10 November 1999
Source: http://gpo.sailor.lib.md.us/bin/GPOAccess.cgi
----------------------------------------------------------------------------------
[Page S14533-S14571]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr10no99pt2-41]

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

By Mr. KOHL (for himself and Mr. Torricelli):

S. 1901. A bill to establish the Privacy Protection Study Commission to evaluate the efficacy of the Freedom of Information Act and the Electronic Freedom of Information Act Amendments of 1996, to determine whether new laws are necessary, and to provide advice and recommendations; to the Committee on the Judiciary.

the privacy protection study commission act of 1999

Mr. KOHL. Mr. President, I rise today to introduce the Privacy Protection Study Commission Act of 1999 with my colleague Senator Torricelli. This legislation addresses privacy protection by creating an expert Commission charged with the duty to explore privacy concerns. We cannot underestimate the importance of this issue. Privacy matters, and it will continue to matter more and more in this information age of high speed data, Internet transactions, and lightning-quick technological advances. There exists a massive wealth of information in today's world, which is increasingly stored electronically. In fact, experts estimate that the average American is ``profiled'' in up to 150 commercial electronic databases. That means that there is a great deal of data--in some cases, very detailed and personal--out there and easily accessible courtesy of the Internet revolution. With the click of a button it is possible to examine all sorts of personal information, be it an address, a criminal record, a credit history, a shopping performance, or even a medical file. Generally, the uses of this data are benign, even beneficial.
Occasionally, however, personal information is obtained surreptitiously, and even peddled to third parties for profit or other uses. This is especially troubling when, in many cases, people do not even know that their own personal information is being ``shopped.'' Two schools of thought exist on how we should address these privacy concerns. There are some who insist that we must do something and do it quickly. Others urge us to rely entirely on ``self-regulation''-- according to them most companies will act reasonably and, if not, consumers will demand privacy protection as a condition for their continued business. Both approaches have some merit, but also some problems. For example, even though horror stories abound about violations of privacy, Congress should not act by anecdote or on the basis of a few bad actors. Indeed, enacting ``knee-jerk,'' ``quick-fix'' legislation could very well do more harm than good. By the same token, however, self-regulation alone is unlikely to be the silver bullet that solves all privacy concerns. By itself, we have no assurance that it will bring the actors in line with adequate privacy protection standards. Because it is better to do it right--in terms of addressing the myriad of complicated privacy concerns--than to do it fast, perhaps what is needed is a cooling off period. Such a ``breather'' will ensure that our action is based on a comprehensive understanding of the issues, rather than a ``mishmash'' of political pressures and clever soundbites. For those reasons, and recognizing that there are no quick and easy answers, I suggest that we step back to consider the issue of privacy more thoughtfully. Let's admit that neither laws nor self-regulation alone may be the solution. Let's also concede that no one is going to divine the right approach overnight. 
But given the time and resources, a ``Privacy Protection Study Commission'' composed of experts drawn from the fields of law, civil rights and liberties, privacy matters, business, or information technology, may offer insights on how to address and ensure balanced privacy protection into the next millennium. The bill I am introducing today would do just that. The Commission would be comprised of nine bright minds equally chosen by the Senate, the House, and the Administration. As drafted, the Commission will be granted the latitude to explore and fully examine the current complexities of privacy protection. After 18 months, the Commission will be required to report back to Congress with its findings and proposals. If legislation is necessary, the Commission will be in the best position to recommend a balanced course of action. And if lawmaking is not warranted, the Commission's recognition of that fact will help persuade a skeptical Congress and public. This is not a brand new idea. Twenty-five years ago, Congress created a Privacy Protection Commission to study privacy concerns as they related to government uses of personal information. That Commission's findings were seminal. A quarter of a century later, because so much has changed, it is time to re-examine this issue on a much broader scale. The uses of personal information that concerned the Commission 25 years ago have exploded today, especially in this era of e-commerce, super databases, and mega-mergers. People are genuinely worried--perhaps they shouldn't be--but their concerns are real. For example, a Wall Street Journal survey revealed that Americans today are more concerned about invasions of their personal privacy than they are [[Page S14536]] about world war. Another poll cited in the Economist noted that 80 percent are worried about what happens to information collected about them. William Safire summed it up best in a recent New York Times essay: ``We are dealing here with a political sleeper issue.
People are getting wise to being secretly examined and manipulated and it rubs them the wrong way.'' One final note: given that privacy is not an easy issue and that it appears in so many other contexts, I invite all interested parties to help us improve our legislation to create a Commission. We need to forge a middle ground consensus with our approach, and the door is open to all who share this goal. Mr. President, I ask unanimous consent that the previously cited material be printed in the Record. There being no objection, the material was ordered to be printed in the Record as follows:

[From the Economist--May 1, 1999]

The End of Privacy

Remember, they are always watching you. Use cash when you can. Do not give your phone number, social-security number or address, unless you absolutely have to. Do not fill in questionnaires or respond to telemarketers. Demand that credit and datamarketing firms produce all information they have on you, correct errors and remove you from marketing lists. Check your medical records often. If you suspect a government agency has a file on you, demand to see it. Block caller ID on your phone, and keep your number unlisted. Never use electronic tollbooths on roads. Never leave your mobile phone on--your movements can be traced. Do not use store credit or discount cards. If you must use the Internet, encrypt your e-mail, reject all ``cookies'' and never give your real name when registering at websites. Better still, use somebody else's computer. At work, assume that calls, voice mail, e-mail and computer use are all monitored. This sounds like the paranoid ravings of the Unabomber. In fact, it is advice being offered by the more zealous of today's privacy campaigners. In an increasingly wired world, people are continually creating information about themselves that is recorded and often sold or pooled with information from other sources. The goal of privacy advocates is not extreme.
Anyone who took these precautions would merely be seeking a level of privacy available to all 20 years ago. And yet such behaviour now would seem obsessive and paranoid indeed. That is a clue to how fast things have changed. To try to restore the privacy that was universal in the 1970s is to chase a chimera. Computer technology is developing so rapidly that it is hard to predict how it will be applied. But some trends are unmistakable. The volume of data recorded about people will continue to expand dramatically (see pages 21-23). Disputes about privacy will become more bitter. Attempts to restrain the surveillance society through new laws will intensify. Consumers will pay more for services that offer a privacy pledge. And the market for privacy-protection technology will grow.

Always observed

Yet there is a bold prediction: all these efforts to hold back the rising tide of electronic intrusion into privacy will fail. They may offer a brief respite for those determined, whatever the trouble or cost, to protect themselves. But 20 years hence most people will find that the privacy they take for granted today will be just as elusive as the privacy of the 1970s now seems. Some will shrug and say: ``Who cares? I have nothing to hide.'' But many others will be disturbed by the idea that most of their behaviour leaves a permanent and easily traceable record. People will have to start assuming that they simply have no privacy. This will constitute one of the greatest social changes of modern times. Privacy is doomed for the same reason that it has been eroded so fast over the past two decades. Presented with the prospect of its loss, many might prefer to eschew even the huge benefits that the new information economy promises. But they will not, in practice, be offered that choice.
Instead, each benefit--safer streets, cheaper communications, more entertainment, better government services, more convenient shopping, a wider selection of products--will seem worth the surrender of a bit more personal information. Privacy is a residual value, hard to define or protect in the abstract. The cumulative effect of these bargains--each attractive on their own--will be the end of privacy. For a similar reason, attempts to protect privacy through new laws will fail--as they have done in the past. The European Union's data protection directive, the most sweeping recent attempt, gives individuals unprecedented control over information about themselves. This could provide remedies against the most egregious intrusions. But it is doubtful whether the law can be applied in practice, if too many people try to use it. Already the Europeans are hinting that they will not enforce the strict terms of the directive against America, which has less stringent protections. Policing the proliferating number of databases and the thriving trade in information would not only be costly in itself, it would also impose huge burdens on the economy. Moreover, such laws are based on a novel concept: that individuals have a property right in information about themselves. Broadly enforced, such a property right would be antithetical to an open society. It would pose a threat not only to commerce, but also to a free press and to much political activity, to say nothing of everyday conversation. It is more likely that laws will be used not to obstruct the recording and collection of information, but to catch those who use it to do harm. Fortunately, the same technology that is destroying privacy also makes it easier to trap stalkers, detect fraud, prosecute criminals and hold the government to account. The result could be less privacy, certainly--but also more security for the law-abiding. 
Whatever new legal remedies emerge, opting out of information-gathering is bound to become ever harder and less attractive. If most urban streets are monitored by intelligent video cameras that can identify criminals, who will want to live on a street without one? If most people carry their entire medical history on a plastic card that the emergency services come to rely on, a refusal to carry the card could be life-threatening. To get a foretaste of what is to come, try hiring a car or booking a room at a top hotel without a credit card. In a way, the future may be like the past, when few except the rich enjoyed much privacy. To earlier generations, escaping the claustrophobic all-knowingness of a village for the relative anonymity of the city was one of the more liberating aspects of modern life. But the era of urban anonymity already looks like a mere historical interlude. There is, however, one difference between past and future. In the village, everybody knew everybody else's business. In the future, nobody will know for certain who knows what about them. That will be uncomfortable. But the best advice may be: get used to it.

the surveillance society

New information technology offers huge benefits--higher productivity, better crime prevention, improved medical care, dazzling entertainment, more convenience. But it comes at a price: less and less privacy

``The right to be left alone.'' For many this phrase, made famous by Louis Brandeis, an American Supreme Court justice, captures the essence of a notoriously slippery, but crucial concept. Drawing the boundaries of privacy has always been tricky. Most people have long accepted the need to provide some information about themselves in order to vote, work, shop, pursue a business, socialise or even borrow a library book. But exercising control over who knows what about you has also come to be seen as an essential feature of a civilised society.
Totalitarian excesses have made ``Big Brother'' one of the 20th century's most frightening bogeymen. Some right of privacy, however qualified, has been a major difference between democracies and dictatorships. An explicit right to privacy is now enshrined in scores of national constitutions as well as in international human-rights treaties. Without the ``right to be left alone,'' to shut out on occasion the prying eyes and importunities of both government and society, other political and civil liberties seem fragile. Today most people in rich societies assume that, provided they obey the law, they have a right to enjoy privacy whenever it suits them. They are wrong. Despite a raft of laws, treaties and constitutional provisions, privacy has been eroded for decades. This trend is now likely to accelerate sharply. The cause is the same as that which alarmed Brandeis when he first popularized his phrase in an article in 1890: technological change. In his day it was the spread of photography and cheap printing that posed the most immediate threat to privacy. In our day it is the computer. The quantity of information that is now available to governments and companies about individuals would have horrified Brandeis. But the power to gather and disseminate data electronically is growing so fast that it raises an even more unsettling question: in 20 years' time, will there be any privacy left to protect? Most privacy debates concern media intrusion, which is also what bothered Brandeis. And yet the greatest threat to privacy today comes not from the media, whose antics affect few people, but from the mundane business of recording and collecting an ever-expanding number of everyday transactions. Most people know that information is collected about them, but are not certain how much. Many are puzzled or annoyed by unsolicited junk mail coming through their letter boxes. And yet junk mail is just the visible tip of an information iceberg.
The volume of personal data in both commercial and government databases has grown by leaps and bounds in recent years along with advances in computer technology. The United States, perhaps the most computerized society in the world, is leading the way, but other countries are not far behind. Advances in computing are having a twin effect. They are not only making it possible to collect information that once went largely unrecorded, but are also making it relatively easy to store, analyze and retrieve this information in ways which, until quite recently, were impossible. Just consider the amount of information already being collected as a matter of routine--any spending that involves a credit or [[Page S14537]] bank debit card, most financial transactions, telephone calls, all dealings with national or local government. Supermarkets record every item being bought by customers who use discount cards. Mobile-phone companies are busy installing equipment that allows them to track the location of anyone who has a phone switched on. Electronic toll-booths and traffic-monitoring systems can record the movement of individual vehicles. Pioneered in Britain, closed-circuit TV cameras now scan increasingly large swathes of urban landscapes in other countries too. The trade in consumer information has hugely expanded in the past ten years. One single company, Acxiom Corporation in Conway, Arkansas, has a database combining public and consumer information that covers 95% of American households. Is there anyone left on the planet who does not know that their use of the Internet is being recorded by somebody, somewhere? Firms are as interested in their employees as in their customers. A 1997 survey by the American Management Association of 900 large companies found that nearly two-thirds admitted to some form of electronic surveillance of their own workers.
Powerful new software makes it easy for bosses to monitor and record not only all telephone conversations, but every keystroke and e-mail message as well. Information is power, so it's hardly surprising that governments are as keen as companies to use data-processing technology. They do this for many entirely legitimate reasons--tracking benefit claimants, delivering better health care, fighting crime, pursuing terrorists. But it inevitably means more government surveillance. A controversial law passed in 1994 to aid law enforcement requires telecoms firms operating in America to install equipment that allows the government to intercept and monitor all telephone and data communications, although disputes between the firms and the FBI have delayed its implementation. Intelligence agencies from America, Britain, Canada, Australia and New Zealand jointly monitor all international satellite-telecommunications traffic via a system called ``Echelon'' that can pick specific words or phrases from hundreds of thousands of messages. America, Britain, Canada and Australia are also compiling national DNA databases of convicted criminals. Many other countries are considering following suit. The idea of DNA databases that cover entire populations is still highly controversial, but those databases would be such a powerful tool for fighting crime and disease that pressure for their creation seems inevitable. Iceland's parliament has agreed a plan to sell the DNA database of its population to a medical-research firm, a move bitterly opposed by some on privacy grounds.

To each a number

The general public may be only vaguely aware of the mushrooming growth of information-gathering, but when they are offered a glimpse, most people do not like what they see. A survey by America's Federal Trade Commission found that 80% of Americans are worried about what happens to information collected about them.
Skirmishes between privacy advocates and those collecting information are occurring with increasing frequency. This year both Intel and Microsoft have run into a storm of criticism when it was revealed that their products--the chips and software at the heart of most personal computers--transmitted unique identification numbers whenever a personal-computer user logged on to the Internet. Both companies hastily offered software to allow users to turn the identifying numbers off, but their critics maintain that any software fix can be breached. In fact, a growing number of electronic devices and software packages contain identifying numbers to help them interact with each other. In February an outcry greeted news that Image Data, a small New Hampshire firm, had received finance and technical assistance from the American Secret Service to build a national database of photographs used on drivers' licenses. As a first step, the company had already bought the photographs of more than 22m drivers from state governments in South Carolina, Florida and Colorado. Image Data insists that the database, which would allow retailers or police across the country instantly to match a name and photograph, is primarily designed to fight cheque and credit-card fraud. But in response to more than 14,000 e-mail complaints, all three states moved quickly to cancel the sale. It is always hard to predict the impact of new technology, but there are several developments already on the horizon which, if the recent past is anything to go by, are bound to be used for monitoring of one sort or another. The paraphernalia of snooping, whether legal or not, is becoming both frighteningly sophisticated and easily affordable. Already, tiny microphones are capable of recording whispered conversations from across the street. Conversations can even be monitored from the normally imperceptible vibrations of window glass.
Some technologists think that the tiny battlefield reconnaissance drones being developed by the American armed forces will be easy to commercialize. Small video cameras the size of a large wasp may some day be able to fly into a room, attach themselves to a wall or ceiling and record everything that goes on there. Overt monitoring is likely to grow as well. Intelligent software systems are already able to scan and identify individuals from video images. Combined with the plummeting price and size of cameras, such software should eventually make video surveillance possible almost anywhere, at any time. Street criminals might then be observed and traced with ease. The burgeoning field of ``biometrics'' will make possible cheap and fool-proof systems that can identify people from their voices, eyeballs, thumbprints or any other measurable part of their anatomy. That could mean doing away with today's cumbersome array of security passes, tickets and even credit cards. Alternatively, pocket-sized ``smart'' cards might soon be able to store all of a person's medical or credit history, among other things, together with physical data needed to verify his or her identity. In a few years' time utilities might be able to monitor the performance of home appliances, sending repairmen or replacements even before they break down. Local supermarkets could check the contents of customers' refrigerators, compiling a shopping list as they run out of supplies of butter, cheese or milk. Or office workers might check up on the children at home from their desktop computers. But all of these benefits, from better medical care and crime prevention to the more banal delights of the ``intelligent'' home, come with one obvious drawback--an ever-widening trail of electronic data. Because the cost of storing and analysing the data is also plummeting, almost any action will leave a near-permanent record.
However ingeniously information-processing technology is used, what seems certain is that threats to traditional notions of privacy will proliferate. This prospect provokes a range of responses, none of them entirely adequate. More laws. Brandeis's article was a plea for a right to sue for damages against intrusions of privacy. It spawned a burst of privacy statutes in America and elsewhere. And yet privacy lawsuits hardly ever succeed, except in France, and even there they are rare. Courts find it almost impossible to pin down a precise enough legal definition of privacy. America's consumer-credit laws, passed in the 1970s, give individuals the right to examine their credit records and to demand corrections. The European Union has recently gone a lot further. The EU Data Protection directive, which came into force last October, aims to give people control over their data, requiring ``unambiguous'' consent before a company or agency can process it, and barring the use of the data for any purpose other than that for which it was originally collected. Each EU country is pledged to appoint a privacy commissioner to act on behalf of citizens whose rights have been violated. The directive also bars the export of data to countries that do not have comparably stringent protections. Most EU countries have yet to pass the domestic laws needed to implement the directive, so it is difficult to say how it will work in practice. But the Americans view it as Draconian, and a trade row has blown up about the EU's threat to stop data exports to the United States. A compromise may be reached that enables American firms to follow voluntary guidelines; but that merely could create a big loophole. If, on the other hand, the EU insists on barring data exports, not only might a trade war be started but also the development of electronic commerce in Europe could come screeching to a complete halt, inflicting a huge cost on the EU's economy.
In any case, it is far from clear what effect the new law will have even in Europe. More products or services may have to be offered with the kind of legalistic bumf that is now attached to computer software. But, as with software, most consumers are likely to sign without reading it. The new law may give individuals a valuable tool to fight against some of the worst abuses, rather on the pattern of consumer-credit laws. But, also as with those laws--and indeed, with government freedom of information laws in general--individuals will have to be determined and persistent to exercise their rights. Corporate and government officials can often find ways to delay or evade individual requests for information. Policing the rising tide of data collection and trading is probably beyond the capability of any government without a crackdown so massive that it could stop the new information economy in its tracks. Market solutions. The Americans generally prefer to rely on self-regulation and market pressures. Yet so far, self-regulation has failed abysmally. A Federal Trade Commission survey of 1,400 American Internet sites last year found that only 2% had posted a privacy policy in line with that advocated by the commission, although more have probably done so since, not least in response to increased concern over privacy. Studies of members of America's Direct Marketing Association by independent researchers have found that more than half did not abide even by the association's modest guidelines. If consumers were to become more alarmed about privacy, however, market solutions could offer some protection. The Internet, the frontline of the privacy battle-field, has already spawned anonymous remailers, firms that forward e-mail stripped of any identifying information. One website (www.anonymizer.com) offers anonymous Internet browsing.
Electronic digital cash, for use on or off the Internet, may eventually provide some anonymity but, like today's physical cash, it will probably be used only for smaller purchases. [[Page S14538]]

Enter the infomediary

John Hagel and Marc Singer of McKinsey, a management consulting firm, believe that from such services will emerge ``infomediaries'', firms that become brokers of information between consumers and other companies, giving consumers privacy protection and also earning them some revenue for the information they are willing to release about themselves. If consumers were willing to pay for such brokerage, infomediaries might succeed on the Internet. Such firms would have the strongest possible stake in maintaining their reputation for privacy protection. But it is hard to imagine them thriving unless consumers are willing to funnel every transaction they make through a single infomediary. Even if this is possible--which is unclear--many consumers may not want to rely so much on a single firm. Most, for example, already have more than one credit card. In the meantime, many companies already declare that they will not sell information they collect about customers. But many others find it possible and profitable not to make--or keep--this pledge. Consumers who want privacy must be ever vigilant, which is more than most can manage. Even those companies which advertise that they will not sell information do not promise not to buy it. They almost certainly know more about their customers than their customers realize. And in any case, market solutions, including infomediaries, are unlikely to be able to deal with growing government databases or increased surveillance in public areas. Technology. The Internet has spawned a fierce war between fans of encryption and governments, especially America's, which argue that they must have access to the keys to software codes used on the web in the interests of law enforcement.
This quarrel has been rumbling on for years. But given the easy availability of increasingly complex codes, governments may just have to accept defeat, which would provide more privacy not just for innocent web users, but for criminals as well. Yet even encryption will only serve to restore to Internet users the level of privacy that most people have assumed they now enjoy in traditional (i.e., paper) mail. Away from the web, the technological race between snoopers and anti-snoopers will also undoubtedly continue. But technology can only ever be a partial answer. Privacy will be reduced not only by government or private snooping, but by the constant recording of all sorts of information that individuals must provide to receive products or benefits--which is as true on as off the Internet. Transparency. Despairing of efforts to protect privacy in the face of the approaching technological deluge, David Brin, an American physicist and science-fiction writer, proposes a radical alternative--its complete abolition. In his book ``The Transparent Society'' (Addison-Wesley, $25) he argues that in future the rich and powerful--and most ominously of all, governments--will derive the greatest benefit from privacy protection, rather than ordinary people. Instead, says Mr. Brin, a clear, simple rule should be adopted: everyone should have access to all information. Every citizen should be able to tap into any database, corporate or governmental, containing personal information. Images from the video-surveillance cameras on city streets should be accessible to everyone, not just the police. The idea sounds disconcerting, he admits. But he argues that privacy is doomed in any case. Transparency would enable people to know who knows what about them, and for the ruled to keep an eye on their rulers. Video cameras would record not only criminals, but also abusive policemen.
Corporate chiefs would know that information about themselves is as freely available as it is about their customers or workers. Simple deterrence would then encourage restraint in information gathering--and maybe even more courtesy. Yet Mr. Brin does not explain what would happen to transparency violators or whether there would be any limits. What about national-security data or trade secrets? Police or medical files? Criminals might find these of great interest. What is more, transparency would be just as difficult to enforce legally as privacy protection is now. Indeed, the very idea of making privacy into a crime seems outlandish. There is unlikely to be a single answer to the dilemma posed by the conflict between privacy and the growing power of information technology. But unless society collectively turns away from the benefits that technology can offer--surely the most unlikely outcome of all--privacy debates are likely to become ever more intense. In the brave new world of the information age, the right to be left alone is certain to come under siege as never before.

____

Nosy Parker Lives

[William Safire, Washington]

A state sells its driver's license records to a stalker; he selects his victim--a Hollywood starlet--from the photos and murders her. A telephone company sells a list of calls; an extortionist analyzes the pattern of calls and blackmails the owner of the phone. A hospital transfers patient records to an insurance affiliate, which turns down a policy renewal. A bank sells a financial disclosure statement to a borrower's employer, who fires the employee for profligacy. An Internet browser sells the records of a nettie's searches to a lawyer's private investigator, who uses ``cookie''-generated evidence against the nettie in a lawsuit. Such invasions of privacy are no longer far-out possibilities. The first listed above, the murder of Rebecca Schaeffer, led to the Driver's Privacy Protection Act.
That Federal law enables motorists to ``opt out''--to direct that information about them not be sold for commercial purposes. But even that opt out puts the burden of protection on the potential victim, and most people are too busy or lazy to initiate self-protection. Far more effective would be what privacy advocates call opt in--requiring the state or business to request permission of individual customers before selling their names to practitioners of ``target marketing.'' In practical terms, the difference between opt in and opt out is the difference between a door locked with a bolt and a door left ajar. But in a divided appeals court--under the strained rubric of commercial free speech--the intrusive telecommunications giant US West won. Its private customers and the public are the losers. Corporate mergers and technologies of E-commerce and electronic surveillance are pulverizing the walls of personal privacy. Belatedly, Americans are awakening to their new nakedness as targets of marketers. Your bank account, your health record, your genetic code, your personal and shopping habits and sexual interests are your own business. That information has a value. If anybody wants to pay for an intimate look inside your life, let them make you an offer and you'll think about it. That's opt in. You may decide to trade the desired information about yourself for services like an E-mail box or stock quotes or other inducement. But require them to ask you first. We are dealing here with a political sleeper issue. People are getting wise to being secretly examined and manipulated and it rubs them the wrong way. Politicians sense that a strange dissonance is agitating their constituents. But most are leery of the issue because it cuts across ideologies and party lines--not just encrypted communication versus national security, but personal liberty versus the free market. That's why there has been such Sturm und Drang around the Financial Services Act of 1999. 
Most pols think it is bogged down only because of a turf war between the Treasury and the Fed over who regulates the new bank-broker-insurance mergers. It goes deeper. The House passed a bill 343 to 86 to make ``pretext calling'' by snoops pretending to be the customer a Federal crime, plus an ``opt out'' that puts the burden on bank customers to tell their banks not to disclose account information to marketers. The bank lobby went along with this. The Senate passed a version without privacy protection because Banking Chairman Phil Gramm said so. But in Senate-House conference, Republican Richard Shelby of Alabama (who already toughened drivers' protection at the behest of Phyllis Schlafly's Eagle Forum and the A.C.L.U.) is pressing for the House version. `` `Opt out' is weak,'' Shelby tells me, ``but it's a start.'' The groundswelling resentment is in search of a public champion. The start will gain momentum when some Presidential candidate seizes the sleeper issue of the too-targeted consumer. Laws need not always be the answer: to avert regulation, smart businesses will compete to assure customers' right to decide. The libertarian principle is plain: excepting legitimate needs of law enforcement and public interest, control of information about an individual must rest with the person himself. When the required permission is asked, he or she can sell it or trade it--or tell the bank, the search engine and the Motor Vehicle Bureau to keep their mouths shut. ____ Privately Held Concerns [Oct. 22, 1999--Wall Street Journal] Congress has been paddling 20 years to get a financial-service overhaul bill, and now the canoe threatens to run aground on one of those imaginary concerns that only sounds good in press release--``consumer privacy.'' In the column alongside, Paul Gigot describes the hardball politics behind the financial reform bill's other sticking point--the Community Reinvestment Act. 
Our subject here is Senator Richard Shelby's strange idea of what, precisely, should constitute ``consumer privacy'' in the new world. ``It's our responsibility to identify what is out of bounds,'' declared the identity confused Republican as he surfaced this phantom last spring. Privacy concerns are a proper discussion point for the information age, but financial reform would actually tend to alleviate some of them. If a single company were allowed to sell insurance, portfolio advice and checking accounts, there would be less incentive to peddle information to third parties. Legislative reform and mergers in the financial industry were all supposed to be aimed at the same goal, using information efficiently within a single company to serve customers. Yet to Mr. Shelby, this is a predatorial act. He's demanding language that would mean a Citigroup banker, say, couldn't tell a Citigroup insurance agent that Mr. Jones is a hot insurance prospect--unless Mr. Jones gives his permission in writing first. Mr. Shelby threatens to withhold his crucial [[Page S14539]] vote unless this deal-breaker is written into the law. To inflict this inconvenience on Mr. Jones is weird enough: He has already volunteered to have a relationship with Citigroup. But even weirder is the urge to cripple a law whose whole purpose is to modernize an industry structure that forces consumers today to chase six different companies around to get a full mix of financial services. In essence, financial products all do the same thing: shift income in time. You want to go to college now based on your future earnings, so you take out a loan. You want to retire in 20 years based on your present earnings, so you get an IRA. And if a single cry goes up from modern man, it's ``Simplify my life.'' A vote last Friday seemed to put Mr. Shelby's peeve to rest. Under the current language, consumers would have an ``opt out'' if they don't want their information shared. But Mr. 
Shelby won't let go, and joining his chorus are Ralph Nader on the left, Phyllis Schlafly on the right and various gnats buzzing around the interest-group honeypot. He claims to be responding to constituent complaints about telemarketing, not to mention a poll showing that 90% of consumers respond favorably to the word ``privacy.'' Well, duh. Consumers don't want their information made available indiscriminately to strangers. But putting up barriers to free exchange inside a company that a customer already has chosen to do business with is a farfetched application of a sensible idea. Mr. Shelby was a key supporter of language that would push banks to set up their insurance and securities operations as affiliates under a holding company. Now he wants to stop these affiliates from talking to each other. Maybe he's just confused, but it sounds more like a favor to Alabama bankers and insurance agents who want to make life a lot harder for their New York competitors trying to open up local markets. ____ Growing Compatibility Issue: Computers and User Privacy [By John Markoff, New York Times, March 3, 1999] San Francisco, March 2--The Intel Corporation recently blinked in a confrontation with privacy advocates protesting the company's plans to ship its newest generation of microprocessors with an embedded serial number that could be used to identify a computer--and by extension its user. But those on each side of the dispute acknowledge that it was only an initial skirmish in a wider struggle. From computers to cellular phones to digital video players, everyday devices and software programs increasingly embed telltale identifying numbers that let them interact. Whether such digital fingerprints constitute an imminent privacy threat or are simply part of the foundation of advanced computer systems and networks is the subject of a growing debate between the computer industry and privacy groups. 
At its heart is a fundamental disagreement over the role of electronic anonymity in a democratic society. Privacy groups argue fiercely that the merger of computers and the Internet has brought the specter of a new surveillance society in which it will be difficult to find any device that cannot be traced to the user when it is used. But a growing alliance of computer industry executives, engineers, law enforcement officials and scholars contend that absolute anonymity is not only increasingly difficult to obtain technically, but is also a potential threat to democratic order because of the possibility of electronic crime and terrorism. ``You already have zero privacy--get over it,'' Scott McNealy, chairman and chief executive of Sun Microsystems, said at a recent news conference held to introduce the company's newest software, known as Jini, intended to interconnect virtually all types of electronic devices from computers to cameras. Privacy advocates contend that software like Jini, which assigns an identification number to each device each time it connects to a network, could be misused as networks envelop almost everyone in society in a dense web of devices that see, hear, and monitor behavior and location. ``Once information becomes available for one purpose there is always pressure from other organizations to use it for their purposes,'' said Lauren Weinstein, editor of Privacy Forum, an on-line journal. This week, a programmer in Massachusetts found that identifying numbers can easily be found in word processing and spreadsheet files created with Microsoft's popular Word and Excel programs and in the Windows 95 and 98 operating systems. Moreover, unlike the Intel serial number, which the computer user can conceal, the numbers used by the Microsoft programs--found in millions of personal computers--cannot be controlled by the user. The programmer, Richard M. 
Smith, president of Phar Lap Software, a developer of computer programming tools in Cambridge, Mass., noticed that the Windows operating system contains a unique registration number stored on each personal computer in a small data base known as the Windows registry. His curiosity aroused, Mr. Smith investigated further and found that the number that uniquely identifies his computer to the network used in most office computing systems, known as the Ethernet, was routinely copied to each Microsoft Word or Excel document he created. The number is used to create a longer number, known as a globally unique identifier. It is there, he said, to enable computer users to create sophisticated documents comprising word processing, spreadsheet, presentation and data base information. Each of those components in a document needs a separate identity, and computer designers have found the Ethernet number a convenient and widely available identifier, he said. But such universal identifiers are of particular concern to privacy advocates because they could be used to compile information on individuals from many data bases. ``The infrastructure relies a lot on serial numbers,'' Mr. Smith said. ``We've let the genie out of the bottle.'' Jeff Ressler, a Microsoft product manager, said that if a computer did not have an Ethernet adapter then another identifying number was generated that was likely to be unique. ``We need a big number, which is a unique identifier,'' he said. ``If we didn't have, it would be impossible to make our software programs work together across networks.'' Indeed, an increasing range of technologies have provisions for identifying their users for either technical reasons (such as connecting to a network) or commercial ones (such as determining which ads to show to Web surfers). 
But engineers and network designers argue that identity information is a vital aspect of modern security design because it is necessary to authenticate an individual in a network, thereby preventing fraud or intrusion. Last month at the introduction of Intel's powerful Pentium III chip, Intel executives showed more than a dozen data security uses for the serial number contained electronically in each of the chips, ranging from limiting access to protecting documents or software against piracy. Intel, the largest chip maker, had recently backed down somewhat after it was challenged by privacy advocates over the identity feature, agreeing that at least some processors for the consumer market would be made in a way that requires the user to activate the feature. Far from scaling back its vision, however, Intel said it was planning an even wider range of features in its chips to help companies protect copyrighted materials. It also pointed to software applications that would use the embedded number to identify participants in electronic chat rooms on the Internet and thereby, for example, protect children from Internet stalkers. But in achieving those goals, it would also create a universal identifier, which could be used by software applications to track computer users wherever they surfed on the World Wide Web. And that, despite the chip maker's assertions that it is working to enhance security and privacy, has led some privacy advocates to taunt Intel and accuse it of a ``Big Brother Inside'' strategy. They contend that by uniquely identifying each computer it will make it possible for marketers or Government and law enforcement officials to track the activities of anyone connected to a computer network more closely. They also say that such a permanent identifier could be used in a similar fashion to the data, known as ``cookies,'' that are placed on a computer's hard drive by Web sites to track the comings and goings of Internet users. 
putting privacy on the defensive Intel's decision to forge ahead with identity features in its chip technology may signal a turning point in the battle over privacy in the electronic age. Until now, privacy concerns have generally put industry's executives on the defensive. Now questions are being raised about whether there should be limits to privacy in an Internet era. ``Judge Brandeis's definition of privacy was `the right to be left alone,' not the right to operate in absolute secrecy,'' said Paul Saffo, a researcher at the Institute for the Future in Menlo Park, Calif. Some Silicon Valley engineers and executives say that the Intel critics are being naive and have failed to understand that all devices connected to computer networks require identification features simply to function correctly. Moreover, they note that identifying numbers have for more than two decades been a requirement for any computer connected to an Ethernet network. (Although still found most widely in office settings, Ethernet connections are increasingly being used for high-speed Internet Service in the home via digital telephone lines and cable modems.) All of Apple Computer's popular iMac machines come with an Ethernet connection that has a unique permanent number installed in the factory. The number is used to identify the computer to the local network. While the Ethernet number is not broadcast over the Internet at large, it could easily be discovered by a software application like a Web browser and transmitted to a remote Web site tracking the identities of its users, a number of computer engineers said. Moreover, they say that other kinds of networks require identity numbers to protect against fraud. Each cellular telephone currently has two numbers: the telephone number, which can easily be changed, and an electronic serial number, which is permanently put in place at the factory to protect against theft or fraud. 
The serial number is accessible to the cellular telephone network, and as cellular telephones add Internet browsing and E-mail capabilities, it will potentially have the same [[Page S14540]] identity capability as the Intel processor serial number. Other examples include DIVX DVD disks, which come with a serial number that permits tracking the use of each movie by a centralized network-recording system managed by the companies that sell the disks. fearing the misuse of all those numbers Industry executives say that as the line between communications and computing becomes increasingly blurred, every electronic device will require some kind of identification to attach to the network. Making those numbers available to networks that need to pass information or to find a mobile user while at the same time denying the information to those who wish to gather information into vast data bases may be an impossible task. Privacy advocates argue that even if isolated numbers look harmless, they are actually harbingers of a trend toward ever more invasive surveillance networks. ``Whatever we can do to actually minimize the collection of personal data is good,'' said Marc Rotenberg, director of the Electronic Privacy Information Center, one of three groups trying to organize a boycott of Intel's chips. The groups are concerned that the Government will require ever more invasive hardware modifications to keep track of individuals. Already they point to the 1994 Communications Assistance for Law Enforcement Act, which requires that telephone companies modify their network switches to make it easier for Government wiretappers. Also, the Federal Communications Commission is developing regulations that will require every cellular telephone to be able to report its precise location for ``911'' emergency calls. Privacy groups are worried that this feature will be used as a tracking technology by law enforcement officials. 
``The ultimate danger is that the Government will mandate that each chip have special logic added'' to track identities in cyberspace, said Vernor Vinge, a computer scientist at San Diego State University. ``We're on a slide in that direction.'' Mr. Vinge is the author of ``True Names'' (Tor Books, 1984), a widely cited science fiction novel in the early 1980's, that forecast a world in which anonymity in computer networks is illegal. Intel executives insist that their chip is being misconstrued by privacy groups. ``We're going to start building security architecture into our chips, and this is the first step,'' said Pat Gelsinger, Intel vice president and general manager of desktop products. ``The discouraging part of this is our objective is to accomplish privacy.'' That quandary--that it is almost impossible to compartmentalize information for one purpose so that it cannot be misused--lies at the heart of the argument. Moreover, providing security while at the same time offering anonymity has long been a technical and a political challenge. ``We need to find ways to distinguish between security and identity,'' said James X. Dempsey, a privacy expert at the Center for Democracy and Technology, a Washington lobbying organization. So far the prospects are not encouraging. One technical solution developed by a cryptographer, David Chaum, made it possible for individuals to make electronic cash payments anonymously in a network. In the system Mr. Chaum designed, a user employs a different number with each organization, thereby insuring that there is no universal tracking capability. But while Mr. Chaum's solution has been widely considered ingenious, it has failed in the marketplace. Last year, his company, Digicash Inc., based in Palo Alto, Calif., filed for bankruptcy protection. ``Privacy never seems to sell,'' said Bruce Schneier, a cryptographer and a computer industry consultant. 
``Those who are interested in privacy don't want to pay for it.'' ____ Privacy Isn't Dead Yet [By Amitai Etzioni] It seems self-evident that information about your shoe size does not need to be as well guarded as information about tests ordered by your doctor. But with the Federal and state governments' piecemeal approach to privacy protection, if we release information about one facet of our lives, we inadvertently expose much about the others. During Senate hearings in 1987 about Robert Bork's fitness to serve as a Supreme Court justice, a reporter found out which videotapes Mr. Bork rented. The response was the enactment of the Video Privacy Protection Act. Another law prohibits the Social Security Administration (but hardly anybody else) from releasing our Social Security numbers. Still other laws limit what states can do with information that we provide to motor vehicle departments. Congress is now seeking to add some more panels to this crazy quilt of narrowly drawn privacy laws. The House recently endorsed a bill to prohibit banks and securities and insurance companies owned by the same parent corporation from sharing personal medical information. And Congress is grappling with laws to prevent some information about our mutual-fund holdings from being sold and bought as freely as hot dogs. But with superpowerful computers and vast databases in the private sector, personal information can't be segmented in this manner. For example, in 1996, a man in Los Angeles got himself a store card, which gave him discounts and allowed the store to trace what he purchased. After injuring his knee in the store, he sued for damages. He was then told that if he proceeded with his suit the store would use the fact that he bought a lot of liquor to show that he must have fallen because he was a drunkard. Some health insurers try to ``cherry pick'' their clients, seeking to cover only those who are least likely to have genetic problems or contract costly diseases like AIDS. 
Some laws prohibit insurers from asking people directly about their sexual orientation. But companies sometimes refuse to insure those whose vocation (designer?), place of residence (Greenwich Village?) and marital status (single at 40-plus?) suggest that they might pose high risks. Especially comprehensive privacy invaders are ``cookies''--surveillance files that many marketers implant in the personal computers of people who visit their Web sites to allow the marketers to track users' preferences and transactions. Cookies, we are assured, merely inform marketers about our wishes so that advertising can be better directed, sparing us from a flood of junk mail. Actually, by tracing the steps we take once we gain a new piece of information, cookies reveal not only what we buy (a thong from Victoria's Secret? Antidepressants?) but also how we think. Nineteen eighty-four is here courtesy of Intel, Microsoft and quite a few other corporations. All this has led Scott McNealy, the chairman and chief executive of Sun Microsystems, to state, ``You already have zero privacy--get over it.'' This pronouncement of the death of privacy is premature, but we will be able to keep it alive only if we introduce general, all-encompassing protections over segmented ones. Some cyberspace anonymity can be provided by new technologies like anti-cookie programs and encryption software that allow us to encrypt all of our data. Corporate self-regulation can also help. I.B.M., for example, said last week that it would pull its advertising from Web sites that don't have clear privacy policies. Other companies like Disney and Kellogg have voluntarily agreed not to collect information about children 12 or younger without the consent of their parents. And some new Government regulation of Internet commerce may soon be required, if only because the European Union is insisting that any personal information about the citizens of its member countries cannot be used without the citizen's consent. 
Especially sensitive information should get extra protection. But such selective security can work only if all the other information about a person is not freely accessible elsewhere. ____ A Middle Ground in the Privacy War? [By John Schwartz--March 29, 1999] Jim Hightower, the former agriculture commissioner of Texas, is fond of saying that ``there's nothing in the middle of the road but yellow stripes and dead armadillos.'' It's punchy, and has become a rallying cry of sorts for activists on all sides. But is it right? Amitai Etzioni, a professor at George Washington University, thinks not. He thinks he has found a workable middle ground between the combatants in one of the fiercest fights in our high-tech society: the right of privacy. Etzioni has carved out a place for himself over the decades as a leader in the ``communitarian'' movement. Communitarianism works toward a civil society that transcends both government regulation and commercial intrusion--a society where the golden rule is as important as the rule of law, and the notion that ``he who has the gold makes the rules'' does not apply. What does all that have to do with privacy? Etzioni has written a new book, ``The Limits of Privacy,'' that applies communitarian principles to this thorny issue. For the most part, the debate over privacy is carried out from two sides separated by a huge ideological gap--a gap so vast that they seem to feel a need to shout just to get their voices to carry across it. So Etzioni comes in with a theme not often heard, that middle of the road that Hightower hates so much. What he wants to do is to forge a new privacy doctrine that protects the individual from snooping corporations and irresponsible government, but cedes individual privacy rights when public health and safety are at stake--``a balance between rights and the common good,'' he writes. In the book, Etzioni tours a number of major privacy issues, passing judgment as he goes along. 
Pro-privacy decisions that prohibited mandatory testing of infants for HIV, for example, take the concept too far and put children at risk, he says. Privacy advocates' campaigns against the government's attempts to wiretap and unscramble encrypted messages, he says, are misguided in the face of the evil that walks the planet. The prospect of some kind of national ID system, which many privacy advocates view as anathema, he finds useful for catching criminals, reducing fraud and ending the crime of identity theft. The broad distribution of our medical records for commercial gain, however, takes too much away from us for little benefit to society. I called Etzioni to ask about his book. He said civil libertarians talk about the threat of government intrusion into our lives, and government talks about the threat of criminals, but that the more he got into his research, the more it seemed that the two [[Page S14541]] sides were missing ``the number one enemy--it's a small group of corporations that have more information about us than the East German police ever had about the Germans.'' He's horrified, for example, by recent news that both Microsoft Corp. and Intel Corp. have included identifier codes in their products that could be used to track people's online habits: ``They not only track what we are doing,'' he says. ``They track what we think.'' His rethinking of privacy leads him to reject the notions that led to a constitutional right of privacy, best expressed in the landmark 1965 case Griswold v. Connecticut. In that case, Justice William O. Douglas found a right of privacy in the ``penumbra,'' or shadow border, of rights granted by other constitutional amendments--such as freedom of speech, freedom from unreasonable search and seizure, freedom from having troops billeted in our homes. 
Etzioni scoffs at this ``stretched interpretation of a curious amalgam of sundry pieces of various constitutional rights,'' and says we need only look to the simpler balancing act we've developed in Fourth Amendment cases governing search and seizure, which give us privacy protection by requiring proper warrants before government can tape a phone or search a home. ``We cannot say that we will not allow the FBI under any conditions, because of a cyberpunk dream of a world without government, to read any message.'' He finds such a view ``so ideological, so extreme, that somebody has to talk for a sense of balance.'' I was surprised to see, in the acknowledgements in his book, warm thanks to Marc Rotenberg, who heads the Electronic Privacy Information Center. Rotenberg is about as staunch a privacy advocate as I know, and I can't imagine him finding much common ground with Etzioni--but Etzioni told me that ``Marc is among all the people in this area the most reasonable. One can talk to him.'' So I called Rotenberg, too. He said he deeply respects Etzioni, but can't find much in the book to agree with. For all the talk of balance, he says, ``we have invariably found that when the rights of the individual are balanced against the claims of the community, that the individual loses out.'' We're in the midst of a ``privacy crisis'' in which ``we have been unable to come up with solutions to the privacy challenges that new business practices and new technologies are creating,'' Rotenberg told me. The way to reach answers, he suggested, is not to seek middle ground but to draw the lines more clearly, the way judges do in deciding cases. When a criminal defendant challenges a policeman's pat-down search in court, Rotenberg explained, ``the guy with the small plastic bag of cocaine either gets to walk or he doesn't. . . . Making those lines fuzzier doesn't really take you any closer to finding answers.'' As you can see, this is one argument that isn't settled. 
But I'm glad that Etzioni has joined the conversation--both for the trademark civility he brings to it, and for the dialogue he will spark. Mr. TORRICELLI. Mr. President, I rise today to introduce the Privacy Protection Study Commission Act of 1999 with my colleague, Senator Kohl. This legislation creates a Commission to comprehensively examine privacy concerns. This Commission will provide Congress with information to facilitate our decision making regarding how to best address individual privacy protections. The rise in the use of information technology--particularly the Internet, has led to concerns regarding the security of personal information. As many as 40 million people around the world have the ability to access the Internet. The use of computers for personal and business transactions has resulted in the availability of vast amounts of financial, medical and other information in the public domain. Information about online users is also collected by Web sites through technology which tracks an individual's every interaction with the Internet. Despite the ease of availability of personal information, the United States is one of the few countries in the world that does not have comprehensive legal protection for personal information. This is in part due to differences in opinion regarding the best way to address the problem. While some argue that the Internet's size and constantly changing technology demands government and industry self-regulation, others advocate for strong legislative and regulatory protections. And, still others note that such protections, although necessary, could lead to unconstitutional consequences if drafted without a comprehensive understanding of the issue. As a result, congressional efforts to address privacy concerns have been patchwork in nature. 
This is why Senator Kohl and I are proposing the creation of a Commission with the purpose of thoughtfully considering the range of issues involved in the privacy debate and the implications of self-regulation, legislation, and federal regulation. The Commission will be comprised of experts in the fields of law, civil rights, business, and government. After 18 months, the Commission will deliver a report to Congress recommending the necessary legislative protections are needed. The Commission will have the authority to gather the necessary information to reach conclusions that are balanced and fair. Americans are genuinely concerned about individual privacy. The Privacy Commission proposed by Senator Kohl and myself will enable Congress and the public to evaluate the extent to which we should be concerned and the proper way to address those concerns. The privacy debate is multifaceted and I encourage my colleagues to join Senator Kohl and myself in our efforts to gain a better understanding of it. Senator Kohl and I look forward to working with all those interested in furthering this debate and giving Americans a greater sense of confidence in the security of their personal information. ______ By Mr. SHELBY (for himself and Mr. Bryan): S. 1903. A bill to amend the privacy provisions of the Gramm-Leach-Bliley Act; to the Committee on Banking, Housing, and Urban Affairs. consumer's right to financial privacy act Mr. SHELBY. Mr. President, I rise today to offer the ``Consumer's Right to Financial Privacy Act'' for myself and Senator Bryan. This bill would address the significant deficiencies in the Financial Services Modernization Act passed by this very body last week. 
Our bill would provide that consumers have (1) notice of the categories [[Page S14548]] of nonpublic personal information that institutions collect, as well as the practices and policies of that institution with respect to disclosing nonpublic information; (2) access to the nonpublic personal information collected and shared; (3) affirmative consent, that is that the financial institution must receive the affirmative consent of the consumer, also referred to as an opt-in, in order to share such information with third parties and affiliates. Lastly, my provision would require that this federal law not preempt stronger state privacy laws.

This bill is drafted largely after the amendment Senator Bryan and I offered in the Conference on Financial Services Modernization, but failed to get adopted due to the Conference's rush to pass a financial modernization bill, no matter what the cost. I know some think that opt-in is extreme, but I have to tell you that is what the American people want.

Over the past year I have learned a great deal about the activities of institutions sharing sensitive personal information. Many may not be aware, but it had become a common practice for state department of motor vehicles to sell the drivers license information, including name, height, weight, social security number, vehicle identification number, motor vehicle record and more. Some states even sold the digital photo image of each driver's license. I was not aware of this practice going on.

When I learned about it and studied it a little closer, I found several groups who were outraged by this practice. One such group was Eagle Forum. Another such group was the ACLU. Still another group was the Free Congress Foundation. Before I knew it, there was an ad hoc coalition of groups not only supporting the issue of driver's license privacy, but demanding it.
Thanks to the hard work of these groups, I was able to include an opt-in provision for people applying for drivers licenses at their state department of motor vehicles. That provision sailed through the Senate and then the House. That bill was signed into law by President Clinton. Despite significant lobbying by the direct marketing industry, not one member of the House or Senate took to the floor and said, ``I believe we should not allow consumers to choose whether or not their drivers license information, including their picture, should be sold or traded away like an old suit.'' No, no one objected to the opt-in. As a result, I believe very strongly that Congress has already set the bar on this issue. Opt-in is not just reasonable, it is the right thing to do.

Meanwhile, the ad hoc coalition, which is continuing to grow and includes every ideology from conservative to liberal, has signed on to four basic principles with regard to financial privacy. The principles include notice, access and consent, but also a requirement that weak federal laws not preempt stronger state laws. Our amendment incorporates those four basic principles.

Now my basic question is this, why would anyone oppose this bill? Only if you believe the financial services industry cannot make money by doing business above the table and on the level for everyone to see in the ``sunshine'' if you will. If you believe that financial institutions make money only by deceiving their customers or leaving those customers in the dark, then maybe you should oppose this bill. I do not subscribe to such a belief.

Industry will tell you that if they are required to include an opt-in, consumers will not, and therefore business will shut down. What does that tell you that consumers won't choose to opt-in? It means people don't want their information shared. If that is such a problem, it seems to me the business would spend more time educating the consumer as to the benefits of information sharing.
That is where the burden to convince the consumer to buy the product should be--on the business.

During the financial modernization debate, the financial industry, along with Citigroup communicated to Congress that they would not be able to operate or function appropriately with an opt-in requirement. I find that very difficult to comprehend, seeing as Citibank signed an agreement with their German affiliates in 1995 affording German citizens the opportunity to tell Citibank ``no,'' they did not want their personal data shared with third parties. I have a copy of the contract to prove it.

Entitled, Agreement on ``Interterritorial Data Protection'' one can see this is an agreement on the sharing of customer information between Citibank (South Dakota), referred in the document as CNA, and its German affiliates. On page two paragraph 4, entitled, Use of Subcontractors, Transmission of Data to Third Parties, number 2 reads:

For marketing purposes, the transfer of personal data to third parties provided by the Card Service Companies (that is Citicorp of Germany and Citicorp Card Operations of Germany) is prohibited, except in those cases where such personal data is transferred to affiliated companies engaged in banking business in order to market financial services; the transfer of such data beyond the aforementioned scope to third parties, shall require the Card Service Companies' express approval. Such approval is limited to the scope of the Card Customers' consent as obtained on the application form.

That, ladies and gentlemen, is an opt-in to operate in Germany, by none other than Citigroup, the number one proponent of financial modernization. Now if they can offer financial privacy to individuals in Germany, why on God's green earth can't they agree to an opt-in here in America? Do Germans have special rights over Americans? I should hope not.

Mr. President, simply put, this bill is what Americans want. This bill is workable as proven in the Citicorp agreement.
The truth is that the American people do not understand the intricacies of banking law or securities regulation. They probably do not know or care much about affiliates or operating subsidiaries. What I do know, is that if you walked outside and polled people from New York City to Los Angeles, CA, and everywhere in between, they would not only understand financial privacy, 90 percent of them would demand financial privacy and the ability to tell an institution ``no.''

Mr. President, in passing the financial modernization bill, Congress gave mammoth financial services companies significant expanded powers and unprecedented ability to collect, share, buy and sell a consumer's nonpublic personal financial information. During the debate, many members promised they would address privacy, but only in a separate bill at a later time. Well, Mr. President, the time is now and the bill is the ``Consumer's Right to Financial Privacy Act.''

The financial industry may have won the battle by keeping stronger financial privacy provisions out of the financial modernization bill. But I assure you they have not won the war. They cannot win the war on financial privacy because the American people just won't allow it.

Mr. President, I ask unanimous consent that the agreement on ``International Data Protection'' be printed in the Record.

There being no objection, the material was ordered to be printed in the Record, as follows:

Agreement on Interterritorial Data Protection

by and between

1. Citicorp Kartenservice GmbH, Wilhelm-Leuschner-Str. 32, 60329 Frankfurt/M, Germany (CKS)

2. Citicorp Card Operations GmbH, Bentheimer Strasse 118, 48529 Nordhorn, Germany (CCO)

(CKS and CCO hereinafter collectively referred to as: Card Service Companies)

3. Citibank (South Dakota), N.A., Attn.: Office of the President, 701 E. 60th Street North, Sioux Falls, South Dakota 57117 (CNA)

4. Citibank Privatkunden AG, Kasernenstrasse 10, 40213 Dusseldorf, Germany (CIP)

recital

1.
CIP has unrestricted authority to engage in banking transactions. As a licensee of VISA International, CIP issues the ``Citibank Visa Card''. Additionally, since July 1st, 1995, CIP has been cooperating with the Deutsche Bahn AG in issuing the ``DB/Citibank BahnCard'' with a cash-free payment function--hereinafter referred to as ``DB/Citibank-BahnCard''--on the basis of a Co-Branding Agreement concluded between Deutsche Bahn AG and CIP on November 18th, 1994. After the conclusion of the Agreement, the co-branding business was extended to include the issuance of the DB/Citibank BahnCard without a cash-free payment function, known as BahnCard ``pure''.

2. CIP transferred to CKS the operations of the Citibank Visa credit card business, including accounting and electronic data processing, on the basis of the terms of a Service Agreement (non-gratuitous contract for services) dated March 24, 1998, supplemented as of June 1, 1989 and November 30, 1989. Details are contained in the ``CKS Service [[Page S14549]] Agreement'', according to which CKS performs for CIP all services pertaining to the Citibank Visa card business. Concurrent with the application for a Citibank Visa Card, the Citibank Visa Card customers agree to the transfer of their personal data to CKS and to those companies entrusted by CKS with such data processing.

3. In the Co-Branding Agreement with the Deutsche Bahn AG dated November 18, 1994, CIP assumed responsibility for the issuance of the DB/Citibank BahnCard as well as for the entire management and operations associated with this business.

4. On the basis of a Service Agreement dated April 1, 1995, CIP transferred the entire operations of the DB/Citibank-BahnCard business, including data processing and accounting, to the Card Service Companies. Details are contained in the ``BahnCard Service Agreement''.
Concurrent with the application for issuing a DB/Citibank BahnCard, the BahnCard customers agree to the transfer of their personal data to CCO and to those companies entrusted by CCO with such data processing.

5. Due to reasons of efficiency, service and centralization, the Card Service Companies have entrusted CNA with the processing of the Citibank Visa card business and of the DB/Citibank BahnCard business as of July 1, 1995. In light of such considerations, the Card Service Companies--as principals--and CNA--as contractors--concluded the ``CNA Service Agreement'', to which CIP expressly consented.

6. The performance of the CNA Service Agreement requires the Card Service Companies to transfer the personal data of the Citibank Visa card customers and the DB/Citibank BahnCard customers--hereinafter collectively referred to as ``Card Customers''--to CNA and further requires CNA to process and use these data.

In order to protect the Card Customers' rights with respect to both the data protection law, as well as the banking secrecy, and in order to comply with the banking supervisory and data protection requirements. The contractual parties agree and covenant as follows:

Sec. 1 Basic Principles

The parties hereto undertake to safeguard the Card Customers' right to protection against unauthorized capture, storage and use of their personal data and their right to informational self-determination. The scope of such protection shall be governed by the standards as laid down in the German Federal Data Protection Law (Bundesdatenschutzgesetz, abbreviated to ``BDSG''). The parties hereto additionally agree to comply with the banking secrecy regulations.

Sec. 2 instructions of the card service companies

1. CNA shall process the data provided by the Card Service Companies solely in accordance with the Card Service Companies' instructions and rules, and the provisions contained in this Agreement.
CNA undertakes to process and use the data only for the purpose for which the data have been provided by the Card Service Companies to CNA, said purposes including those as described in the CNA Service Agreement. The use of such data for purposes other than described above requires the Card Service Companies' express written consent.

2. At any time, the Card Service Companies may make inquiries to CNA about the personal data transferred by the Card Service Companies and stored at CNA, and the Card Service Companies may require CNA to perform corrections, deletions or blockings of such personal data transferred by the Card Service Companies to CNA.

Sec. 3 inspection rights of the Card Service Companies

At regular intervals, an (joint) agent appointed by the Card Service Companies shall verify whether CNA complies with the terms and conditions of this Agreement, and in particular with the data protection law as well as the banking secrecy regulations. CNA shall grant the Card Service Companies' agent supervised unimpeded access to the extent necessary to accomplish the inspection and review of all data processing facilities, data files and other documentation needed for processing and utilizing the personal data transferred by the Card Service Companies in a fashion which is consistent with the CNA Operational Policies. CNA shall provide the agent with all such information as deemed necessary to perform this inspection function.

Sec. 4 use of subcontractors, transmission of data to third parties

1. CNA may not appoint non-affiliated third parties, in particular subcontractors, to perform and fulfill CNA's commitments and obligations under this Agreement.

2.
For marketing purposes, the transfer of personal data to third parties provided by the Card Service Companies is prohibited, except in those cases where such personal data is transferred to affiliated companies engaged in the banking business in order to market financial services; the transfer of such data beyond the aforementioned scope to third parties shall require the Card Service Companies' express approval. Such approval is limited to the scope of the Card Customers' consent as obtained on the application form. The personal data of customers having obtained a BahnCard ``pure'' may only be used or transferred for BahnCard marketing purposes.

CNA and the Card Service Companies undertake to institute and maintain the following data protection measures:

1. Access control of persons

CNA shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data transferred by the Card Service Companies are processed. This shall be accomplished by:

a. Establishing security areas;
b. Protection and restriction of access paths;
c. Securing the decentralized data processing equipment and personal computers;
d. Establishing access authorizations for employees and third parties, including the respective documentation;
e. Identification of the persons having access authority;
f. Regulations on key-codes;
g. Restriction on keys;
h. Code card passes;
i. Visitors books;
j. Time recording equipment;
k. Security alarm system or other appropriate security measures.

2. Data media control

CNA undertakes to implement suitable measures to prevent the unauthorized reading, copying, alteration or removal of the data media used by CNA and containing personal data of the Card Customers. This shall be accomplished by:

a. Designating the areas in which data media may/must be located;
b. Designating the persons in such areas who are authorized to remove data media;
c. Controlling the removal of data media;
d.
Securing the areas in which data media are located;
e. Release of data media to only authorized persons;
f. Control of files, controlled and documented destruction of data media;
g. Policies controlling the production of back-up copies.

3. Data memory control

CNA undertakes to implement suitable measures to prevent unauthorized input into the data memory and the unauthorized reading, alteration or deletion of the stored data on Card Customers. This shall be accomplished by:

a. An authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
b. Authentication of the authorized personnel;
c. Protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
d. Utilization of user codes (passwords);
e. Use of encryption for critical security files;
f. Specific access rules for procedures, control cards, process control methods, program cataloging authorization;
g. Guidelines for data file organization;
h. Keeping records of data file use;
i. Separation of production and test environment for libraries and data files;
j. Providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
k. Automatic log-off of user ID's that have not been used for a substantial period of time.

4. User control

CNA shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons by means of data transmission equipment. This shall be accomplished by:

a. Identification of the terminal and/or the terminal user to the DP system;
b. Automatic turn-off of the user ID when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts);
c. Issuing and safeguarding of identification codes;
d. Dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions;
e.
Evaluation of records.

5. Personnel control

Upon request, CNA shall provide the Card Service Companies with a list of the CNA employees entrusted with processing the personal data transferred by the Card Service Companies, together with a description of their access rights.

6. Access control to data

CNA commits that the persons entitled to use CNA's data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization). This shall be accomplished by:

a. Allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
b. Functional and/or time-restricted use of terminals and/or terminal users, and identification characteristics;
c. Persons with function authorization codes (direct access, batch processing) access to work areas;
d. Electronic verification of authorization;
e. Evaluation of records.

7. Transmission control

CNA shall be obligated to enable the verification and tracing of the locations/destinations to which the Card Customers' data are transferred by utilization of CNA's data communication equipment/devices. This shall be accomplished by:

a. Documentation of the retrieval and transmission programs;
[[Page S14550]]
b. Documentation of the remote locations/destinations to which a transmission paths (logical paths).

8. Input control

CNA shall provide for the retrospective ability to review and determine the time and the point of the Card Customers' data entry into CNA's data processing system. This shall be accomplished by:

a. Proof established within CNA's organization of the input authorization;
b. Electronic recording of entries.

9. Instructional control

The Card Customers' data transferred by the Card Service Companies to CNA may only be processed in accordance with instructions of the Card Service Companies. This shall be accomplished by:

a.
Binding policies and procedures for CNA employees, subject to the Card Service Companies' prior approval of such procedures and policies;
b. Upon request, access will be granted to those Card Service Companies' employees and agents who are responsible for monitoring CNA's compliance with this Agreement (c.f. Sec. 3 hereof.)

10. Transport control

CNA and the Card Service Companies shall implement suitable measures to prevent the Card Customers' personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This shall be accomplished by:

a. Encryption of the data for on-line transmission, or transport by means of data carriers, (tapes and cartridges);
b. Monitoring of the completeness and correctness of the transfer of data (end-to-end check).

11. Organization control

CNA shall maintain its internal organization in a manner that meets the requirements of this Agreement. This shall be accomplished by:

a. Internal CNA policies and procedures, guidelines, work instructions, process descriptions, and regulations for programming, testing, and release, insofar as they relate to data transferred by Card Service Companies;
b. Formulation of a data security concept whose content has been reconciled with the Card Service Companies;
c. Industry standard system and program examination;
d. Formulation of an emergency plan (back-up contingency plan).

Sec. 6 Data Protection Supervisor

1. CNA undertakes to appoint a Data Protection Supervisor and to notify the Card Service Companies of the appointee(s). CNA shall only select an employee with adequate expertise and reliability necessary to perform such a duty, and provide the Card Service Companies with appropriate evidence thereof.

2. The Data Protection Supervisor shall be directly subordinate/accountable to CNA's General Management.
He shall not be bound by instructions which obstruct or hinder the performance of his duty in the field of data protection. He shall cooperate with the Card Service Companies' agent--as indicated in Sec. 3 hereof--in monitoring the performance of this Agreement and adhering to the data protection requirements in conjunction with the data in question. In the event that CNA chooses to change the person who serves as a Data Protection Supervisor, CNA shall give timely notice to the Card Service Companies of such change. The Data Protection Supervisor shall be bound by confidentiality obligations.

3. The Data Protection Supervisor shall be available as the on-site contact for the Card Service Companies.

Sec. 7 Confidentiality Obligation

CNA shall impose a confidentiality obligation on those employees entrusted with processing the personal data transferred by the Card Service Companies. CNA shall furthermore obligate its employees to adhere to the banking and data secrecy regulations and document such employees' obligation in writing. Upon request, CNA shall provide the Card Service Companies with satisfactory evidence of compliance with this provision.

Sec. 8 Rights of Concerned Persons

1. At any time, Card Customers whose data are transferred by CIP to the Card Service Companies, and thereafter further transferred by the Card Service Companies to CNA, shall be entitled to make inquiries to CNA (who are required to respond) as to: the stored personal data, including the origin and the recipient of the data; the purpose of storage; and the persons and locations/destinations to which such data are transferred on a regular basis. The requested information shall generally be provided in writing.

2. The Card Service Companies shall honour the concerned person's request to correct his personal data at any time, provided that the stored data are incorrect. The same shall apply to data stored at CNA.

3.
The concerned person may claim from the responsible Card Service Companies the deletion or blocking of any data stored at the Card Service Companies or CNA, in the event that: such storage is prohibited by law; the data in question relate to information about health, criminal actions, violations of the public order, or religious or political opinions, and its truth/correctness cannot be proved by the Card Service Companies; and such data are processed to serve Card Service Companies' own purposes, and such data are no longer necessary to serve the purpose of the data storage under the agreement with the respective Card Customers. Notwithstanding the foregoing, the parties hereto submit to the provisions of Sec. 35 of the German Federal Data Protection Law (BDSG), and agree to be familiar with such provisions.

4. The concerned person may demand that the responsible Card Service Companies block his or her personal data, if he or she contests the correct nature thereof and if it is not possible to determine whether such data is correct or incorrect. This shall also apply to such data stored by CNA.

5. If CIP, the Card Service Companies or CNA should violate the data protection or banking secrecy regulations, the person concerned shall be entitled to claim damages caused and incurred thereby as provided in the German Federal Data Protection Law (BDSG). CIP's and the Card Service Companies' liability shall moreover extend to those claims arising from breach of this Agreement and asserted against CNA and/or its employees in performance of this Agreement.

6. CNA acknowledges the obligation assumed by CIP and the Card Service Companies towards the concerned person, and undertakes to comply with all Card Service Companies' instructions concerning such person. The concerned person may also directly assert claims against CNA and file an action at CNA's applicable place of jurisdiction.

Sec. 9 Notification to the Concerned Person

The Card Service Companies undertake to appropriately notify the concerned Card Customers of the transfer of their data to CNA.

Sec. 10 Data Protection Supervision

1. According to the German Federal Data Protection Law (BDSG), the Card Service Companies and CIP are subject to public control exercised by the respective responsible supervisory authorities.

2. Upon request of CIP or either of the Card Service Companies, CNA shall provide the respective supervisory authorities with the desired information and grant them the opportunity of auditing to the same extent as they would be entitled to conduct audits at the Card Service Companies and CIP; this includes the entitlement to inspections at CNA's premises by the supervisory authorities or their nominated agents, unless barred by binding instructions of the appropriate U.S. authorities.

Sec. 11 Banking Supervision

1. Any vouchers, commercial books of accounting, and work instructions needed for the comprehension of such documents, as well as other organizational documents shall physically remain at the Card Service Companies, unless electronically archived by scanning devices in a legally permissible fashion.

2. The Card Service Companies and CNA undertake to adhere to the principles of proper accounting practice applicable in Germany for computer-aided processes and the auditing thereof, in particular FAMA 1/1987.

3. The Card Service Companies undertake to submit a data processing concept and a data security concept to the German Federal Authority for the Supervision of Banks (Bundesaufsichtsamt fur das Kreditwesen) prior to commencing transfer of data to CNA.

4. The remote processing of the data shall be subject to the internal audit department of CIP and the Card Service Companies.
CNA agrees to cooperate with the internal auditors of CIP and the Card Service Companies, who shall have the right to inspect the files of CNA's internal auditors, insofar as they relate to the data files transferred by the Card Service Companies to CNA. The internal auditors of the Card Service Companies and of CIP shall conduct audits of CNA as required by due diligence.

5. In a joint declaration to the Federal Banking Supervisory Authority; CIP, the Card Service Companies and CNA shall undertake to allow the inclusion of CNA in audits in accordance with the provisions of Sec. 44 of the Banking Law (Kreditwesengesetz abbreviated to KWG) at any time and not to impede or obstruct such audits, provided that legal requirements and/or instructions of U.S. authorities bind CNA to the contrary.

6. CNA shall request the US banking supervisory authorities' confirmation in writing to the effect that no objections will be raised against the intended remote data processing concept. In the event that CNA cannot procure such written confirmation upon the Card Service Companies' request, the Card Service Companies and CIP may withdraw from this Agreement and the underlying CNA Service Agreement.

7. CIP, the Card Service Companies and CNA undertake to abide by the requirements for interterritorial remote data processing in bank accounting as set forth in the letter of the Federal Authority for the Supervision of Banks dated October 16, 1992. This letter is appended as a Schedule hereto and forms an integral part of this Agreement.

Sec. 12 Indemnification Claim

1. CNA shall indemnify the Card Service Companies within the scope of their internal and contractual relationship from any claims of damages asserted by the Card Customers, and resulting from CNA's incompliance with the terms and conditions of this Agreement.

2.
The Card Service Companies shall indemnify CNA within the scope of their internal and contractual relationship from any claims of damages asserted by the Card Customer, and resulting from one or both of the [[Page S14551]] Card Service Companies' incompliance with the terms and conditions of this Agreement.

Sec. 13 Term of the Agreement

1. This Agreement is effective as of July 1st, 1995, until terminated. It may be terminated by any party hereto at the end of each calendar year upon 12 months notice prior to the expiration date, subject to each party's right of termination of the Agreement for material, unremedied breach hereof. The termination of this Agreement by any one of the parties shall result in the termination of the entire Agreement with respect to the other parties.

2. CNA commits to return and delete all personal data stored at the time of termination hereof in accordance with the Card Service Companies' instructions.

Sec. 14 Confidentiality

The parties hereto commit to treat strictly confidential any trade, business and operating secrets or other sensitive information of the other parties involved. This obligation shall survive termination of this Agreement.

Sec. 15 Data protection Agreement with Deutsche Bahn AG (DB AG)

1. The Deutsche Bahn AG captures personal data at its counters and appears as a joint issuer of the DB/Citibank BahnCard. The parties hereto agree that the Deutsche Bahn AG therefore bears responsibility for such data.

2. The Deutsche Bahn AG and CIP concluded a Data Protection Agreement as of February 13, 1996, defining the scope of data protection obligations and commitments between the parties. The parties hereto are familiar with said Data Protection Agreement and acknowledge the obligations arising for CIP thereunder.

3. The parties hereto authorize CIP to provide DB AG with written notification of this Agreement on Interterritorial Data Protection.

Sec. 16 General Provisions

1.
This Agreement sets forth the entire understanding between the parties hereto in conjunction with the subject matter as laid down herein and none of the parties hereto has entered into this Agreement in reliance upon any representation, warranty or undertaking of any other party which is not contained in this Agreement or incorporated by reference herein. Any subsequent amendments to this Agreement shall be in writing duly signed by authorized representatives of the parties hereto.

2. If one or more provisions of this Agreement becomes invalid, or the Agreement is proven to be incomplete, the validity and legality of the remaining provisions hereof shall not be affected or impaired thereby. The parties hereto agree to substitute the invalid part of this Agreement by such a legally valid provision which constitutes the closest representation of the parties' intention and the economical purpose of the invalid term, and the parties hereto further agree to be bound by such a valid term. An incompleteness of this Agreement shall be bridged in a similar fashion.

3. The Parties hereto submit to the jurisdiction and venue of the courts of Frankfurt/M.

4. This Agreement shall be governed by, interpreted and construed in accordance with German law.

What are the main features of the International Agreement?

1. The parties on both sides of the Atlantic agree to apply German Data Protectional Law to their handling of cardholders' data (Sec. 1).

2. Customer data may only be processed in the United States for the purpose of producing the cards (Sec. 2).

3.
Citibank in the United States and in Europe is not allowed to transfer personal data to third parties for marketing purposes except in two cases: (a) Data of applicants for a RailwayCard with payment function may be transferred to other Citibank companies in order to market financial services; (b) Data of applicants for a pure RailwayCard may only be used or transferred for BahnCard marketing purposes, i.e., to try to convince the cardholder that he should upgrade his RailwayCard to have a ``better BahnCard'' with credit card function (Sec. 4 II). 4. The technical requirements on data security according to German law are spelt out in detail in Sec. 5. 5. The American Citibank subsidiary has to appoint data protection supervisors again following the German legal requirements (Sec. 6). 6. The German card customers have all individual rights against the American Citibank subsidiary which they have under German law. They can ask for inspection, claim deletion, correction or blocking of their data and they can bring an action for compensation under the strict liability rules of German law either against German Railway, the German Citibank subsidiary or directly against the American Citibank subsidiary (Sec. 8). 7. The Citibank subsidiaries in the United States accept on-site audits by the German data protection supervisory authority, i.e., the Berlin Data Protection Commissioner, or his nominated agents, e.g. an American consulting or auditing firm acting on his behalf (Sec. 10 II). This very important provision contains a restriction in case US authorities instruct Citibank in their country not to allow foreign auditors in. However, this restriction is not very likely to become practical. On the contrary, US authorities have already declared by way of a diplomatic note sent to the German side that they will accept these audits. 
This follows an agreement between German and United States banking supervisory authorities on auditing the trans-border processing of accounting data (cf. Sec. 11). Indeed this previous agreement very much facilitated the acceptance of German data protection audits by Citibank in the United States. As far as data security concepts are concerned the Federal Banking Supervisory Authority and the Berlin Data Protection Commissioner will be working hand in glove. 8. Finally--and this is not reproduced in the version of the Agreement which you have received--German Railway has been linked to this agreement between Citibank subsidiaries in a specific provision. ______ By Mr. DODD: S. 1908. A bill to protect students from commercial exploitation; to the Committee on Health, Education, Labor, and Pensions. Student Privacy Protection Act Mr. DODD. Mr. President, I rise today to offer legislation, ``the Student Privacy Protection Act,'' to provide parents and their children with modest, but appropriate, privacy protection from questionable marketing research in the schools. There are few images as enduring as those we experienced as schoolchildren: the teachers and chalkboards, the principal's office, children at play during recess, school libraries, and desks organized around a room. All define a school in our memories and continue to define schools today. Clearly, there have been changes and many of those for the good. Computers have become more common and are now in a majority of classrooms. Students with disabilities are routinely included in regular classes rather than segregated in separate classrooms or schools. However, some changes in my view have not been for the best. More and more schools and their classrooms are becoming commercialized. Schools, teachers and their students are daily barraged with commercial messages aimed at influencing the buying habits of children and their parents.
A 1997 study from Texas A&M estimated that children, aged 4-12 years, spent more than $24 billion themselves and influenced their parents to spend $187 billion. Marketing to children and youth is particularly powerful, however, because students are not just current consumers, they will be consumers for decades to come. And just as we hope that what students learn in schools stays with them, marketers know their messages stick--be it drinking Coke or Pepsi, or wearing Nikes or Reeboks, these habits continue into adulthood. There is no question that advertising is everywhere in our society from billboards to bathroom stalls. But what is amazing is how prevalent it has become in our schools. Companies no longer just finance the local school's scoreboard or sponsor a little league team, major national companies advertise in school hallways, in classrooms, on the fields and, even, in curriculum which they have developed specifically to get their messages into classrooms. One major spaghetti sauce firm has encouraged science teachers to have their students test different sauces for thickness as part of their science classes. Film makers and television studios promote new releases with special curriculum tied to their movies or shows. In one school, a student was suspended for wearing a Pepsi T-shirt on the school's Coke Day. In another, credit card applications were sent home with elementary school students for their parents and the school collected a fee for every family that signed up. Mr. President, this is not to say that companies cannot and should not be active partners in our schools. Indeed, business leaders have been some of the strongest advocates for school improvement. Many corporations partner with schools to contribute to the educational mission of the schools, be it through mentoring programs or through donations of technology. Other businesses have become well-known for their scholarship support of promising students.
And one cannot imagine a successful, relevant vocational education program without the participation of business. Each of these activities meets the central test of contributing to student learning. Unfortunately, too much commercial activity in our schools does not. These issues are not black and white. Channel One which is in many, many of our nation's secondary schools offers high quality programming on the news of the day and issues of importance. They provide televisions, VCR's, and satellite dishes along with other significant educational programming. But Channel One is a business; in exchange for all that is good comes advertising. Teachers, principals and parents are on the front lines of this issue; each day making decisions on what goes in and what stays out of classrooms. In my view, too often these decisions are made in the face of very limited resources. I believe most educators recognize the potential down-sides of exposing children to commercial messages--but too often they have no choice. They are faced with two poor choices: provide computers, current events or other activities with corporate advertising or not at all. The legislation I offer today does not second guess these hard decisions. This bill, which is a companion to legislation introduced in the other body by Congressman George Miller, would prohibit schools from letting students participate in various forms of market research without their parents' written permission. This bill would also provide for a study of the extent and effect of commercialism in our schools. This is, I believe, a modest proposal that deals with one of the most disturbing commercial trends in our schools. Existing school privacy laws protect official records and educational research. Current law leaves a loophole for companies to go into classrooms and get information directly from children--information about family income, buying habits, preferences, etc.--without the consent of their parents.
Marketers and advertisers use this information to target and better hone their message to reach youngsters and their families. This is not some scenario from a science fiction novel. Elementary school students in New Jersey filled out a 27-page booklet called ``My All About Me Journal'' as part of a marketing survey for a cable television channel. A technology firm provides schools with free computers and Internet access, but monitors students' web activity by age, gender and ZIP code. Children in a Massachusetts school did a cereal taste test and answered an opinion poll. This legislation does not presume that these activities are bad or unrelated to learning--it simply requires parents give their permission before their children participate. Mr. President, public education is not a new topic for discussion here on the Senate floor. But we rarely think about the actual words we use--``Public education''--and what they mean. These are schools that belong to us, to the public as a whole: schools that serve all children, schools that are the central element in their communities, and that are financed by all of us through our taxes--local, state and federal. This bill helps ensure that they remain true to their name. I ask unanimous consent that a copy of this legislation be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 1908 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Student Privacy Protection Act''. SEC. 2. PRIVACY FOR STUDENTS. Part E of title XIV of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 8891 et seq.) is amended by adding at the end the following: ``SEC. 14515. PRIVACY FOR STUDENTS. 
``(a) In General.--None of the funds authorized under this Act may be used by an applicable program to allow a third party to monitor, receive, gather, or obtain information intended for commercial purposes from any student under 18 years of age without prior, written, informed consent of the parent of the student. ``(b) Intention of Third Party.--Before a school, local educational agency, or State, as the case may be, enters into a contract with a third party, the school, agency, or State shall inquire whether the third party intends to gather, collect, or store information on students, the nature of the information to be gathered, how the information will be used, whether the information will be sold, distributed, or transferred to other parties and the amount of class time, if any, that will be consumed by such activity. ``(c) Consent Form.--The consent form referred to in subsection (a) shall indicate the dollar amount and nature of the contract between a school, local educational agency, or State, as the case may be, and a third party, including the nature of the information to be gathered, how the information will be used, if the information will be sold, distributed, or transferred to other parties, and the amount of class time, if any, that will be consumed by such activity.''. SEC. 3. GAO STUDY. (a) In General.--The Comptroller General of the United States shall conduct a study in accordance with subsection (b) regarding the prevalence and effect of commercialism in elementary and secondary education. 
(b) Contents.--The study shall-- (1) document the nature, extent, demographics, and trends of commercialism (commercial advertising, sponsorships of programs and activities, exclusive agreements, incentive programs, appropriation of space, [[Page S14557]] sponsored educational materials, electronic marketing, market research, and privatization of management) in elementary and secondary schools receiving funds under the Elementary and Secondary Education Act of 1965; (2) consider the range of benefits and costs, educational, public health, financial and social, of such commercial arrangements in classrooms; and (3) consider how commercial arrangements in schools affect student privacy, particularly in regards to new technologies such as the Internet, including the type of information that is collected on students, how it is used, and the manner in which schools inform parents before information is collected. ______ By Mr. FRIST (for himself, Mr. McCain, and Mr. Bingaman): S. 1912. A bill to facilitate the growth of electronic commerce and enable the electronic commerce market to continue its current growth rate and realize its full potential, to signal strong support of the electronic commerce market by promoting its use within Federal government agencies and small and medium-sized businesses, and for other purposes; to the Committee on Commerce, Science, and Transportation. the electronic commerce technology promotion act Mr. FRIST. Mr. President, I rise today to introduce the Electronic Commerce Technology Promotion Act. I am very pleased to be joined by Senators McCain and Bingaman. Electronic commerce has fundamentally changed the way we do business, promising increased efficiency and improved quality at lower cost. It has been widely embraced by industry, both in the United States and abroad. 
This is evident in the growth of the electronic commerce market, which though almost non-existent just a few years ago, is expected to top a staggering $1 trillion by 2003, according to market research reports. The basis for the growth of electronic commerce is the potential that electronic transactions can be completed seamlessly and simultaneously, regardless of geographical boundaries. Inherent in this is the ability of different systems to communicate and exchange data, commonly referred to as ``system interoperability''. The continued growth of global electronic commerce depends on a fundamental set of technical standards that enable essential technologies to interoperate, and on a policy and legal framework that supports the development that the market demands in a timely manner. The United States is leading this global revolution. Our industries are at the forefront in every sector, continually evolving their businesses and developing new technologies to adapt to changing market needs. Continued growth of the overall electronic commerce market is vital to our economy as well as the global market. For the electronic commerce market to sustain its current phenomenal growth rate, companies must be allowed to be agile and flexible in responding to market needs, their activities unfettered by cumbersome and static regulations. The federal government must allow the private sector to continue to take the lead in developing this dynamic global market, and refrain from undue regulatory measures wherever possible. At the same time, the federal government must unambiguously signal its strong desire to promote and facilitate the growth of the electronic commerce market by adopting and deploying relevant electronic commerce technologies within the federal agencies, as well as widely promoting their use by small and medium-sized enterprises. 
Usage of these technologies in the federal agencies enables us to share in the benefits of the electronic commerce revolution and participate more effectively as an active contributor in the private sector efforts to develop the frameworks and specifications necessary for systems and components to interoperate. This has the added advantage of allowing the government to intercede in a timely manner, either in failure conditions or to remove barriers erected by foreign governments. Furthermore, we would be strengthening our global leadership position, while at the same time establishing a model for other governments and enabling the growth of the global electronic commerce market. Small and medium-sized businesses have traditionally been the fastest growing segment of our economy, contributing more than 50 percent of the private sector output in the United States. Electronic commerce has the potential to enable these enterprises to enter the market with lower entry costs, yet extend their reach to a much larger market. The federal government has an inherent interest in helping them to maintain their global competitiveness. It is in response to these needs that I introduce today the Electronic Commerce Technology Promotion Act. The legislation establishes a Center of Excellence for Electronic Commerce at the National Institute of Standards and Technologies (NIST) that will act as a centralized resource of information for federal agencies and small and medium-sized businesses in electronic commerce technologies and issues. My [[Page S14560]] intention is not to create yet another program at NIST which will require substantial appropriations, but to create an office that focuses solely on electronic commerce by building upon existing expertise and resources. We have proposed that the Center be organized as a matrix organization that will coordinate existing as well as future activities at the Institute on electronic commerce. 
The Center will also coordinate its activities with the Department of Commerce's Manufacturing Extension Program (MEP) and the Small Business Administration to provide assistance to small and medium-sized enterprises on issues related to the deployment and use of electronic commerce technologies, including developing training modules and software toolkits. In working jointly, the Center can build upon the existing MEP infrastructure to reach out to these businesses. It is important to note that my intention is not to enlarge or modify the charter of the MEP program. Mr. President, I believe that the growth of the electronic commerce market is vital to our economic growth. It is our responsibility to facilitate this growth as well as do our best to enable the market to sustain its current phenomenal growth rate. Therefore, I urge my colleagues to support timely passage of this legislation so that we can give our unambiguous support for the development of electronic commerce as a market-driven phenomenon, and signal our strong desire to promote and facilitate the growth of the electronic commerce market. Mr. BINGAMAN. Mr. President, I am very pleased to join Senators Frist and McCain today in introducing the ``Electronic Commerce Technology Promotion Act.'' This bill, which sets up a center of Excellence in Electronic Commerce at the National Institutes of Standards and Technology, or NIST, is a solid step towards adapting an important federal agency to the digital economy we see blooming around us. NIST was established in 1901 as the National Bureau of Standards during a time of tremendous industrial development, when technology became a key driver of our economic growth. Making those technologies literally fit together reliably through standards became crucial, and Congress realized that one key to sustaining our industrial growth and the quality of our products would be a federal laboratory devoted to developing standards. 
The Bureau of Standards is a classic example of how the federal government can support technical progress that undergirds economic growth and enables the competitive marketplace to work. Around ten years ago, Congress modified the Bureau's charter in response to the problems of the 1980's, increasing its focus on competitiveness, adding efforts like the highly regarded Manufacturing Extension Program (MEP), and changing the name to NIST. Turning to the challenges of today's growing digital economy, this bill makes NIST a focal point in the federal government for promoting electronic commerce throughout our economy by establishing a Center of Excellence in Electronic Commerce there. While the challenges of making things fit together in a digital economy are different--and now go under the unmelodic term ``interoperability''--they are just as crucial as they were in the industrial economy of 1901. And, NIST remains an excellent place to lead the work. I'm particularly pleased that this bill includes the fundamental idea behind my bill S. 1494, the Electronic Commerce Extension Establishment Act of 1999. That is, NIST ought to lead an electronic commerce extension program or service to provide small businesses with low cost, impartial technical advice on how to enter and succeed in e-commerce. This service will help ensure that small businesses in every part of the nation fully participate in the unfolding e-commerce revolution through a well-proven policy tool--a service analogous to the Department of Agriculture's Cooperative Extension Service and NIST's own MEP. I believe such a service would help both small businesses and our entire economy as the productivity enhancements from e-commerce are spread more rapidly, and I recently asked Secretary Daley for a report on how such a service should work.
So, I thank Senator Frist for including my basic policy idea in his bill and look forward to working with him to flesh it out, particularly in light of the report we should get from the Commerce Department. Mr. President, I urge my colleagues to join Senators Frist, McCain, and myself in supporting this bill, as one step the Congress can take to make sure an important federal agency, NIST, continues its strong tradition of helping our economy--our growing digital economy--to be the most competitive in the world. ______ By Mr. LEVIN (for himself and Mr. Specter): S. 1920. A bill to combat money laundering and protect the United States financial system by addressing the vulnerabilities of private banking to money laundering, and for other purposes; to the Committee on Banking, Housing, and Urban Affairs. money laundering abatement act of 1999 Mr. LEVIN. Mr. President, today I am introducing, along with Senator Specter, the Money Laundering Abatement Act of 1999. The Senate Permanent Subcommittee on Investigations, of which I am the ranking member, is currently holding hearings on problems specific to private banking, a rapidly-growing financial service in which banks provide one-on-one services tailored to the individual needs of wealthy individuals. The Subcommittee's investigation and hearings show that private bankers have operated in a culture which emphasizes secrecy, impeding account documentation for regulators and law enforcement entities. This culture makes private banking peculiarly susceptible to money laundering. The Money Laundering Abatement Act is intended to supplement and reinforce the current anti-money-laundering laws and bolster the efforts of regulators and law enforcement bodies in this nation and around the world and the efforts of others in Congress. 
The Subcommittee's year-long investigation and testimony by distinguished financial experts, regulators, and banking industry personnel, revealed that private bankers regularly create devices such as shell corporations established in offshore jurisdictions to hide the source of and movement of clients' funds. The motives may be benign or they may be questionable but one thing is certain: they make it harder for regulators and law enforcement personnel to track the ownership and flow of funds and avert or apprehend laundering of the proceeds of drug and weapons trafficking, tax evasion, corruption, and other malfeasance. To make matters worse, many activities which Americans find reprehensible and which can destabilize regimes and economies are not currently illegal under foreign laws. Therefore, as the current money laundering laws are written, transactions in funds derived from such activities do not constitute money laundering, but they ought to constitute money laundering punishable under United States laws. My bill would patch these holes, particularly as they apply to private banking activities, the volume of which experts predict will grow exponentially as more and more wealth is created and banks compete for this lucrative line of business. Accordingly, I am today introducing legislation that would significantly increase the transparency of our banking system and make it possible for law enforcement and civil process to pierce the veil of secrecy that for too long has made it possible for institutions and individuals operating in largely unregulated off-shore jurisdictions to gain unfettered access to the U.S. financial system for purposes of legitimizing the proceeds of illegal or unsavory activity. A great problem in detecting money laundering is that many private banking transactions are conducted through fictitious entities or under false names or numbered accounts in which the actual or beneficial owner is not identified. 
The bill requires a financial institution that opens or maintains a U.S. account for a foreign entity to identify and maintain a record in the U.S. of the identity of each direct or beneficial owner of the account. The bill would further help banks in verifying customers' identities by making it illegal to misrepresent the true ownership of an account to a bank. The bill also imposes a ``48-hour rule'' under which, within 48 hours of a request by a federal banking agency, a financial institution would have to provide account information and documentation to the agency. Our investigation into private banking has shown that money launderers may launder their transactions by commingling the proceeds in so-called ``concentration accounts'' and aggregate the funds from multiple customers and transactions. The bill curtails the illicit use of these accounts by prohibiting institutions from using these accounts anonymously. The bill also prohibits U.S. financial institutions from opening or maintaining correspondent accounts with so-called ``brass plate'' banks--most often in off-shore locations--that are not licensed to provide services in their home countries and are not subject to comprehensive home country supervision on a consolidated basis, reducing the likelihood that U.S.-based institutions will receive funds that may derive from illicit sources. The bill would also eliminate significant gaps in current U.S. law by expanding the list of crimes committed on foreign soil that can serve as predicate offenses for money laundering prosecutions in the U.S., including corruption and the misappropriation of IMF funds. It would expand the jurisdiction of U.S. courts, by including transactions in which money is laundered through a foreign bank as a U.S. crime if the transaction has a ``nexus'' in the United States. The bill addresses the reality that governmental corruption weakens economies [[Page S14570]] and causes political instability and when U.S. 
banks profit from the fruits of such corruption they run counter to U.S. interests in ending such corruption. Another problem that we have encountered repeatedly in our investigation is that many private banks have written policies that repeatedly stress that the banker must know a customer's identity and source of funds. Yet in practice, many private bankers do not comply with their own bank's policies. To rectify this, the bill requires financial institutions to develop and apply due diligence standards for accounts for private banking customers to verify the customers' identity and source of wealth, both when opening such accounts and on an ongoing basis. Finally, the bill would authorize funding for FinCEN to develop an automated ``alert database.'' FinCEN, an arm of the Department of the Treasury, tracks Currency Transaction Reports and Suspicious Activity Reports, important tools in fighting money laundering. However, FinCEN officials have told me that they lack a database which will automatically alert them to patterns of suspicious activity that could indicate money laundering or other illicit activity. Such a database is imperative to enable FinCEN to adequately serve the law enforcement bodies that it supplies information to. This bill will close gaps in our anti-money-laundering laws and regulations. I ask unanimous consent that the bill and a summary of the bill be printed in the Record. There being no objection, the material was ordered to be printed in the Record, as follows: S. 1920 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Money Laundering Abatement Act of 1999''. SEC. 2. FINDINGS AND PURPOSE. (a) Findings.--Congress makes the following findings: (1) Money laundering is a serious problem that enables criminals to reap the rewards of their crimes by hiding the criminal source of their profits. 
(2) When carried out by using banks, money laundering erodes the integrity of our financial institutions. (3) United States financial institutions are a critical link in our efforts to combat money laundering. (4) In addition to organized crime enterprises, corrupt government officials around the world increasingly employ sophisticated money laundering schemes to conceal wealth they have plundered or extorted from their nations or received as bribes, and these practices weaken the legitimacy of foreign states, threaten the integrity of international financial markets, and harm foreign populations. (5) Private banking is a growing activity among financial institutions based in and operating in the United States. (6) The high profitability, competition, high level of secrecy, and close relationships of trust developed between private bankers and their clients make private banking vulnerable to money laundering. (7) The use by United States bankers of financial centers located outside of the United States that have weak financial regulatory and reporting regimes and no transparency facilitates global money laundering. (b) Purpose.--The purpose of this Act is to eliminate the weaknesses in Federal law that allow money laundering to flourish, particularly in private banking activities. SEC. 3. IDENTIFICATION OF ACTUAL OR BENEFICIAL OWNERS OF ACCOUNTS. (a) Transactions and Accounts With or on Behalf of Foreign Entities.--Subchapter II of chapter 53 of title 31, United States Code, is amended by adding at the end the following: ``Sec. 5331. 
Requirements relating to transactions and accounts with or on behalf of foreign entities ``(a) Definitions.--Notwithstanding any other provision of this subchapter, in this section the following definitions shall apply: ``(1) Account.--The term `account'-- ``(A) means a formal banking or business relationship established to provide regular services, dealings, and other financial transactions; and ``(B) includes a demand deposit, savings deposit, or other asset account and a credit account or other extension of credit. ``(2) Correspondent account.--The term `correspondent account' means an account established to receive deposits from and make payments on behalf of a correspondent bank. ``(3) Correspondent bank.--The term `correspondent bank' means a depository institution that accepts deposits from another financial institution and provides services on behalf of such other financial institution. ``(4) Depository institution.--The term `depository institution' has the same meaning as in section 19(b)(1)(A) of the Federal Reserve Act. ``(5) Foreign banking institution.--The term `foreign banking institution' means a foreign entity that engages in the business of banking, and includes foreign commercial banks, foreign merchant banks, and other foreign institutions that engage in banking activities usual in connection with the business of banking in the countries where they are organized or operating. ``(6) Foreign entity.--The term `foreign entity' means an entity that is not organized under the laws of the Federal Government of the United States, any State of the United States, the District of Columbia, or the Commonwealth of Puerto Rico. 
``(b) Prohibition on Opening or Maintaining Accounts Belonging to or for the Benefit of Unidentified Owners.--A depository institution or a branch of a foreign bank (as defined in section 1 of the International Banking Act of 1978) may not open or maintain any account in the United States for a foreign entity or a representative of a foreign entity, unless-- ``(1) for each such account, the institution completes and maintains in the United States a form or record identifying, by a verifiable name and account number, each person having a direct or beneficial ownership interest in the account; or ``(2) some or all of the shares of the foreign entity are publicly traded. ``(c) Prohibition on Opening or Maintaining Correspondent Accounts or Correspondent Bank Relationship With Certain Foreign Banks.--A depository institution, or branch of a foreign bank, as defined in section 1 of the International Banking Act of 1978, may not open or maintain a correspondent account in the United States for or on behalf of a foreign banking institution, or establish or maintain a correspondent bank relationship with a foreign banking institution (other than in the case of an affiliate of a branch of a foreign bank), that-- ``(1) is organized under the laws of a jurisdiction outside of the United States; and ``(2) is not subject to comprehensive supervision or regulation on a consolidated basis by the appropriate authorities in such jurisdiction. 
``(d) 48-Hour Rule.--Not later than 48 hours after receiving a request by the appropriate Federal banking agency (as defined in section 3 of the Federal Deposit Insurance Act) for information related to anti-money laundering compliance by a financial institution or a customer of that institution, a financial institution shall provide to the requesting agency, or make available at a location specified by the representative of the agency, information and account documentation for any account opened, maintained, or managed in the United States by the financial institution.''. (b) Technical and Conforming Amendment.--The table of sections for subchapter II of chapter 53 of title 31, United States Code, is amended by inserting after the item relating to section 5330 the following: ``5331. Requirements relating to transactions and accounts with or on behalf of foreign entities.''. (c) Effective Date.--The amendments made by this section shall apply-- (1) with respect to any account opened on or after the date of enactment of this Act, as of such date; and (2) with respect to any account opened before the date of enactment of this Act, as of the end of the 6-month period beginning on such date. SEC. 4. PROPER MAINTENANCE OF CONCENTRATION ACCOUNTS AT FINANCIAL INSTITUTIONS. 
Section 5318(h) of title 31, United States Code, is amended by adding at the end the following: ``(3) Availability of certain account information.--The Secretary shall prescribe regulations under this subsection that govern maintenance of concentration accounts by financial institutions, in order to ensure that such accounts are not used to prevent association of the identity of an individual customer with the movement of funds of which the customer is the direct or beneficial owner, which regulations shall, at a minimum-- ``(A) prohibit financial institutions from allowing clients to direct transactions that move their funds into, out of, or through the concentration accounts of the financial institution; ``(B) prohibit financial institutions and their employees from informing customers of the existence of, or means of identifying, the concentration accounts of the institution; and ``(C) require each financial institution to establish written procedures governing the documentation of all transactions involving a concentration account, which procedures shall ensure that, any time a transaction involving a concentration account commingles funds belonging to 1 or more customers, the identity of, and specific amount belonging to, each customer is documented.''. SEC. 5. DUE DILIGENCE REQUIRED FOR PRIVATE BANKING. The Federal Deposit Insurance Act (12 U.S.C. 1811 et seq.) is amended by inserting after section 10 the following: ``SEC. 5A. DUE DILIGENCE. ``(a) Private Banking.--In fulfillment of its anti-money laundering obligations under section 5318(h) of title 31, United States Code, each depository institution that engages in private banking shall establish due diligence procedures for opening and reviewing, on an ongoing basis, accounts of private banking customers. 
``(b) Minimum Standards.--The due diligence procedures required by paragraph (1) shall, at a minimum, ensure that the depository institution knows and verifies, through probative documentation, the identity and financial background of each private banking customer of the institution and obtains sufficient information about the source of funds of the customer to meet the anti-money laundering obligations of the institution. ``(c) Compliance Review.--The appropriate Federal banking agencies shall review compliance with the requirements of this section as part of each examination of a depository institution under this Act. ``(d) Regulations.--The Board of Governors of the Federal Reserve System shall, after consultation with the other appropriate Federal banking agencies, define the term `private banking' by regulation for purposes of this section.''. SEC. 6. SUPPLEMENTATION OF CRIMES CONSTITUTING MONEY LAUNDERING. Section 1956(c)(7)(B) of title 18, United States Code, is amended-- (1) by striking clause (ii) and inserting the following: ``(ii) any conduct constituting a crime of violence;''; and (2) by adding at the end the following: ``(iv) fraud, or any scheme to defraud, committed against a foreign government or foreign governmental entity under the laws of that government or entity; ``(v) bribery of a foreign public official, or the misappropriation, theft, or embezzlement of public funds by or for the benefit of a foreign public official under the laws of the country in which the subject conduct occurred or in which the public official holds office; ``(vi) smuggling or export control violations involving munitions listed in the United States Munitions List or technologies with military applications, as defined in the Commerce Control List of the Export Administration Regulations; ``(vii) an offense with respect to which the United States would be obligated by a multilateral treaty either to extradite the alleged offender or to submit the case for prosecution, if 
the offender were found within the territory of the United States; or ``(viii) the misuse of funds of, or provided by, the International Monetary Fund in contravention of the Articles of Agreement of the Fund or the misuse of funds of, or provided by, any other international financial institution (as defined in section 1701(c)(2) of the International Financial Institutions Act) in contravention of any international treaty or other international agreement to which the United States is a party, including any articles of agreement of the members of such international financial institution;''. SEC. 7. PROHIBITION ON FALSE STATEMENTS TO FINANCIAL INSTITUTIONS CONCERNING THE IDENTITY OF A CUSTOMER. (a) In General.--Chapter 47 of title 18, United States Code (relating to fraud and false statements), is amended by inserting after section 1007 the following: ``Sec. 1008. False statements concerning the identity of customers of financial institutions ``(a) In General.--Whoever knowingly in any manner-- ``(1) falsifies, conceals, or covers up, or attempts to falsify, conceal, or cover up, the identity of any person in connection with any transaction with a financial institution; ``(2) makes, or attempts to make, any materially false, fraudulent, or fictitious statement or representation of the identity of any person in connection with a transaction with a financial institution; ``(3) makes or uses, or attempts to make or use, any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry concerning the identity of any person in connection with a transaction with a financial institution; or ``(4) uses or presents, or attempts to use or present, in connection with a transaction with a financial institution, an identification document or means of identification the possession of which is a violation of section 1028; shall be fined under this title, imprisoned not more than 5 years, or both. 
``(b) Definitions.--In this section: ``(1) Financial institution.--In addition to the meaning given to the term `financial institution' by section 20, the term `financial institution' also has the meaning given to such term in section 5312(a)(2) of title 31. ``(2) Identification document and means of identification.--The terms `identification document' and `means of identification' have the meanings given to such terms in section 1028(d).''. (b) Technical and Conforming Amendments.-- (1) Title 18, united states code.--Section 1956(c)(7)(D) of title 18, United States Code, is amended by striking ``1014 (relating to fraudulent loan'' and inserting ``section 1008 (relating to false statements concerning the identity of customers of financial institutions), section 1014 (relating to fraudulent loan''. (2) Table of sections.--The table of sections for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1007 the following: ``1008. False statements concerning the identity of customers of financial institutions.''. SEC. 8. APPROPRIATION FOR FINCEN TO IMPLEMENT SAR/CTR ALERT DATABASE. There is authorized to be appropriated $1,000,000, to remain available until expended, for the Financial Crimes Enforcement Network of the Department of the Treasury to implement an automated database that will alert law enforcement officials if Currency Transaction Reports or Suspicious Activity Reports disclose patterns that may indicate illegal activity, including any instance in which multiple Currency Transaction Reports or Suspicious Activity Reports name the same individual within a prescribed period of time. SEC. 9. LONG-ARM JURISDICTION OVER FOREIGN MONEY LAUNDERERS. 
Section 1956(b) of title 18, United States Code, is amended-- (1) by redesignating paragraphs (1) and (2) as subparagraphs (A) and (B), respectively; (2) by inserting ``(1)'' after ``(b)''; (3) by inserting ``, or section 1957'' after ``or (a)(3)''; and (4) by adding at the end the following: ``(2) For purposes of adjudicating an action filed or enforcing a penalty ordered under this section, the district courts shall have jurisdiction over any foreign person, including any financial institution authorized under the laws of a foreign country, that commits an offense under subsection (a) involving a financial transaction that occurs in whole or in part in the United States, if service of process upon such foreign person is made under the Federal Rules of Civil Procedure or the laws of the country in which the foreign person is found. ``(3) The court may issue a pretrial restraining order or take any other action necessary to ensure that any bank account or other property held by the defendant in the United States is available to satisfy a judgment under this section.''. SEC. 10. LAUNDERING MONEY THROUGH A FOREIGN BANK. Section 1956(c)(6) of title 18, United States Code, is amended to read as follows: ``(6) the term `financial institution' includes-- ``(A) any financial institution described in section 5312(a)(2) of title 31, or the regulations promulgated thereunder; and ``(B) any foreign bank, as defined in section 1(b)(7) of the International Banking Act of 1978 (12 U.S.C. 3101(7)).''. SEC. 11. EFFECTIVE DATE. Except as otherwise specifically provided in this Act, this Act and the amendments made by this Act shall take effect 90 days after the date of enactment of this Act. 
____ Summary of the Money Laundering Abatement Act of 1999 A United States depository institution or a United States branch of a foreign institution could not open or maintain an account in the United States for a foreign entity unless the owner of the account was identified on a form or record maintained in the United States. A United States depository institution or branch of a foreign institution in the United States could not maintain a correspondent account for a foreign institution unless the foreign institution was subject to comprehensive supervision or regulation. Within 48 hours of receiving a request from a federal banking agency, a financial institution would be required to provide account information and documentation to the requesting agency. The Secretary of the Treasury would be required to issue regulations to ensure that customer funds flowing through a concentration account (which commingles funds of an institution's customers) were earmarked to each customer. The list of crimes that are predicates to money laundering would be broadened to include, among other things, corruption or fraud by or against a foreign government under that government's laws or the laws of the country in which the conduct occurred, and misappropriation of funds provided by the IMF or similar organizations. Institutions that engage in private banking would be required to implement due diligence procedures encompassing verification of private banking customers' identities and source of funds. It would be a federal crime to knowingly falsify or conceal the identity of a financial institution customer. An appropriation would be authorized for FinCEN, which tracks reports filed by financial institutions under the Bank Secrecy Act, to establish an automated system of alerting authorities when multiple reports are filed regarding the same customer. 
United States courts would be given ``long-arm'' jurisdiction over foreign persons and institutions that commit money laundering offenses that occur in whole or part in the United States. The definition of money laundering in current statutes would be expanded to include laundering money through foreign banks. ____________________