Torricelli Bill Seeks "National Dialogue"
The recent notoriety of real or perceived abuses of privacy online by web sites has revived congressional interest in legislative solutions. Now pending are more than half a dozen serious proposals all generally intended to deter the collection or disclosure of information about visitors to web sites without their knowledge or consent.
The most recent bill, as of this writing, was introduced in February by Senators Torricelli (D-NJ) and Feingold (D-Wis). Their "Secure Online Communication Enforcement Act of 2000” (S. 2063) would extend the "stored communications” sections of the Electronic Communications Privacy Act to web site registrations and clickstream data.
S. 2063 has two major parts. The first would prohibit a web site operator from disclosing the "contents” of any "electronic communication” to the government in the absence of a proper warrant or subpoena. The bill would also require service of the warrant or subpoena on the subscriber or customer no later than the time of service on the web site.
Some definitional problems, however, may limit the scope of these protections against governmental inspection. For example, it is not clear whether the "contents” of an electronic communication necessarily would include such personally identifiable information as e-mail or physical addresses. Nor does this part of the bill clarify whether "content' of an electronic communication necessarily would include "clickstream data” consisting of the pages of a web site viewed by a customer. Other issues arise in applying these "governmental” provisions of the bill to web site "chat rooms” or message boards that use registration pseudonyms, but that do not show actual addresses or other contact information. S. 2063 appears to offer the strange possibility that the government could obtain access to personal information without a warrant, while needing a subpoena to see the content of a communication.
The second major part of S. 2063 applies to disclosures to non-governmental entities. This, the heart of the bill, generally would prohibit web sites (or "other third parties”) from "disclosing” information to non-governmental entities except in five specified circumstances. Three of these instances protect the web site operator by allowing disclosure to third parties (1) when "necessary” to provide or bill for Internet service, (2) to protect the ISP or web site's "rights or property,” or (3) where required by law.
S. 2063 would otherwise allow web sites to disclose to third parties only with the "opt in” consent of the customer/subscriber, and in only two situations. The first is upon the request of the subscriber or customer. The second arises with the "affirmative consent of the subscriber or customer given at the time the disclosure is sought.” Absent such consent, no disclosure could occur.
Under S. 2063, these limitations on disclosure to non-governmental entities would apply to the following information: (1) "a record . . . pertaining to a subscriber to or customer of” a web site, and (2) "information generated in the process of accessing or otherwise using the Internet.” The first category presumably would encompass personally identifiable information such as name and contact data. It apparently also would include "preferences” stored by the consumer on the site and traffic information.
The second category reaches more broadly to "clickstream data.” This clarification made for non-governmental disclosures may carry a contrary implication with respect to disclosures to the government, for which the bill does not separately mention "accessing” or "using” the Internet.