Good afternoon, Mr. Chairman and members of the Committee. My name is Nicole Wong and I am an attorney with the law firm of Perkins Coie in its San Francisco and Silicon Valley offices. I am delighted to have the opportunity to appear before you today on this important issue of the Fourth Amendment and the Internet.

The core of my practice is Internet law and advising clients about doing business on the Web. My clients include Yahoo!, Dell, Go2Net, General Electric Company, Los Angeles Times, Third Voice, Octopus.com and Zero Knowledge. Today, I am not representing any of those or other cutting-edge companies, but only appear as one who spends the bulk of her time advising many of them about online privacy and other Internet-related issues.

As you are probably aware, online privacy has been a dominant business and legal issue for Internet companies and bricks-and-mortar companies moving online. In late 1996, the Federal Trade Commission released a report on the state of consumer privacy on the World Wide Web, and the findings were not encouraging. The clear thrust of the FTC’s report was that information provided by users to Web sites should be presumptively private and should be treated accordingly. This same concern was echoed in the international community. In 1998, the European Union passed its Directive on Data Protection to ensure the privacy of EU residents’ personal information (under far more stringent standards than in the U.S.), and other nations are following suit. In the last year, this Congress and a number of federal agencies announced new privacy laws and regulations to protect children’s online information, consumer’s financial information, and health and medical information. Furthermore, in the last six months, more than ten major lawsuits have been filed arising from the alleged unfair or deceptive data collection practices of several large Internet companies.

Against the background of this intense scrutiny over the protection of user information, federal, state and local law enforcement and other government agencies began requesting personal information about users that is collected, maintained and stored by many Internet companies. While both this government and the public seek greater protections for the information provided online, law enforcement agents demand access to the same information, even where the law does not clearly authorize such access.

My purpose in speaking to you today is to give you a sense of the difficulties faced by these Internet companies as they try to navigate the course between cooperating with law enforcement and other government agencies and protecting the privacy of their users. The advances in technology over the last five years are reshaping our notions of personal privacy and demanding reconsideration of our privacy and search and seizure laws.

II. "Persons, Houses, Papers and Effects"

The Fourth Amendment imposes limits on government interference with personal autonomy by protecting "persons, houses, papers and effects" from unreasonable search and seizure. As an initial matter, it may be helpful for me to explain the types of services and information, the cyber-equivalent of "persons, houses, papers and effects," available on and through the Internet.

For those of you who regularly surf the Web, you probably know that just about any good or service you want can be found on the Internet. You can get an e-mail account accessible from anywhere in the world. You can sign up for news bulletins specifically tailored to your interests. You can maintain a personal calendar on the Web and share it with others. You can record your own music and perform it for others. You can find a date or a rock climbing partner. You can seek expert advice in any range of areas from taxes to astrology. You can order groceries. You can order prescription drugs. You can bank or trade. You can make travel arrangements. You can sell all that old junk in your garage. You can create a private club to discuss anything from presidential politics to Pokemon. The list goes on.

In general, the information collected by Web sites can be placed in four categories:

1. Specifically Requested Information. Most Internet Service Providers, Web sites and other online services ask users for some personally identifying information, either for purposes of registration, participating in contests or surveys, or making purchases. Such information may include name, address, e-mail address and credit card information.

2. Navigational and Transactional Data. In addition to direct requests for information, most online services also use some form of tracking technology to collect information while a user "surfs" their site or the Internet generally. This data can be used to create a record of a user’s online communications, transactions and other activities, including Web sites visited, pages and ads viewed, purchases made, and more. This record of a user’s travel through the Internet is sometimes called "clickstream data." Specific types of such data include:

a. Cookies. "Cookies" are small data text files that are sent from a server computer to a recipient computer during a browsing session. Cookies allow a Web site server to remember what the user did when he or she visited the site; for example, when the last visit occurred and which pages were viewed at that time. While a cookie identifies an individual user’s computer in the sense it can distinguish one from another, it typically does not know the actual identity of the user. Generally, cookies do not pose a threat to either destroy or compromise a system.

b. IP Address. When a user connects to the Internet, its ISP assigns the computer a numeric Internet Protocol Address. The IP Address allows the user’s computer to communicate with the servers of the Web sites he or she visits, and may be traced to the ISP or, in some cases, computer owner. Generally, IP addresses are automatically gathered and maintained by the Web site.

c. Referrers. Some online services may collect a "referrer" from the user’s Web browser which references the URL that the user is visiting. Such information is generally used to identify and track a user’s travel across the Web.

d. GUID. A Globally Unique Identifier is an alphanumeric identifier for a unique installation of software. GUIDs may be used to identify software or other files created or downloaded on the user’s hard drive.

By themselves, cookies and other tracking technology typically do not reveal the actual identity of an individual. When matched with personal information provided by the user (such as registration data), however, the data can be used to create a profile of a specific user. Cookies and other tracking technology enhance the browsing experience by identifying the user with his or her previously selected preferences or activities during earlier visits, which "personalizes" the site for the user’s repeated visits.

3. Public Communications. Many Web sites host message boards or chat rooms that are open to site members or the public generally. Such public postings are equivalent to taking out an ad in the local newspaper. These messages are, for all intents and purposes, "public" communications and users have no reasonable expectation of privacy in such communications.

4. Private Content. Many online services also offer private communication tools, such as e-mail or instant messaging or private "club" platforms, or simply private storage facilities for users to keep and access data. In general, these communications are intended for the eyes of the sender, recipient or storage holder alone.

Your activity on the Web -- in whole or part -- may be collected, used for internal analysis, marketing or other purposes, or rented, sold or disclosed to another company. The routine logging of user activity information can produce highly granular and powerful information about your interests, preferences and habits. For example, an e-commerce site may track not only what you purchase, but also the Web pages you look at and for how long. This is equivalent to someone not merely reviewing your receipt of purchases from the store, but following you through the aisles of the store and recording all of the goods or promotions that catch your eye. In this new cyberworld, it is still unclear what expectation of privacy users have. As the class action lawsuits described above indicate, many users do believe that they have a privacy right in the data regarding the Web sites they visit, what Web pages they click on, and what software they use.

III. Internet Users’ Expectation of Privacy

The new technologies demand a new look at the Internet user’s reasonable expectation of privacy, the touchstone of the Fourth Amendment. While data reflecting one’s "communications, personality, politics and thoughts" is more accessible than ever, the legal protection for such data has not evolved with the technology. If the right of privacy is to have any meaning, then the mere fact that techology makes access to personal information both possible and easy should not eviscerate the individual’s expectation of privacy.

As described above, the Internet -- by its networking nature -- challenges existing laws predicated on the old-fashioned belief that a person’s most private possessions are in the home, and that privacy ends at the property line. In cyberspace, however, we must recognize that the traditional notions of "place" and "possession" do not exist in a network of computers that function on the basis of sharing and passing along data. When an individual logs onto her computer at home, however, she suddenly connects to a vast network of computers and data which appears on her computer screen is not "in" her home. Yet, most users would argue that the bank statements, personal correspondence, personal calendars and address books are personal and private and should be accorded the same degree of protection from government intrusion as if those "papers and effects" were kept in the home.

And there are other interests involved. For example, a user who anonymously posts on a public message board may have an expectation that she will remain anonymous and, furthermore, may have a First Amendment right to speak anonymously. Similarly, a user may have an expectation of privacy in her membership in an online "club" for her church group, chess club, or political association, and a right to freely associate with those groups without the oversight of the government. Based on similar notions of privacy and the First Amendment, Congress previously passed a law establishing a privacy right in an individual’s video rentals. Substantially similar privacy interests are implicated on the Internet.

IV. Gaps in the Law

There are three principal federal statutes governing the interception and disclosure of electronic information:

1. Electronic Communications Privacy Act of 1986 ("ECPA"), Title I, 18 U.S.C. §§ 2510 et seq. ("Wiretap Act"), makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication or a probable cause order.

2. ECPA, Title II, 18 U.S.C. §§ 2701 et seq. ("Stored Information Act"), generally prohibits the disclosure of the content of electronically stored communications or user information to the government unless an appropriate warrant, court order or subpoena is obtained.

3. ECPA, Title II, 18 U.S.C. §§ 3121 et seq. ("Pen RegisterAct") prohibits the installation or use of a pen register or trap and trace device without first obtaining a court order.

In addition, online service providers should be aware of various discovery statutes, privacy and other state laws and their contractual obligations to their users (i.e., Terms of Service) that may bear on the disclosure of user information and electronic communications.

The ECPA was enacted in 1986 recognizing that "despite the efforts by both Congress and the courts, legal protection against the unreasonable use of newer surveillance techniques has not kept pace with technology." Now in the year 2000, the technology has again outpaced the law, resulting in uncertainty for online services, Internet users and the government as to what information may or may not be disclosed and under what circumstances. By way of example, here are some issues not directly addressed by current law:

Are web sites covered by the ECPA? Is a website an electronic communication service ("any service which provides to users thereof the ability to send or receive ... electronic communications") or a remote computing service ("provision to the public of computer storage or processing services by means of an electronic communications service")? If a Web site is simply a "bill board" with advertising, must it disclose user information about its advertisers? If a Web site sells goods on credit card transactions, are those transactions "communications?"

Is transactional data content of communications or user information? Is an Internet Protocol address the content of a communication or something pertaining to user information? What about clickstream data?

Does the Pen Register Act apply to e-mail or other Web-based communications? What are the impulses to be recorded that "identify the numbers dialed" or "identify the originating number" of the device from which the communication is transmitted?

To what extent must the online service provider assist law enforcement in obtaining information? If an online service is not designed to capture the type of information that the government requests, what assistance must the service provider offer? Can the service provider be required to create new programming code or to redesign the site for a use not intended by -- or useful to -- the business?

The lack of clarity in the existing laws calls for new legislation to update the protection of personal data from the unwarranted intrusion of the government in light of new technology.

V. Conclusion

Notwithstanding battles with certain government agents as to what information may be disclosed, online services and government agencies are almost always on the same side. Both have an interest in ensuring the protection of the public and the security and growth of e-Business. This is achieved, not only by ensuring that Internet criminals are caught, but that regular ‘Netizens are confident of their privacy.