AS THE SENATE LISTENS to arguments about the most-examined sexual encounters in U.S. history, it is becoming clear that one of the greatest legal battles at the end of the 20th century may also be personal: the fight over privacy rights.
"Privacy issues are here to stay and will only grow in importance over time," says Marcelo Halpern, an attorney at Chicago's Gordon & Glickson who has written on the pending harmonization of European and U.S. privacy laws.
"Whether through consumer pressure, government action or a need to conform with [the European Privacy Directive], the U.S. will be driven to stem" the unlimited sharing of personal data, he says.
New technologies make inadvertent privacy violations plentiful--and not just in misdirected e-mail. On Jan. 20, a Web site affiliated with Fox News displayed street and e-mail addresses of Ohio residents who had registered at the site. Only the month before, a Web site run by CBS News (www.sportsline.com), mistakenly displayed information visitors had typed into the site to enter a contest.
Many look to encryption as a way to protect against purposeful hackers--Fox News claims that its site was deliberately broken into by privacy advocates--and against accidental technical errors, which apparently were the problem with the CBS Web site. If data is stored in an encrypted format, then even if it is mistakenly or deliberately put on public view, it will appear as gibberish.
Two recent developments have encouraged the wider use of encryption. On Dec. 31, encryption regulations were implemented that reflect a "substantial liberalization" of U.S. encryption policy, says Stewart A. Baker, a partner at Washington, D.C.'s Steptoe & Johnson who heads what he calls "Team Crypto" at the firm. ("We have baseball caps and T-shirts," he boasts.)
Mr. Baker's upbeat attitude may flow from the new regulations' allowing the export of 128-bit encryption software--much stronger than before, though not as strong as some would like. "It is breakable by very determined foes who are willing to spend a quarter of a million dollars," says Mr. Baker. He added that the strong encryption will be a boon to online merchants, as well as to insurance and medical companies. The new regulations generally allow these large companies and their subsidiaries abroad to use the same level of encryption as banks do.
A few industries were left out of the new regulations. Telephone companies, wishing to encrypt cellular phone conversations, face much steeper opposition from law enforcement authorities, which want equipment to be modified at the telephone companies' expense for wiretapping needs. A copy of the rules is posted at Federal Register: December 31, 1998 (Volume 63, Number 251).
For industries included in the new encryption regulations, things are looking up. Even customer service has improved, says Mr. Baker, since the Department of Commerce took over the administration of encryption software exports last year from the Department of State. "They're actually helpful," he says. "You can call and ask what's happening with a client's [export] license, and they'll tell you. This is not something that happened often at the State Department," where encryption technology was classified and regulated as a weapon.
An even greater sign of encryption acceptance comes from France, which on Jan. 19 announced that it is dropping its onerous licensing requirements. "You needed an encryption license to install Netscape's international version and Microsoft's Internet browser, and both had some difficulties getting timely approval," recalls Mr. Baker. "In essence, you had to show the French authorities how the product worked" and guarantee access to decryption keys.
But even as encryption spreads, its problems are becoming more apparent. Decrypting messages can be time- consuming, and people use electronic media for speed. When it comes to storing data on an encrypted server, the problem is controlling access to the keys for decrypting the information. "The only way to guarantee that people will have access to the data is to give the keys away, more or less permanently," says Mr. Baker. Traditional security problems then arise with disgruntled or careless employees.
Strong encryption and controlled keys cannot prevent what are perhaps more significant privacy intrusions. In December, the Office of the Comptroller of the Currency proposed "Know Your Customer" regulations. These rules would require national banks to determine their customers' sources of funds, monitor account activity and report anything suspicious. According to a report in Wired magazine, the Federal Deposit Insurance Corp. received more than 10,800 e-mail messages--a new agency record--opposing "Know Your Customer." In February, Republican members of Congress will attempt to block the proposal.
The negative response to "Know Your Customer" may signal a rising awareness of privacy concerns in the country, and companies may have no choice but to respond. Gordon & Glickson's Mr. Halpern points to the recent imposition of the European Union's Privacy Directive, which mandates controls on transfers of personal data, as awake-up call to U.S. companies. Already, a Swedish court has barred American Airlines from transmitting details about travelers, such as whether they ordered kosher meals, to the airlines' reservation system in the United States. The case is on appeal; details are at www.privacyexchange.org.
Mr. Halpern notes that Argentina has proposed even stricter restrictions on data transfers. "It could put a real damper on Net commerce there," he notes. But privacy protection seems to be the trend.
This article is reprinted with permission from the February 1, 1999 edition of The National Law Journal. © 1999 NLP IP Company.