From: Marc Rotenberg [rotenberg@epic.org]
Sent: Monday, December 15, 2003 10:12 PM
To: voipforum
Cc: hoofnagle@epic.org; cadei@epic.org
Subject: EPIC Comments on VOIP

December 15, 2003

The Honorable Michael K. Powell
Chairman
Federal Communications Commission
445 12th St. SW
Washington, DC 20554

Dear Chairman Powell

The Electronic Privacy Information Center (EPIC) 
writes to the FCC to urge the Commission to address 
the privacy implications of VOIP services and to 
ensure the establishment of strong privacy safeguards 
for users of advanced network services.

For almost twenty years, the staff of EPIC has been 
involved in many of the cutting edge privacy issues 
addressed by the FCC, including Caller ID, the 
TCPA, CALEA, CPNI, location privacy, and most 
recently the adoption of the Do Not Call regulations.

It is our view that a central requirement of a 
functional and trustworthy communications network 
is the assurance of privacy protection for users of the 
network. The failure to establish strong and effective 
privacy safeguards for those who transmit personal 
messages, confidential business information, financial 
and medical records, (by way of example) will almost 
certainly reduce the utility of the nation's 
communications infrastructure. Moreover, the 
adoption of genuine privacy techniques -- as opposed 
to those which enable widespread surveillance -- will 
be critical to privacy protection in the years ahead.

The Commission must take affirmative steps to 
ensure strong privacy protections for users of VoIP 
service.  Such steps would be consistent with the 
history of privacy law in the United States, which is 
largely marked by efforts of Congress and regulators 
to erect safeguards for technologies as they emerge. 
Privacy safeguards ensure that the data collection is 
fair, transparent, and subject to law. This approach 
builds consumer confidence, establishes a stable 
business environment, and allows for the benefits of 
new technology while safeguarding key interests.

The prospective benefits must not be unencumbered 
by threats to privacy that would prevent consumer 
adoption of the new service. Specifically, we urge the 
FCC to consider technical and legal safeguards to 
protect communications traffic (content and routing
information) and user location information, and to 
ensure that those expert in privacy law and regulation 
participate in the work of the FCC on VOIP.

One of the great achievements of the American legal 
system has been our strong commitment to protecting 
the privacy of personal communications. This can be 
traced back at least as far as Benjamin Franklin, who 
in establishing the national postal service recognized 
the need to enact federal law to protect the privacy of 
communications.

In the mid-1980s. the growth of the Internet and new 
communications services was apparent. Individuals 
used desktop computers to send messages to one 
another by means of electronic mail. New industries 
were emerging and new services were being offered. 
But questions about privacy protection in the new 
communications environment arose. Congress wisely 
amended the federal wiretap law and enacted the 
Electronic Communications Privacy Act, which 
extended privacy protection to electronic 
communications and stored messages and helped 
establish public support for new network services.

Similarly, in 1984, Congress passed the Cable 
Communications Policy Act long before widespread 
adoption of cable television or two-way interactive 
communications.  That law established strong privacy 
safeguards, including opt-in protections for subscriber 
privacy, thereby encouraging adoption of the 
technology by consumers without the risk that every 
second of viewing behavior would be collected, sold, 
or delivered to law enforcement.

In 1991, well before cellular phones were widely 
distributed, Congress acted to shield the devices from 
unwanted telemarketing. Subsequent FCC regulations 
set a high standard for protection of cellular phones, 
thus allowing wide adoption of the technology while 
avoiding interruption and privacy invasion caused by 
unwanted telemarketing. In 1994, those regulations 
were supplemented by the Telemarketing Act, which 
resulted in greater consumer protections for telephone 
privacy.

In the context of VoIP, many services, including 
"presence sensing" and E911 services, will raise 
privacy issues.  It is important that moving forward, 
standards are set that limit retention and secondary, 
improper uses of location information derived from 
VoIP use.  Location information should only be used 
to provide services to users.  It is inappropriate for it 
to be used for secondary purposes, such as marketing 
based on an individual's location.

In a commercial context, improper use of location 
information may lead to a loss of anonymity in our 
daily activities as companies attach a marketing value 
to individuals' location.  Used by government for law 
enforcement and national security purposes, 
unregulated access to location data threatens to create 
a society of "dataveillance," where data such as 
location information is routinely collected for 
surveillance, without any investigatory predicate.

EPIC maintains our strong reservations regarding the 
application of the Communications Assistance to Law 
Enforcement Act (CALEA) requirements to this 
service. It is simply not coherent to argue that VOIP 
services should be free of government regulation and 
then for the government to require that 
communication service providers, hardware 
manufacturers, and network developers incorporate 
the most extreme communications surveillance 
requirements of the Federal Bureau of Investigation. 
CALEA, if applied to VOIP, would establish 
unprecedented regulation for new communications 
services.

Communications technologies like VoIP should be 
designed for precisely what they are intended for: to 
enable communication between people, not to allow 
surveillance on private citizens.  The requirement that 
VoIP contain surveillance mechanisms for 
government usage also may create security holes in 
VoIP technology that unauthorized persons may use 
to eavesdrop on private persons.

EPIC maintains online resources on VOIP and other 
privacy issues at http://www.epic.org; we urge the 
FCC to consult those resources as issues surrounding 
VoIP are studied.

Privacy issues must be addressed at the outset. The 
consequences of failing to establish privacy 
protections for users of VOIP-based services will be 
staggering.

We look forward to working with the FCC on these 
important issues.

Sincerely,

Marc Rotenberg
Executive Director

Christopher J. Hoofnagle
Associate Director
-- 

======================================
============================
Marc Rotenberg, exec director          +     +1 202 483 
1140 (tel)
Electronic Privacy Information Center  +     +1 202 
483 1248 (fax)
1718 Connecticut Ave NW Suite 200      +        
rotenberg@epic.org
Washington DC 20009  USA               +       
http://www.epic.org
======================================
============================