EPIC Testimony on Wireless Directory Privacy Issues

I appreciate the opportunity to appear before the Committee today to discuss privacy issues raised by a proposed wireless directory for customers of wireless telephone services. My name is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center in Washington, and I have taught the Law of Information Privacy at Georgetown since 1990. As both an advocate and academic, I have participated in many of the leading privacy debates in this country. With me this morning is Chris Jay Hoofnagle, Associate Director of EPIC.

Summary

As the wireless industry develops a directory of numbers for wireless devices, Congress should act to safeguard privacy and to create legally enforceable rights with respect to data in the wireless directory.� We believe the industry shares our concerns that privacy protection will be important for this information, and also recognizes that many other new wireless services could be jeopardized if strong privacy standards are not established.� However, we are not persuaded that wireless directories can be administered fairly without legal rights for the millions of individuals who will be enrolled in the system.� These new directories raise the privacy risks of unwanted telemarketing, SMS spam, junk faxes, and contacts from undesirable callers, including stalkers.

It is clear that there are very high levels of public support for strong privacy safeguards for telephone services. More than 60 million American households signed up for the Do Not Call service so that they would not receive telemarketing calls at dinnertime. Millions of American household have unlisted and/or unpublished telephone numbers. According to one survey, 35% of households nationwide do list or publish telephone numbers. In major metropolitan areas in California, nearly 70% of telephone numbers are unlisted.[1]

The modern history of privacy protection is one where Congress acts in advance to safeguard privacy while allowing emerging technologies to develop. Enacting privacy protections for the wireless directories is both consistent with Congress' prior actions on privacy issues, and necessary in this case to ensure that consumers have substantive rights in their personal information.� The �Wireless 411 Privacy Act,� S. 1963, is a first step toward addressing privacy issues presented by wireless directories.� However, we believe this Committee should strengthen the Wireless Privacy Act in several aspects before it is presented to the full Senate.� In particular, we believe that the standard for enrollment should be a consumer friendly, opt-in system that ensures adequate notice and requires affirmative consent. In the third part of our testimony, we raise objections to a related telecommunications privacy issue, Junk Faxes.� This Committee recently reported out the Junk Fax Prevention Act of 2004, S. 2603, without a hearing.� We urge the members to take a closer look at this proposal. The Senate should not enact that bill, as currently drafted, as it will likely exacerbate the junk fax problem.

I) Congress Has Safeguarded Privacy as New Telecommunications Technologies Emerge

The recent history of privacy law in the United States is largely a story of efforts by Congress to pass laws to safeguard privacy as new technologies emerge. There are, for example, the privacy subscriber provisions of the Cable Act of 1984 (cable television), the Video Privacy Protection Act (video rental records), the Electronic Communications Privacy Act of 1998 (electronic mail), the Polygraph Protection Act of 1988 (lie detectors), and the Children's Online Privacy Protection of 1999 (Children's data obtained by companies operating on the Internet).�

The Telephone Consumer Protection Act of 1991 is especially relevant to this debate, as that law shielded individuals from auto dialers, junk faxes, and telemarketing to wireless phones long before the devices were adopted on a widespread level.� It is because of that 1991 law that individuals have a sanctuary from commercial interruption when it comes to their wireless phones.� Because Congress acted early to shield wireless devices, they continue to be adopted by millions of Americans.� If Congress had not acted to protect privacy, wireless services probably would not be as successful as they are.

These privacy laws have come about in response to challenges posed by new technologies. However, the aim is rarely to limit the technology or to stifle a new business; it is instead to ensure that the data collection is fair, transparent, and subject to law. This approach builds consumer confidence, establishes a stable business environment, and allows for the benefits of new technology while safeguarding key interests.

It has been our experience that in a self-regulatory environment, even reputable companies are swayed by forces that result in watering down privacy protections.� Without legal protections, privacy provisions in the wireless directory may be changed at will by the wireless industry.

In other contexts where businesses operate in a self-regulatory privacy atmosphere, there has been a race to the bottom, even among profitable companies.� For instance, eBay changed users' preferences on receiving marketing and watered-down their privacy policy in 2001.� The company changed the privacy choices of six million registered eBay members who had expressed that they did not want to receive spam or telemarketing.� Amazon.com, a popular online bookseller, changed its privacy policy in December 2000.� Amazon reneged on its promise to never reveal customers' transactional information. Yahoo, a popular Internet portal and free e-mail service, changed its policies so that the company could send more spam to customers.�� The change required Yahoo users to re-opt-out in order to avoid the new marketing messages.� Drkoop.com, a popular medical website founded by former Surgeon General C. Everett Koop, sold its e-mail list as a bankruptcy asset to vitacost.com in July 2002.� Drkoop.com gave individuals one week to opt-out of the sale, despite making guarantees of opt-in protections for transfer of personal data.

Congressional action is warranted here because privacy is more likely to be invaded when creating a wireless directory than a wireline one. Consumers tend to treat their wireless phones as personal devices.� Often, consumers take their wireless phones everywhere they go, making the devices an avenue for disruption in contexts where wireline phones cannot reach. Consumers are also charged for the calls and SMS messages received on their phones. An improperly implemented wireless directory could result in both more personal, but also more costly, disruption to consumers.

In the past, unfortunately, phone companies have sided against privacy and consumers when implementing protections for CPNI, Customer Proprietary Network Information.� CPNI is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration, and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.� Although Congress in passing 47 U.S.C. � 222(c)(1) specified that phone companies should obtain the "approval of the customer" before using CPNI, the companies interpreted "approval" to mean opt-out, and used the data unless a consumer specifically objected.�

Finally, establishing a right of privacy in law does not require extensive regulation. There are many privacy laws of only a few pages that are extraordinarily effective. The subscriber privacy provision in the Cable Act of 1984, for example, is one of the most effective privacy laws in the US. It provides a very good model for emerging privacy issues in the commercial world.

II. The Wireless 411 Privacy Act, S. 1963, Is a Good Start But Could Be Improved

We applaud the Members for introducing the Wireless 411 Privacy Act, S. 1963, and the Chairman and Ranking Member for holding a hearing on this important issue.� The Wireless Privacy Act is a good starting point for addressing the privacy issues implicated by wireless directories.� We have detailed the major provisions of the bill below while suggesting critical improvements

Section 3 of S. 1963 amends the Communications Act of 1934, 47 U.S.C. � 332(c), to create an "express prior authorization" standard for enrollment in the wireless directory for current wireless subscribers.� We strongly support this opt-in standard for enrollment in the wireless directory.

The Standard Should Be Opt-In for New Subscribers

Under Section 3 in a provision creating 47 U.S.C. � 332(c)(9)(B), new wireless subscribers would automatically be enrolled, but could opt-out through "convenient mechanisms" at the beginning of the wireless contract, in the billing of the service, and when receiving any connecting call from a wireless directory assistance service.� Here, we believe that the Committee should eliminate this provision and require opt-in before enrollment for both new and current wireless subscribers.�

An opt-in framework would better protect individuals' rights, and is consistent with most United States privacy laws.� For instance, the Family Educational Rights and Privacy Act, Cable Communications Policy Act, Electronic Communications Privacy Act, Video Privacy Protection Act, Driver's Privacy Protection Act, and Children's Online Privacy Protection Act all empower the individual by specifying that affirmative consent is needed before information is employed for secondary purposes.

Further, public opinion clearly supports an opt-in system for information collection and sharing.� A study conducted by the American Society of Newspaper Editors (ASNE) and the First Amendment Center (FAC) in April 2001 illustrated strong support for privacy and specifically for opt-in systems.� An August 2000 Pew Internet & American Life Project Poll showed that 86% of respondents supported opt-in privacy policies. Historically, polls show similar support for the right to affirmative opt-in consent. For instance, a 1991 Time-CNN Poll indicated that 93% of respondents believed that companies should gain permission from the individual before selling personal information.

Opt-in is more effective and more efficient than opt-out because it encourages companies to explain the benefits of information sharing. This allows consumers to exercise meaningful control over personal information.� Experience with opt-out has shown that companies routinely make it difficult for consumers to safeguard personal information.

In other settings, phone companies have thwarted opt-out processes by demanding excessive authentication for opting out.� For instance, the opt-out process for Customer Proprietary Network Information (CPNI) data sharing established by one major phone company is very confusing, and places the burden on individuals to navigate a five-step process in order to opt-out.

If an opt-out standard is maintained, the procedures should be clearer.� New subscribers should have the opportunity to opt out when entering the contract, by calling customer service at any time, or by checking a box on the monthly payment coupon that is mailed back to the wireless company.

The Bill May Preempt State Law

Although S. 1963 is silent on preemption, its placement at 47 U.S.C. � 332 may express a Congressional intent to supercede stronger state laws. Consumer protection is historically state-based responsibility. Federal laws in this area should establish a floor of protection rather than as a ceiling.

There are important reasons in our form of government to continue to allow the states to operate as "laboratories of democracy." Congress may fail to act or may act in such a way that reduces or limits the protections that a state might otherwise choose to provide for its citizens. States may also innovate and explore different approaches to common problems.

The California Legislature, for example, has passed legislation to protect wireless directory privacy.� The California wireless privacy bill, AB 1733, received strong bi-partisan majorities in the State's Senate and Assembly, and awaits signature by Governor Schwarzenegger.�

The California bill requires carriers to obtain affirmative consent before selling lists of phone numbers or including them in wireless directories.� The bill allows individuals to revoke consent at any time.� Carriers must comply with the unlisting within 60 days.� The bill also�prohibits carriers from charging for enrollment/refusal to enroll.

There is also a right of recourse against violators of the law.� Individuals can bring a civil suit against "deliberate violations."� Congress should adopt provisions at least as strong as the California law, especially if Congress acts in such a way as to preempt further state legislation.

Greater Technical Safeguards Could Be Encouraged

Under Section 3 in a provision creating 47 U.S.C. � 332(c)(9)(C), the bill regulates calls forwarded through wireless directory assistance by requiring "cloaking."� Calls could only be forwarded to those in the wireless directory.� Before forwarding a call, a carrier would have to disclose the caller's identity to the recipient, the recipient must be able to decline the call, and the carrier could not disclose the recipient's number to the caller.� This cloaking of the recipient's phone number would be an excellent service for callers and recipients, but it is unclear whether it is necessary for Congress to mandate this specific business model.� For instance, individuals who decide not to enroll in wireless directory may choose instead to sign up for this forwarding service with cloaking.� But the bill would prohibit carriers from offering that option.�

Carriers may develop other pro-privacy technical protections to encourage greater participation in wireless directories.� For instance, under an "announce" system, the recipient would hear the name of the caller before accepting the call, much like collect calling works today.� Again, individuals may wish to stay out of the wireless directory, but accept calls through an announce system.� Congress should not prohibit carriers from creating and offering these options.� We believe that Congress should instead encourage the FCC to develop privacy-protective technical options with the carriers. Accordingly, we recommend that this provision be stricken from the bill, and replaced with language that directs the FCC to develop options with carriers that respect individuals' privacy.

The Publication Prohibition Should Be Strengthened

Under Section 3 in a provision creating 47 U.S.C. � 332(c)(9)(C), the bill prohibits publication of the wireless directory in print or electronic form.� We think that this is a well-intentioned provision, but that it falls short of ensuring protection for the wireless directory.� While formal publication of the wireless directory would be privacy invasive, there is a strong risk of privacy invasion caused by the sale of the wireless directory to commercial data brokers or to others who traffic in personal information.� The legislation should prohibit publication, but also bulk disclosure of the numbers to telemarketers, data brokers, or to other unaccountable sellers of personal information.� We note that California AB 1733 would prohibit the sale of databases of phone numbers.

The Definition of "Wireless Telephone Number Information" Should Be Narrowed

Under Section 3 in a provision creating 47 U.S.C. � 332(c)(9)(F), S. 1963 has a broad definition of the information that can be stored in the wireless directory and disclosed to callers.� "Wireless telephone number information" includes the telephone number, electronic address (e-mail address or new form of identifier, such as Electronic Numbering, or "ENUM"), physical address, and any other identifying information by which a calling party may reach a subscriber.� We think that this definition should be narrowed to include only the name and wireless telephone number.� Consumers should have the option, but should not be required, to include other information.

A Right of Recourse is Needed

S. 1963 does not specify a clear remedy for individuals who are wrongfully included in the wireless directory.� The bill should be amended to create clear avenues for recourse against carriers that wrongfully list or otherwise fail to comply with Congress' direction.

Individuals Should Not Be Charged

Under Section 3 in a provision creating 47 U.S.C. � 332(c)(9)(E), the bill prohibits charging for enrollment or refusal to enroll.� We believe that this is an appropriate protection for individuals, and that it should be extended to the wireline context.�

Currently, wireline carriers charge individuals who wish to protect their privacy.� Here in Washington, DC, Verizon charges residential consumers $5.16 a year for an unlisted number and $9.72 for an unpublished number.� This bad wireline precedent should not be continued into the wireless realm.

III. The Junk Fax Prevention Act Will Promote Junk Faxes

We wish to comment here on a related telecommunications privacy issue, the problem of junk faxes, unsolicited commercial facsimile messages.� S. 2603, the Junk Fax Prevention Act of 2004, a bill that was reported out of this Committee favorably without amendment, will exacerbate the junk fax problem.� Section 2 of S. 2603 would amend one of the strongest consumer privacy laws, the Telephone Consumer Protection Act (TCPA), to create an "established business relationship" exemption for senders of junk faxes.� The same section would also effectively eliminate recently created Federal Communications Commissions rules that require the written consent of the recipient before junk faxes are sent.

We recognize that obtaining written consent and managing time periods of established business relationships can create paperwork burdens on businesses.� However, junk faxing is a serious consumer protection problem, and it places a greater paperwork burden on recipients of unwanted messages.� We note that last year, the primary sender of junk faxes was fined more than $5 million for violations of the TCPA.� Many consumers with fax machines unplug the devices in order to avoid junk fax broadcasting.� Others have lost sales because of fax machines clogged with junk fax transmissions while customers attempt to send orders.� In Washington State, a hospital was deluged with junk faxes, putting patients at risk.� In a lawsuit filed by law firm Covington & Burling, it was alleged that a single junk faxer sent 1,634 unsolicited advertisements in a single week.� Small businesses too are caused significant costs of ink and paper as a result of junk faxes.� S. 1603 will intensify these problems by creating an additional legal defense and justification for transmitting these unwanted messages.� On the whole, the cost of this bill on the efficient operation of business and government offices is far greater than the alleged benefits touted by proponents of S. 2603.�

We strongly urge Members of the Committee to withdraw their support for S. 2603.� The established business relationship exemption will open individuals to hundreds or even thousands of unwanted commercial fax solicitations.� Technically, every time a consumer makes a purchase or even an inquiry about products or services, they create an existing business relationship with a company.� Accordingly, the average consumer under S. 2603 will create the possibility of numerous junk faxes in their daily activities.� Merely getting an estimate from a plumber, even where the consumer declines to employ the plumber's services, would establish an open-ended business relationship that enables the sending of junk faxes.

We also believe that the Federal Communications Commission's requirement for written consent from recipients is reasonable in certain circumstances. It has been our experience that junk faxers will claim that they have obtained the consent of the recipient.� Without a writing, it is difficult for consumers to argue to a court that they, someone in their household, or even the previous owner of the phone number, did not consent to receiving junk faxes.

If the Committee does maintain support of S. 2603, we think the bill should be amended to allow the Federal Communications Commission to reinstate the written opt-in requirement and revoke the established business relationship exemption with respect to the most prolific junk faxers.� That is, when the Federal Communications Commission determines that any sender routinely violates the TCPA, the agency should be able on a case by case basis to impose a written consent requirement and revoke the established business relationship defense.� Furthermore, we support allowing the Federal Communications Commission to define the length of an established business relationship.� The standard that could be created in S. 2603 of five to seven years, is entirely too long.

Conclusion

Privacy protection remains critical for consumer acceptance of new telecommunications services. The development of wireless directors poses special risks to privacy as it will impact many new services. For this reason, we believe it is particularly important to establish guidelines that are both sensible and effective. We appreciate the work of this Committee and the sponsors of S. 1963 for their leadership in ensuring that the wireless directory is implemented fairly and respects consumer privacy. Privacy protection is critical to the adoption of the wireless directory, and to respecting the wishes of those who do not wish to be listed.

[1]� Testimony of Beth Givens, UCAN, before the California Public Utilities Commission, November 25, 1998, available at http://www.ucan.org/law_policy/teledoces/bgpacbell.html/

Last Updated: September 20, 2004
Page URL: http://www.epic.org/privacy/wireless/dirtest_904.html