Downloaded from the National Library for the Environment
spacer.gif

98-67: Internet: An Overview of Key Technology Policy Issues
Affecting Its Use and Growth

Marcia S. Smith, Richard M. Nunno, John D. Moteff, and Lennard G. Kruger

Resources, Science, and Industry Division

Updated December 31, 2000

CONTENTS

Summary

The growth of the Internet may be affected by issues being debated by Congress. This report summarizes several key technology policy issues that were under consideration by the 106th Congress.

1. The long-running encryption debate concerns balancing the interests of personal privacy, competitiveness of U.S. computer companies, and law enforcement and national security requirements in setting limits on what encryption products can be exported.

2. Electronic signatures are of congressional interest both in terms of the respective roles of federal versus state laws governing their use and requiring government use of electronic signatures to enable electronic filing of information.

3. Concerns about computer security, particularly unauthorized access or "hacking," are prevalent both in government and the private sector. Issues also have been raised about the vulnerability of the nation's critical infrastructure (e.g., electrical power grids and telecommunications) to cyber attacks.

4. Individuals and businesses considering whether to use the Internet are increasingly concerned about Internet privacy, particularly of personally identifiable information. While many in Congress and the Clinton Administration hope industry self-regulation will solve these problems, others believe that legislation is needed.

5. How to protect children from unsuitable material on the World Wide Web has been a major focus of concern but attempts to restrict content on the Internet have encountered legal challenges on First Amendment grounds. A new law passed by the 106th Congress requiring most schools and libraries receiving federal funds to use technology to block Web sites with certain content on computers used by minors, and in some cases, adults, is also expected to be challenged in the courts.

6. Unsolicited commercial electronic mail (UCE), or "junk e-mail" or "spam," aggravates many computer users because it is a nuisance and the cost may be passed on to consumers through higher charges from Internet service providers who must upgrade their systems to handle the traffic. Proponents of UCE insist it is a legitimate marketing technique and protected by the First Amendment.

7. The administration and governance of the Internet's domain name system (DNS) is currently under transition. Issues for the 106th Congress included how domain name trademark disputes should be resolved, and the progress of the federal government's efforts to transfer control of the DNS to the private sector.

8. Broadband Internet access gives users the ability to send and receive data at speeds far greater than current Internet access over traditional telephone lines. With deployment of broadband technologies beginning to accelerate, Congress is seeking to ensure fair competition and timely broadband deployment to all sectors and geographical locations of American society.

Introduction

The continued growth of the Internet for personal, government, and business purposes may be affected by a number of issues being debated by Congress. Among them are establishing "trustworthiness" by authenticating and verifying the origin and content of messages, safeguarding system security, ensuring the privacy of information collected by Web site operators, protecting children from unsuitable material, limiting unsolicited commercial electronic mail, the administration and governance of the Internet domain name system, and access to broadband services. This report provides short overviews of each of these issues from a technology policy perspective, referencing other CRS reports for more detail. This edition of the report reflects activity through the end of the 106th Congress. The next edition will focus on issues expected to be debated in the 107th Congress and should be available in February 2001.

Summary of Legislation Passed by the 106th Congress

The 106th Congress had many bills under consideration regarding the issues in this report, and several were enacted into law. This section briefly summaries the bills that became law. More detailed discussion of the issues can be found in later sections of the report.

Electronic Signatures

The Millennium Digital Commerce Act (P.L. 106-229) regulates Internet electronic commerce by permitting and encouraging its continued expansion through the operation of free market forces, including the legal recognition of electronic signatures and electronic records.

Computer Security

The Computer Crime Enforcement Act (P.L. 106-572) establishes Department of Justice grants to state and local authorities to help them investigate and prosecute computer crimes. The law authorizes the expenditure of $25 million for the grant program through FY2004. The FY2001 Department of Defense Authorization Act (P.L. 106-398) includes language that originated in S. 1993 to modify the Paperwork Reduction Act and other relevant statutes concerning computer security of government systems, codifying agency responsibilities regarding computer security.

Internet Privacy

Language in the FY2001 Transportation Appropriations Act (P. L. 106-246) and the FY2001 Treasury-General Government Appropriations Act (included as part of the Consolidated Appropriations Act, P.L. 106-554) addresses Web site information collection practices by departments and agencies in the Treasury-General Government Appropriations Act. Section 501 of the FY2001 Transportation Appropriations Act prohibits funds in the FY2001 Treasury-General Government Appropriations Act from being used by any federal agency to collect, review, or create aggregate lists that include personally identifiable information (PII) about an individual's access to or use of a federal Web site, or enter into agreements with third parties to do so, with exceptions. Section 646 of the FY2001 Treasury-General Government Appropriations Act requires Inspectors General of agencies or departments covered in that act to report to Congress within 60 days of enactment on activities by those agencies or departments relating to the collection of PII about individuals who access any Internet site of that department or agency, or entering into agreements with third parties to obtain PII about use of government or non-government Web sites.

The Social Security Number Confidentiality Act (P.L. 106-433) prohibits the display of Social Security numbers on unopened checks or other Treasury-issued drafts. (Although this is not an Internet issue, it is related to concerns about consumer identity theft, a topic addressed in this report.)

The Internet False Identification Prevention Act (P.L. 106-578) updates existing law against selling or distributing false identification documents to include those sold or distributed through computer files, templates, and disks. It also requires the Attorney General and Secretary of the Treasury to create a coordinating committee to ensure that the creation and distribution of false IDs is vigorously investigated and prosecuted.

Protecting Children from Unsuitable Material

The Children's Internet Protection Act (Title XVII of the FY2001 Labor-HHS Appropriations Act, included in the FY2001 Consolidated Appropriations Act, P.L. 106-554) requires most schools and libraries that receive federal funding through Title III of the Elementary and Secondary Education Act, the Museum and Library Services Act, or "E-rate" subsidies from the universal service fund, to use technology protection measures (filtering software or other technologies) to block certain Web sites when computers are being used by minors, and in some cases, by adults. When minors are using the computers, the technology protection measure must block access to visual depictions that are obscene, child pornography, or harmful to minors. When others are using the computers, the technology must block visual depictions that are obscene or are child pornography. The technology protection measure may be disabled by authorized persons to enable access for bona fide research or other lawful purposes.

Internet Domain Names

The Anticybersquatting Consumer Protection Act (part of the FY2000 Consolidated Appropriations Act, P.L. 106-113) gives courts the authority to order the forfeiture, cancellation, and/or transfer of domain names registered in "bad faith" that are identical or similar to trademarks. The Act provides for statutory civil damages of at least $1,000, but not more than $100,000 per domain name identifier.

Encryption (1)

Encryption and decryption are methods of applying the science of cryptography to ensure the privacy of data and communications. The long-running encryption debate concerns balancing the interests of personal privacy, competitiveness of U.S. computer companies, and law enforcement and national security requirements.

Cryptography traditionally has been the province of those seeking to protect military secrets, and until the 1970s relied on "secret key" cryptography where the sender and the recipient both had to have the same key. Thus a trusted courier or some other method was required to get the key from the sender to the recipient. The advent of "public key cryptography" in 1976 made it possible for encryption to be used on a much broader scale. In this form of cryptography, each user has a pair of keys: a public key available to anyone with which a message can be encrypted, and a private key known only to that user with which messages are decrypted. The "key pair" is electronically generated by whatever encryption product is used. In a hypothetical example, if Bob wants to sent a private e-mail message to Carol and ensure that no one else can read it, he obtains Carol's public key from Carol herself or from a publicly available list. Using Carol's public key, Bob encrypts his message. When Carol receives the message, she uses her private key to decrypt it. To reply to Bob, Carol gets Bob's public key from Bob or from a publicly available list and uses it to encrypt her response. When Bob receives the message, he uses his private key to decrypt it.

Use of strong (difficult to break) encryption is considered vital to the growth in use of the Internet, particularly for electronic commerce, because businesses and consumers want to protect the privacy of information exchanged via computer networks. When a message is encrypted, it is referred to as "ciphertext." That message is called "plaintext" before it is encrypted and after it has been decrypted. The Clinton Administration wants to ensure that authorized law enforcement officials and government entities can access the plaintext of a message if undesirable activity is suspected (terrorism, drug trafficking, and child pornography are often cited as examples). If the message is encrypted, they either have to break the encryption by "brute force" (trying all possible combinations until they get the right one), or get access to the decryption key.

Export Restrictions and Domestic Use

The congressional debate over U.S. encryption policy has evolved from a time when the competing interests diverged widely concerning individual rights to privacy, the global competitiveness of U.S. companies selling encryption products, the promotion of secure electronic commerce, and law enforcement and national security needs to monitor undesirable behavior. The Clinton Administration originally supported the wide use of strong encryption as long as it had a feature called "key recovery" to allow authorized law enforcement agents to access the plaintext in a timely manner by getting access to the decryption key. This raised privacy issues. The Administration also sought to influence what type of products are available domestically by limiting exports, knowing that companies would not sell strong encryption products domestically and weak ones for export. This raised industry concerns about placing U.S. computer hardware and software companies at a competitive disadvantage because they were subject to export restraints.

In December 1996, the Clinton Administration released temporary (two-year) export regulations designed to encourage computer hardware and software manufacturers to develop and implement key recovery technologies. Although there are other factors that affect the strength of an encryption product, the number of binary digits (bits) in the key has been used as the benchmark in this debate. The larger the number of bits, the more difficult it is to break the encryption. Under the interim regulations, companies were allowed to export 56 bit encryption products if they agreed to incorporate key recovery features into the product within the two years. If they already incorporated key recovery into the product, there was no limit on the bit length that could be exported (with some exceptions for banking.) Previously, only 40 bit encryption could be legally exported.

In September 1998, the Clinton Administration announced plans to permanently reduce its restrictions on the use and export of encryption. The policy allowed the export of 56-bit encryption products without requiring provisions for key recovery, after a one-time review, to all users outside of seven "terrorist countries." The policy applied only to U.S. companies in the finance, health care, insurance, and electronic commerce industries. Export of encryption products of any strength was permitted to 42 designated countries if key recovery or access to plaintext was provided to an approved third party. The Administration also supported the FBI's technical support center to help law enforcement in keeping abreast of encryption technologies.

On September 16, 1999, the Administration again announced changes to its encryption policy, making encryption products of any key length, after a technical review, exportable without a license to users in any country except seven "terrorist countries". Exporters must report to the government on where the encryption product is exported, reflecting industry business models and distribution channels. In addition, the President proposed legislation that would ensure that law enforcement agencies maintain their ability to access decryption information stored with third parties, and allow information on techniques used in decryption to be withheld in court. The bill would have authorized $80 million over four years for the FBI Technical Support Center, to serve as a technical resource in responding to the use of encryption by criminals. No Member introduced that legislation.

The regulations implementing the Administration's new encryption export policy were issued by the Department of Commerce's Bureau of Export Administration (BXA) on January 14, 2000. According to the rules, retail encryption commodities and software of any key length can be exported without a license to any non-government end user in any country except the seven state supporters of terrorism, and can be re-exported to anyone (including Internet and telecommunications service providers). Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains, and customers. Exports to most government end-users still require a license, but, on July 17, 2000, the Administration updated its policy to enable exports without a license to European Union and certain other governments. Exporters must report to BXA where the encryption product is exported, and BXA will determine whether products qualify as retail by reviewing their functionality, sales volume, and distribution methods. While the computer industry is satisfied with these rules, some privacy rights groups argue that ambiguities in the rules make them overly cumbersome for individuals. Because the regulations could be reversed by a future Administration, some still advocate the passage of legislation to codify the changes in U.S. encryption policy. Based on the decrease in congressional activity on the issue, however, these rules may have struck a balance among competing interests regarding U.S. encryption policy.

Key Recovery

The term "key recovery" (formerly called key escrow) refers to a system whereby a party external to the user holds a copy of the decryption key. (Other mechanisms could also be employed to achieve the same result--e.g., the key could be split among two or more key recovery agents for added security). Having access to such a "spare key" through a key recovery agent could be desirable for a user if a key is lost, stolen, or corrupted. Most parties to the encryption debate agree that market forces will drive the development of key recovery-based encryption products for stored computer data because businesses and individuals will want to be sure they can get copies of keys in an emergency. The debate is on the role of the government in "encouraging" the development of key recovery-based encryption, whether key recovery agents should be required to provide keys to duly authorized law enforcement officials, and the government's role in determining who can serve as key recovery agents. Since 1998, key recovery business plans are no longer required, and the regulatory requirements for key recovery agents have been reduced.

Another element needed for the widespread use of encryption is certificate authorities to issue and manage electronic certificates (electronic records that identify a user within a secure information system) and verify that a particular individual is associated with a particular public key. This is especially important for the conduct of electronic commerce, for example, where buyers and sellers want to be assured of each other's identities. Privacy rights advocates argue that the ability to issue certificates should be independent from the debate over key recovery, making controversial any linkage between certificate authorities and key recovery. The combination of public key encryption and certificate authorities (some would add key recovery agents) is referred to as a "public key infrastructure" (PKI). The establishment of one or more PKIs globally is expected to add the requisite element of "trust" to the Internet needed for its use to expand. H.R. 2413 (Sensenbrenner), introduced July 1, 1999, called for a National Research Council study of PKIs. The bill did not pass.

The Clinton Administration did not change its policy that allows any type of encryption to be sold in or imported into the United States. However, on September 3, 1997, FBI Director Louis Freeh discussed domestic use restrictions at a hearing before the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information. He expressed the point of view that only encryption products with key recovery be sold or imported for sale in the United States. Apparently the FBI also had drafted legislation along those lines (reportedly for a House committee) and the issue of domestic use restraints has become an integral part of the encryption debate. The Administration never proposed domestic use restraints, but it did not prevent the FBI Director from promoting that course of action. Civil liberties groups in particular are opposed to domestic use controls.

106th Congress Legislation

Divisions remained throughout the 106th Congress between those who oppose a liberal encryption policy (national security and law enforcement officials) and those who advocate it (computer industry representatives and privacy rights advocates). Several bills were introduced and debated, but none passed.

The Security and Freedom Through Encryption Act (H.R. 850, Goodlatte), introduced February 25, 1999 (similar to H.R. 695 from the 105th Congress), would foster the widespread use of the strongest encryption, with additional provisions to create criminal penalties for the use of encryption to conceal criminal conduct, and direct the Attorney General to compile examples in which encryption has interfered with law enforcement. The bill was reported (without amendment) by the Judiciary Committee (H.Rept. 106-117 part I), and was referred jointly and sequentially to the Committees on International Relations, Commerce, Armed Services, and Permanent Select on Intelligence. The bill was reported (amended) by the each of those Committees (Parts II, III, IV, and V).

The five versions of H.R. 850 differed significantly, and provisions written into some versions completely opposed other versions. The versions passed by the Committees on the Judiciary, Commerce, and International Relations codified the policy of unrestricted domestic use and sale of encryption, prohibited the government from mandating key escrow practices for the public, and liberalized the controls governing the export of strong encryption. The Armed Services and Intelligence Committee versions, in contrast, had minimal or no mention of domestic use of encryption, and increase the authority of the President in restricting the controls governing the export of strong encryption. All of the bills, except for the version by the Armed Services Committee, established criminal penalties for the use of encryption in the furtherance of a criminal act (the Intelligence Committee version provided greater details than the others in that area).

In addition, each Committee added provisions for specific agencies and circumstances. For example, the Commerce Committee established a National Electronic Technologies (NET) Center in the Department of Commerce to promote the exchange of information regarding data security techniques and technologies, and the International Relations Committee directed the Secretary of Commerce to consult with the Attorney General, the Federal Bureau of Investigation, and the Drug Enforcement Administration before approving any license to export encryption products to any country identified as being a major drug producer. The Intelligence Committee authorized appropriations for the Technical Support Center, at the FBI.

In the Senate, S. 798 (McCain) was introduced on April 14, 1999, containing similar provisions as the original version of H.R. 850, except that it only allowed the export of encryption products with 64 bit key lengths or less, and established an Encryption Export Advisory Board that could recommend allowing the export of stronger products in the future. S. 798 also set a deadline of January 1, 2002 for the federal adoption of the Advanced Encryption Standard (which uses a 128 bit key length) and allowed the export of products employing AES at that date. S. 798 allowed the export of strong (greater than 64 bit) encryption products with key recovery features, as well as the export of strong encryption products to "legitimate and responsible entities," including publicly traded firms, U.S. corporate subsidiaries or affiliates, firms required by law to maintain plaintext records, and others. S. 798 did not contain criminal provisions for the use of encryption in the furtherance of a crime, and prohibited domestic controls and mandatory plaintext access.

Reaching a compromise on some of the differences (such as key escrow and export policies) would have been difficult, and the lack of support by parts of Clinton Administration (the Defense and Justice Departments) further complicated the prospects for enacting legislation. On July 27, 1999, two more encryption policy-related bills were introduced: H.R. 2616 (Goss), which reflects the House Intelligence Committee's mark-up of H.R. 850, and H.R. 2617 (Goss), which proposes a tax incentive for the nation's encryption software manufacturers to develop products with recoverability features. After the Administration's relaxation of encryption regulations, the pressure dissipated to bring H.R. 850 to the floor in the House.

Electronic Signatures/Digital Signatures

An electronic signature is a means of uniquely identifying (authenticating) the user of a computer to control access or authorize a transaction. Electronic signatures can use several technologies including personal identification numbers, smart cards, biometrics (i.e., digital fingerprints, retinal scans, or voice recognition), or digital signatures (an encrypted set of bits that identify the user). Electronic signatures can be used for access or control of either stand-alone computers or of Internet-based transactions. The most common electronic signature technology in use today is the digital signature, which is unique to each individual and to each message, and can be used in conjunction with certificate authorities to verify that the individuals on each end of a communication are who they claim to be and to authenticate that nothing in the message has been changed. Through the use of digital signatures, legally recognized signatures can be produced for use in electronic commerce. A digital signature is distinguished from an encryption product in that a digital signature does not provide confidentiality (preventing transmitted data from being monitored by unwanted parties).

Electronic signatures are of congressional interest both in terms of the respective roles of federal, state, and international laws governing their use and requirements for government use of electronic signatures to enable electronic filing of information. While neither law enforcement nor national security organizations oppose the use of electronic signatures, many question whether a standard for electronic signatures should be established to enhance electronic commerce. With the exception of Arkansas, South Carolina, and South Dakota, all states have considered or enacted some form of electronic authentication law. Thirty-six states have introduced or are considering 76 electronic signature initiatives. Twenty-six states have enacted one or more of these initiatives into law. In the area of digital signatures or PKI technologies, 20 states have introduced or considered 36 different initiatives or regulations with 10 states adopting some form into law. Seven states are examining laws that address both digital and electronic signatures. These laws are summarized in Survey of State Electronic & Digital Signature Legislative Initiatives by Albert Gidari and John Morgan of Perkins Cole. The article, and links to state laws, are provided by the Internet Law and Policy Forum http://ilpf.org/digsig/survey.htm.

According to Gidari and Morgan, three models have developed at the state level: the "Utah" or "prescriptive" model with a specific public key infrastructure scheme including state-licensed certificate authorities; the "California" or "criteria-based" model that requires digital or electronic signatures to satisfy certain criteria of reliability and security; and the "Massachusetts" or "signature enabling" model that adopts no specific technological approach or criteria, but recognizes electronic signatures and documents in a manner parallel to traditional signatures. Some of the proposed state laws are general, applying to a wide range of government or private sector activities, while others are more narrowly cast. One controversial aspect of the debate over electronic and digital signatures is whether there should be a single federal law in place of the various state laws.

Laws Enacted Prior to the 106th Congress

In the 105th Congress, the Government Paperwork Elimination Act was enacted as part of the FY1999 Omnibus Appropriations Act (P.L. 105-277). This measure directs the Office of Management and Budget (OMB) to establish procedures for executive branch agencies to accept electronic submissions using electronic signatures, and requires agencies to accept those electronic submissions except where found to be impractical or inappropriate. By October 2003, executive branch agencies must provide for the option of electronic maintenance, submission, or disclosure of information as a substitute for paper. In April 2000, OMB released procedures to permit private employers to electronically store and file with executive agencies forms pertaining to their employees. In addition, OMB, together with the National Telecommunications and Information Administration, is conducting a study of the use of electronic signatures, including an analysis of its impact on paperwork reduction, electronic commerce, individual privacy, and the security and authenticity of electronic transactions, and will report to Congress on these issues. Electronic records generated from this law will have full legal effect, and information collected from an executive agency using electronic signature services may only be used or disclosed by those using the information for business or government practices. These provisions do not apply to the Department of Treasury if the provisions conflict with internal revenue laws or codes. On March 5, 1999, OMB released proposed procedures to implement the Act, outlining actions for specific federal agencies. Some of those who commented on the OMB proposal were concerned about a potential over-reliance on "identity-based" authentication techniques that could lead to larger storehouses of information collected by the government and its contractors.

Another issue is whether the government should use commercial standards for electronic or digital signatures. Since 1993, the federal government had adopted only the federally developed Digital Signature Algorithm (DSA), which does not support confidentiality. In December 1998, however, after the enactment of the National Technology Transfer Act of 1995 (P.L. 104-113) and with policies established in OMB Circular A-119 (revised February 10, 1998), the National Institute of Standards and Technology (NIST) announced approval of an interim Federal Information Processing Standard (FIPS) to allow federal agencies to use the RSA digital signature standard (the de facto commercial standard) in addition to the DSA standard. Permanent adoption of the RSA standard could increase its use by firms that conduct business with the federal government. NIST is also reviewing a third digital signature standard, called Elliptic Curve Cryptography (ECC), which, if adopted, could result in a more competitive market for digital signature software.

Legislation in the 106th Congress

In the 106th Congress, several bills were introduced regarding electronic and digital signatures. The Millennium Digital Commerce Act (S. 761, Abraham and its companion H.R. 1320, Eshoo) was introduced March 25, 1999 to regulate interstate electronic commerce by permitting and encouraging its continued expansion through the operation of free market forces, including the legal recognition of electronic signatures. S. 761 (S.Rept. 106-131) passed the Senate (amended) November 19, 1999. H.R. 1320 was referred to the House Commerce and Government Reform Committees, and no further action was taken on that bill. Another similar bill, Electronic Signatures in Global and National Commerce Act (H.R. 1714, Bliley) was introduced May 6, 1999 to facilitate the use of electronic signatures and records (i.e., a document created, stored, generated, received, or communicated by electronic means) in interstate and foreign commerce. Two different amended versions of H.R. 1714 were reported by the House Commerce Committee (H.Rept. 106-341 part I) and the House Judiciary Committee (H.Rept. 106-341 part II), and the bill passed the House on November 9, 1999.

Businesses generally favored both House and Senate versions of this legislation, but the Administration and some consumer and privacy advocates were concerned that the language in the House bill was overly broad or undefined, and could create disadvantages for consumers who do not have access to computers or the Internet. Furthermore, the National Conference of Commissioners on Uniform State Laws expressed concern that the legislation could interfere with the efforts of some states to adopt electronic signature laws. The conference report (H.Rept. 106-661) passed the House June 14, 2000, and the Senate June 16, and was signed by the President (P.L. 106-229) on June 30.

Other bills with electronic signature provisions, introduced but not enacted, include: (1) the Paperwork Elimination Act of 1999 (H.R. 439, Talent), to minimize the burden of federal paperwork demands upon small businesses, educational and nonprofit institutions, federal contractors, state and local governments, and other persons through the sponsorship and use of electronic signatures and records, including over the Internet (passed House February 9, 1999); (2) the Digital Signature Act (H.R. 1572, Gordon), to require the adoption and utilization of digital signatures by federal agencies and establish a national policy panel for digital signatures, with government, academic, and industry representatives, to study the use of digital signatures in private sector electronic transactions, such as over the Internet; (3) the Internet Growth and Development Act of 1999 (H.R. 1685, Boucher), contained a provision to provide for the recognition of electronic signatures for the conduct of interstate and foreign commerce; (4) the Computer Security Enhancement Act of 1999 (H.R. 2413, Sensenbrenner) contains a provision directing the National Institute of Standards and Technology to develop electronic authentication infrastructure guidelines and standards for use by federal agencies to effectively utilize electronic authentication technologies in a manner that is sufficiently secure and interoperable to meet the needs of those agencies and their transaction partners (passed House October 24, 2000); and (5) the Electronic Securities Transactions Act (S. 921, Abraham), to facilitate and promote electronic commerce in securities transactions involving broker-dealers, transfer agents and investment advisers.

Computer Security

Although unauthorized access to computer networks ("hacking") is by no means a new problem, growing use of the Internet increases the threat and risk. Hacking or "cracking"(hacking with the intent to do harm) is perceived to be a growing problem both for the government and the private sector. The extent of the problem is difficult to quantify because many institutions do not want the negative publicity associated with public acknowledgment of hacking attempts (whether successful or not). Also, many attempts to hack into a computer system may go undetected.

A 1996 report by the Senate Governmental Affairs Permanent Select Subcommittee on Investigations, together with a related series of hearings and a General Accounting Office report (GAO/AIMD-96-84) have provided some estimates. The GAO study referenced an assessment by the Defense Information Systems Agency that Department of Defense computers may have been attacked 250,000 times during 1995. The assessment added that the number may represent just a small fraction of the attempts because only an estimated 1 in 150 attacks are detected and reported. What constitutes an "attack" must be defined, however. Some "attacks" may be someone "pinging" a system to get an idea of how a system is structured or looking for weak access points (like walking down the hall in a hotel and checking the doors to see if they are locked) and may never result in an intrusion per se. Regarding the private sector, the subcommittee's report cited an estimate from one private security company that the private sector had lost $800 million in 1995 due to computer intrusions. Most losses probably are not publicly acknowledged, however.

In its most recent survey (2000) conducted in cooperation with the FBI, the Computer Security Institute (CSI) reported that of the 643 responses from commercial, government, and academic security practitioners, 70% reported security breaches (a slight increase from the 62% reported in the 1999 survey). Breaches included theft of proprietary information, sabotage, insider abuse of Internet access, financial fraud, spoofing, denial of service, viruses, telecommunications fraud, wiretapping, eavesdropping, and laptop theft. (2) Of those reporting security breaches, 74% reported that they suffered financial losses. However, only 42% were willing or able to estimate those losses, totally $265 million. The most serious losses occurred as a result of losing proprietary information. Financial losses include not only direct costs (theft of funds, costs to repair databases) but also indirect costs such as system "down-time" and, if measurable, losses due to loss of confidence. The CSI report and a press release are available at http://www.gocsi.com/prelea_000321.htm.

Rules and regulations governing the security of federal computer systems are guided by the Computer Security Act of 1987 (P.L. 100-235), and OMB Circular A-130, Annex III. The Act authorizes the National Institute of Standards and Technology (NIST) to set security standards for all civilian unclassified government systems. The National Security Agency (NSA) does the same for the federal government's classified computer systems. The Act requires each agency to develop a security plan for those computer systems containing sensitive information, pursuant to the guidelines developed by NIST and promulgated by the Secretary of Commerce. In addition, the OMB Circular requires agencies to solicit independent advice and comment on their plans before they are implemented. A summary of the plan is to be included in the agency's Information Resource Management strategic plan. OMB chairs an interagency committee of Chief Information Officers (CIOs) in which a subcommittee is devoted to security issues. In addition, NIST and NSA have formed a partnership, along with a few other foreign countries, that is providing common criteria for certifying security products. This partnership facilitates an international market in security products.

Various federal agencies also have groups that will perform vulnerability analyses on federal systems, recommend fixes to problems identified, and to assist in integrating those fixes into systems. A variety of agencies have also set up computer emergency response teams (CERTs) that help system administrators deal with intrusions and the problems that might arise. The CERT at Carnegie Mellon University was established to provide such services to Internet users anywhere in the country and has signed a contract with the General Services Administration to provide similar services to government agencies that may not have their own capability.

Of growing concern is the risk hacking poses to America's basic infrastructures (e.g., transportation systems, electric utilities), which increasingly rely on networked computer systems. The President's Commission on Critical Infrastructure Protection (PCCIP) issued a report in November 1997 regarding the "cyberthreat" to five of the nation's basic infrastructures--information and communications, banking and finance, energy (including electric power, oil, and gas), physical distribution, and vital human services. While not finding an immediate crisis, the PCCIP concluded that the nation's infrastructures are vulnerable and the consequences threatening to the security of the nation. The report, Critical Foundations: Protecting America's Infrastructures, led to a Presidential Decision Directive (PDD-63) that was released May 22, 1998. PDD-63 sets as a national goal the ability to protect critical infrastructures from intentional attacks (both physical and cyber) by 2003 (see CRS Report RL30153, Critical Infrastructures: Background and Early Implementation of PDD-63).

One of the institutional structures established by PDD-63 was the National Infrastructure Protection Center (NIPC). The NIPC is an interagency organization set up within the Federal Bureau of Investigation to act as the operational focal point for coordinating federal response to infrastructure "attacks." The Directive also makes the NIPC the central federal point of contact for developing threat analyses, issuing warnings and sharing information regarding intrusions, hacking methods and fixes. The NIPC draws upon expertise found throughout the federal government. The PDD encourages the private sector to set up a parallel centers to interact with the NIPC.

One of the capabilities that the Directive wants established is the ability to detect when an intrusion has occurred. Dubbed the federal intrusion detection network (FIDNET), initial proposals for establishing this capability raised privacy issues both inside and outside the Administration. Since then the proposal has changed. The network would be decentralized, each agency being responsible for installing intrusion detection hardware and software on its systems, analyzing the data, and only forwarding concerns if suspicious behavior has been detected. Those concerns and any supporting analysis would be forwarded first to the General Services Administration (GSA). The NIPC would only be contacted if it was determined that criminal activity had occurred.

From a law enforcement point of view, the federal computer fraud and abuse statute, 18 U.S.C. 1030, addresses protection of federal and bank computers, and computers used in interstate and foreign commerce. CRS Report 97-1025, Computer Fraud & Abuse: An Overview of 18 U.S.C. 1030 And Related Federal Criminal Laws, provides more information on the statute. In general, it prohibits trespassing, threats, damage, espionage, and using computers for committing fraud. While many experts believe these statutes to be sufficient to fight computer intrusions, many also believe that statues governing procedural issues (such pursuing hackers across jurisdictional lines in "cyberspace") need modification.

In December 1997, acknowledging the growing problem of crime on the Internet, the United States, Britain, Canada, France, Germany, Italy, Japan, and Russia agreed on steps to fight computer crimes. Among some of the steps agreed upon were to: establish high-tech crime contacts available on a 24-hour basis; preserve information on computer networks so computer criminals cannot alter or destroy electronic evidence; review legal systems to ensure they appropriately criminalize computer wrongdoing and facilitate investigation of high-tech crimes. In addition, the 41-country Council of Europe is negotiating a treaty to facilitate tracking cyber criminals across their national boundaries. The latest draft of the treaty was released in December 2000. A discussion of the draft can be found on the Council's web page http://conventions.coe.int/treaty/EN/cadreprojets.htm.

The 106th Congress continued to be interested in the issue of computer security, especially as it affects critical infrastructures and national security. Congressional action in the first session consisted primarily of oversight hearings. A few bills were introduced. Of these only two made into law during the second session. H.R. 2816 (P.L. 106-572) authorized the Department of Justice to offer grants to states and localities to help them investigate and prosecute computer crimes. The law authorizes the expenditure of $25 million for the grant program through FY2004. S. 1993 modified the Paperwork Reduction Act and other relevant statutes concerning computer security of government systems, putting into statute a number of agency responsibilities some of which are already required by OMB Circular A-130, Appendix III. S. 1993 was passed as part of the FY2001 defense authorization bill (H.R. 4205, P.L. 106-398).

The opening weeks of the second session of the 106th Congress witnessed the wide-spread denial-of-service attacks on major Web sites including Yahoo, Amazon, CNN, and E-Trade. A few months later, the world experienced the LoveBug virus, leading to the disruption of e-mail service around the world. A number of new bills were subsequently introduced addressing different aspects of Internet security, including increasing the penalties associated with 18 USC 1030. None of the bills introduced in the second session, however, made it into law.

The broadest of the bills introduced in the second session, and one that may form the basis for renewed action in the Senate in the 107th Congress, was S. 2448. The original version of S. 2448 included modifications to the definitions of what constitutes a computer crime and subsequent penalties (including damages and forfeiture), the issuance of pen registers and trap and trace devices to allow for cross jurisdictional investigations of specific computer crimes, and assistance to state and local governments to fight computer crime, including the establishment of a National Cyber Crime Technical Support Center. The bill also addressed privacy issues, called for a public awareness campaign regarding computer security, established within the Department of Justice a new position of Deputy Assistant Attorney General for Computer Crime and Intellectual Property and addressed international computer crime enforcement issues. The bill was amended (with the sections related to trap and trace, privacy, and international issues dropped) and was attached to H.R. 46 (an act to provide a national medal for public safety officers who act with extraordinary valor) and passed the Senate in December 2000, but was not reconsidered in the House.

Internet Privacy (3)

More than 30 bills in the 106th Congress addressed Internet privacy in whole or in part, (4) although the only legislation that cleared Congress and was signed into law were amendments to the FY2001 Transportation Appropriations Act (P.L. 106-346) and the FY2001 Treasury-General Government Appropriations (including in the Consolidated Appropriations Act, P.L. 106-554) addressing the use of "cookies"on certain federal agency Web sites.

The range of legislation reflects the various approaches Members of Congress are taking in addressing Internet privacy issues. Some bills approached Internet privacy in a broader context of consumer privacy concerns, while others were narrowly focused on a particular issue. Perhaps the most often discussed approach was whether to require Web sites to adhere to four "fair information practices" proposed by the Federal Trade Commission: notice, access, choice, and security. The 107th Congress is expected to focus on that issue. CRS Report RL30784 (pdf) provides more detailed information on fair information practices in the Internet context.

Although not an Internet privacy issue per se, Congress also devoted considerable attention to consumer identity theft concerns. Many worry that consumer identity theft is growing because they believe the Internet allows ready access to Social Security numbers. Hence this topic is often discussed in the context of Internet privacy and is briefly described here. The 106th Congress passed and the President signed into law one bill (P.L. 106-433) that limits the display and use of Social Security numbers, and another (P.L. 106-578) to reduce the likelihood that the Internet is used for creating and distributing false identification documents (P.L. 106-578).

Several hearings were held in the 106th Congress on Internet privacy: House Commerce, July 13, 1999, and October 11, 2000; House Government Reform, May 15-16, 2000; House Judiciary, May 27, 1999, and September 6, 2000; Senate Commerce, July 27, 1999, and May 25, June 13, and October 3, 2000; and Senate Judiciary, April 21, 1999 and May 25, 2000.

Collection of Data by Web Site Operators

The Internet ("online") privacy debate concerns whether industry self regulation or legislation is the best approach to assuring consumer privacy. Although many in Congress and the Clinton Administration prefer self regulation, the 105th Congress passed legislation to protect the privacy of children under 13. There concerns about information children might divulge not only about themselves, but about their parents, in response to questions asked at various Web sites. Congress therefore passed and the President signed into law the Children's Online Privacy Protection Act (COPPA) as Title XIII of Division C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act (P.L. 105-277). The law requires operators of World Wide Web sites to obtain verifiable parental consent before collecting, using, or disseminating information about children under 13, and allows parents to "opt out" of dissemination of information already collected about that child. The FTC issued a final rule http://www.ftc.gov/privacy/index.html implementing the Act on October 20, 1999, which became effective April 21, 2000 (see CRS Report RL30784 (pdf) for further information).

Passage of the law followed years of debate on the need for legislation versus relying on industry self regulation. In its July 1997 report, A Framework for Global Electronic Commerce, the Clinton Administration endorsed industry self regulation for protecting consumer Internet privacy, but stressed that if industry did not self-regulate effectively the government might have to step in, particularly regarding children. On May 14, 1998, Vice President Gore called for an "electronic bill of rights" to protect consumers' privacy. He encouraged Congress to pass medical records privacy legislation (see CRS Issue Brief IB98002), and announced the establishment of an "opt-out" Web site http://www.consumer.gov by the FTC to allow individuals to indicate they do not wish personal information passed on to others. At a June 23-24, 1998 "summit" on Internet privacy, then-Secretary of Commerce Daley warned industry that the Administration would seek legislation to protect all online consumers if industry did not accelerate its privacy protection efforts in general. On July 31, 1998, Vice President Gore addressed a wide range of privacy issues, reiterating his call for Congress to pass legislation requiring parental consent before information is collected about children under 13. Vice President Gore renewed the Administration's emphasis on industry self regulation, but noted the test of success would be the degree of industry participation.

In a July 17, 2000 speech, Clinton White House Chief of Staff Podesta proposed legislation to update existing wiretap laws covering telephone and other types of communications to include electronic communications such as e-mail, and enhance electronic privacy and civil liberties. At about that time, though, controversy erupted over an FBI software program called Carnivore that the FBI, with a court order, can install on Internet Service Providers' equipment to intercept e-mail. The extent to which Carnivore can differentiate between e-mail involving a subject of an investigation and other people's e-mail is of considerable debate, with critics claiming that Carnivore violates the privacy of innocent e-mail users. A House Judiciary subcommittee held a hearing on Carnivore on July 24. Legislation (H.R. 4987, Barr; and H.R. 5018, Canady) that would have, inter alia, required law enforcement to report on its use of e-mail intercepts was discussed at a September 6, 2000 House Judiciary hearing. H.R. 5018 was reported from House Judiciary on October 4 (H.Rept. 106-932). There was no further action.

Another controversy, dubbed "Cookiegate" in the press, arose over federal agencies' use of computer "cookies"(small text files placed on users' computers when they access a particular Web site) to track activity at their Web sites. Federal agencies have been directed by the President and the Office of Management and Budget (OMB) to ensure that their information collection practices adhere to the Privacy Act of 1974. In June 2000, however, the White House announced that it had just learned that contractors for the Office of National Drug Control Policy (ONDCP) had been using cookies to collect information about those using ONDCP's Web site during an anti-drug campaign wherein users clicking on anti-drug ads on various Web sites were taken to an ONDCP site. Cookies then were placed on users' computers to count the number of users, what ads they clicked on, and what pages they viewed on the ONDCP site. The White House directed ONDCP to cease using cookies, and OMB issued a memorandum reminding agencies to post and comply with privacy policies and detailing the limited circumstances under which agencies should collect personal information.

In response, Congress passed Section 501 of the FY2001 Transportation Appropriations Act (P.L. 106-346), which prohibits funds in the FY2001 Treasury-General Government Appropriations Act from being used by any federal agency to collect, review, or create aggregate lists that include personally identifiable information (PII) about an individual's access to or use of a federal Web site or enter into agreements with third parties to do so, with exceptions. Section 646 of the FY2001 Treasury-General Government Appropriations Act, as included in the FY2001 Consolidated Appropriations Act (P.L. 106-554), requires Inspectors General of agencies or departments covered in that appropriations act to report to Congress within 60 days of enactment on activities by those agencies or departments relating to collection of PII about individuals who access any Internet site of that department or agency, or entering into agreements with third parties to obtain PII about use of government or non-government Web sites.

The FTC has been very active on Internet privacy issues for several years. Two FTC surveys of Web sites, in December 1997 and June 1998, to assess how the industry was responding to privacy concerns showed that many Web sites collected personally identifiable information but few disclosed their information collection practices or posted privacy policies. Frustrated at the survey results, the FTC announced that it would seek legislation protecting children's privacy on the Internet by requiring parental permission before a Web site could request information about a child. COPPA was enacted four months later.

Two industry-sponsored studies conducted by Georgetown University http://www.msb.edu/faculty/culnanm/gippshome.html in the spring of 1999 found a larger percentage (66%) of the Web sites in those surveys posting a privacy policy or an information practice statement, up from 14% in the 1998 FTC survey, but only 36% posted both types of disclosures. Of the top 100 Web sites, 93% posted either type of disclosure, but only 20% provided the four elements of fair information practices (notice, choice, access, and security). The Georgetown statistics thus provided ammunition to both sides in the debate. For its part, the FTC concluded that additional legislation was not needed at that time.

However, in May 2000, the FTC released another survey that only 20% of randomly visited Web sites with at least 39,000 unique monthly visitors, and 42% of the 100 most popular Web sites, had implemented all four fair information practices (notice, choice, access, and security). The FTC concluded that self regulation had not yet established "a significant presence on the Web." The FTC voted 3-2 to propose legislation that would allow it to establish regulations requiring Web site operators to follow the four fair information practices. The close vote underscored the controversial nature of the FTC's reversal of position, which was further illuminated at a Senate Commerce Committee hearing on May 25, 2000.

The Internet industry prefers self regulation, and one action it took to demonstrate its intention to self regulate was the formation of the Online Privacy Alliance (OPA). OPA developed a set of privacy guidelines and its members are required to adopt and implement posted privacy policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust, have established "seals" for Web sites. To display a seal from one of those organizations, a Web site operator must agree to abide by certain privacy principles (some of which are based on the OPA guidelines), a complaint resolution process, and to being monitored for compliance. Advocates of self regulation argue that these seal programs demonstrate industry's ability to police itself. Advocates of legislation argue that while the seal programs are useful, they do not carry the weight of law, limiting remedies for consumers whose privacy has been violated. They also point out that while a site may disclose its privacy policy, that does not necessarily equate to having a policy that protects privacy. Two studies, one by the Center for Democracy and Technology http://www.cdt.org/privacy/990727privacy.pdf and one by the Electronic Privacy Information Center http://www.epic.org/reports/surfer-beware3.html explore that viewpoint.

Public interest groups have become particularly concerned about online profiling where companies collect data about what Web sites are visited by a particular user and develop profiles of that user's preferences and interests for targeted advertising. Following a one-day workshop on online profiling, FTC issued a two-part report in the summer of 2000 that also heralded the announcement by a group of companies that collect such data, the Network Advertising Initiative (NAI), of self-regulatory principles. The FTC also called on Congress, however, to enact legislation to ensure consumer privacy vis a vis online profiling. Such legislation has not yet been passed.

European Data Directive

One factor in the U.S. debate over the merits of self regulation versus legislation is the need for the United States to address policies adopted in Europe concerning data privacy. The European Union (EU) adopted a policy in 1995 referred to as the "European data directive" that requires member countries to pass laws prohibiting the transfer of personal data to countries that are not members of the EU ("third countries") unless the third countries ensure an "adequate level of protection" for personal data. The directive went into force on October 25, 1998. Since the United States does not have such laws, the U.S. Department of Commerce (DOC) negotiated with the EU to accept "safe harbor" certifications developed by DOC and U.S. industry whereby U.S. companies can satisfy the intent of the EU data directive through adhering to certain self regulatory principles. After two years of negotiations, the agreement was approved by the European Commission (the "executive arm" of the EU) in May 2000. The European Parliament, consisting of elected representatives of the EU countries, subsequently disapproved it, however, asking for further negotiations with the United States. The European Parliament's decision was not binding on the EC, though, and the EC decided to proceed with implementing the agreement after conveying to the United States the concerns expressed by the European Parliament. The text of the safe harbor agreement is at http://europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm. It became effective November 12, 2000. See CRS Report RL30748 (pdf) for a summary of its provisions.

Consumer Identity Theft

The widespread use of computers for storing and transmitting information is thought to be contributing to consumer identity theft, in which one individual assumes the identity of another using personal information such as credit card and Social Security numbers. Whether the Internet is responsible for the increase in consumer identity theft cases is debatable, however. Some attribute the rise instead to carelessness by businesses in handling personally identifiable information, and by credit issuers that grant credit without proper checks. The Federal Trade Commission (FTC) has a toll free number (877-ID-THEFT) to help victims of identity theft.

The 105th Congress passed the Identity Theft and Assumption Deterrence Act (P.L. 105-318), which sets penalties for persons who knowingly, and with the intent to commit unlawful activities, possess, transfer, or use one or more means of identification not legally issued for use to that person. Hearings in the 106th Congress discussed continuing issues and new legislation was introduced focusing mainly on limiting the display and/or use of Social Security numbers (SSNs). One is now law--the Social Security Number Confidentiality Act (P.L. 106-433, H.R. 3218). It prohibits display of SSNs on unopened checks or other Treasury-issued drafts. Another bill that addressed SSNs, S. 2554, was enacted as part of the FY2001 Commerce-Justice-State (CJS) Appropriations Act (P.L. 106-553), but only after Congress had agreed to strike it in another appropriations bill (the FY2001 Consolidated Appropriations Act, P.L. 106-554). Hence, it is not law. Called Amy Boyer's Law, it would have prohibited the display and certain uses of SSNs without the holder's permission, with exceptions, including by professional and commercial users as long as they did not display the SSN to the public. Proponents said it would limit access to SSNs, protecting potential victims like Amy Boyer who was stalked and killed by someone who purchased her SSN over the Internet. Opponents argued that it left open the use of SSNs by commercial companies, undermining attempts to protect privacy. President Clinton threatened to veto the CJS appropriations bill partially because of its inclusion of Amy Boyer's Law. He signed the CJS bill after Congress agreed to strike the language in the Consolidated Appropriations Act. That Act includes the Miscellaneous Appropriations Act (H.R. 5666), Division A, Chapter 2, Section 213(a)(6) of which strikes Amy Boyer's Law.

Separately, the 106th Congress passed S. 2924 (P.L. 106-578 ). It updates existing law against selling or distributing false IDs to include those sold or distributed through computer files, templates, and disks. It also requires the Attorney General and Secretary of the Treasury to create a coordinating committee to ensure that the creation and distribution of false IDs is vigorously investigated and prosecuted.

Protecting Children from Unsuitable Material (5)

Concern is growing about what children are encountering over the World Wide Web, particularly in terms of indecent material or contacts with strangers who intend to do them harm. The private sector has responded by developing filtering and tracking software to allow parents either to prevent their children from visiting certain Web sites or to provide a record of what sites their children have visited.

Congress passed the Communications Decency Act (CDA) as part of the 1996 Telecommunications Act (P.L. 104-104). Among other things, CDA would have made it illegal to send indecent material to children via the Internet. In June 1997, the Supreme Court overturned the portions of the CDA dealing with indecency and the Internet. (Existing law permits criminal prosecutions for transmitting obscenity or child pornography over the Internet.) Congress passed a replacement law, the Child Online Protection Act, in 1998, but it also is being challenged in the courts.

The Child Online Protection Act (P.L. 105-277)

Congress passed the Child Online Protection Act (COPA) as part of the FY1999 Omnibus Appropriations Act (P.L. 105-277, Title XIV of Division C). The law prohibits commercial distribution of material over the Web to children under 17 that is "harmful to minors." Web site operators are required to ask for a means of age verification such as a credit card number before displaying such material. It replaces provisions of the 1996 Communications Decency Act that were overturned by the Supreme Court. By limiting the language to commercial activities and using the court-tested "harmful to minors" language instead of "indecent" as was used in the 1996 Act, the sponsors had hoped to have drafted a law that would survive court challenges. The American Civil Liberties Union (ACLU) and others filed suit against the provisions regarding the "harmful to minors" language in the new law in the U.S. District Court for the Eastern District of Pennsylvania on October 22, the day after President Clinton signed the bill into law. A temporary restraining order preventing enforcement of the relevant sections of the Act was issued in November 1998 and a preliminary injunction was issued in February 1999. The U.S. Court of Appeals for the 3rd Circuit upheld the preliminary injunction on June 22, 2000. (See CRS Report 98-670 A, Obscenity, Child Pornography, and Indecency: Recent Developments and Pending Issues.)

COPA established a Commission on Online Child Protection to study technologies and methods to help reduce access by children to material on the Web that is harmful to minors. (This part of the Act was not affected by the injunction.) The Commission, composed of 16 industry members appointed by the Republican and Democratic congressional leaders plus one ex officio representative each from the Federal Trade Commission (FTC) and Departments of Commerce and Justice, issued its report on October 20, 2000 [available at http://www.copacommission.org]. The report did not make recommendations for new legislation. It surveyed various technologies and other means by which children's access to certain materials on the Internet can be restricted, concluding that no single solution exists. Recommendations focused on the need for public education, consumer empowerment efforts, vigorous enforcement of existing laws, and voluntary industry actions. Separately, P.L. 105-314 (see next section) requires the Attorney General to contract with the National Research Council (NRC) to conduct a two-year study on the capabilities of computer-based technologies and other approaches to the problem of the availability of pornographic material to children on the Internet. NRC anticipates that the study will be completed in late 2001.

Filtering Technologies: The Children's Internet Protection Act (P.L. 106-554)

After several years of debate, the 106th Congress passed legislation requiring most schools and libraries that receive federal funds to using filtering technologies to screen out objectionable material on computers used by minors, and in some cases, adults. The law, the Children's Internet Protection Act, is Title XVII of the FY2001 Labor-HHS Appropriations Act, included in the FY2001 Consolidated Appropriations Act (P.L. 106-554). Detailed information on the provisions of this law are discussed in CRS Report RS20036. A brief summary of the issues and of the Act are provided below.

Background. Software products to filter or block access to Web sites or e-mail addresses has existed for many years. Links to information about these and other products and other tools for protecting children on the Web are available at http://www.GetNetWise.org. Some filtering products screen sites based on keywords, while others use ratings systems based on ratings either by the software vendor or the Web site itself.

Existing filtering software products have received mixed reviews because they cannot effectively screen out all objectionable sites on the ever-changing Web, or because they inadvertently screen out useful material. The Electronic Privacy Information Center (EPIC) released a report on filtering software in November 1997 http://www2.epic.org/reports/filter-report.html after it tested a filtering program called Net Shepard, searching the Web for sites it expected to be useful to and suitable for children. For example, EPIC searched for Web sites about the "American Red Cross" with and without Net Shepard activated. EPIC reported that Net Shepard prevented access to 99.8% of the sites. From this and other examples, EPIC concluded that in the effort to protect children from a small amount of unsuitable material, they were being denied access to a large amount of suitable information.

Congress and the Clinton Administration debated for several years whether to require schools and libraries to use filtering technology when children are using computers with Internet access, or to require Internet Service Providers (ISPs) to offer such technology to subscribers in general. A section of the Child Online Protection Act that was not overturned by the Supreme Court requires interactive computer services to advise customers that parental control protections are commercially available.

On May 5, 1999, Vice President Gore held a press conference with representatives of the Internet industry to announce that by July 1999 a "Parents' Protection Page" would appear automatically on most Web sites to help parents identify tools already available for them to guide their children in using the Internet, including filtering software. The GetNetWise Web site mentioned above, sponsored by the Internet industry and public interest groups, debuted in August 1999 providing "one click" tools for parents to guide their children when using the Internet and to report trouble. Many ISPs already were providing parents with tools and information voluntarily.

Despite these efforts at industry-sponsored solutions, debate continued over whether schools and libraries should be required by law to use filtering technology on computers that have Internet access when children are using them. Policies adopted by local communities reflect the spectrum of attitudes on this topic. Some allow children to use computers at local libraries only with parental permission, some use filtering software, and others impose no restrictions. Quality Education Data reported in October 1999 (Communications Daily, October 25, 1999, p. 2-3) that 58.3% of schools use filtering software and 90.5% have "acceptable use" policies where adults and children have an agreement regarding how the children should behave when using the Internet.

Supporters of attempts to pass a law argued that children must be protected from inappropriate material, particularly when their parents are not present to supervise them. Critics assert that it is censorship, prevents access to appropriate sites, and that such decisions should be left to the local community. Some believe "acceptable use" or "Internet use" policies are preferable.

Passage of the Children's Internet Protection Act. The Children's Internet Protection Act requires most schools and libraries to use "technology protection measures" to filter or block unsuitable Web sites. The Act blends approaches that would have required schools receiving federal technology funds under the Elementary and Secondary Education Act (ESEA) or schools and libraries receiving "E-rate" subsidies through the universal service fund to use "technology protection measures" to block access to certain material on the Internet. (For information on universal service and the E-rate, see CRS Issue Brief IB98040, Telecommunications Discounts for Schools and Libraries: the "E-Rate" Program and Controversies.)

The Children's Internet Protection Act includes the following provisions.

  • Funds made available to schools under Title III of ESEA, and funds made available to libraries under section 224 of the Museum and Library Services Act, to schools or libraries that do not receive E-rate funds, may not be used to purchase computers used to access the Internet or to pay for direct costs of accessing the Internet, unless the school, school board, local educational agency, or other authority, or library, has an Internet safety policy for minors that includes the operation of a technology protection measure with respect to any of its computers with Internet access that protects against access through such computers to visual depictions that are obscene, child pornography, or harmful to minors. A similar requirement is made to protect against access by other users to visual depictions that are obscene or are child pornography. The technology protection measure may be disabled by an administrator, supervisor, or other authorized person to enable access for bona fide research or other lawful purposes.

If a school does not comply, the Secretary of Education may withhold further funding under Title III, issue a cease and desist order, or enter into a compliance agreement. If a library does not comply, the Director of the Institute of Museum and Library Services has the same options. No recovery of funds is permitted in either case.

  • Elementary and secondary schools and libraries that receive E-rate funding must be certified by the Federal Communications Commission (FCC) that they have adopted and implemented an Internet safety policy for computers with Internet access and are using those computers in accordance with the certifications. This requirement does not apply to schools and libraries that receive E-rate funds only for purposes other than the provision of Internet access, Internet service, or internal connections.

Each school, school board, or other authority responsible for administering the school, or library, shall provide reasonable public notice and hold at least one public hearing or meeting to address the proposed Internet safety policy. If a school does not meet the definition of an elementary or secondary school under ESEA, the notice and hearing may be limited to members of the public with a relationship to the school.

The certification must certify that the school or library is enforcing a policy of Internet safety for minors that includes monitoring the online activities of minors and the operation of a technology protection measure with respect to any computer with Internet access that protects against access to visual depictions that are obscene, child pornography, or harmful to minors, and is enforcing operation of the technology protection measure. A similar requirement is made for adult users against access to material that is obscene or child pornography. The technology protection measure may be disabled during adult use to enable access for bone fide research or other lawful purpose.

If schools and libraries do not comply, they must reimburse any funds or discounts they received during the period covered by the certification. The FCC is required to prescribe regulations to implement this section within 120 days of enactment.

  • Funding available under Title VI of ESEA or section 231 of the Library Services and Technology Act may be used to obtain necessary technology protection measures.
  • Each school or library receiving E-rate funds shall adopt and implement an Internet safety policy that addresses access by minors to inappropriate matter on the Internet and World Wide Web, the safety and security of minors when using e-mail, chatrooms, and other forms of direct electronic communications; unauthorized access and other unlawful activities by minors online; unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and measures designed to restrict minors' access to materials harmful to minors, and provide reasonable public notice and hold at least one public hearing or meeting to address the proposal Internet safety policy. Determining what is inappropriate for minors shall be made locally. The FCC shall prescribe regulations for purposes of this section no later than 120 days after the date of enactment.
  • Any civil action challenging the constitutionality, on its face, of the Act would be heard first by a district court of three judges convened pursuant to 28 U.S.C. 2284. Appellate review would be by direct appeal to the Supreme Court.

According to the Washington Times ( December 20, 2000, p. B7), the American Library Association and the American Civil Liberties Union have indicated that they will challenge the law in court, as will the Free Congress Foundation, which opposes the Act because it overrides local laws. The Electronic Privacy Information Center (EPIC) and the Center for Democracy and Technology (CDT) also have criticized passage of the Act.

Unsolicited Commercial Electronic Mail ("Junk E-Mail" or "Spam") (6)

One aspect of increased use of the Internet for electronic mail (e-mail) has been the advent of unsolicited advertising, or "junk e-mail" (also called "spam," "unsolicited commercial e-mail," or "unsolicited bulk e-mail"). The Report to the Federal Trade Commission of the Ad-Hoc Working Group on Unsolicited Commercial Email http://www.cdt.org/spam reviews the issues in this debate.

In 1991, Congress passed the Telephone Consumer Protection Act (P.L. 102-243) that prohibits, inter alia, unsolicited advertising via facsimile machines, or "junk fax" (see CRS Report RL30763, Telemarketing: Dealing with Unwanted Telemarketing Calls). Many question whether there should be an analogous law for computers, or at least some method for letting a consumer know before opening an e-mail message whether or not it is unsolicited advertising and to direct the sender to cease transmission of such messages. At a November 3, 1999 hearing of the House Commerce telecommunications subcommittee, a representative of SBC Internet Services, a subsidiary of SBC Communications, Inc., stated that 35% of all the e-mail transmitted over SBC's Internet systems in its Pacific Bell and Southwestern Bell regions is UCE.

Opponents of junk e-mail such as the Coalition Against Unsolicited Commercial Email (CAUCE) argue that not only is junk e-mail annoying, but its cost is borne by consumers, not marketers. Consumers are charged higher fees by Internet service providers that must invest resources to upgrade equipment to manage the high volume of e-mail, deal with customer complaints, and mount legal challenges to junk e-mailers. According to the May 4, 1998 issue of Internet Week, $2 of each customer's monthly bill is attributable to spam http://www.techweb.com/se/directlink.cgi?INW19980504S0003. Some want to prevent bulk e-mailers from sending messages to anyone with whom they do not have an established business relationship, treating junk e-mail the same way as junk fax. Proponents of unsolicited commercial e-mail argue that it is a valid method of advertising. The Direct Marketing Association (DMA), for example, argues that instead of banning unsolicited commercial e-mail, individuals should be given the opportunity to notify the sender of the message that they want to be removed from its mailing list -- or "opt-out." In January 2000, the DMA launched a new service, the E-mail Preference Service, where any of its members that send UCE must do so through a special Web site where consumers who wish to "opt out" of receiving such mail can register themselves http://www.e-mps.org. Each DMA member is required to check its list of intended recipients and delete those consumers who have opted out. While acknowledging that the service will not stop all spam, the DMA considers it "part of the overall solution" http://www.the-dma.org/aboutdma/release4.shtml. Critics argue that most spam does not come from DMA members, so the DMA plan is insufficient.

To date, the issue of restraining junk e-mail has been fought primarily over the Internet or in the courts. Some Internet service providers will return junk e-mail to its origin, and groups opposed to junk e-mail will send blasts of e-mail to a mass e-mail company, disrupting the company's computer systems. Filtering software also is available to screen out e-mail based on keywords or return addresses. Knowing this, mass e-mailers may avoid certain keywords or continually change addresses to foil the software, however. In the courts, Internet service providers with unhappy customers and businesses that believe their reputations have been tarnished by misrepresentations in junk e-mail have brought suit against mass e-mailers.

Although several bills were debated in both the 105th and 106th Congresses, no legislation has cleared Congress yet. Some states are passing their own legislation. According to the National Conference of State Legislatures, as of March 2000, 15 states had enacted such laws and 16 introduced spam bills during their 2000 legislative sessions.

Internet Domain Names (7)

The 106th Congress continued to monitor issues related to the Internet domain name system (DNS). Internet domain names were created to provide users with a simple location name for computers on the Internet, rather than using the more complex, unique Internet Protocol (IP) number that designates their specific location. As the Internet has grown, the method for allocating and designating domain names has become increasingly controversial.

The Internet originated with research funding provided by the Department of Defense Advanced Research Projects Agency (DARPA) to establish a military network. As its use expanded, a civilian segment evolved with support from the National Science Foundation (NSF) and other science agencies. While there are no formal statutory authorities or international agreements governing the management and operation of the Internet and the DNS, several entities have played key roles in the DNS. The Internet Assigned Numbers Authority (IANA) makes technical decisions concerning root servers, determines qualifications for applicants to manage country code Top Level Domains (TLDs), assigns unique protocol parameters, and manages the IP address space, including delegating blocks of addresses to registries around the world to assign to users in their geographic area. IANA operates out of the University of Southern California's Information Sciences Institute and has been funded primarily by the Department of Defense.

Prior to 1993, NSF was responsible for registration of nonmilitary generic Top Level Domains (gTLDs) such as .com, .org, .net, and .edu. In 1993, the NSF entered into a 5-year cooperative agreement with Network Solutions, Inc. (NSI) to operate Internet domain name registration services. In 1995, the agreement was modified to allow NSI to charge registrants a $50 fee per year. Since the imposition of fees in 1995, criticism arose over NSI's sole control over registration of the gTLDs. In addition, there was an increase in trademark disputes arising out of the enormous growth of registrations in the .com domain. With the cooperative agreement between NSI and NSF due to expire in 1998, the Administration, through the Department of Commerce (DOC), began exploring ways to transfer administration of the DNS to the private sector.

In the wake of much discussion among Internet stakeholders, and after extensive public comment on a previous proposal, the Department of Commerce (DOC), on June 5, 1998, issued a final statement of policy, Management of Internet Names and Addresses (also known as the "White Paper"). The White Paper stated that the U.S. government was prepared to recognize and enter into agreement with "a new not-for-profit corporation formed by private sector Internet stakeholders to administer policy for the Internet name and address system." Accordingly, Internet constituencies from around the world held a series of meetings during the summer of 1998 to discuss how the New Corporation might be constituted and structured. On October 2, 1998, the Department of Commerce accepted a proposal, authored primarily by IANA and NSI, for an Internet Corporation for Assigned Names and Numbers (ICANN). Nine members of ICANN's interim board were chosen (four Americans, three Europeans, one from Japan, and one from Australia). The proposal was criticized by some Internet stakeholders, who claimed that ICANN did not adequately represent a consensus of the entire Internet community. On November 25, 1998, DOC and ICANN signed an official Memorandum of Understanding (MOU), whereby DOC and ICANN agreed to jointly design, develop, and test the mechanisms, methods, and procedures necessary to transition management responsibility for DNS functions to a private-sector not-for-profit entity.

The White Paper also signaled DOC's intention to ramp down the government's Cooperative Agreement with NSI, with the objective of introducing competition into the domain name space while maintaining stability and ensuring an orderly transition. During this transition period, government obligations will be terminated as DNS responsibilities are transferred to ICANN. Specifically, NSI committed to a timetable for development of a Shared Registration System that permits multiple registrars to provide registration services within the .com, .net., and .org gTLDs. To date, 152 companies have either been accredited as a registrar by ICANN, or have qualified for accreditation; currently, 70 registrars are operational. NSI will continue to administer the root server system until receiving further instruction from the government.

Significant disagreements between NSI on the one hand, and ICANN and DOC on the other, arose over how a successful and equitable transition would be made from NSI's previous status as exclusive registrar of .com, org. and net. domain names, to a system that allows multiple and competing registrars. Of particular controversy was NSI's refusal to sign ICANN's accreditation agreement. On September 28, 1999, after nearly a year of negotiations, DOC, NSI, and ICANN announced a series of formal agreements. NSI agreed to sign an accreditation agreement with ICANN, but with certain limits and conditions placed on ICANN decisions that could affect NSI's business. NSI will retain control of the .com registry for at least four years; if ownership of NSI's registry and registrar operations is fully separated within 18 months (via spinoff or sale to a third party for example), the term would be extended for four additional years. NSI and all accredited registrars will provide public access to the full database of registered domain names (the "WhoIs" database). Competing registrars will pay NSI a wholesale price of $6 per registered name per year. Finally, NSI will pay ICANN $1.25 million upon signing the agreement, and agrees to approve an ICANN registrar fee policy as long as NSI's share does not exceed $2 million.

While the agreement was hailed by DOC, NSI, and ICANN, opposition was voiced by competing registrars, who asserted that the agreement gives NSI too many advantages in the competition for new registrations and renewals of existing ones. Others objected to the limits placed on ICANN with regard to making decisions that might affect NSI. At its November 1999 board meeting, ICANN agreed to modifications of the agreement which addressed some of the concerns raised. On November 10, 1999, ICANN, NSI, and DOC formally signed the agreements.

On September 4, 2000, ICANN and the Department of Commerce agreed to extend their MOU until September 30, 2001 or sooner, if both parties agree that the work set under the MOU has been completed. Remaining tasks, many of which are underway, include: creating new Internet top-level domains, completing selection of the ICANN Board of Directors, enhancing the architecture of the root-name server system, formalizing contractual relationships between ICANN and the regional Internet Protocol address registries, and establishing stable arrangements between ICANN and the organizations responsible for the operation of country-code TLDs.

Until the full transition to a private sector controlled DNS system is completed, the Department of Commerce remains responsible for monitoring the extent to which ICANN satisfies the principles of the White Paper as it makes critical DNS decisions. Congress remains keenly interested in how the Administration manages and oversees the transition to private sector ownership of the DNS. The conference report (H.Rept. 106-479) accompanying the FY2000 Consolidated Appropriations Act (P.L. 106-113, signed November 29, 1999) directs the General Accounting Office (GAO) to review the legal basis and authority for DOC's relationship with ICANN (including the possible transfer of the authoritative root server to private sector control), the possibility of shifting federal oversight responsibilities from NTIA to the National Institute of Standards and Technology (NIST), and the adequacy of existing security arrangements safeguarding critical hardware and software underlying the DNS. The GAO report, released on July 7, 2000, concluded that the DOC does have legal authority to enter into its current agreements and cooperative activities with ICANN. GAO noted that while it is unclear whether DOC has the authority to transfer control of the authoritative root server to ICANN, the Department has no current plans to do so.

Two issues currently being addressed by ICANN are the addition of new top level domains and the election of At-Large Board members. At its July 16, 2000 meeting in Yokohama, the ICANN Board of Directors adopted a policy for the introduction of new top-level domains (TLDs). Additional TLDs - such as .shop, .xxx, or .kids, for example - will significantly expand the number of domain names available for registration by the public. The policy involves a process in which those interested in operating or sponsoring new TLDs may apply to ICANN. During September 2000, a total of 47 applications were received. At its November 16, 2000 annual meeting, ICANN selected seven companies or organizations each to operate a registry for one of seven new TLDs, as follows: .biz, .aero, .name, .pro, .museum, .info, and .coop. ICANN's selections are subject to approval by the Department of Commerce. Following contractual discussions between ICANN and selected applicants, at least some of the new TLDs could become operational during the first half of 2001.

Regarding the composition of ICANN's board of directors, ICANN bylaws call for an international and geographically diverse 19-member board of directors, composed of a president, nine at-large members, and nine members nominated by three Supporting Organizations representing Domain Name, Address, and Internet Protocol constituencies. During October 1999, the three Supporting Organizations each selected three directors for the permanent board. Terms of service range from one to three years. Of the nine directors, four are from Europe (Britain, France, Netherlands, and Spain), two from Canada, one from Mexico, one from Hong Kong, and one from the United States. The nine new directors joined the ten sitting interim directors, who serve until an additional nine directors are elected to the permanent board by ICANN's At-Large membership. At ICANN's March 2000 meeting in Cairo, the sitting board agreed to a plan whereby five At-Large board members, one from each of five geographic regions of the world, would be directly elected by Internet users. Eligible to vote was anyone over 16 years old with an active email and postal address who registered as an ICANN member. On October 10, 2000 ICANN announced the five new At-Large board members elected by over 34,000 Internet users. At the November 2000 annual meeting, ICANN initiated a study to determine how to select the remaining At-Large board members. Meanwhile, the sitting board has extended the terms of four of its interim members until 2002 to serve with the five newly elected At-Large board members.

Another issue surrounding the DNS is the resolution of trademark disputes that arise in designating domain names. In the early years of the Internet, when the primary users were academic institutions and government agencies, little concern existed over trademarks and domain names. As the Internet grew, however, the fastest growing number of requests for domain names were in the .com domain because of the explosion of businesses offering products and services on the Internet. Since domain names have been available from NSI on a first-come, first-serve basis, some companies discovered that their name had already been registered. The situation was aggravated by some people (dubbed "cybersquatters") registering domain names in the hope that they might be able to sell them to companies that place a high value on them.

The increase in conflicts over property rights to certain trademarked names has resulted in a number of lawsuits. Under previous policy, NSI did not determine the legality of registrations, but when trademark ownership was demonstrated, placed the use of a name on hold until the parties involved could resolve the domain name dispute. The White Paper called upon the World Intellectual Property Organization (WIPO) to develop a set of recommendations for trademark/domain name dispute resolutions, and to submit those recommendations to ICANN. At ICANN's August 1999 meeting in Santiago, the board of directors adopted a dispute resolution policy to be applied uniformly by all ICANN-accredited registrars. Under this policy, registrars receiving complaints will take no action until receiving instructions from the domain-name holder or an order of a court or arbitrator. An exception is made for "abusive registrations" (i.e. cybersquatting and cyberpiracy), whereby a special administrative procedure (conducted largely online by a neutral panel, lasting 45 days or less, and costing about $1000) will resolve the dispute. Implementation of ICANN's Domain Name Dispute Resolution Policy commenced on December 9, 1999. As of August 18, 2000, 1492 proceedings (encompassing the disposition of 2608 domain names) have been initiated.

Meanwhile, the 106th Congress took action, passing the Anticybersquatting Consumer Protection Act (incorporated into P.L. 106-113, the FY2000 Consolidated Appropriations Act). The Act gives courts the authority to order the forfeiture, cancellation, and/or transfer of domain names registered in "bad faith" that are identical or similar to trademarks. The bill would also provide for statutory civil damages of at least $1,000, but not more than $100,000, per domain name identifier. The legislation was supported by corporate entities and others who wish to protect their trademarks and names from abusive or bad-faith domain name registrations. The legislation was opposed by civil libertarians who assert that the law threatens free expression on the Internet. The Clinton Administration also opposed the legislation, arguing that ICANN's dispute resolution procedure should not be circumvented.

Finally, the 106th Congress was concerned about the disposition of the Intellectual Infrastructure Fund. The rapid growth of domain name registrations and the associated increase in costs to NSF led to the decision to charge a registration and maintenance fee to domain name holders. In 1995, NSI was authorized through an amendment to the cooperative agreement to charge $100 to initially register a domain name and $50 a year to maintain it in the database. According to the contract, 70% of the monies collected were to be retained by NSI to cover its costs; the remaining 30% were deposited by NSI in an account for the purpose of reinvestment in the Intellectual Infrastructure Fund (IIF) of the Internet. As of March 31, 1998, when fee collection was discontinued, approximately $60 million had been collected. The VA/HUD/Independent Agencies FY1998 Appropriations Act (P.L. 105-65) directed NSF to credit up to $23 million of the funds to NSF's Research and Related Activities account for Next Generation Internet activities. A class action suit filed in October 1997 challenged NSF's authority to allow NSI to collect fees. A May 14, 1999 ruling by the U.S. Court of Appeals upheld an earlier court ruling that affirmed the legality of the IIF. Meanwhile, the Home Page Tax Repeal Act (H.R. 2797/S. 705), introduced by Representative Terry and Senator Ashcroft, sought to ensure refunds of all fees collected into the IIF. On March 24, 1999, the Basic Research Subcommittee of the House Committee on Science held a hearing on the Home Page Tax Repeal Act. On November 2, 1999, the Basic Research Subcommittee marked up H.R. 2797. No action was subsequently taken on this legislation.

Broadband Internet Access (8)

Broadband or high-speed Internet access is provided by a series of technologies that give users the ability to send and receive data at volumes and speeds far greater than current Internet access over traditional telephone lines. In addition to offering speed, broadband access provides a continuous "always on" connection (no need to dial-up) and a "two-way" capability, that is, the ability to both receive (download) and transmit (upload) data at high speeds.

Broadband access, along with the content and services it might enable, has the potential to transform the Internet--both what it offers and how it is used. For example, a two-way high speed connection could be used for interactive applications such as online classrooms, showrooms, or health clinics, where teacher and student (or customer and salesperson, doctor and patient) can see and hear each other through their computers. An "always on" connection could be used to monitor home security, home automation, or even patient health remotely through the Web. The high speed and high volume that broadband offers could also be used for bundled services, where for example, cable television, video on demand, voice, data, and other services are all offered over a single line. In truth, it is possible that many of the applications that will best exploit the technological capabilities of broadband, while also capturing the imagination of consumers, have yet to be developed.

Many offices and businesses now have Internet broadband access. A major remaining challenge is providing broadband over "the last mile" to consumers in their homes. Currently, approximately 5 million homes in the United States are wired for broadband access. However, the changeover to residential broadband has begun, as companies have started to offer different types of broadband service in selected locations. Indeed, throughout the telecommunications and information industry, companies have been investing, acquiring, and merging in order to position themselves for what is felt to be a coming explosion in broadband Internet use. No one knows exactly how many consumers will be willing to pay for broadband service. Current costs to consumers range from about $40 and upward per month, plus up to several hundred dollars for installation and equipment.

Broadband Technologies

There are multiple transmission media or technologies which can be used to provide broadband access. These include cable modem technology, an enhanced telephone service called digital subscriber line (DSL), satellite technology, terrestrial wireless technologies, and others. Cable modems and DSL are generally acknowledged by many observers as the most promising technologies for providing broadband access, at least within the next couple of years. Both require the modification of an existing physical infrastructure that is already connected to the home (i.e. cable television and telephone lines). Each technology has its respective advantages and disadvantages, and will likely compete with each other based on performance, price, quality of service, geography, user friendliness, and other factors.

The same cable network that currently provides television service to consumers is being modified to provide broadband access. Because cable networks are shared by users, access speeds can decrease during peak usage hours, when bandwidth is being shared by many customers at the same time. Network sharing has also led to security concerns and fears that hackers might be able to eavesdrop on a neighbor's Internet connection. According to Kinetic Strategies Inc., an estimated 3.8 million households in North America subscribed to cable modem services by the end of September 2000, with service available to an estimated 62 million households. Kinetic Strategies projects 20 million installed cable modem customers in North America by the end of 2004.

Digital Subscriber Line, or DSL, is a modem technology which converts existing copper telephone lines into two-way high speed data conduits. While there are a number of types of DSL technologies, the most used currently is ADSL, or Asymmetric Digital Subscriber Line ("asymmetric" because transmission speed is higher from the Internet to the home than from the home to the Internet). ADSL is only available, at present, to homes within 18,000 feet (about three miles) of a central office facility. According to TeleChoice Inc., 1.7 million DSL lines were in service in the United States by the end of September 2000. TeleChoice estimates that the number of U.S. DSL lines in service will grow to 2.1 million by the end of 2000, with further growth to 9.6 million DSL lines by the end of 2003.

Policy Issues

Section 706 of the Telecommunications Act of 1996 (P.L. 104-104) requires the FCC to determine whether "advanced telecommunications capability [i.e. broadband or high-speed access] is being deployed to all Americans in a reasonable and timely fashion." On January 28, 1999, the FCC adopted a report (FCC 99-5) pursuant to Section 706. The report concluded that "the consumer broadband market is in the early stages of development, and that, while it is too early to reach definitive conclusions, aggregate data suggests that broadband is being deployed in a reasonable and timely fashion." The FCC announced that it would continue to monitor closely the deployment of broadband capability in annual reports and that, where necessary, it would "not hesitate to reduce barriers to competition and infrastructure investment to ensure that market conditions are conducive to investment, innovation, and meeting the needs of all consumers."

The Commission's second Section 706 report was approved on August 3, 2000. Based on data collected from telecommunications service providers, an ongoing Federal-State Joint Conference to promote advanced broadband services, and the public, the report concluded that advanced telecommunications capability is being deployed in a reasonable and timely fashion overall, although certain groups of consumers were identified as being particularly vulnerable to not receiving service in a timely fashion. Those groups include rural, minority, low-income, and inner city consumers, as well as tribal areas and consumers in U.S. territories. The FCC acknowledges that more sophisticated data are still needed in order to portray a thoroughly accurate picture of broadband deployment.

While the FCC's position is not to intervene at this time, some assert that legislation is necessary to ensure fair competition and timely broadband deployment. Currently, the debate centers on three approaches. Those are: 1) compelling cable companies to provide "open access" to competing ISPs; 2) easing certain legal restrictions and requirements (imposed by the Telecommunications Act of 1996) on incumbent telephone companies that provide high-speed data (broadband) access; and 3) providing federal financial assistance for broadband deployment in rural and economically disadvantaged areas. Hearings on broadband access were held by a number of committees during the 106th Congress, including House Commerce, House Judiciary, Senate Commerce, and Senate Judiciary.

Open Access. Legislation introduced into the 106th Congress (H.R. 1685 and H.R. 1686) sought to prohibit anticompetitive contracts and anticompetitive or discriminatory behavior by broadband access transport providers. Neither bill passed Congress. The legislation would have had the effect of requiring cable companies that provide broadband access to give "open access" (also referred to as "forced access" by its opponents) to all Internet service providers. Currently, customers using cable broadband must sign up with an ISP affiliated or owned by their cable company. If customers want to access another ISP (such as America Online for example), they must pay extra--one monthly fee to the cable company's service (which includes the cable ISP) and another to their ISP of choice. In effect, the legislation would have enabled cable broadband customers to subscribe to their ISP of choice without first going through their cable provider's ISP. At issue is whether cable networks should be required to share their lines with, and give equal treatment to, rival ISPs who wish to sell their services to consumers. Supporters argue that open access is necessary to prevent cable companies from creating "closed networks," limiting access to content, and stifling competition. Opponents of open access counter that an open access mandate would inhibit the cable industry's ongoing nationwide investment in broadband technology, and assert that healthy competition does and will exist in the form of alternate broadband technologies such as DSL and satellites.

The arguments for and against open access have been heard on the local level, as cities, counties, and states have taken up the issue of whether to mandate open access requirements on local cable franchises. In June 1999, a federal judge ruled that the city of Portland, OR, had the right to require open access to the Tele-Communications Incorporated (TCI) broadband network as a condition for transferring its local cable television franchise to AT&T. AT&T appealed the ruling to the U.S. Court of Appeals for the Ninth Circuit. On June 22, 2000, the Court ruled in favor of AT&T, thereby reversing the earlier ruling. The court ruled that high-speed Internet access via a cable modem is defined as a "telecommunications service," and not subject to direct regulation by local franchising authorities.

The debate thus moves to the federal level, where many interpret the Court's decision as giving the FCC authority to regulate broadband cable services as a "telecommunications service." However, the FCC also has the authority not to regulate if it determines that such action is unnecessary to prevent discrimination and protect consumers. To date, the FCC has chosen not to mandate open access, citing the infancy of cable broadband service and the current and future availability of competitive technologies such as DSL and satellite broadband services. However, in light of the June 22 court decision, the FCC announced, on June 30, 2000, that it would conduct a formal proceeding to determine whether or not cable-Internet service should be regulated as a telecommunications service, and whether the FCC should mandate open access nationwide. On September 28, 2000, the FCC formally issued a Notice of Inquiry (NOI) which will explore whether or not the Commission should require access to cable and other high- speed systems by Internet Service Providers (ISPs). (9)

Developments within the cable industry also could have an impact on the open access debate. On December 6, 1999, AT&T (the nation's largest cable company after its purchase of TCI and merger with MediaOne) announced an agreement to provide Mindspring (now EarthLink, the nation's second largest ISP) access to its broadband cable system starting in mid-2002 (i.e. when AT&T's contract with its affiliated ISP, Excite@Home, expires). AT&T has pointed to the agreement with EarthLink as evidence that access issues should be left to market forces and need not be mandated by government regulation. In November 2000, AT&T Broadband began a series of field trials which would allow multiple ISPs, for a monthly fee, to access its cable platform. If technically feasible, AT&T Broadband's proposal is to allow access for any ISP that passes reliability tests. While some critics see the AT&T approach to open access as a positive step, others remain concerned that open access will not be achieved as quickly or as equitably without a government mandate.

On January 10, 2000, AOL announced plans to merge with Time Warner, Inc. If approved by the federal government, the merger would give AOL access to the second largest cable television system in the U.S., and a share in Roadrunner, one of the two major cable modem ISPs. Since the merger announcement, AOL has said it intends to open Time Warner's broadband cable platform to other ISPs. While still supporting the principle of open access, AOL has stated that it now prefers market solutions to a government mandate for open access. Many supporters of open access have asserted that AOL's post-merger position, favoring market over government solutions, will ultimately leave many of the nation's 6000 ISPs without broadband access. On February 29, 2000, AOL and Time Warner took a further step toward open access by signing a memorandum of understanding (MOU) that commits the company to provide access to as many ISPs as is technically possible. The MOU pledges no restrictions on video streaming, no discrimination based on affiliation, and no restrictions on ISP direct billing and collections. On November 20, 2000, Time Warner announced an agreement to provide EarthLink access to its high-speed cable system. On December 14, 2000, the Federal Trade Commission (FTC) announced its approval of the AOL-Time Warner merger with conditions. Under the terms of the proposed consent order, AOL Time Warner would be required to open its cable systems to competing ISPs, and prohibited from interfering with the content passed along the bandwidth contracted for by non-affiliated ISPs. Specifically, AOL Time Warner would be required to make available to subscribers at least one non-affiliated cable broadband ISP service before AOL itself began offering service, followed by two other non-affiliated ISPs within 90 days (and a requirement to negotiate in good faith with others after that). Meanwhile, the FCC's approval process had been suspended, pending the FTC's decision. The FCC is now expected to rule in early 2001.

Easing Restrictions and Requirements on Incumbent Telephone Companies. Legislative proposals in the 106th Congress (H.R. 1685, Boucher; H.R. 1686, Goodlatte; H.R. 2420, Tauzin; S. 877, Brownback; and S. 1043, McCain) sought to ease certain legal restrictions and requirements imposed by the Telecommunications Act of 1996 on ILECs (incumbent local exchange companies such as Bell Atlantic, US West, or GTE). Included among the proposed legislative remedies were allowing Bell operating companies (BOCs) to offer data services across local access and transport area (LATA) boundaries, (10) and easing requirements for ILECs to share (via unbundling and resale) their high speed networks with competing companies. (11) None of the bills passed.

Those supporting these provisions, primarily the BOCs, claimed they were needed to promote the deployment of broadband services, particularly in rural and under served areas. Present regulations contained in the 1996 Telecommunications Act, they claim, are overly burdensome and discourage needed investment in broadband services. ILECs, they state, are the only entities likely to provide such services in low volume rural and other under served areas. Therefore, proponents state, until present regulations are removed the development and the pace of deployment of broadband technology and services, particularly in unserved areas, will be lacking. Furthermore, supporters state, domination of the Internet backbone (12) market is emerging as a concern and entrance by ILECs (particularly the BOCs) into this market will ensure that competition will thrive with no single or small group of providers dominating. Additional concerns that the lifting of restrictions on data would remove BOC incentives to open up the local loop to gain interLATA relief for voice services are also unfounded, they state. The demand by consumers for bundled services and the large and lucrative nature of the long distance voice market will, according to proponents, provide the necessary incentives for BOCs to seek relief for interLATA voice services.

Opponents, including long distance companies and non-incumbent local exchange companies (those competing with the ILECs to provide local service), claim that lifting such restrictions and requirements will undermine the incentives needed to ensure that the ILECs will open up their networks to competition. Present restrictions, opponents claim, were built into the 1996 Telecommunications Act to help ensure that competition will develop in the provision of telecommunications services. Modification of these regulations, critics claim, will remove the incentives needed to open up the "monopoly" in the provision of local services. Competitive safeguards such as unbundling and resale are necessary, opponents claim, to ensure that competitors will have access to the "monopoly bottleneck" last mile to the customer. Therefore they state, the enactment of this legislation to modify these regulations will all but stop the growth of competition in the provision of local telephone service. A major change in existing regulations, opponents claim, would not only remove the incentives needed to open up the local loop but would likely result in the financial ruin of providers attempting to offer competition to the ILECs. As a result, consumers will be hurt, critics claim, since the hoped for benefits of competition such as increased consumer choice and lower rates will never emerge. Concern over the inability of regulators to distinguish between the provision of voice only and data services if such restrictions are lifted has also been expressed. Opponents also dismiss arguments that BOC entrance into the marketplace is needed to ensure competition. The marketplace, opponents claim, is a dynamic and growing one, and concerns over the lack of competition and market dominance are misplaced.

Federal Assistance for Broadband Deployment. The 106th Congress considered (but did not enact) legislation that would provide financial support for broadband deployment, especially in rural and low-income areas. Bills were introduced into the 106th Congress (H.R. 4122, H.R. 4728, H.R. 5069, S. 2307, S. 2321, S. 2698) which sought to provide assistance for broadband deployment through mechanisms such as: tax credits for investment in broadband facilities, support from the FCC's universal service fund, and loans from the Rural Utilities Service (RUS) of the Department of Agriculture. For more information on federal assistance for broadband deployment, see CRS Report RL30719 (pdf), Broadband and the Digital Divide: Federal Assistance Programs.

Appendix A: Legislation Passed by the 105th Congress

The 105th Congress considered a wide variety of bills related to Internet issues, but only a few finally passed both chambers and were sent to the President. Of the issues covered in this report, legislation was enacted concerning protecting children, identity theft, intellectual property, digital signatures, and Internet domain names. (Legislation concerning Internet taxes also passed. That topic per se is not included in this report. See: Internet Tax Bills in the 105th Congress, CRS Report 98-509 (pdf) E, by Nonna Noto. However, the Act also included language relating to protecting children, so is discussed in that context). (13)

Protecting Children: Child Online Protection Act, Children's Online Privacy Protection Act, and Child Protection and Sexual Predator Protection Act

In the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act (P.L. 105-277), Congress included several provisions related to protecting children on the Internet. Included is legislation making it a crime to send material that is "harmful to minors" to children and protecting the privacy of information provided by children under 13 over interactive computer services. Separately, Congress passed a law (P.L. 105-314) that, inter alia, strengthens penalties against sexual predators using the Internet.

The "harmful to minors" language is in the Child Online Protection Act, Title XIV of Division C of the Omnibus Appropriations Act. Similar language was also included in the Internet Tax Freedom Act (Title XI of Division C of the Omnibus Appropriations Act). Called "CDA II" by some in reference to the Communications Decency Act that passed Congress in 1996 but was overturned by the Supreme Court, the bill restricts access to commercial material that is "harmful to minors" distributed on the World Wide Web to those 17 and older. The American Civil Liberties Union (ACLU) and others filed suit against enforcement of the portion of the Act dealing with the "harmful to minors" language. In February, 1999, a federal judge in Philadelphia issued a preliminary injunction against enforcement of that section of the Act. The Justice Department has filed an appeal (see CRS Report 98-670, Obscenity, Child Pornography, and Indecency: Recent Developments and Pending Issues for further information).

The Children's Online Privacy Protection Act, also part of the Omnibus Appropriations Act (Title XIII of Division C), requires verifiable parental consent for the collection, use, or dissemination of personally identifiable information from children under 13.

The Omnibus Appropriation Act also includes a provision intended to make it easier for the FBI to gain access to Internet service provider records of suspected sexual predators (Section 102, General Provisions, Justice Department). It also sets aside $2.4 million for the Customs Service to double the staffing and resources for the child pornography cyber-smuggling initiative and provides $1 million in the Violent Crime Reduction Trust Fund for technology support for that initiative.

The Protection of Children from Sexual Predators Act (P.L. 105-314) is a broad law addressing concerns about sexual predators. Among its provisions are increased penalties for anyone who uses a computer to persuade, entice, coerce, or facilitate the transport of a child to engage in prohibited sexual activity, a requirement that Internet service providers report to law enforcement if they become aware of child pornography activities, a requirement that federal prisoners using the Internet be supervised, and a requirement for a study by the National Academy of Sciences on how to reduce the availability to children of pornography on the Internet.

Identity Theft and Assumption Deterrence Act

The Identity Theft and Assumption Deterrence Act (P.L. 105-318) sets penalties for persons who knowingly, and with the intent to commit unlawful activities, possess, transfer, or use one or more means of identification not legally issued for use to that person.

Intellectual Property: Digital Millennium Copyright Act

Congress passed legislation (P.L. 105-304) implementing the World Intellectual Property Organization (WIPO) treaties regarding protection of copyright on the Internet. The law also limits copyright infringement liability for online service providers that serve only as conduits of information. Provisions relating to database protection that were included by the House were not included in the enacted version and are being debated anew in the 106th Congress. Since database protection per se is not an Internet issue, it is not included in this report (see CRS Report 98-902, Intellectual Property Protection for Noncreative Databases).

Digital Signatures: Government Paperwork Elimination Act

Congress passed the Government Paperwork Elimination Act (Title XVII of Division C of the Omnibus Appropriations Act, P.L. 105-277) that directs the Office of Management and Budget to develop procedures for the use and acceptance of "electronic" signatures (of which digital signatures are one type) by executive branch agencies.

Internet Domain Names: Next Generation Internet Research Act

The Next Generation Internet Research Act (P.L. 105-305) directs the National Academy of Sciences to conduct a study of the short and long-term effects on trademark rights of adding new generation top-level domains and related dispute resolution procedures.

Related Legislation Passed by the 105th Congress

Title Public Law and Bill Numbers
FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act P.L. 105-277
H.R. 4328
Division C, Title XI: Internet Tax Freedom Act H.R. 1054/S. 442
Division C, Title XIII: Children's Online Privacy Protection Act S. 2326
Division C, Title XIV: Child Online Protection Act H.R. 3783/S. 1482
Division C, Title XVII: Government Paperwork Elimination Act S. 2107
Protection of Children from Sexual Predators Act P.L. 105-314
H.R. 3494/S. 2491
Identity Theft and Assumption Deterrence Act P.L. 105-318
H.R. 4151/S. 512
Digital Millennium Copyright Act P.L. 105-304
H.R. 2281/S. 2037
Next Generation Internet Research Act P.L. 105-305
H.R. 3332/S. 1609

Appendix B: Related CRS Reports

Broadband Internet Access: Background and Issues, by Lennard G. Kruger and Angele A. Gilroy. CRS Issue Brief IB10045.

Broadband Internet Access and the Digital Divide: Federal Assistance Programs, by Lennard G. Kruger. CRS Report RL30719 (pdf).

Computer Fraud & Abuse: A Sketch of 18 U.S.C. 1030 And Related Federal Criminal Laws, by Charles Doyle. CRS Report 97-1024.

Computer Fraud & Abuse: An Overview of 18 U.S.C. 1030 And Related Federal Criminal Laws, by Charles Doyle. CRS Report 97-1025.

Copyright Cases in the Courts: Napster, MP3 Digital Music, and DVD Motion Picture Encryption Technology, by Robin Jeweler. CRS Report RL30683 (pdf).

Critical Infrastructures: Background and Early Implementation of PDD-63, by John D. Moteff. CRS Report RL30153.

Digital Surveillance: the Communications Assistance for Law Enforcement Act and FBI Internet Monitoring, by Richard M. Nunno. CRS Report RL30677 (pdf).

Electronic Commerce: An Introduction, by Glenn J. McLoughlin. CRS Report RS20426.

Electronic Commerce, Info Pack. by Rita Tehan. IP539P (Updated as needed)

Electronic Communications Privacy Act of 2000 (H.R. 5018): Summary in Brief, by Gina Marie Stevens. CRS Report RS20693 (pdf).

Electronic Stock Market, by Mark Jickling. CRS Report RL30602 (pdf).

Electronic Signatures: Technology Developments and Legislative Issues, by Richard Nunno. CRS Report RS20344.

Encryption Export Controls, by Jeanne J. Grimmett. CRS Report RL30273.

Encryption Technology: Congressional Issues, by Richard Nunno. CRS Issue Brief IB96039.

Government Information Technology Management: Past and Future Issues (the Clinger-Cohen Act), by Jeffrey W. Seifert. CRS Report RL30661 (pdf).

Intellectual Property Protection for Noncreative Databases, by Dorothy Schrader and Robin Jeweler. CRS Report 98-902.

Internet and E-Commerce Statistics: What They Mean and Where to Find Them on the Web, by Rita Tehan. CRS Report RL30435.

Internet Domain Names: Background and Policy Issues, by Lennard G. Kruger. CRS Report 97-868 (pdf).

Internet Gambling: A Sketch of Legislative Proposals, by Charles Doyle. CRS Report RS20485.

Internet Gambling: Overview of Federal Criminal Law, by Charles Doyle. CRS Report 97-619.

Internet Privacy: An Analysis of Technology and Policy Issues, by Marcia S. Smith. CRS Report RL30784 (pdf).

Internet Privacy--Protecting Personal Information: Overview and Pending Legislation, by Marcia S. Smith. CRS Report RS20035.

Internet--Protecting Children from Unsuitable Material and Sexual Predators: Overview and Pending Legislation, by Marcia S. Smith. CRS Report

RS20036.

Internet Service and Access Charges, by Angele Gilroy. CRS Report RS20579.

Internet Taxation: Bills in the 106th Congress, by Nonna Noto. CRS Report RL30412.

Internet Tax Legislation: Distinguishing Issues, by Nonna Noto. CRS Report RL30667.

Internet Transactions and the Sales Tax, by Stephen Maguire. CRS Report RL30431.

Internet Voting: Issues and Legislation, by Kevin Coleman and Richard Nunno. CRS Report RS20639 (pdf).

"Junk E-mail": An Overview of Issues and Legislation Concerning Unsolicited Commercial Electronic Mail ("Spam"), by Marcia S. Smith. CRS Report

RS20037.

Legislation to Prevent Cybersquatting/Cyberpiracy, by Henry Cohen. CRS Report RS20367.

Long Distance Telephony: Bell Operating Company Entry Into the Long Distance Market, by James R. Riehl. CRS Report RL30018 (pdf).

Medical Records Confidentiality, C. Stephen Redhead, Harold C. Relyea, and Gina M. Stevens. CRS Issue Brief IB98002.

National Information Infrastructure: The Federal Role, by Glenn J. McLoughlin. CRS Issue Brief IB95051.

Noncreative Database Bills in the House, by Robin Jeweler. CRS Report RS20361 (pdf).

Obscenity, Child Pornography, and Indecency: Recent Developments and Pending Issues, by Henry Cohen. CRS Report 98-670.

Personal Privacy Protection: The Legislative Response, by Harold C. Relyea. CRS Report RL30671.

Prescription Drug Sales Over the Internet, by Christopher Sroka. CRS Report RL30456.

Spinning the Web: the History and Infrastructure of the Internet, by Rita Tehan. CRS Report 98-649 (pdf).

State Sales Taxation of Internet Transactions, by John Luckey. CRS Report RS20577.

Telecommunications Discounts for Schools and Libraries: the "E-Rate" Program and Controversies, by Angele Gilroy. CRS Issue Brief IB98040.

Telemarketing: Dealing with Unwanted Telemarketing Calls, by James R. Riehl. CRS Report RL30763.

Footnotes

1. (back) See also CRS Issue Brief IB96039, Encryption Technology: Congressional Issues, which is updated more frequently than this report.

2. (back)Reports of unauthorized access to credit card numbers stored on computers also have attracted much interest. Not only is there the risk of direct financial loss from someone using a credit card without authorization of the card owner, but increasingly people are concerned about consumer identity theft that involves use of another's personally identifiable information such as credit card numbers. That issue is addressed below.

3. (back) CRS Report RS20035, Internet Privacy--Protecting Personal Information: Overview and Pending Legislation, provides an overview of Internet privacy issues and current information on pending legislation. It is updated more frequently than this report. CRS Report RL30784 (pdf), Internet Privacy: An Analysis of Technology and Policy Issues, provides more comprehensive analysis of the issues involved in this debate. Information on financial records privacy or medical records privacy, which are not Internet privacy issues, is available in CRS Report RS20185 or CRS Issue Brief IB98002, respectively.

4. (back)For a list of the 106th Congress Internet privacy bills, see Appendix B of CRS Report RL30784 (pdf), Internet Privacy: An Analysis of Technology and Policy Issues.

5. (back)See also CRS Report RS20036, Internet--Protecting Children from Unsuitable Material and Sexual Predators: Overview and Pending Legislation.

6. (back)See also CRS Report RS20037, "Junk E-Mail": An Overview of Issues and Legislation Concerning Unsolicited Commercial Electronic Mail ("Spam"), which is updated more frequently than this report.

7. (back) See also CRS Report 97-868 (pdf), Internet Domain Names: Background and Policy Issues, which is updated more frequently than this report.

8. (back)See also CRS Issue Brief IB10045, Broadband Internet Access: Background and Issues, which is updated more frequently than this report.

9. (back)See: http://www.fcc.gov/Bureaus/Miscellaneous/Notices/2000/fcc00355.pdf

10. (back)As a result of the 1984 AT&T divestiture, the Bell System service territory was broken up into service regions and assigned to a regional Bell operating company (BOC). The geographic area in which a BOC may provide telephone services within its region was further divided into local access and transport areas, or LATAs. Telephone traffic that crosses LATA boundaries is referred to as interLATA traffic. Present restrictions contained in Section 271 of the Telecommunications Act of 1996 prohibit the BOCs from offering interLATA services within their service regions until certain conditions are met. To date one BOC, Bell Atlantic, has received approval to enter the in-region interLATA market in New York state; Bell Atlantic began to offer in-region long distance service to its New York state customers effective January 5, 2000. Another BOC, SBC Communications, has filed an application with the FCC seeking approval to offer in-region interLATA services in Texas; that application is still pending.

11. (back)Present law requires all ILECs to open up their networks to enable competitors to lease out parts of the incumbent's network. These unbundling and resale requirements, which are detailed in section 251 of the Telecommunications Act of 1996, were enacted in an attempt to open up the local telephone network to competitors. Under these provisions ILECS are required to grant competitors access to individual pieces, or elements, of their networks (e.g. a line or a switch) and to sell them at below retail prices.

12. (back)An Internet backbone is a very high speed, high capacity data conduit that local or regional networks connect to for long-distance interconnection.

13. (back)Internet gambling also was debated the 105th Congress and continues to be controversial in the 106th. That issue is not addressed in this report. See CRS Report RS20485, Internet Gambling: A Sketch of Legislative Proposals, by Charles Doyle.

Return to CONTENTS section of this Long Report.