privacy notice in a way that would warm the heart of any general counsel of any company in the United States of America. [Applause.]

For any online privacy notice to work it must be designed to serve consumers by being clear, conspicuous, concise, and common sense in its approach. It will not do the industry any good to gleefully trumpet an increase in the number of sites posting privacy notices, if it turns out that many of such postings are either hard to find, hard to understand, or both. In addition, as technology changes, sites will inevitably be able to glean more information electronically and surreptitiously from consumers.

In such a context, merely informing consumers that a site may have already gathered personal information electronically, and providing notice about how it intends to use such information, IS UNACCEPTABLE. That is like saying burglary is OK, as long a the thief leaves behind a note clearly indicating what was stolen, and how the thief intends to use the stolen items. Company executives often ask me, "What if I post on my site a notice about what information I am gathering, and how I am going to use it. Is that OK?" The answer is "almost." A key ingredient is missing, consumer consent. Notice alone is insufficient. Consumers must have an effective opportunity to grant or deny consent. To be fair, I am giving the critique of the work of people in companies who are at least trying to be constructive, and are trying to be part of the solution.

Today, our public policy has set up an inverse system of rewards and punishments. If a company takes the time to develop and post a privacy policy, and then at some point violates it in some way, the FTC can go after that company, and seek to address consumer grievances. On the other hand, if a company posts no policy at all, and then engages in personal information hijacking, on a daily basis, it is legally free and clear to do just that and to continue on it merry way. That makes no sense at all. The company without a posted privacy policy is clearly being unfair to consumers, and such a legal dynamic is also unfair to all of those other companies taking steps to deal forthrightly with consumers.

We have got to address this issue. The way to do so is with rules covering all companies, and having the FTC enforce them. My belief is that industry self-regulation is clearly going to be part of any comprehensive privacy policy for the United States. Consumers should be able to go out, negotiate for the best privacy protection in the marketplace. And companies ought to compete on terms and conditions of personal information use. But no consumers should be completely bereft of any basic privacy protection when they visit a site. And again, although I have long been a big believer in utilizing technology to solve some of the problems that technology creates, I don't believe at this time that technological tools will be ubiquitously available and affordable, or universally honored by information hunters, and data gatherers, to solve the problem through technology alone. Our national privacy policy must, and I believe inevitably will, include a governmental role. Congress can put rules on the books in a way that factors in new technology, that encompasses what industry self-regulation can offer, but that also -- feels flexible, realistically and pragmatically, with the limitations of technology and self-regulation in fully protecting consumers.

I do not accept the notion that the Internet is too complex is too complex, and technology is changing so rapidly, that we cannot develop enforceable privacy protections for consumers. As technologies change, and business plans for online commerce adjust, consumers' privacy principles remain a constant.

In addition to an overarching privacy bill of rights, which I just outlined for electronic commerce, one that doesn't just cover those who are twelve and under, which Senator Bryan and I were able to put on the books, and the FTC is in the rule making, but for everyone thirteen and over, I also believe that it is essential to enhance the protections offered in two key areas: financial services and health care.

I have recently introduced more detailed legislation addressing these two areas, because I believe that financial data and health data warrant a greater degree of protection, and I think there is general consensus of that notion. Today, the convergence of the banking, the securities, and insurance industry, in to giant financial service conglomerate is making it possible construct a detailed record of consumers' credit card purchases, checking or savings account deposits or withdrawals, brokerage accounts, mutual fund holdings, and insurance coverage. If we fail to give financial services consumers effective privacy protections soon, we may enter a world in which loans are denied when an insurance company informs an affiliated bank that the consumer has a serious medical condition; in which highly vulnerable groups, such as seniors, the widows, who have have just received life insurance beneficiary checks, get cold calls by stockbrokers based on information provided by an insurance company or a bank; and, in which virtually every purchase a consumer makes becomes part of a digital dossier that is used for cross marketing purposes.

The lack of a federal law to protect the privacy of our medical records leaves us vulnerable to collapses of confidentiality regarding our most personal and sensitive information. Recently, there was an article in the newspaper about a company that is, quote, seeking the mother lode in health data mining. The goal of this company is to compile medical data on millions of Americans, and sell this data to any buyer. Everyone's personal health information has become a valuable to be traded like soybeans, or pork bellies, except this commodity contains your families most personal and intimate secrets. With no federal law to prevent unfettered access to your medical information, patient confidentiality has become a virtual myth, and the sale of your secrets a virtual reality.

The Hippocratic Oath provides that "all who may come to my knowledge in the exercise of my profession or in daily commerce with men which ought not to be spread abroad I will keep secret and will never reveal." I believe that this is a firm basis, not only for good medicine, but also for good public policy on patient privacy. But without a federal medical law, not only is your personal information at risk, but also your quality of health care. We can't let privacy slide to the point where the only way for a person to insure confidentiality is to avoid to medical treatment altogether.

While threats to your privacy in this information age compel us to debate the implementation of a privacy medical law, Congress has another reason to address medical privacy. A provision in the Health Insurance Portability and Accountability Act, HIPA, has imposed an August 1999 deadline for Congress to enact medical privacy legislation. Now is the time to work expeditiously to pass a strong and effective bill.

On March 10 I introduced the Medical Information Privacy and Security Act of 1999. Its companion in the Senate was introduced on the same day by Senators Leahy and Kennedy. Congressman Jim McDermott now, has introduced it in the House. This bill provides strong privacy measures while respecting the health care profession's need to share information for treatment and diagnosis. It limits the amount of personal health information required for billing and payment purposes. And, it gives patients the opportunity to control access to their medical information by third parties. Furthermore, the bill will prevent law enforcement agents from browsing through medical records without a warrant. And, would close the existing gaps in federal privacy rules to ensure protection of personally identifiable health information by creating a federal law.

The bill would not preempt any state law or regulation that offers greater privacy safe caps. And, we propose this for two reasons. First, a strong federal privacy law will eliminate much of the current patchwork of state laws governing the exchange of medical information, and will replace the patchwork with strong clear standards that will apply to everyone. And second, MIPSA makes room for possible future threats to medical privacy that we may not even anticipate today.

As medical information technology moves forward into the next century, we must maintain the public trust to seek stronger medical privacy laws closer by each of our homes. These elements are essential to any strong medical privacy act.

I want to encourage anyone here today, with any thoughts or insights on online privacy, of banking privacy, or health care privacy, to give me a call, or to contact my staff. Collin Crowell, who is on my staff -- Can you raise your hand back there Collin? -- Collin is the person who is without question the primary staffer on the House side who thinks most about all of these privacy related issues. If there are any of you want to have your thoughts included in any debate on privacy, please give Collin or me a call personally. And I want to especially encourage the online industry to think about how to address these issues in a comprehensive way. Do not wait for a privacy meltdown of Chernobyl like proportion before you endorse some government overhaul.

I will be introducing an updated privacy bill of rights legislative initiative in the coming weeks, and I would appreciate any input or comment people may have. What you believe should be included in such legislation. And I would solicit from you any help, any support, that you can give to the movement of this legislation. We have reached a point now where we can in fact lobby electronically. Where we can contact every Congressional office over and over again with national networks that care about the issues.

When the issue of encryption, the battle between the FBI and the computer, and software, and individual, individuals in our society, that EPIC seeks to protect, was before the Commerce Committee last year, we had Louie Freeh and the National Security Agency brief us in private, the entire committee, and we weren't even allowed to bring in our staffs into the briefing, because they wanted us to understand how important it was for the law enforcement industry, uh, uh, individuals, to have a back door to every piece of software, every computer, that was sold in the United States and around the globe. On the other hand, as I was making this amendment, to take the privacy point of view the next morning, there were tens of thousands of individuals across the country, who were for the first time using their electronic capacity to be able reach our committee who were inundating our committee members, and by a vote of 32 to 14 I won, which would have been absolutely unpredictable two weeks before when the FBI, the CIA and the National Security Council, saying to our committee members that this was essential. If you want to in group involve yourself, your company, your associations in this issue, I promise you that you can make a huge difference.

Let us put these safeguards on the books in an anticipatory way. Let us not wait until it becomes obvious because of 20/20 or 60 Minutes or Front Page exposés, in newspaper after newspaper across the country, that this has turned into a national crisis.

I want to thank all of you for all the work that you do on this issue. I especially want to thank Mark and all of the people who work with him for putting together this critical conference. And I want to work with all of you in the year ahead to put these laws on the books. Thank you all so so much. [Applause.]

[Rep. Markey did not take any questions from the audience.]