HB 273-INTERNET SERVICE PROVIDERS [Portions of SSHB 410, which never had a hearing on its own, were incorporated into CSHB 273(L&C).] CHAIRMAN ROKEBERG announced that the first order of business would be HOUSE BILL NO. 273, "An Act relating to the disclosure of subscriber information by Internet service providers." Number 0287 REPRESENTATIVE FRED DYSON, Alaska State Legislature, came forward as the sponsor of SSHB 410, a significant portion of which was incorporated into HB 273 [Version H]. REPRESENTATIVE BETH KERTTULA came forward to testify as the sponsor of HB 273. She informed members that she had introduced the bill because a few constituents had explained to her the ramifications of logging on to the Internet and having Internet Service Providers [ISP] sell a person's information, which may include such things as address and telephone number. REPRESENTATIVE KERTTULA explained that the bill allows the consumer to opt in to having his or her information sold. The consumer must actually allow it. She referred to a privacy policy for America On-Line, Incorporated [AOL], included in the bill packet. AOL's privacy policy statement indicates that "you can choose not to receive such information if you don't want to by letting us know on the registration screen when you sign up for the product or service." She said this is a privacy right, to allow people to have privacy if they choose to, and it isn't an onerous requirement. REPRESENTATIVE KERTTULA noted that Representative Dyson's bill, SSHB 410, contained a section that would require not only the opt-in where the consumer says, "This is what I want to happen," but also requires the company to come back and tell [the consumer] a little bit about what the company is doing with the information. She said there are a lot of other ideas out there. Between Representative Dyson's office and hers, they felt that the two bills were so similar that they could be meshed. REPRESENTATIVE KERTTULA explained that in the original bill, a person's electronic mail address could not be disclosed. She feels that this needs to be excluded from the bill because she does not believe anyone has any "high privacy right over just that." Number 0619 REPRESENTATIVE HARRIS made a motion to adopt the proposed CS for HB 273, Version H [1-LS1156\H, Bannister, 3/24/00] as a working draft. There being no objection, it was so ordered. REPRESENTATIVE DYSON asked Peter Torkelson of his staff to explain the portions of his bill [SSHB 410] that are being incorporated into HB 273. PETER TORKELSON, Staff to Representative Fred Dyson, came forward to testify on HB 273, Version H. He explained: The portion of our bill that really fit well with Representative Kerttula's was the portion that said when you activate an account, you - the ISP, the Internet Service Provider - should tell the new subscriber a little bit about what you do with their information, about what type of information that you - the ISP - are holding that might be accessible to someone who's looking for information about people. And also, perhaps, as an ISP, you should tell people under what circumstances you'll be reading their e-mail or tracking which web sites they hit, or under what circumstances will you be disclosing that information to law enforcement. I mean, can they call and just say, "Hey, I want to read Joe's e-mail."? ... So, tell them what the deal is. That, in a way, would kind of inform people as to whether or not they have a reasonable expectation of privacy about this type of information. And I've been talking to some of the Internet service providers' security people, and they said, "Yeah, that's probably a good idea." They have assured me, just for the record, that they do not release any of that information without a court order, a search warrant for instance. ...,In a way, we're not really trying to force them into something they're not doing now. We just think it's fair for them to tell new subscribers that that is the case. And they could read your e-mail with a search warrant. It's not something that just disappears into the netherlands of cyberspace. REPRESENTATIVE KERTTULA expressed appreciation to Representative Dyson and Mr. Torkelson for working hard on the bill. She referred to page 2, lines 5 through 10, of HB 273, Version H, which read: (1) of a criminal offense, a court, upon application of the agency seeking information that is relevant to the investigation, has issued an order authorizing the disclosure of the subscriber information without the affirmative consent of the subscriber; or REPRESENTATIVE KERTTULA explained that a distinction is made between a criminal case and a civil case. A warrant is needed in a criminal case. Right now, however, in a civil, administrative case, the Office of the Attorney General would obtain a written request and get the information. She said, "If the Internet service provider said no, they would still be forced to get a subpoena or get further action, but right now they would still like to maintain the flexibility that they have in the other area of consumer protection." She thought this was reasonable enough to include in the original draft of the bill. She said she sees a difference between this and criminal prosecution. Number 0884 REPRESENTATIVE HALCRO asked whether Mr. Torkelson recalled a case involving a naval airman in Hawaii whose superiors went to AOL seeking information. They discovered he was gay and dishonorably discharged him from the Navy. The airman sued, and the courts determined that it was a blatant violation of privacy. MR. TORKELSON replied that he was not familiar with that particular case. He indicated there have been quite a number of cases in which employees have been terminated for use of the Internet through the company network, however. He believes the court has upheld those in every case. REPRESENTATIVE HALCRO noted that the gist of the case he mentioned was that the man's superiors were basically on a witch hunt. REPRESENTATIVE KERTTULA said she does not remember that case, either, but finds it disturbing. She thinks it is a good example of why persons should opt to not have their information disclosed. CHAIRMAN ROKEBERG said he recalled the case that Representative Halcro referred to. Number 1017 REPRESENTATIVE MURKOWSKI asked what form "affirmative consent" has to be in. REPRESENTATIVE KERTTULA referred to page 4, line 19, of Version H, which states that "affirmative consent" means a written statement signed by a subscriber authorizing an ISP to distribute information. REPRESENTATIVE HARRIS asked if the intent of Version H is to couple SSHB 410 and HB 273. REPRESENTATIVE KERTTULA replied yes. She then informed members that an amendment should be made on page 5, line 8, of Version H, deleting "electronic mail address". She asked Bill McCauley to explain the amendment. BILL McCAULEY, Manager, Data Processing, Legislative Affairs Agency, explained that all of the information outlined in Section 2, page 5, lines 8 through 11, is private information. The discussion of a person's e-mail address would open up a Pandora's Box if it is viewed as private information. Technically, a person's e-mail address is not private information. He noted, "If you want to deal with the issue of people distributing e-mail addresses for spamming purposes (building e-mail addresses), that probably should be addressed somewhere else, but it's not private information." REPRESENTATIVE BRICE asked, "You'd hand them out, then, to a phone number in a phone book?" MR. McCAULEY replied yes. CHAIRMAN ROKEBERG wondered if the bill has a further referral to the House Judiciary Standing Committee. REPRESENTATIVE KERTTULA answered yes. [In response to an inquiry from Chairman Rokeberg, Julia Coster, Assistant Attorney General, Commercial Section, Civil Division, Department of Law, indicated she had no testimony but was available to answer questions.] CHAIRMAN ROKEBERG called an at-ease at 4:02 p.m. and returned at 4:07 p.m. Number 1279 PETER GOLL, Board of Directors, Alaska Civil Liberties Union, testified via teleconference from Haines. He stated: I also have a personal interest in the legislation as a former member of the House and chair of the House Judiciary Committee, and as a person who uses e-mail and Internet commerce and is concerned about privacy of electronic communication as a citizen. I'd like to thank the committee very much for hearing these bills and for taking action. I'd like to respectfully thank the sponsors, Representative Dyson and Representative Kerttula, for bringing forward what I consider to be one of the most timely of all issues that the legislature has to face, that being responding to the massive changes in electronic communication and making sure that state law is adequate to manage those changes in this case with regard to the constitutional right to privacy. Essentially, I understand that the committee has -- or at least my understanding is that some of the language from Section 2 of HB 410, dealing with notification of Internet service provider subscribers of possible use of their private information, and the language in the CS ... of HB 273, dealing with the requirement that there be an affirmative agreement by the subscriber, that ... his or her information be (indisc.) before it is used. I understand that these two sections have been combined to some extent in your committee substitute. Assuming that that is correct, I guess I'd like to gratefully thank the committee for taking that action. I think it's wonderful to see you consolidating multi-partisan views on behalf of this issue and moving it forward. We certainly, as an organization - and many people around the state, as individuals, I think - would like to make clear our support for what you're doing and encourage you to continue. Number 1419 I guess I'll conclude by just stating that I'm not sure what your intentions are today with regard to HB 410, but I have come to understand that there may be a feeling that it would be appropriate to delay some of the provisions dealing with e-mail. I would like to go on record indicating that if that be necessary, then so be it, but that the issue of defining for people in private life, in business, in the workplace, what their rights and responsibilities are with regard to their correspondence and e-mail, I think it is a very important issue and one which needs to be moved forward, and that the language in the bill is fairly limited, and some of the language that we've submitted for your consideration is also fairly limited, and some of these basic provisions indicating correspondence which would otherwise be private is equally private when it's e-mail. It seems to be a pressing matter. If, in your wisdom, you see any way of incorporating some of these thoughts into legislation this year, I think it would serve the people very well. Number 1513 REPRESENTATIVE DYSON said he guesses that the portions of SSHB 410 that have not been rolled into HB 273, Version H, have very little chance of getting through two houses in the remaining time this session. He noted that it would be a high priority for his office during the next session. MR. GOLL wondered if he is correct in assuming that it is Representative Dyson's and Representative Kerttula's goal, and that of the committee, to try to bring this forward to closure this year on the portions being moved forward. REPRESENTATIVE KERTTULA replied yes. MR. GOLL said he understands the reluctance regarding moving forward too promptly on SSHB 410, given the issues raised. He stated that workplace issues will come up as a large focus of conversation, because balancing the needs of employers with the needs of employees is important. He commented that earlier sections of the bill make it clear that personal correspondence is personal even when it is electronic mail. He thinks this is something which has a great deal of pressure on it for the public interest. He respectfully urged the committee to consider this a high-priority issue. CHAIRMAN ROKEBERG referred to a letter Mr. Goll had sent regarding SSHB 410. MR. GOLL said the letter makes some specific recommendations. He thinks that one can overstate the complexities of solving the problems involved. For example, the issue of having employees and employers agree on the terms of oversight is something which already exists in much of the law and could be applied here. He clarified that the recommendations are not germane to Section 2. With regard to Section 2, the only comment the AKCLU had was that an affirmative statement by the subscriber should be required before any information is released about that subscriber. CHAIRMAN ROKEBERG wondered if Mr. Goll had an opportunity to look at HB 401. MR. GOLL indicated that he did not have any comments on HB 401. CHAIRMAN ROKEBERG wondered if any ISPs had been contacted. Number 1841 MR. TORKELSON stated that he has been in contact with the two largest ISPs in Alaska: Internet Alaska and GCI, Incorporated. He forwarded both of those providers copies of the bill and requested input. He received an informal response from both. Both indicated general support for the notice requirement, but were a little concerned with the portion of the bill which indicates that "they should disclose the circumstances under which they can review [electronic] mail and web site traffic on their servers." CHAIRMAN ROKEBERG wondered how the bill deals with that issue. MR. TORKELSON explained that HB 273, Version H, states that "they must notify new subscribers of the circumstances under which they will look at your e-mail and look at your web site traffic." REPRESENTATIVE DYSON commented: I think that that position - and I don't mean to sound pejorative - is like unto the post office saying they can open mail that's in their building unless they know or have suspicion and a court order that there's criminal activity; off-limits, in my opinion. Also, in the years I have been here, and partly under your tutelage, Mr. Chairman, I've become more cynical. I have no knowledge that what I'm about to say is true, but, in other related industries there are often, as a secondary market for information that comes from somebody that's providing services -- I'll be pleasantly surprised if we don't find out ... that there is an economic impact resulting from these restrictions on access to people's electronic communication. I think that the information is gleaned, gets marketed, and our efforts here to protect people's freedom of privacy will restrict the marketing, in my view, perhaps, sometimes unethical marketing, of private information. I'll be surprised, if we get down the road on this bill, if we don't hear about that. Number 1969 REPRESENTATIVE HALCRO stated: I think what Peter [Torkelson] just said was that they feel that it's on their property, so they should have free will to look at it. I think [it] highlights the need for not only information being supplied to consumers when they sign up, as far as when they can look at it, but I think we should put in here that they can't look at it. If you say an Internet service provider, ... that's just not some faceless organization. ... Those are employees that can look in your e-mail. And if something ever happened, what's the argument? They're just going to say, "Hey, it's on our property. We can look at it." MR. TORKELSON replied: They have indicated at times that this occurs it's generally to try and protect their network. There have been highly publicized occurrences of, for instance, in Alaska some page being replaced with a fraudulent page to try and defraud people and ... for obvious reasons that is a direct threat to their business. ... To protect the integrity of their network, they pursue that type of stuff with vigor. I think they would say, in all fairness, that the only times they get into this is when they are reacting to a direct threat to their actual network. They have indicated they have a pretty rigorous review process before they're allowed to put what's called a "sniffer" on your account, where it just records where you're going, and they do not save e-mail from the past. They only collect e-mail forward from a particular date, and it's signed by an administrator. It goes through an internal review process. There is some protection for reasons that if the word got out they were looking, it's bad for business. Number 2074 MR. McCAULEY stated that he agrees with what Mr. Torkelson said. He pointed out that it is not exactly analogous to a post office situation. It is his sense that only commercial ISPs are being discussed. He wondered about other organizations, though, such as the Legislative Affairs Agency and the Department of Administration. He said, "When you have problems, you have tools to go in and investigate the problems. [If] you have problems with the network, these tools allow you to see this information. So, it's a necessary tool." He agreed that a privacy problem exists, but when a problem needs to be resolved, tools are necessary. CHAIRMAN ROKEBERG asked, "Doesn't the Legislative Affairs Agency and (indisc.) group monitor all of the traffic on our server in our program?" MR. McCAULEY replied, "Yes, we have the ability to. It's not anything that we do constantly. But if we have a problem, yes, we go out and see what's happening." CHAIRMAN ROKEBERG wondered, "We have a privacy agreement, do we not?" MR. MCCAULEY said yes and explained that there is a policy which every employee signs. CHAIRMAN ROKEBERG asked if this puts the employees on notice that he or she is being eavesdropped upon. MR. McCAULEY pointed out that they only look when there is a problem. CHAIRMAN ROKEBERG wondered if certain "traffic patterns" can be discerned and then looked into. MR. McCAULEY responded, "Absolutely." REPRESENTATIVE BRICE referred to a comment Representative Dyson had made regarding the economic impacts of the bill and the potential to dampen the use of information for marketing. Representative Brice said he would not be so quick to say that it would have a tremendous impact on the secondary market for the sale of information. He pointed out that telemarketing has procedures that allow a person to have his or her name removed from a calling list. He commented: More or less, that's what we're doing here. We're setting up a system by which people can tell their provider that, "No, I don't want to be on those marketing lists." I don't think it'll have that much of a negative impact down the road. Number 2190 MR. TORKELSON indicated that he is assured by Internet Alaska that they do not resell people's information in any form. CHAIRMAN ROKEBERG asked whether Mr. Torkelson had checked with Double Click. MR. TORKELSON replied no. REPRESENTATIVE KERTTULA explained: There's a bill going through on driver's license registrations to allow you to remove from their list, and its got a negative $200,000 fiscal note. So, what Representative Dyson is talking about, in some arenas, has had an impact; but if Internet Alaska isn't doing it, it shouldn't have any. CHAIRMAN ROKEBERG responded: I am concerned that the monitoring of traffic is undertaken by ISPs, particularly for denial-of-service attack situations that we experienced about a month or so ago, and it's one of the reasons we have a bill that I introduced, when an ISP or system can be attacked on a worldwide basis - when Yahoo! was put out of business for four or five hours. It's my understanding, when those types of situations occur, the need to defend yourself as a system and the actual integrity (indisc.) of the World Wide Web requires a certain amount of monitoring as well as other more sophisticated programs for the (indisc.), but part of that is monitoring the traffic. CHAIRMAN ROKEBERG asked Mr. McCauley to discuss denial-of-service attacks and security issues. Number 2264 MR. McCAULEY stated that security is a huge problem. "Hackers" have the means of finding ways into systems and using the systems for their own personal purposes. Security is an issue that needs to be addressed more than it has been already. CHAIRMAN ROKEBERG asked if anyone could speak to the level of monitoring that needs to occur for security purposes. MR. TORKELSON said he is out of his league, technically speaking, with respect to that. He did have a specific question for the security officer at Internet Alaska, who indicated that they monitor general traffic, but they do not know where the requests are going. He said: That's the "sniffing" difference that requires, for lack of a better word, the authorization of the supervisor. They'll just go through and pick up traffic. They don't know whose it is or what it's doing when that occurs, and that that is, actually, ...,a very small portion of all traffic. There's just too much. CHAIRMAN ROKEBERG indicated that traffic can be tracked down. REPRESENTATIVE CISSNA said she had a situation occur when she logged onto a site which then transferred her to an obscene site. She could not close down her computer as a result. She wished that she had been able to track it. She said it is a form of violation. CHAIRMAN ROKEBERG asked for an explanation of "cookies". REPRESENTATIVE KERTTULA pointed out that HB 273 does not address that. MR. TORKELSON explained that HB 273 addresses ISPs, which provide the "post office." Cookies are sent by the vendors whose sites people visit. CHAIRMAN ROKEBERG said he is concerned because there are both good and bad cookies. He asked Mr. Torkelson to define what a cookie is. MR. TORKELSON explained that a cookie is a small amount of information sent to a person's computer and stored on the hard drive. The information is generally assigned some type of unique identifying number. The next time a person visits a site, the site will recognize the identifying number and will remember what type of sites a person visited. For example, he said, "The last time they were here, they went to sites about baseball, and, all of a sudden, you see ads that have to do with baseball products on your screen." He further explained: Also, if you log in for, perhaps, Yahoo! Finance, one of the most popular sites on the [Inter]net, ... it says, "Remember who I am". You check a little box. ... It implants a cookie. And the next time you come back, it says, "Welcome, Peter Torkelson. Here are your stocks." You don't have to type anything in. That's the operation of a cookie. REPRESENTATIVE HALCRO wondered what a bad cookie is. CHAIRMAN ROKEBERG indicated a bad cookie is one that is implanted without a person's knowledge. REPRESENTATIVE DYSON stated that he did not previously know the technical term for a bad cookie. He said he had been doing some research on the Internet and accidentally visited a lesbian pornography site. TAPE 00-35, SIDE B REPRESENTATIVE DYSON further explained that the next time he logged on to the Internet, that is the site which "popped up". He said, "It gave me an immense amount of problems explaining this to my wife." CHAIRMAN ROKEBERG reiterated that it is a problem. He asked Mr. Torkelson to explain the controversy with Double Click. Number 0043 MR. TORKELSON noted that cookies can be very convenient. Web site providers would be the first to say this. He said: Double Click chose to build a system where cookies that were set on your machine recorded the types of sites you went to and then reported back to them, unknownst to you. That's really the rub, because Yahoo!, you say, "Yeah, I want my stock information." But Double Click had it set up so that while you're just surfing, at different intervals, ... you would transmit data to them saying, "This is so and so, and I am back looking at baseball cards again." And Double Click had a computer saying, "Bob's looking at baseball cards again. Send him more baseball ads." They could, over time, build up, as you can imagine, a very large and very, very valuable database. CHAIRMAN ROKEBERG commented that Double Click is probably one of the largest advertisers and traffic managers on the World Wide Web. REPRESENTATIVE DYSON said he thinks the efforts being made to protect privacy will have an impact on a secondary market of the selling of data. The ability to build a profile on a person will be restricted. CHAIRMAN ROKEBERG wondered: In essence here, it's good if we can consent to have a good cookie. We know it's there, but if it's nonconsensual, is that good or bad? Should we remove that? Now, is there an obligation on the part of the ISP to police that which cause a significant burden on them to conduct their business in your service? That's why I'm concerned about it. Number 0145 REPRESENTATIVE KERTTULA said she thinks interstate commerce is one of the major problems that has been encountered. In her opinion, it will be left to Congress to control. She stated, "We early on decided to focus on something in-state, limited impact, and stake out something that we really can understand and begin with and go that route." She indicated she shares many of the same concerns with respect to cookies. She would like to work on that issue during the interim. CHAIRMAN ROKEBERG asked Representative Kerttula if she is comfortable enough with HB 273 not being intrusive on that issue. REPRESENTATIVE KERTTULA explained that the Office of the Attorney General has looked at the bill and is comfortable with it. REPRESENTATIVE CISSNA said it seems Alaskans are waking up to some of the privacy issues with respect to the Internet. She would like to help promote local ISPs in Alaska. She said it would be nice to be able to promote Alaskan providers as being really secure. CHAIRMAN ROKEBERG replied, "We're just adding to their costs by passing this bill." He asked Representative Dyson if it is correct that ISPs will not be overburdened to the extent of inhibiting commerce with this bill. REPRESENTATIVE DYSON answered, "That's what we understand that they have told us informally. CHAIRMAN ROKEBERG asked that the bill sponsors continue talking with statewide ISPs. Number 0274 REPRESENTATIVE MURKOWSKI made a motion for a conceptual amendment [Amendment 1] on page 5, line 8, deleting "electronic mail address". There being no objection, Amendment 1 was adopted. REPRESENTATIVE MURKOWSKI made a motion to move CS for HB 273, Version H [1-LS1156\H, Bannister, 3/24/00], as amended, out of committee with individual recommendations and the attached zero fiscal note. There being no objection, CSHB 273(L&C) moved from the House Labor and Commerce Standing Committee.