[The statement of Mr. Laudon follows:]

PREPARED STATEMENT of Prof. Kenneth C. LAUDON, NEW YORK UNIVERSITY, GRADUATE SCHOOL OF BUSINESS, COMPUTER APPLICATIONS AND INFORMATION SYSTEMS

My name is Kenneth C. Laudon. I am a sociologist and Professor in the Department of Computer Applications and Information Systems at the Graduate School of Business, New York University, where I teach on management information systems, and courses on the social and organizational impacts of information systems. I welcome this opportunity to testify before the Subcommittee on the question of civil liberties, security, and information technology.

I have worked in the area of information systems since the late 1960's when, with Alan Westin at Columbia University, I began a study of how third generation computers changed public decision making at state, local and federal levels. This resulted in a book entitled Computers and Bureaucratic Reform. Since this time I have participated as a consultant, researcher, and director in many of the major technology assessments concerned with information technology, organizational power, and civil liberties.

At the federal level I was a consultant to the Office of Technology Assessment's 1977 project on the Internal Revenue Service's Tax Administration System; in 1978 I was a member of the research group which examined the civil liberties implications of the Social Security Administration's proposed "Future Process" System. And, in 1979 I began a three year effort as a major contractor to the Office of Technology Assessment's study of the FBI's proposed national computerized criminal history system (CCH).

In a forthcoming book I have described my experiences with national information systems-especially the FBI's criminal history system. This book is titled "Security, Freedom, and Efficiency. Value Choices in the Design of National Information Sys

tems.'

I am delighted that you are interested in these subjects. In the hula hoop atmosphere which surrounds the marvelous technology of micro computers and integrated circuits it is frequently forgotten that the most important questions of the information age center about how people will be treated by information systems and the organizations which use them.

In my view, we, and members of Congress in particular have some difficult decisions to make about which values will reign supreme in the design of systems: international and domestic security, efficiency, or civil liberties. In my experience with specific national information systems, I found many aspects which were threatening to civil liberties:

-Major extensions in the data surveillance capability of central bureaucracies for minuscule gains in security and efficiency.

It is unclear to me, for instance, that the FBI really needs a file on 30 million criminals, one-third of the labor force, as opposed to a much smaller file on say a million serious criminals.

-Major enhancements in the ability to merge information from segregated files through data base management technology creating in some instances "general purpose" systems not authorized by Congress.

The 200 or so matching programs being carried out at the federal level are nothing but primitive applications of data base management technology in which information from diverse sources is pooled into a single "data base." Matching programs create shadow data bases. Yet, whenever Congress is given the opportunity to vote yes or no on general purpose data base systems like the National Data Center (1968) or the FEDNET (1972), Congress has rejected such systems.

A National Benefit System has been proposed by HHS several times in recent years, combining information on recipients of any federal aid-including college loans. In conjunction with a truly integrated Tax Information System which contained private market consumption data, a modernized social security system, and a fully capable national criminal history system, we would have the technical ele ments of a powerful surveillance apparatus.

These kinds of systems are only a few years off. They are far more powerful than anything this government or society has dealt with in the past. For reasons of eff:ciency in the administration of data, and for reasons of program efficiency and effectiveness, it may be desirable to build these systems. But powerful checks and bar ances and oversight mechanisms must also be installed to assure their accountability.

Other troubling aspects of some recent designs of national systems are:

-A lack of concern for due process enfringements created by poor data quality

-A lack of understanding of how equity and fairness should or could be built into systems

-Inability to conform to existing law and regulation to assure the accountability of the system to managers and Congress.

I have come to the general conclusion that it is not computer technology per se which is the villain. Computer technology cannot of course be separated from its uses-any more than nuclear technology can be discussed without considering the bomb. Still, as with other technologies, the underlying problem is learning how to control and regulate the technology to assure its accountability to democratic insti

tutions.

In the 1970's we made a start at controlling information technology in the Privacy Act of 1974-and related legislation. Since then, changes in technology have made this positive start technologically obsolete. Since 1984, we have developed micro computers that sit on a desk top which are as powerful as main frame computers I used as a graduate student in the 60's. In a few years, I can put on this table a computer equal in capability to today's large mini computers. In telecommunications we have gone from twisted copper wire, to optic fiber and satellites which transfer data in the mega and geiga bit range-that's millions and billions of bits per second. In a few years, we will put the Library of Congress on this table and connect you to most of the other libraries in the world.

Along with this technical change, the appetite of large bureaucracies-both public and private-for more and more data on individuals has also grown. There is no longer a meaningful distinction between physical surveillance, electronic surveillance, and data surveillance. Give me the right telephone numbers, a few of my graduate students, and my IBM XT personal computer and I will tell you where many of the members of the Subcommittee were last evening. In a few hours I could also find out a host of interesting details about your background-military records, medical, social security, employment, taxation, criminal and deviant behavior of you or any of your relatives. These capabilities are not lost on the large public bureaucracies-they are after all charged by Congress and the American public to give us efficiency, security, and effective administration.

The difficult question is this: in order to be maximally efficient, in order to protect against any and all foreign intelligence activity, in order to maximize the apprehension of domestic criminals, is it necessary to infringe on the traditionally defined civil liberties of Americans? To some extent this has already happened-few Americans have an expectation of privacy in foreign mails, telex, telephone or digital transmissions. Few knowledgeable Americans even have such expectations about domestic telecommunications-I don't. These rights have been sacrificed to national security-surely a laudable goal in itself.

In the 1970's we thought we had put the information technology genie in a bottle. The Privacy Act after all did have a very important clause the routine use clause-which said in essence the federal government could develop whatever systems it wanted to within functional areas defined by Congress but it could not create general purpose information systems in which information collected for one purpose would be used for entirely different purposes. An efficient tax system was permitted, but not a system_which merged tax information with Social Security data, Department of Defense Data, Veterans Data, and on and on.

The information technology genie is out of the bottle again and its time Congress takes another bipartisan look at how the federal government uses information technology.

In closing, let me say that I do not believe we can go backward in history or prevent the federal government from utilizing advance information technology. Neither must we sit idly by as our civil liberties are sacrificed. I believe we can have systems which are accountable to Congress, which advance not retard civil liberties, and which achieve high levels of efficiency and security. These systems are not easy to build, they are more expensive to design and operate, but they are appropriate to a democratic society.

In order to build these systems for the 1990's we need to encourage our graduate schools to train experts and conduct research on information systems and organization. It is ridiculous that no major school of public administration has a program in information systems, and only two or three major business schools have such a program. There is literally only a handful of scholars in this bountiful country who work in this area. We need a National Defense Information Systems Education and Research Act so that we have the expertise to answer the kinds of questions you and other members of Congress are raising today. We need a Privacy Protection

Commission just to give Americans a sense that some one group has authority and interest in protecting their rights in an information age just like we have agencies to protect us as consumers and to protect our environment. We need to amend the "routine use" clause of the Privacy Act so that data surveillance can be more closely monitored.

Above all we need to ask some tough questions of executive proposals for information systems. Is this system really needed or is it just icing on a bureaucratic cake, a proposal to preserve prior bureaucratic investments. Will it work and how well? Some systems upon examination offer minuscule gains in efficiency and security at great cost in public treasure and civil liberties. Are there alternative ways to achieve the same goals? And last, can the proposed system be held accountable to Congress and operate within existing law?

Without finding answers for these questions the preservation of our civil liberties will be left to technicians and bureaucrats concerned only with efficiency and security. As important as these goals are, so too is our liberty. After all, the idea of America in the beginning was freedom from surveillance and control so that we could be free to express, create, and live our lives. Let us not forsake liberty out of fear for our security or decrease our freedom in pursuit of efficiency.

Mr. KASTENMEIER. Thank you very much, Professor Laudon, for that excellent presentation.

When you say we need a National Defense Information Systems Education and Research Act, you are not talking about national defense in the military sense, I take it?

Mr. LAUDON. It seems to me, our national defense is threatened insofar as we, as citizens, are not exposed in any way to what an information system is.

This is an age of, unfortunately, computer literacy, in which people learn how to play with an Atari computer; that is very nice. And that is what our public schools, the most advanced public schools, are teaching right now. Even in our graduate schools we are teaching that to a broad array of undergraduates. We are all giving them microcomputers. That is well.

But there is a vast difference between a microcomputer and an information system, let alone a national information system. An information system involves large segments of organizations, they are infinitely more complex; they involve things such as how information gets into a computer in the first place; all of the information procedures, requirements and uses. Information systems are just incredibly more complex than a small computer.

So, therefore, I think a society that is moving into the information age ought to know something about information systems, which supposedly serve it. And that distinction between information system and a computer, unfortunately, is lost on most Americans, because our schools haven't really picked it up yet. We haven't paid enough attention to it. We don't have research programs in it; which is why it is so difficult, I think, to find experts to write about, and to monitor a large national information systems in either the public or private sector.

So I think our national defense is involved.

I could point to the Worldwide Military Command and Control System, which is known in the profession of computer processing, data processing people, as the world's largest mistake in the system. That is a $5 billion national defense effort which was faulty in design from the beginning. We have given up on systems like that, in the private sector. Perhaps if we had had the right expertise there to chasten the Pentagon and to warn them of the failures that it was looking at, somebody might have saved them a lot

of money that they could have used elsewhere in the national defense.

The so-called WIMEX system stands out as perhaps a direct link between information systems knowledge and national defense.

Mr. KASTENMEIER. Information which I take it that because of pervasive data collection, the distinction of personal and sensitive people would traditionally consider a privilege in the legal sense and would naturally protect as a matter of privacy, is blurred. Computers and designers of computers really do not distinguish any longer what is personal and sensitive, they just collect everything they can collect on a person, notwithstanding the personal differences that might have existed at another time.

Mr. LAUDON. One of the things I didn't address in my testimony is the revolution in home telecommunications. We have cable companies, two-way cable companies, now offering shopping services and we have banks offering financial services, and soon we will have national tax preparation services offering tax preparation. And as the array of personal information services offered through PBX or ordinary telephone tie-ins, or cable, or satellite dish, as these services expand I think you are opening up the possibility that whatever information the consumer reveals by using these services takes on a monetary value and will be sold by the purveyor of those services.

So that you will be giving financial information to Chemical Bank or whatever your bank is; for instance, they may be paying all of your debts, you may have them pay your mortgage and your electrical bills, and book bills, and so forth. Pretty soon, that bank becomes the holder, not simply of your checking records, but also of all of your financial records that you clear through their system. And they can sell that information, just as two-way cable companies are now selling information on purchases that you make through the home through their two-way cable systems.

So that, indeed, as we become more reliant on these microcomputer based products and telecommunications products in the home, we open up new opportunities to reveal ourselves to outside organizations.

Some States have protections against that, but most States don't. Mr. KASTENMEIER. Do you think that might be the subject of Federal legislation as long as some States do and some States don't? Would you have us make it uniform as a national question?

Mr. LAUDON. I think Congress ought to consider the possibility of a National Consumer Privacy Protection Act which would not necessarily be dependent upon cable technology and would, therefore, not necessarily be a piece of "cable" legislation but would be a part of a broader effort to protect the rights of Americans who interact with these systems as consumers.

Federal legislation isn't the only way that we can go. As we will hear from private industry, one of the things that could put a stop to a lot of the sales of data, certainly the sales of data to the IRS, would be if people found out that the IRS is indeed collecting this information, to refuse to participate; refuse to participate in home financial services; refuse to purchase things with your credit card. Now, that kind of a movement wouldn't take much in certain circles to get started, perhaps a few well placed magazine articles rec

ommending it as a strategy. In other words, I don't think that we have to rely on legislation only to protect our rights.

Another possibility is to consider attaching a cost to information by legislation, permitting people to charge for the uses of their names. Information obviously does have a value, there is no reason why we can't create a private market in it. We can create a private market in bundles of currency, we can certainly create markets in bundles of information and trade them in Kansas City. And all we have to do is attach a few cents per use for every use of my name, or any information to do with it, and have a national information clearinghouse established by Congress to take care of the checkclearing process at the end of the year. It is like a royalty statement. Instead of royalties, I would be paid for the uses of my name made in the year by any number of organizations, mail organizations, banks, manufacturers, so forth and so on.

So we could develop legislation which attaches a cost to information.

Mr. KASTENMEIER. It could also, of course, discourage that sort of collection?

Mr. LAUDON. Yes, yes.

Mr. KASTENMEIER. I want to thank you very much for your appearance here today, Professor Laudon. You have been very helpful to the committee and I hope you won't have as much difficulty getting back.

Mr. LAUDON. I hope not. Thank you.

Mr. KASTENMEIER. I would like to call as our next witness Mr. Alexander Hoffman, chairman of the board of directors of Direct Marketing Association.

I have asked Mr. Hoffman to appear before us today to discuss an issue brought to light in an article in the New York Times. The article reported that the IRS had asked the Direct Marketing Association to provide the Government with so-called lifestyles of persons with certain income levels suggested by marketing information collected from a variety of sources.

Mr. Hoffman is welcome here. I believe he has appeared before this committee in the past. He has been interested in copyright and publishing and many other worthy activities; he has been a patron of the arts in this community, and he has sponsored symposia with distinguished authors and others in which he has made a very substantial contribution. So we are very pleased to have you here, Mr. Hoffman.

TESTIMONY OF ALEXANDER C. HOFFMAN, CHAIRMAN, DIRECT MARKETING ASSOCIATION, INC.

Mr. HOFFMAN. Thank you. I appreciate the opportunity to testify before the committee on this very compelling subject.

I will be dealing with perhaps the more mundane side of it, the relatively simple use of information in mailing lists. I am going to try to truncate my written testimony since your counsel has suggested there are certain areas you perhaps would like to pursue with me in more detail. But I do think it is important to establish the fundamentals of how the commercial market in mailing lists