Related Privacy Legislation and Policy

Related Privacy Legislation and Policy

No privacy discussion is complete without investigating legal policy issues governing the industry. Most privacy discussions hinge on laws and their implications for all parties involved in the wireless circuit. Legislation is continually proposed to Congress on both sides of wireless privacy issues. Some legislation is designed to protect consumer privacy, and some is designed to protect the rights of application providers or advertisers to use and manage personal data as they see fit.

The Communications Assistance for Law Enforcement Act (CALEA)

In 1968, a federal law was instituted to permit law enforcement to conduct wiretaps, pursuant to a court order or other legal authorization, to eavesdrop on an individual's conversations. Because technology has changed since the law's enactment, the law has been amended to attempt to keep pace with technology. Congress attempts to maintain harmony among technological advances, law enforcement agencies, and consumer privacy rights advocates.

The Communications Assistance for Law Enforcement Act (CALEA) was adopted by Congress in 1994. CALEA was not designed to expand wiretapping power and use but to standardize its current implementations. Under CALEA, all telephone companies were required to build in to their systems mechanisms that allow the government to intercept communications with relative ease, if necessary. Also subject to this law are wireless service providers, local exchange providers, resellers, or anyone who offers wireless (or telecom) services for hire to the public.

Some law enforcement agencies have used the law to attempt to broaden their justifiable use of wiretapping, but expansion has been kept to a minimum for the most part. The overreaching purpose of this law was to require new technology to facilitate wiretapping and pen registers when necessary. The burden of keeping law enforcement able to use the technology is placed on the wireless carriers, not on law enforcement itself. If every time communications companies changed their technology, law enforcement had to learn it and make changes, this would be an undue burden in the pursuit of justice. Instead, wireless carriers design facilities in to the technology to aid this effort.

Wireless carriers are largely frustrated with the requirements for implementation dictated by CALEA, even several years after its enactment. They claim that they are caught between sacrificing the privacy rights of their consumers and aiding law enforcement activities. They struggle to find a clearly defined set of boundaries inside which they should operate.

E-911

What role does the FCC play in the privacy debate over issues concerning wireless devices? The FCC recognized that it could use information on the whereabouts of thousands of people to help find them in cases of emergency. This information is very valuable. It would be tough to argue that people would not want this information shared with a fire department when they are caught in a fire. Perhaps the most well-known piece of wireless privacy policy is E-911. E-911 rules require that cellular phone service providers maintain information about users' locations and be able to pinpoint users within a certain range. The availability of this information for use in emergency is a great advantage to anyone with a wireless device. The presence of this information also presents a great risk. What else will service providers do with this information, and what does the FCC have to say about it?

The bill forbids cellular carriers with access to location information from using it without the explicit consent of individual cell phone users. Should the information be available at all times or only in case of emergencies? How is it determined that someone is in an emergency? Can you disable transmitting your location? What is the information used for besides emergency assistance? Although the technology will undoubtedly be put to valuable uses, the idea that large corporations and the government know where you are every time you use a wireless device is daunting. If you are an application developer and have appropriately planned for security, privacy must be considered as well.

E-911 applies to wireless carriers but not specifically to application providers. Wireless industry advocates are lobbying for the same restrictions and limitations to be placed explicitly on application providers and all other parties with access to consumer information in the wireless realm. Most of the E-911 discussion concerns cell phone usage, but there are crossovers into PDAs and Global Positioning System (GPS) arenas as well. Service providers who provide Internet access or other wireless services to PDA users should also be responsible for managing consumer-identifying information. GPS constantly transmits location information about users another body of information that should be guarded carefully and disseminated only with user consent and justified need for disclosure.

The E-911 rules required that by October 1, 2001, companies had to produce handsets equipped with location-identifying technology or must change their networks to allow for location determination by signal strength. This deadline to complete a portion of the implementation was extended, and requirements and timelines will continue to evolve. The final deadline for compliance still looms ahead, in December 2005. The rules, however, leave it up to providers to figure out how to pay for providing location information to emergency services. (This could encourage providers to sell this information to recoup some of their costs.)

E-911 specifies mandatory conditions for nationwide carriers. Each carrier proposed upgrades that will help it approach compliance with the E-911 requirement that it be able to identify the location of 95 percent of its users. For all carriers, their devices and networks must be capable of identifying a user's location within a certain distance over a certain percentage of time. Some carriers chose to implement device-based solutions, and others chose network-based solutions.

The deadline of October 1, 2001, came and went without any carrier meeting the deadline. Extensions have been granted, and eventually this capability will be status quo for all national carriers. With the new capabilities implemented, emergency services will pinpoint a cellular phone or wireless device user from anywhere in the country without the use of a powerful locator tool such as a directional antenna.

E-911 will continue to affect wireless projects and applications and will, it is hoped, provide help in emergency situations without inciting violations of consumer privacy.

The Wireless Communications and Public Safety Act of 1999

The gist of the Wireless Communications and Public Safety Act is twofold. First, it establishes an official framework for guaranteeing universal access to 911 for all Americans with wireless phones. Second, it provides privacy protection in a general sense for an individual's location information. Before this legislation, location information was not included in consumer information protected under any privacy statutes. This legislation marks an important Congressional opinion that wireless privacy is inherently different from other forms of privacy because of the nature and amount of information potentially stored and revealed about users.

The law restricts telecom companies from selling location information about consumers without their consent. It provides privacy protection explicitly for mobile wireless location information. The law is full of holes. Companies are hard-pressed not to test the boundaries of this law. Policing the abuse of location-based technology is difficult. If location information is used as a basis for decision making but is properly hidden as such, it is difficult to detect and prevent. Enforcing this policy is left to astute consumers who recognize the abuse of power that some wireless companies could exert. Companies and the government will press the boundaries of the law. To remain in compliance with the law and future legislation, it is extremely important to consider protecting location information about consumers by offering only opt-in programs for disclosing this information for profit.

The Wireless Communications and Public Safety Act serves as an impetus for expediting the implementation of E-911 regulations nationwide. This causes relief and angst alike. Another piece of legislation that forwards the case for governmental collection of personal communications information is the U.S.A. Patriot Act of 2001.

The U.S.A. Patriot Act of 2001

How does September 11, 2001, affect wireless privacy legislation? There was a marked concern across the nation that our intelligence-gathering and communications-interception capabilities were not up to par. Analysis of data collected from wiretapping (or wireless tapping, as the case may be) is at a premium and comes with a high cost. The desire to compensate for this terrible incident is driving legislation that will facilitate government collection of a wide selection of all forms of communication.

Many privacy advocates are concerned that privacy will take a backseat to patriotism and efforts to stamp out terrorism. The jury is still out. Certainly it is essential to provide law enforcement with the means necessary to track down terrorist activity in any medium, but this must be done within a system of expeditious checks and balances. On October 11, 2001, Congress passed the U.S.A. Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) of 2001. The law is termed the Anti-Terrorism Act in some drafts and is referred to by this name when being used familiarly.

The U.S.A. Patriot Act of 2001, enacted in the wake of September 11, assigns new provisions to existing laws and renders moot some points in others. The driving force behind the law is the need to ensure that officials have procedures in place to facilitate the detection, prevention, and eradication of terrorism and that there are no procedures that could slow down progress in this quest.

One feature of the law, which was signed by President George W. Bush, stipulates that law enforcement's use of pen registers and wiretapping devices can include any communications medium, including the Internet, for the purpose of helping detect or combat terrorism. The language of the law is person-specific, rather than device-specific or phone line specific. All communications of an individual can now be monitored if that person is suspected of illegitimate activities. Although the expansion includes new mediums, it does not provide for the interception of the communication's content (for example, the text of an e-mail, dollar amounts in financial transactions, dialog in a wireless phone conversation). The discoverable information is limited to higher-level information, such as dialing, routing, signaling, and addressing information.

The U.S.A. Patriot Act allows the FBI to use its DCS1000 technology for monitoring e-mail and other communication, to avoid placing undue burden on wireless carriers to implement technical solutions in a costly and rapid manner. This may worry staunch privacy supporters and will have to be monitored closely. If ISPs or independent parties keep tabs on the operations, the DCS1000 system can be used effectively for fighting terrorism but not for invading consumer privacy.

The U.S.A. Patriot Act may have implications for smaller operations than national ISPs, however. Applications that serve any sort of communication or transaction function could be subject to governmental observation. It is important to define clear privacy policies and explicitly detail for customers which information about them is stored and for how long, who has access to it, and under what conditions it is disseminated.