HB 273 - INTERNET SERVICE PROVIDERS

CHAIRMAN KOTT announced that the first order of business would be HOUSE BILL NO. 273, "An Act relating to the disclosure of subscriber information by Internet service providers." [Before the committee was CSHB 273(L&C). However, there was a draft committee substitute (CS), Version K, dated 4/11/00.]

Number 0090

REPRESENTATIVE KERTTULA, speaking as the sponsor of HB 273, noted that Bill McCauley, Acting Manager, Data Processing, Legislative Affairs Agency, was at the hearing to answer technical questions. Acknowledging that she isn't a computer expert, Representative Kerttula explained that the bill was born out of concern from constituents about the privacy of their information. Drafted "under our right to privacy" to be able to protect people, the bill essentially does four things. First, it adds disclosure of subscribers' information by an Internet service provider (ISP) to the list of unlawful practices under the consumer protection laws. Second, it prohibits ISPs from disclosing a subscriber's personal information except in certain situations - such as those involving law enforcement, Internet hacker attacks or internal network maintenance - unless the subscriber gives consent; Representative Kerttula emphasized that it is an opt-in situation.

REPRESENTATIVE KERTTULA said that third, the bill will require ISPs to notify subscribers about what subscriber information would be disclosed, and how. She commended Representative Dyson's office for their work on this legislation, pointing out that one of Representative Dyson's bills had been rolled into HB 273 in the House Labor & Commerce Standing Committee; therefore, the bill now is both hers and Representative Dyson's. Finally, the bill provides for penalties when an ISP discloses the subscriber's information if that subscriber has not opted in.
Number 0246

REPRESENTATIVE KERTTULA pointed out that there have been some changes made in the bill since it came out of the House Labor & Commerce Standing Committee. She explained:

We've tried to be responsive to some of the Internet service providers' concerns, in terms of allowing them to get information to protect on hackers. We've broadened the definition of "[affirmative] consent," the opt-in, so you can give it by Internet. We've also defined "subscriber information." And we've also heard information that might lead to an amendment, if the committee wants to consider it, about allowing billing information, in a delinquent account referred to a collection agency, to be allowed to be given out.

REPRESENTATIVE KERTTULA concluded by saying this is a broad area and has been a learning experience for her. Concerns have been raised on both sides: by ISPs concerned about their ability to deal with their affiliates appropriately, and by those concerned that the bill may not go far enough in protecting people.

Number 0385

REPRESENTATIVE ROKEBERG made a motion to adopt as a work draft Version K [1-LS1156\K, Bannister, 4/11/00]. There being no objection, it was so ordered.

Number 0420

DAVID J. PORTE, Vice President & General Manager, Internet Services, GCI, testified via teleconference from an off-net site in Anchorage. He stated:

We at GCI really support this effort to maintain the confidentiality of consumers' private information. ... Our concerns are not over the goal that this is trying to achieve. However, we just have a few concerns over the mechanisms, one which has been addressed with [Version] K, which we appreciate. However, there [are] a few other items that we have concerns about.

One is that ... we understand that the legislature doesn't want to place a burden on Alaskan businesses that national providers can just ignore; and there's a good chance that the national Internet service providers will ignore this effort because ...
it's a very difficult enforcement, on the back end, regarding the privacy of information.

However, one concern that we do have is that ... if the notification provisions don't have (indisc.), the local Internet services providers like GCI or Internet Alaska or Chugach Electric would comply with these; however, the national Internet service providers would not because there is no penalty for [their] not complying with the notification procedures. So we urge the legislature to revisit this, and look and see ... if there should be penalties for ... non-notification. We feel that unless this provision does have monetary penalties associated with a lack of notification, ... the national providers ... could very easily ignore the law ....

Number 0547

One of the other difficulties is that the Internet has a consumer product. A lot of the interaction in setting up an account takes place over the telephone. In the course of business, many wholesale ISPs or ISPs that are using the facilities of another carrier, such as using (indisc.) system to provide Internet ... across the other providers' facilities, you need to communicate - with that other company - the person's address and telephone number, so that the underlying service can be provisioned. It's very difficult to obtain a written consent from the individual to provision these services because they would have to visit your office. Likewise, it would be difficult to obtain ... electronic permission because many times they're just getting signed up for the Internet. We feel that with some minor changes in language, this could be taken care of very easily.

Once again, this could be covered by either obtaining the customer's assent telephonically to share this information or with a change in the language defining "third party" .... Currently it says a definition of "third party" to mean a person who is not the ISP, an employee of the ISP or the subscriber.
By adding that the ISP can share this information with a provider of business or (indisc.) services to the ISP, that would then allow an ISP to share the necessary information with that company to get that person service.

Finally, we feel that the text in section (g)(7)(B), which defines a third party as "an entity that controls, is controlled by, or [is] under common control" with the ISP, ... should probably be deleted. The reason why is because ... it makes it difficult within the definition - not so much for GCI because GCI is a single company, but if strictly applied, we would not be able to tell the cable or entertainment departments of GCI the address of the customer that wants a cable modem to be provisioned for them without getting their written or electronic consent. And this would just delay the consumers' ability to get these services.

Once again, we very much support the legislature protecting the privacy of the individual. However, that needs to be balanced against the ability for the companies to deliver service in a manner that people now running on "Internet time" are used to dealing with. And, really, the work we did with Representative Kerttula's office ... in some of the other areas were covered in [Version] K.

Number 0793

CHAIRMAN KOTT asked Mr. Porte to restate the section that he thought should be deleted.

MR. PORTE specified that it is subparagraph (g)(7)(B) [page 4, lines 27-28], which defines a third party as an entity that controls, is controlled by, or is under common control with the ISP. As an example, he said that many times the local exchange carrier, because of regulations, has to maintain certain assets in a different company; usually they maintain a common database. Under this provision, however, it would be difficult to maintain a common database of customers because there would be information shared across departmental lines.

Number 0867

REPRESENTATIVE KERTTULA thanked Mr. Porte for working with [her and Representative Dyson].
Referring to the last issue raised by him, she asked if he could provide an example of the kinds of information transmitted right now. For example, when she calls GCI and requests only Internet service, what happens at that point? Is information transmitted to other areas of the company or not?

MR. PORTE answered:

In most multi-service companies, we maintain a single customer billing system. So, when you sign up with GCI for Internet, you get a GCI bill, and that bill comes out of the same billing system as your local service or long distance. And so, there's only one database for your name, telephone number and address. ... GCI's just one company, so we're not really sharing it with another company because it's all one company. ...

But in other cases, for example, ... we do our cable and entertainment billing out of a different system. So let's say you signed up for a cable modem. We would have to enter your name, telephone number and address in the cable billing system, because that's how we track the inventory of the cable modems, because that's tied to your ... cable subscriber ID [identification]. And then we would also add it ... into our integrated billing system, so we would bill your Internet on the integrated billing system. ... That's really the sharing that goes on, is that ... businesses are trying, more and more, to consolidate to single systems, especially integrated companies. And I can't speak for any of the other companies that are out there.

Another example of it is that ... a wholesaler - someone who provides wholesale ... Internet access through GCI - enters the person's billing information on our system, because we allow them to bill through us, ... and as your bill allows for. With informed consent, and currently with either written or electronic consent, ... we can continue to do this without a problem.
What I'm concerned about is that that would dilute the power of this bill because, basically, all the Internet service providers would have to have all their customers consent to all sharing of information. ... That would kind of defeat the purpose, I believe, behind this, in that you would want to be able to keep ... people's personal information from being sold to other companies or provided to marketing firms or just ... used without those people's consent for something other than the purpose of providing ... Internet access.

Number 1119

PETER GOLL testified via teleconference from an off-net site in Haines. He noted that he had discussed this legislation before the House Labor & Commerce Standing Committee, testifying on behalf of the Alaska Civil Liberties Union and himself, as an interested business person who utilizes Internet commerce, as a citizen concerned with privacy, and as a former legislator and former chair of this very committee.

MR. GOLL told members that he strongly supports the comments made by the previous witness. He believes it is in the common interest of all people to guarantee the privacy of Internet communication, whether it is Internet traffic to websites, e-mail or subscriber information that should not be disclosed to marketers without the subscriber's consent, for example. He said he is grateful that the legislature, in a bipartisan fashion, is supporting that concept.

MR. GOLL offered specific recommendations and volunteered to work with the committee's staff or the sponsor to deal with the specific language. First, he recommended looking at disclosure of privileged information as a whole, with the goal of simplifying the language in the bill. For example, the issues defining a third party might best be treated as exceptions rather than by stating who third parties might be.
The Division of Family & Youth Service, when there is an investigation of a child abuse case, is prohibited from disclosing information to anyone, he pointed out, but there are specific exceptions to that. Similarly, the use of "third party" on page 1, line 12, and in the definitions might be replaced by simply saying that "no disclosure may take place except under the following circumstances," with a list of those. In a sense, it is clerical, he said, but he believes it would be useful for the bill to begin by simply stating that the information defined as subscriber information is simply prohibited from disclosure.

Number 1290

MR. GOLL next addressed the standards for disclosure. He referred to page 4, beginning at line 21, which defines "subscriber information" under paragraph (6). That language read:

(B) does not include the subscriber's name, the subscriber's electronic mail address, and aggregated data that cannot be used to identify a subscriber;

MR. GOLL said this is an important point: to him, it suggests that the subscriber's name and e-mail address may be disclosed to telemarketers the moment the person signs up with a given ISP. Some people have suggested to him that this information is available anyway. However, he does not believe that to be the case any more than with a person's telephone number, which someone can request to have listed or unlisted. Keeping it in the control of the subscriber is very important, and it should not be an exception. Signing up with an ISP should not mean that the person's e-mail address is suddenly public domain. He respectfully suggested that the committee look at that issue.

Number 1351

MR. GOLL drew attention to what he suggested are more important issues on page [3], noting that the language at the top half of the page describes circumstances [under which the network administrator or network contractor of the ISP is permitted to review the contents of the subscriber's e-mail or website traffic].
He proposed that the contents of e-mail should be included, as should be anything electronically noted or available due to one's activities on the Internet. All of this is privileged, private information, he emphasized, and should be treated with great care.

MR. GOLL offered examples. If a person has an arrangement with a telephone company and makes telephone calls, those specific telephone numbers that have been called are not generally available; there are restrictions on government agencies and private entities with regard to accessing that information. Mr. Goll said he believes that those same restrictions should apply here. Likewise, if someone goes to a library and asks what a patron has been reading, the library will not disclose that; laws and court decisions protect one's privacy in that regard.

Number 1430

MR. GOLL discussed further examples. If British Petroleum is engaging in Internet commerce, this bill, on line 9 [page 2], suggests that if a government agency is involved in some sort of inquiry for statistical purposes, that agency could demand or request from an ISP all of that oil company's correspondence - or, at least, Internet traffic - that has been used through that ISP. Likewise, if a legislator is engaged in research or communication on the Internet, Mr. Goll said this suggests to him that the Office of the Governor has 100 percent access to that legislator's Internet traffic with constituents, with government agencies and with any other private activity that occurs on the Internet, "violating not only your privacy as legislators but the privacy and integrity of communication to constituents." He explained:

This is tremendously different from your letters or your phone calls. If the Department of Administration decides it wants to know whom you're writing to, they have to come and ask you.
But here, it would suggest that they can simply invade your Internet records by making a request, under this bill, to your Internet service provider, and basically have access to everything you've been doing on the Internet ....

MR. GOLL proposed that there should be a court order prior to an ISP giving personal information about a client, subject to both legal and clerical research. If there are circumstances where one wishes there to be less than a court order, such as when a crime has been committed and a police officer comes to one's home, the law and regulations provide legal protections all around. He suggested having that same standard provided to Internet commerce. "We don't have to reinvent the wheel," Mr. Goll added, noting that the same standard applies to library activity. What is needed is to determine that all of this information is privileged except upon an order of the court. And where information can be released without a court order, it should be very specifically stated.

MR. GOLL specified that regarding criminal investigations, that language could be determined through existing laws dealing with criminal investigation and access to privileged correspondence like letters. Mr. Goll added, "When can a police officer read my mail, and when not? And that same standard should be applied here to your activities on the Internet." With regard to civil or administrative proceedings, he suggested taking a very stringent look at that, "because there you basically are saying 'any government agency that has a proceeding in place, whatever that means, has a right to invade ... the privacy of your Internet activity.'" He reiterated the suggestion that no information should be disclosed without a court order except under specific exceptions, to be developed along lines similar to those that exist for invading one's mail, library records or the privacy of one's personal life in general. Mr.
Goll explained:

Right now, I see too many loopholes in the language, and I think that if the legislature wishes ... to have privacy in Internet commerce and private communication, it needs to use the existing standards and not create language that implies that there is a lesser standard here just because it happens to be on that Internet, that ... that happens to be the utility that is being utilized.

MR. GOLL suggested that omitting the name and e-mail address from the bill was an oversight. "Knowing you have a phone number is one thing," he said. "But requiring a phone company to divulge the phone number is another." He likened that to allowing an ISP to reveal a person's e-mail address to telemarketers; he said that is something over which he, as a subscriber, should have control.

Number 1697

MR. GOLL concluded by saying the scope of what can be released should be tightened, and special attention should be given to the rights of administrative agencies in accessing this information without the same restrictions that apply to accessing one's personal, private, privileged information, whether it involves a person's doctor, correspondence, or discussions with one's legislator. Mr. Goll informed members that he has a lot of information on specific language issues that he could offer to the committee's staff. He emphasized the importance of acting promptly because everyone right now is subject to almost 100 percent invasion of the privacy of correspondence without some sort of protective statute in place. He again thanked members for taking a bipartisan approach.

Number 1792

JOHN BARNHARDT, GCI, testified from an off-net site in Anchorage, noting that he was there in case Mr. Porte had had to leave prior to giving testimony. Mr. Barnhardt said he would reinforce what Mr. Porte had stated, and he commended legislators for taking up this necessary matter.

REPRESENTATIVE KERTTULA asked Mr. Barnhardt how the system works now regarding a person's name and address.

MR.
BARNHARDT responded:

I would tend to agree with ... the previous speaker, as well, in that that information should certainly be ... a decision that the consumer can make as to whether they want to make that information publicly available or not. Currently - I can speak specifically for GCI - we don't divulge customer e-mail addresses or names to anyone outside of our company, for any reason whatsoever, ... unless we're subpoenaed by ... the legal authorities or anybody like that.

But it is quite possible, given the way that the Internet works, for people to determine -- once you start to interact with public servers and services on the Internet, it gets much grayer in terms of people being able to determine your e-mail address, for example, without anybody explicitly giving it out. So while I think most Internet service providers would keep that type of information close to the vest and would not, in fact, divulge it on any type of publicly available forum, or ... divulge it, by request, to anybody who ... didn't have a subpoena for it, it is rather simple for external third parties to determine that information. ...

Many of our customers have an e-mail address that ends in "gci.net," and then their particular user name is pre-appended to that portion of it. Some people will go through and just blanket-send e-mails to every three-letter combination of initials at gci.net. ... And they can accomplish some fairly effective bulk mailings or what we call "spamming" customers in this fashion because the computers that they use to generate the messages are capable of processing hundreds of thousands or millions of messages .... It's an easy task for them to accomplish. So there are ... some sort of work-arounds that make it difficult to always determine whether an e-mail address has been divulged by someone or whether it's just been determined out of luck or brute force on the Internet. ...
I would tend to agree that it is appropriate to require that that information not be divulged in any manner by the Internet service provider, and, in fact, can't see ... any good reason to make that publicly available, certainly without the consent of the subscriber.

Number 1942

[Julia Coster of the Department of Law informed the committee that she was online to answer questions.]

REPRESENTATIVE KERTTULA requested that Mr. Torkelson come forward to clarify a point.

Number 1980

PETER TORKELSON, Staff to Representative Fred Dyson, Alaska State Legislature, directed a question to [Mr. Barnhardt] of GCI in order to clarify the e-mail issue:

Do you have external services "spidering" your server ... to build up ... their web search databases? And, if so, couldn't you ascertain someone's e-mail address just based on their website address? For instance, ... the way that your website is laid out is ... home.gci.net\tilde and then your user name, but that user name is really your e-mail address at gci.net. Is that something that you can control? Or is that just something that's done?

Number 2006

MR. BARNHARDT responded:

That's a good question. I can give you two answers to that. The first is, the actual address of a person's website - and, again, I should make it clear that what I'm talking about here is the very specific way that we've chosen to configure our Internet services; it could vary significantly from provider to provider, but the fundamental plumbing is the same - in any case, the user name that people on our web service use is not necessarily the same as their e-mail address. So you can choose to have ... exactly the same one as your e-mail address and your dial-in user name, or you can choose a unique ... identifier for that. Either way is fine; it doesn't really matter to us. So ...
if that was a concern, there is certainly a way that's within the customer's control to not have publicly available any portion of a user name that would make it easy to guess their e-mail address.

Having said that, I believe that most customers do tend to make their e-mail address, their website name, and their dial-in authentication user name the same. And in that scenario, yes, it is definitely possible for third-party "spiders" - or "robots," they call them - that actually comb through publicly available websites, searching for e-mail address references .... It gets a little tricky there because the very nature of the World Wide Web is as a public entity .... If it is the choice of the user, the customer, to publish information on that public forum, ... we could control who accesses that, but then you're limiting its functionality, and ... that's really up to the user; they can say, "I don't want these services to be available" ... or they could have to log in before you could use them. That's totally up to the user.

But, in general, most of the content on the web is just available publicly. As soon as it's available publicly, and assuming ... the reference has your e-mail name as part of the URL that you use to reference the site, then it is certainly quite possible for somebody to comb through that information, make some fairly easy guesses as to what your e-mail address may be, and then utilize that information ... in whatever fashion they would choose to.

Now, we can take steps. ... Right now, we do have a page that provides links to all of our customers' websites, which we establish at the request of our customers. So it lists everybody who has a website hosted on GCI's server and says ... "click here to go to this one, click here to go to this one, click here to go to this one." So, ... it's one compact location where somebody could go and get a list of all these websites that may or may not translate directly into an e-mail address.
We could certainly eliminate that piece. However, the websites are still available. ... As soon as there's a link anywhere on the Internet, essentially, to that information, then it becomes possible for somebody else to try to dig through that information and determine their e-mail address from it. ... That's [going to] be one that it's virtually impossible ... to completely eliminate.

We could certainly take measures to make it slightly more difficult. ... If we were to do that, it would be something we'd want to get input from our customers [about], if that was at all possible, to see what their preferences were .... I guess, actually, the other way to do it would be we could say, "We will be happy to list your website up on this page as available; if you don't want us to, no problem." And then we would have absolutely no problem with that type of scenario either.

Number 2164

MR. TORKELSON offered his summary of the foregoing testimony:

We need to be very careful in holding an ISP responsible for disclosing an e-mail address when that person may have unknowingly just put up a web page and thereby divulged the essential contents of the e-mail address on the World Wide Web without meaning to. Maybe they don't know that, but it did occur. We really can't hold the ISP responsible for that, so it's just a touchy, touchy area.

MR. BARNHARDT responded:

I think that's a good clarification. We've tried to be as forthright with our notification process, when somebody initially gets signed up - that, ... "Here's the context you operate in; this is the type of information that is out there; if you publish your website, this is how it'll show up" - and certainly have no problem taking that even further, if that was appropriate.

Number 2206

MR. GOLL pointed out that the problem just discussed goes beyond that, too.
So many commercial entities are selling lists of people with whom they do business, and if that business happens to be an Internet business, then logically that business is selling e-mail addresses as well as telephone numbers and mailing addresses. Clearly, he said, the ISP cannot be held responsible for the wide range of possible disclosures that could take place. However, this legislation has a very specific point, "which is that when you sign up with your Internet service provider, just as the gentleman from GCI made so clear with the phone companies, you retain control as to the linking of your e-mail address and your actual name and who you are." Mr. Goll added:

I believe that the point here - and I'm hoping that it might narrow some of the concerns a little bit - is that in the process of engaging the utility, if you will, to handle your e-mail traffic and your Internet traffic, that signing up with that utility does not automatically lead to the disclosure and linkage of your e-mail address and your personal name and information, my point being that these inadvertent disclosures, of course, need to be understood, and one cannot hold an ISP responsible for those. But the specific disclosure of not only the e-mail (indisc.-- coughing) but the association of the address with the name of the subscriber, I think, is the issue here. And it would be my hope the bill could be narrow enough to make that clear.

Number 2284

CHAIRMAN KOTT asked whether anyone else wished to testify, then closed public testimony. He commented that one sees advertisements, especially in Anchorage newspapers, that offer a computer at a drastically reduced rate if one signs up and subscribes through an ISP for a period of two or three years. He surmised that the company makes money from selling advertisement space to someone advertising a product, which the purchaser of the computer will see whenever the machine is turned on.
He asked Representative Kerttula how the bill addresses that, if it does.

REPRESENTATIVE KERTTULA answered:

The bill only goes to when someone's actually signing up for Internet service. So if they were signing up for the Internet service, ... the provider wouldn't be able to disclose subscriber information without the affirmative consent. So you'd have to be asked, "Do you want us to provide that information?" And if you said "yes," like I do when I get on the Internet and want to be able to get a broad bunch of information back, then your information would go. But if you said "no," you probably won't get the computer.

Number 2376

CHAIRMAN KOTT responded, "I'm not sure ... they even acknowledge that, in order to get that computer at this rate, this is what's going to happen. But I heard that, but, again, I can't confirm that."

REPRESENTATIVE KERTTULA indicated that for her private Internet sign-up at home, the providers gave a lot of information and warnings. However, she didn't read it or understand it, which is why she had thought it would be better to do it up-front, and to have people opt in to this system. In some ways, it is just a right to know, so that people recognize what they're doing and what will happen. The second part of this - and Representative Dyson's [first] concern - was that information would be provided about where the information goes; his bill, a little broader, was therefore incorporated. Representative Kerttula said she appreciates the hearing and believes that the issues raised by the witnesses are substantive and difficult. She proposed working on it and hammering out some compromises.

Number 2442

CHAIRMAN KOTT commented that this is what e-commerce has brought about. He agreed that the issues appear to be workable. He inquired whether it is Representative Kerttula's intent to consult with Mr. Goll, for example.
REPRESENTATIVE KERTTULA specified that she would like to consult with the witnesses, put out some proposed language, and see whether they can come up with a proposal for the committee's consideration. She thanked the witnesses for their input.

CHAIRMAN KOTT announced that HB 273 should be held over. He indicated it would be brought up again if a solution were found.