tives from the securities business. In a member versus member contest, the panel consists of from three to five representatives from securities industry.

Although there are obvious differences between the securities industry and its problems and the computer industry and its problems, NASD constitutes a valid precedent for the type of self-regulatory industry agency proposed herein. By adopting a NASD-type approach, the computer industry can assure the creation of a rational and orderly legal framework for resolving the increasing pressing problem of privacy in the context of the computer revolution and, at the same time, assure that regulation will be in the hands of persons thoroughly cognizant of the complexities of the situation and the need for protection of individual rights and proprietary interests in data and programs-all to the benefit of the public interest.

FOOTNOTES

*Member, District of Columbia Bar, B.A. 1954, Manhattan College; L.L.B. 1959, Harvard Law School. 1 FCC Notice of Inquiry, Docket. No. 16979, 7 F.C.C. 2d 11, 16-17, 8 P & F Radio Reg. 2d 1567, 1572 (Nov. 9, 1966) [hereinafter cited as Computer Inquiry].

2 See generally Hearings on the Computer and Invasion of Privacy Before a Subcomm. of the House Comm. on Gov't Operations, 89th Cong.. 2d Sess. (1966) [hereinafter cited as Gallagher Hearings]; Note, Privacy and Efficient Government: Proposals for a National Data Center, 82 Harv. L. Rev. 400 (1968): Research Project-Computerization of Government Files, What Impact on the Individual?, 15 U.C.L.A.L. Rev. 1371 (1968).

3 Gallagher Hearings 122.

See Ware, Security and Privacy in Computer Systems, Proceedings, 1967 Spring Joint Computer Conference 279, 280 figure 1. Effective protection of both individual privacy and proprietary data also demands control over the amount and character of the data input entering the system. See Miller. Personal Privacy in the Computer Age: The Challenge of a New Technology in an Information-Oriented Society, 67 Mich. L. Rev. 1091, 1214-71. 1229-30 (1969) [hereinafter cited as Miller]. Regulation of data input is beyond the scope of this article which is directed solely to controls in the storage and utilization of the data previously collected.

5 An obvious example of the latter is the automated credit bureau. Credit Data Corporation maintains a large scale, on-line computerized credit information system with data centers located in Los Angeles and New York City. Response of Credit Data Corp. to FCC Computer Inquiry, March 5, 1968. See generally Miller 1140–54.

See notes 54-61 infra and accompanying text.

7 This paper does not deal with the problems presented by the voluntary disclosure by the system operators of private information about individuals stored in computer systems or questions relating to the accuracy of information about individuals contained in such systems. For discussions of some of the problems involved in the storage of inaccurate information about individuals and the voluntary disclosure of information about individuals, whether accurate or inaccurate, by the custodians of such information, see Karst. "The Files": Legal Controls Over the Accuracy and Accessibility of Stored Personnel Data, 31 Law & Contemp. Prob. 342 (1966) Sills, Automated Data Processing and the Issue of Privacy, 1 Seton Hall L. Rev. 7 (1970): Note Credit Investigations and the Right to Privacy: Quest for a Remedy, 57 Geo. L.J. 509 (1969).

8 What constitutes "legitimate" voluntary disclosure of information by the information service company is beyond the scope of this paper. See not 7 supra. See generally Miller 1156-73.

10 See Lickson. Protection of the Privacy of Data Communications by_Contract: Another Case Study on the Impact of Computer Technology on the Law, Bus. Law, July 1968, at 979-80.

11 Under certain variations of these examples, the contractual rights of the computer service company's customer may also be involved.

12 See generally Restatement of Contracts §§ 133-47 (1932).

13 The Supreme Court of Georgia is considered to have laid the foundation for recognition of a right to privacy as a fundamental, legally protectible interest in Pavesich v. New England Life Ins. Co., 122 Ga. 190, 50 S.E. 68, 69-70 (1905). Of course, the intellectual foundation for recognition of invasion of privacy as a separate tort had been laid in Warren & Brandeis, The Right to Pricacy, 4 Harv. L. Rev. 193 (1890).

14 Prosser, Privacy, 48 Calif. L. Law. 383. 389 (1960).

15 See e.g., Le Crone v. Ohio Bell Tel. Co., 120 Ohio App. 129, 201 N.E. 2d 533 (1963) (wiretapping of an individual's telephone).

16 See, e.g., Flake v. Greensboro News Co., 212 N.C. 780, 195 S.E. 55 (1938) (photograph of an actress used in a bread advertisement).

17 See, e.g., Brents v. Morgan, 221 Ky. 765, 299 S.W. 967 (1927) (sign in garage window stating that the plaintiff's account with the garage has been unpaid for a long time).

18 See, e.g., Peay v. Curtis Publishing Co.. 78 F. Supp. 305 (D.D.C. 1948) (newspaepr article on the alleged practices of Washington cab drivers in cheating the public on fares, making use of the plaintiff's photograph to illustrate the article).

19 For example, Congress is now considering legislation which would regulate the activities of credit bureaus and credit investigating agencies, a field in which the computer has been playing an ever-increasing role. S. 823, 91st Cong., 1st Sess. (1969): H.R. 7874, 91st Cong., 1st Sess. (1969); H.R. 9150, 91st Cong.. 1st Sess. (1969): H.R. 9888, 91st Cong., 1st Sess. (1969). The Senate passed S. $23 on Nov. 6. 1969, 115 Cone. Rec. 13.905-11 (daily ed. Nov. 6, 1969) and reported it to the House Committee on Banking and Currency on Nov. 12. 1969. Hearings have been held this spring before the House Committee.

20 These states are Nebraska. Rhode Island. Texas, and Wisconsin. Restatement (Second) of Torts, ch. 28A, at 100 (Tent. Draft No. 13, 1967).

21 381 U.S. 479 (1965).

22 See also Tehan v. Shott, 382 U.S. 406 (1966), where the Court pointed out that the fifth amendment guarantee against self-incrimination is really in part an extension of an individual's right to privacy and "our respect for the inviolability of the human personality and of the right of each individual to a private enclave where he may lead a private life.'" Id. at 414 n. 12.

23 57 Misc. 2d 301, 292 N.Y.S. 2d 514 (Sup. Ct. 1968), aff'd 298 N.Y.S. 2d 137 (App. Div. 1969).

24 Id, at 305, 292 N.Y.S. 2d at 518.

25 The Appellate Division, in affirming the trial court's refusal to discuss the case, held that it need not pass upon the constitutional grounds advanced by the trial court, 298 N.Y.S. 2d at 141. We shall have to await further litigation to test the implications of Nader.

28 See generally A. Westin, Privacy and Freedom (1967); Gallagher Hearings, supra note 2; Pipe, Privacy; Establishing Restrictions on Government Inquiry, 18 Am. U.L. Rev. 516 (1969); Note, Credit Investigations and the Right to Privacy; Quest for a Remedy, 57 Geo. L.J. 509 (1969); Research Project-Computerization of Government Files, What Impact on the Individual? 15 U.C.L.A.L. Rev. 1371, 1375 (1968) (foreward by Mr. Justice Douglas).

Note, Credit Investigations and the Right to Privacy: Quest for a Remedy, 57 Geo. L.J. 509 (1969).

28 Id. at 532.

Comment, Privacy, Property, Public Use, and Just Compensation, 41 S. Cal. L. Rev. 902, 909 (1968).

30 Id. at 913. The author's main point is made in the following statements:

In

"It can be argued that all large public corporations, such as Time, Inc., whose activity has as great a societal impact as does most governmental action, should be subject to the same constitutional limitations as is the government. Their activity should be labelled 'public,' rather than 'private,' in contradistinction to an individual's activity. . . . short, most corporations are, at least in part, fulfilling interests of the state, and no longer fulfilling the traditional justifications of private property. In these instances they ought to be subject to the same constitutional limitations as are imposed that private property cannot be taken for a public use without payment of just compensation." Id. at 913-14. And, as noted, the author would equate the "right of privacy" to "private property" and would require the payment of just compensation for any action which results in a destruction or diminution of an individual's right of privacy.

31 The American Law Institute, in a tentative draft of a portion of a new Restatement of Torts, commented that new forms of the tort of invasion of privacy in addition to the four basic types already generally recognized by the courts may emerge, especially in light of recent decisions by the United States Supreme Court. Restatement (Second) of Torts $652A, comment c (Tent. Draft No. 13, 1967). See also Westin, Science, Privacy, and Freedom: Issues and Proposals for the 1970's, Pt. II: Balancing the Conflicting Demands of Privacy, Disclosure, and Surveillance, 66 Colum. L. Rev. 1205, 1232 (1966).

This might prove true whether the companies are service bureaus, information services, or some other type of computer service company.

Early manifestations of the theory of strict liability are shown in Huthringer v. Moore, 31 Cal. 2d 489. 19 P.2d 1 (1948) Ball v. Nye, 99 Mass. 582 (1863) (percolation of filthy water); Cahill v. Eastman, 18 Minn. 324 (1872) (underground water tunnel). For an example of statutory extension of this principle, see the relevant portions of the Federal Safety Appliance Act, 45 U.S.C. §§ 1-60 (1964).

34 See, for example, situations 1, 2, and 3, text at 497. See, for example, situation 4, text at 497-98.

38 Symposium: Computers, Data Banks, and Individual Privacy, 53 Minn. L. Rev. 211, 225-27 (1967). The growing concern over protecting privacy in our era of technological explosion is evidenced by the fact that most of the May-June 1969 issue of Think, the very informative magazine published by IBM, is devoted to a special report on privacy. The articles include Miller, Psychological Testing: Can We Minimize the Perils?, Think, May-June 1969, at 24; Ruggles. How a Data Bank Might Operate, id. at 22; Westin, Life, Liberty, and the Pursuit of Privacy, id. at 12; Westin, New Lines Will Protect Your Privacy, id. at 27. Professor Westin's concluding remarks in his first article are especially illuminating: "American Society now seems ready to face the impact of science on privacy. Failure to do so would be to leave the foundations of our free society in peril." Westin, Life, Liberty, and the Pursuit of Privacy, id. at 21. In his second article, Professor Westin points out that many organizers of private data banks, in growing recognition of the privacy problem presented by the computer revolution, are etablishing administrative controls to assure the protection of privacy. Westin, New Laws Will Protect Your Privacy,

id. at 31.

3 See Erie R.R. v. Tompkins, 304 U.S. 64 (1938), which laid to rest the notion that there is any generally applicable federal common law to be applied by the federal courts in considering "general" issues in diversity cases. For a more thorough discussion of the Erie line of cases, see 1 A. J. Moore, Federal Practice 0.318 (2d ed. 1965); Friendly, In Praise of Erie-And of the New Federal Common Law, 39 N.Y.U.L. Rev. 383 (1964).

38 Computer Inquiry, Report and Further Notice of Inquiry, 17 F.C.C. 2d 587, 592, 16 P & F Radio Reg. 2d 1505, 1510 (1969); Computer Inquiry, Notice of Proposed Rule Making and Tentative Decision, 18 P & F Radio Reg. 2d 1713, 1718 (1970). The regulatory authority of the FCC in this area may, of course, be limited in the absence of additional legislation. 39 18 U.S.C. §§ 2510-20 (Supp. IV, 1969).

40 Id. §§ 2511, 2515-19.

41 47 U.S.C. § 605 (Supp. IV, 1969).

428803, 82 Stat. 212, 223 (1968) (reprinted in full following 18 U.S.C. § 2510 (Supp. IV, 1969)).

43 § 804, Stat. 212, 223-25 (1968) (reprinted in full following 18 U.S.C. § 2510 (Supp. IV, 1969)).

44 18 U.S.C. § 2520 (Supp. IV, 1969).

45 As used in the statute, "wire communication" means:

any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception furnished or operated by any person engaged as a common carrier in providing or operating such facilities for the transmission of interstate or foreign communications. Id. § 2510 (1).

An "oral communication" means: "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation. Id. § 2510(2).

40 See Miller 1201.

47 18 U.S.C. § 2510(4) (Supp. IV. 1969) (emphasis added). It remains to be seen how the definition will be interpreted. The legislative history of the Act shows clearly that Congress was preoccupied with the interception of voice communications, whether by wiretapping or other electronic devices. See S. Rep. No. 1097, 90th Cong., 2d Sess. 217-218 (1968). The few cases that have cited Title III of the Act have all been criminal cases or civil antitrust cases closely related to criminal cases and have all dealt with voice communications. See, e.g., Alderman v. United States, 394 U.S. 165, 175 & nn. 8-9 (1969): United States v. McCarthy, 292 F. Supp. 937, 943 (S.D.N.Y. 1968); Philadelphia Housing Authority v. American Radiator & Standard Sanitary Corp., 291 F. Supp. 247. 249-50 (E.D. Pa. 1968): United States v. Schipani, 289 F. Supp. 43. 60 (E.D.N.Y. 1968); United States v. American Radiator & Standard Sanitary Corp., 288 F. Supp. 701, 706-07 (W.D. Pa. 1968).

45 For example, the courts might arguably distinguish between interception of data transmitted by the regular analog telephone network and that carried over a special digital network. See generally Miller 1206.

49 See Chaney, Data Transmission Basics, Communications, Mar. 1969, at 27; cf. Irwin, Computers and Communications: The Economics of Interdependence, 34 Law & Contemp.

Prob. 360, 361 (1969).

Note, Computer Services and the Federal Regulation of Communications, 116 U. Pa. L. Rev. 328 (1967).

51 See notes 13-17 supra and accompanying text.

52 The respondents to the FCCS Computer Inquiry, including the Department of Justice. generally agreed that the computer service industry should be permitted to develop in the free competitive economy, and not as a regulated utility. See L. Krause, Analysis of Policy Issues in the Responses to the FCC Computer Inquiry, Standard Research Institute Report No. 7379B-2. at 22-26 (1969). The author agrees. For a thorough discussion of the issues involved, see S. Mathison & P. Walker, Computers and Telecommunications: Issues in Public Policy 16-19 (1970). The FCC as of this time, agrees. See Computer Inquiry, Tentative Decision, 1718-22.

53 These standards should be defined to the greatest extent possible.

54 For a discussion of the limitation imposed by the federal antitrust laws on schemes of self-regulation within an industry, see Silver v. New York Stock Exchange, 373 U.S. 341 (1963), where the Court cautioned that such schemes will be closely scrutinized because of their potential effect on competition within the industry. See generally G. Lamb & S. Kittelle. Trade Association Law and Practice §§ 11.1-9 (1956): Baum, Self-Regulation and Antitrust: Suppression of Deceptive Advertising by the Publishing Media, 12 Syracuse L. Rev. 289 (1961); Rockefeller, Industry, Efforts at Self-regulation, 10 Antitrust Bull. 555 (1965); Developments in the Law-Deceptive Advertising, 90 Harv. L. Rev. 1005, 1159-63 (1967).

55 Such a procedure would afford roughly the same right to comment as is now granted by section 4 of the Administrative Procedure Act, 5 U.S.C. § 553 (Supp. IV, 1969), which provides for the filing of written comments, after appropriate notice, in the case of administrative agency rule making.

56 The author has deliberately refrained at this time from suggesting what government agency should undertake this function. The FCC, with its broad expertise in the communications field, might be the most logical candidate. Perhaps a new agency under the Department of Commerce might best do the job. In any event, the Congress, in selecting or creating the agency to do the job, should take meticulous care to assure that the agency and the whole regulatory scheme will work in tandem with a well defined national communications policy, as well as in furtherance of national policy in the privacy area. See generally Miller 1236-39.

57 f. Silvr v. New York Stock Exchange, 373 U.S. 341 (1963), where the Court utilized the federal antitrust laws as a basis for its review of the procedural integrity of a system of industrial self-regulation.

58 It may be appropriate to provide for binding arbitration of such disputes instead of merely conciliation. This would be feasible, however, only if the industry agency were a truly independent authority and had such status and reputation for objectivity that nonmembers of the computer service industry would regard it as a fair tribunal.

69 See generally W. Gellhorn & C. Byse. Administrative Law 649-51 (4th ed. 1960). For a discussion of the utility of the conciliation process in an analogous context, see 1968 Duke L.J. 1000 (conciliation procedure in an Equal Employment Opportunity Commission proceeding).

Theft of a computer program might be ground for such expulsion. In at least one case. a court has held that computer programs are "property" subject to "theft" under state law, and an employee of a computer company who stole such programs was guilty of felony theft. Hancock v. State. 402 W. 2d 906 (Tex. Crim. App. 1966).

01 To reiterate, there should be no statutory exemption from liability in the case of voluntary and deliberate acts by the computer service company including companies offering computerized information services. At least as this author now envisions the proposed industry association, it would not deal with criteria for the voluntary release of information to "interested persons, government agencies, or other individuals, groups, or organizations. It may well be that, as the system develops and considerable experience is gained with the arrangement proposed in this article, it will eventually be appropriate for the industry association to promulgate standards governing the voluntary disclosure of information. Of course, to be really effective, especially against the federal government itself. the association should have specific federal statutory authority to promulgate and enforce such standards, and the statute should expressly make them applicable to governmental agencies.

62 For example, three excellent papers summarizing some of the problems involved in achieving privacy and security of data in multi-programmed computer systems were presented at the 1967 Spring Joint Computer Conference. Proceedings, Spring Joint Computer Conference 279-90 (1967). The individual articles were Peters, Security Consid erations in a Multi-Programmed Computer System, id. at 283; Ware, Security and Privacy in Computer Systems, id. at 279; Ware, Security and Privacy: Similarities and Differences, id. at 287. The terms "security" and "privacy" are used in special senses in those papers. as summarized by Willis Ware in the last-cited paper: "For the purposes of this paper we will use the term 'security' when speaking about computer systems which handle classified defense information which nonetheless must be protected because it is in some respect

sensitive." Id. The term "security" has been used in a broader sense throughout this article.

See, e.g., Response of United States Department of Justice (Mar. 5, 1968), filed in Computer Inquiry, FCC Docket No. 16.979.

See Irwin, supra note 49, at 360-61 (1969); Miller 1099-1103.

However, if the carriers utilize separate subsidiaries to engage in computer service operations which would be subject to regulation by the industry association if performed by computer companies not related to communications common carriers. such carriers or their computer service subsidiaries should be subject to industry regulation in the privacy area.

Even if the FCC might be able to act pursuant to its existing general powers under the Communications Act of 1934, 47 U.S.C. §§ 151-609 (1964), there may be considerable advantage in spelling out the FCC's jurisdiction in this situation and perhaps providing for special streamlined procedures.

If the FCC is to become involved in a significant way in this situation, perhaps it should be the agency to review actions of the computer industry agency although Congress might wish to consider other alternatives before determining whether to give such jurisdiction to the FCC. See note 56 supra and accompanying text.

67 This description of the NASD and its activities is taken from the 1968 NASD President's Report. 1968 NASD Ann. President's Rep. Of interest to the computer industry in formulating its system of self-regulation might be the NASD's statement of purposes: (1) To promote the investment and securities business, to standardize its principles and practices, to promote . . . high standards of commercial honor, and to promote among members observance of Federal and State securities laws; (2) To provide a medium through which its membership may consult, and cooperate with governmental and other agencies in the solution of problems affecting investors. the public, and [this business] (3) To adopt and enforce rules of fair practice [in the securities business] and in general to promote just and equitable principles of trade for the protection of investors;

(4) To promote self-discipline among members, and to investigate and adjust grievances between the public and members CCH NASD Manual ¶ 1003.

With some slight change in terminology, many of these statements might be substantially adopted by the computer industry.

[From the Congressional Record, Senate, Oct. 10, 1972]

INTERNATIONAL DECLARATION OF PRINCIPLE ON COMPUTERS AND

PRIVACY

Mr. ERVIN. Mr. President, for many years the Constitutional Rights Subcommittee has been studying the impact of computers and Government data collection on individual rights and privacy. The subcommittee's studies have resulted in a series of hearings, recently published, entitled "Federal Data Banks, Computers, and the Bill of Rights." It was at those hearings that the subcommittee, among other issues, investigated the Army surveillance program.

The hearings attracted an extraordinary amount of public interest. Since that time it is clear that the public is beginning to focus on the potential dangers to individual privacy posed by the introduction of new technologies to aid Government in its insatiable curiosity for information about citizens. It is illustrative of this public concern that the platforms of both major parties this year take stands which recognize the issue and promise steps to prevent unwarranted invasions of privacy by Government data banking.

"Computers and privacy" is not only an issue to Americans. Other Western countries also see that computers can have a profound impact on economic, social, and political conditions, and that they can disturb the existing relationship between Government and citizen to the detriment of individual freedom.

In recognition of these potential consequences, a French foundation, L'Institut De La Vie or, the Institute of Life-scheduled a conference on "Man and the Computer" last month in Bordeaux, France. The institute is dedicated to insuring that the science and technology are used for the benefit of mankind.

The institute's Conference on Man and the Computer, its second, was particularly concerned with the impact of computers on individuals. The Conference brought together over 150 experts in medicine, law, sociology, government, law enforcement, industry, communications, education, and other fields from over 22 countries, including 14 nations from Western Europe, plus Turkey, Algeria, Mexico, Israel, Canada, and even Yugoslavia, Japan, and the Soviet Union. Five special reports were prepared-on education, medicine, urban affairs, planning, and on individual life. Among the noteworthy results of the Conference was a declaration of principle on fundamental human rights. The declaration of principle stresses first of all the individual's right to privacy. In its words:

"The Right to Privacy. We believe that there is an interest shared by all people to have some control over the information that is collected, stored, and circulated about them. We believe it essential that consideration of this issue be an integral part of the creation of any information system."

A second right, and one which is not underlined in the United States as often as it should be, is the right to information. Since information can be considered a resource, the monopolization of information is to be avoided just as we prohibit monopolization of any other natural resource.

The declaration outlines a series of operating principles which should be observed in the creation of every computer data bank. These six principles are: "The need to determine whether information to be collected is relevant to the purpose for which it is sought and whether it is required to be collected at all; "The need to give the individual notice of and access to information stored about him;

"The need to limit information systems to specific uses;

"The need to regulate the use and transfer of information in such systems; "The need to check and update information contained in these systems, supervise operation of the systems, and monitor their expansion into new areas or enlarged data-sharing operations; and

"The need for sanctions to enforce the safeguards established."

Finally, the declaration recognizes that in order to effectuate these principles, there must be first, acceptance on the part of those who operate data banks of the rights to privacy and to information; second, full public knowledge and review of all important aspects of every record system by a public authority charged especially with protecting individual rights; and third, the creation of a forum for the resolution of individual complaints arising from these systems.

This declaration of principle is unique not only because it states in clear, simple and moving terms the rights which are clear to every American, but because it demonstrates the universality of the concern for privacy. It is noteworthy that this declaration of principle was drafted by a group with widely divergent cultural and political traditions. Yet the result is one which can serve as a guide for the United States in its treatment of the problems of computers and privacy.

I ask unanimous consent that the declaration of principle adopted by the Institute De La Vie at its Conference on Man and Computer be printed in the Record.

There being no objection, the declaration was ordered to be printed in the Record.

[The dedication follows:]

CONCLUSIONS AND RECOMMENDATIONS

Presented at the final session of La Conference Internationale, "L'Homme et L'Informatique", L'Institut de la Vie, Bordeaux, France, 16 September, 1972.

DECLARATION OF PRINCIPLE

We believe that there are fundamental human rights which deserve reaffirmation in the comuuter age. It is not that threats to human rights are new in the computer age but rather that the computer is changing the economics and nature of the information processing systems of society in ways that could lead to increased encroachments on these rights. In reaffirming these rights, we do so with the hope that by making the possible opportunities and dangers more visible, the use of computer technology will result n the enhancement of these rights rather than their diminution.

Among these rights are the following:

The Right to Privacy. We believe that there is an interest shared by all people to have some control over the information that is collected, stored, and circulated about them. We believe it essential that consideration of this issue be an integral part of the creation of any information system.

The Right to Information. We believe that information gathered and stored in computers wil become as important a resource as any man has sought to employ. In each country there needs to be an integrated national policy on the availability of this resource. We believe that the individual has a fundamental human right to have access to information, not only about himself, but about his community and government and other things that impact upon his life.

At the same time, we recognize that the individual's right to privacy can conflict with society's right to know and use information. Similarly, the right to informaton of one individual can conflict with the right to privacy of another. The balance to be struck between these conflicting interests will depend on the setting, the nature of the information, and the use to be made of it. The ultimate