Contents
RESPONDING TO TERRORISM
IDENTITY SYSTEMS
SURVEILLANCE OF COMMUNICATIONS
TRAVEL PRIVACY
AUDIO BUGGING
VIDEO SURVEILLANCE
SATELLITE SURVEILLANCE
ELECTRONIC COMMERCE
RADIO-FREQUENCY IDENTIFICATION (RFID)
PUBLIC RECORDS
CENSUS
DIGITAL RIGHTS MANAGEMENT
AUTHENTICATION AND IDENTITY DISCLOSURE
WHOIS
UN WSIS AND PRIVACY
SPY TV: INTERACTIVE TELEVISION & "T-COMMERCE"
GENETIC PRIVACY
WORKPLACE PRIVACY
E-VOTING PRIVACY
NANOTECHNOLOGY
It may take some years to fully evaluate the
effects of the terrorist attacks of the past few years on privacy and civil
liberties. In the wake of each attack, previous proposals were re-introduced,
and new policies with similar objectives were drafted to extend police
surveillance authority. Three years on from September 11, 2001, the political landscape has shifted significantly in many, if not most, countries.
The policy changes were not limited to the United
States, as a large number of countries responded to the threat of terrorism.
With terrorist actions around the world, including in Madrid (Spain), Bali, Russia,
Morocco, and Saudi Arabia, governments have seized on these events as
opportunities to create and enhance their powers. The country reports in this
survey outline, in more detail, the many legislative shifts that took place
around the world. Terrorism politics is truly global.
The changes in anti-terrorism laws are not the
only policy transformations in response to terrorism. The mere threat of
terrorism has changed political discourse. In some cases, the war on terrorism
has given new life to previously failed proposals such as ID cards in the United
Kingdom. In 2003, the UK government returned to the rhetoric of terrorism to
shore up support for the cards, whereas previously fraud and asylum seekers had
been the justification.
Despite more recent statements by the Home Office Minister quietly admitting
that ID cards will have no effect on combating terrorism, and despite mounting
evidence to the same effect, the policy remains inseparable from terrorism in
the public mind.
When terrorism was not part of the government's official rhetoric, supportive
members of parliament and the media continued to link ID cards to strategies
for combating terrorism.
In some cases, policies have been adopted from other countries with little
consideration of the differences in political dynamics. Hong Kong attempted to
harmonize its laws on sedition with those of mainland China, requiring a
standardization of criminalized groups. Malaysia decided against repealing its
Internal Security Act 1960, which provides for detention. South Africa's and
Jamaica's draft anti-terrorism laws copy Canada's proposed definition of
"terrorist activity," even though Canada later changed its definition because
of concerns that it conflated protesters with terrorists.
In other cases, the mere increase of state power is immediately associated
with the war on terrorism, whether by requiring the removal of veils for
driver's license photos, the secret seizure of packages from the media,
clamping down on train-spotters and photographers, chasing down opposition
parties, equating terrorism with separatism and its implications, or
suppressing dissent, amongst others. Canada is attempting to create a
travelers' database for anti-terrorism purposes and for other crimes; the
United Kingdom managed to pass data retention laws in the legislative
environment of the aftermath of September 2001, while the retained data could
be accessed, under another law, for practically any crime. In the US, concerns
have arisen regarding the use of counter-terrorism powers to seize funds from
foreign banks that do business in the US for investigations that are unrelated
to terrorism.
In other situations, these laws may be passed and used to suppress dissent. In
Italy, the Interior Minister warned of a growing climate of "widespread
political illegality," mixing together Islamic terrorist groups, endogenous
left-wing armed groups, anarchist insurrectionaries, and right-wing groups as a
common threat. Moldova's bill to fight extremism coincides with the
government's intention to minimize dissent, as it allows the banning of
political parties, public and religious associations, and media outlets if
they promote the violent overthrow of the country's territorial integrity, the
undermining of state power, or the setting up of illegal armed organizations.
Georgia's bill, drafted in consultation with European colleagues according to a
state security ministry official, provides for restricting or suspending the
activities of organizations that receive foreign funding and whose activities
"threaten Georgia's national interests," but fails to define those interests.
While the shifting legal landscape affects many components of human rights,
not only privacy, in many cases these policies are founded upon the
curtailment of privacy.
The immediate period after September 2001 was a
time of fear, flux and uncertainty. The United Nations responded with
Resolution 1368 calling on increased cooperation between countries to prevent
and suppress terrorism.
NATO invoked Article 5, claiming an attack on any NATO member country is an
attack on all of NATO; legislatures responded accordingly. The Council of
Europe condemned the attacks, called for solidarity, and also called for
increased cooperation in criminal matters.
Later the Council of Europe Parliamentary Assembly called on countries to
ratify conventions combating terrorism, lift any reservations in these
agreements, and extend the mandate of police working groups to include
"terrorist messages and the decoding thereof." The European Union
responded similarly, pushing for a European arrest warrant, common legislative
frameworks for terrorism, increasing intelligence and police cooperation, freezing
assets and ensuring passage of the Money Laundering Directive. The OECD furthered
its support for the Financial Action Task Force on Money Laundering and, along
with the G-7
and the European Commission, called for the extension of its mandate to combat
terrorist financing.
These calls for international cooperation were perceived by many as an impetus
to create new laws.
The European Commission considered requiring
every member state of the European Union to make cyber-attacks punishable as a
terrorist offence. New Zealand minimized public consultation on a proposed law
to freeze the financial assets of suspected terrorists because the government
felt it was bound by United Nations Security Council resolutions. France
expanded police powers to search private property without warrants. Germany
reduced authorization restraints on interception of communications, and
increased data sharing between law enforcement and national security agencies.
Australia and Canada both introduced laws to
redefine "terrorist activity" and to grant powers of surveillance to
national security agencies (ASIO and CSIS respectively) for domestic purposes
if terrorist activity or a terrorist affiliation is suspected. India passed a
law to allow authorities to detain suspects without trial, conduct increased
wiretapping, and seize funds and property. The United Kingdom passed a law
permitting the retention of data for law enforcement purposes in contravention
of existing data protection rules. The United States passed several laws,
including the USA-PATRIOT Act, which increases surveillance powers and
minimizes oversight and due process requirements.
Within this deluge of new policy proposals in the
immediate period after September 2001, several trends may be identified.
Almost every country that changed its laws to reflect the environment
following September 2001 increased the ability of law enforcement and national
security agencies to intercept communications, expanded the powers of search
and seizure, and increased the types of data that can be accessed.
The novelty in these initiatives tends to arise in the reduced authorization
requirements and oversight. This included initiatives to weaken due process
requirements, as occurred in Canada where the first anti-terrorism bill
proposed that law enforcement agencies would no longer be required to justify
the need for the wiretap. That is, in existing
law, the judge authorizing the interception would need to be satisfied that
"other investigative procedures have been tried and have failed, other
investigative procedures are unlikely to succeed or the urgency of the matter
is such that it would be impractical to carry out the investigation of the
offence using only other investigative procedures." In the law, an
exception is established for all offences that fall under the broad category of
"terrorist activity." Other parts of the law allow for interception
authorization by the Minister of Defense instead of requiring judicial
authorization.
There is also a general increase in the breadth of application of these
powers, by incorporating and including new technologies and communications
infrastructures, permitting additional government agencies to use these
powers, and formalizing roving powers. The USA-PATRIOT Act codified
the use of Carnivore-style Internet surveillance technology, granting access to
sensitive traffic data with only a court order rather than a judicial warrant.
Moreover, the reporting regime in the United States was weakened with
amendments to the Foreign Intelligence Surveillance Act so that fewer warrants
would have to be requested and reported because the expiration time period was
increased, and 'generic' orders could be requested allowing one warrant to be
served on multiple service providers.
Attempts to differentiate the authorization and oversight requirements based
on the communications technology also occurred. The Australian government
proposed in its Telecommunications Interception Legislation Amendment Bill 2002
to grant powers to intercept and read e-mail, SMS and voice mail messages
without a warrant, because access to these communications was considered
access to 'stored' data rather than interception in real time. This
proposed act was rejected in the Senate in June 2002; however, the
Government claims that it "remains of the view that the approach adopted
in the bill with respect to stored information is appropriate. However, to
avoid holding up this important package of legislation, the government has
agreed to remove these provisions from the bill and to deal with the issue at a
later date." This did not, however, stop a significant increase in
interceptions in Australia. According to parliamentary findings, in 2002 there
were 17,000 mail investigations, 2,514 wiretaps, and access to 733,000
telephone bills; a remarkable increase from previous years.
In 2000, the United Kingdom proposed a policy to
require the retention of communications traffic data for up to seven years by a
central government authority.
While the proposal faced significant resistance in the public discourse at that
time, in December 2001 a similar policy was introduced and passed under the United
Kingdom's anti-terrorism law in response to the events of September 2001. The
new European Union directive on data protection in electronic services also
supports the creation of such data retention laws within the European community
and is consistent with international pressure to weaken data protection. In
October 2001, President Bush sent a letter to the President of the European
Commission requesting that the European Union "[c]onsider data protection
issues in the context of law enforcement and counterterrorism imperatives,"
and as a result to "[r]evise draft privacy directives that call for
mandatory destruction to permit the retention of critical data for a reasonable
period."
Building from previously articulated concerns that "[d]ata protection
procedures in the sharing of law enforcement information must be formulated in
ways that do not undercut international cooperation," the United States
Department of Justice submitted several recommendations to the European
Commission working group on cybercrime, including the recommendation that
Any data protection
regime should strike an appropriate balance between the protection of personal
privacy, the legitimate needs of service providers to secure their networks and
prevent fraud, and the promotion of public safety.
This perspective was reiterated in May 2002, this
time by the Group of 8 Justice and Interior Ministers, requesting that
countries
Ensure data protection
legislation, as implemented, takes into account public safety and other social
values, in particular by allowing retention and preservation of data important
for network security requirements or law enforcement investigations or
prosecutions, and particularly with respect to the Internet and other emerging
technologies.
Individuals and citizens are at the same time
losing subject access rights under data protection and freedom of information
regimes. In the interests of critical infrastructure protection, access to
information is being reduced, limiting government accountability. Meanwhile, in
order to protect sensitive investigative and intelligence data, subject access
requests are restricted as some data banks are being exempted from both data
protection and freedom of information laws.
Several policies were introduced to enable and
promote increased data sharing, both within and across government agencies, and
with the private sector. The sharing of data between agencies introduces
purpose-creep where data collected for one purpose is used for another, but
also introduces highly sensitive data to arms of government that cannot be
expected to protect the data adequately.
There are significant shifts in the policies and
practices in the United States with changes to the Attorney General Guidelines
regulating the actions and capabilities of the Department of Justice and FBI,
increased sharing of information between the FBI and CIA supported by the
USA-PATRIOT Act, and proposed policies to increase sharing with local law
enforcement agencies. The United States is not alone in introducing such
policies. The United Kingdom is proposing "joined-up government"
within its consultation paper on modernizing government and public services to create
"data-sharing gateways" and provide "seamless" services. It
also tried unsuccessfully to allow practically any government agency to gain
access to the traffic data of individuals under the Regulation of Investigatory
Powers Act, including local councils and parishes.
The increased flow of data is also coming from
the private sector. The United Kingdom and Canada proposed laws to grant law
enforcement agencies access to travelers' information. The United Kingdom Home
Office has recommended that it gain access to information from every passenger
before international flights.
The Canadian policy proposed to grant both the federal law enforcement and the
intelligence agencies access to air passenger information, regardless of
domestic or international travel, and to match this data with other personal
information for a wide range of purposes and investigations, not limited only
to terrorism.
Similarly, the European Union considered granting
Europol access to the Schengen Information System, including privileges to
change the information held on travelers.
Data sharing between financial institutions and with government agencies also
increased. New money laundering agreements and regulations have been introduced
to increase surveillance of transactions, and even expanded to include hedge
funds and money transfer firms.
Donations to charities are receiving further scrutiny as both the charities and
the donors are monitored to investigate links with terrorist groups. Some financial
institutions are also sharing personal information between themselves in order
to minimize risk of clients being terrorists, or "undesirables."
This year further information has leaked regarding the use of the
controversial privately run profiling system, MATRIX (Multistate
Anti-TeRrorism Information eXchange). This system combines
information from government databases and private-sector companies. According
to its promotional material, "When enough seemingly insignificant data is
analyzed against billions of data elements, the invisible becomes
visible."
Although many states have withdrawn from the system, it was uncovered that the
system, developed by Florida-based company Seisint, was used extensively in the
months following the attacks on the World Trade Center and Pentagon. With
funding from the US Department of Justice and Department of Homeland Security, the system
identified 120,000 people who showed a statistical likelihood of being
terrorists.
This "High-Terrorism Factor" was used to conduct investigations and
arrests after the information was submitted to state police, the former
Immigration and Naturalization Service, the FBI, and the Secret Service.
Following from data sharing, there are several
proposals to create profiles or increase the existing profiles of individuals.
This occurs in several stages; the most immediate appears to be the profiling
of travelers. There are proposals for a next-generation computer-assisted
passenger prescreening system that will bring in data from credit-reporting
agencies and other companies,
and even previous flights and registries, set for data mining. Other proposals
include trusted-traveler programs involving biometrics in both the United
States and Germany,
similar to schemes used at Ben Gurion Airport in Tel Aviv. Some airports have
also installed face-recognition technologies, while similar technologies are
being implemented at national monuments, and even beaches.
In the longer term there are several proposals to
increase profiling of citizens and non-citizens. These proposals are typically
supported and complemented by national identification schemes enhanced with
biometrics. There was considerable discussion in the United States about
introducing such a national ID card scheme, but no formal policy was introduced.
Meanwhile non-citizens may already be tracked at border entry points and as
they move within the country. A system called Student and Exchange Visitor
Information System keeps track of foreign students to ensure that they are
still registered and maintains a log of their addresses.
The United Kingdom proposed the adoption of entitlement
cards in an effort to deal with immigration and illegal work and identity
theft, but also supported by the fight against terrorism. Similarly, Hong Kong
planned to introduce a biometric chip identity card to verify fingerprints to
authenticate travelers into China.
None of the above trends were necessarily new; the novelty is the speed with
which these policies gained acceptance and, in many cases, became law in the
period following September 2001.
New policies to combat terrorism continue to
emerge. The United States continues to lead with new policies, technologies,
and practices. The importance of the US policies is that they tend to influence
policies and citizens of other countries. By September 2002, the Office of
Management and Budget counted 58 new regulations responding to terrorism; by March 2003 the
General Accounting Office counted nine new National Strategies; there have been
innumerable laws passed at the federal and state levels; countless changes
in administrative measures, including the Attorney General Investigative
Guidelines; and some attention has been given to policies and projects from
various departments, not limited to the Terrorism Information Awareness Program
(TIA) and Computer Assisted Passenger Prescreening (commonly referred to as
CAPPS II).
The management of US borders continues to receive
policy attention. There are increased interviews of visa applicants,
requirements for machine-readable passports from other countries, and plans to
track foreign visitors by collecting information such as fingerprints and
photographs.
Meanwhile, US Customs officials have been meeting with EU officials regarding
the transfer of and access to passenger personal data, as required under the
Aviation and Transportation Security Act 2001. The EU's
Article 29 working group on data protection noted several problems with the
proposed data sharing, including the retention time (proposed period of 7-8
years was considered unjustified), and the excessive amount of data being
requested.
The negotiations that followed over 2003 and the beginning of 2004 have
resulted in the EU's capitulation, however. The European Commission agreed in
early 2004 to submit European airlines' customer information to the Department
of Homeland Security, despite numerous unresolved issues. The Department of
Homeland Security has promised to keep passenger data only for 3.5 years. The
DHS has not changed its demands regarding the amount of data requested, and has
not committed itself to refraining from using the data later for profiling
purposes. The
Commission was anxious to see an agreement emerge, and is also hoping for
reciprocity from American carriers, as the EU embarks on its own passenger
profiling scheme.
Several other programs for data-sharing and
data-mining have been developed, including the Terrorism Information Awareness
(TIA) Program, renamed in May 2003 from Total Information Awareness.
This program was one of many post-September 11 responses to terrorism. TIA is a
now-defunct program of the Defense Advanced Research Projects Agency (DARPA)
that intended to scan ultra-large databases of personal information to detect
the "information signature" of terrorists. The program was
headed by Admiral John Poindexter, and was renamed "Terrorism Information
Awareness" to pacify critics.
Congress acted to limit the project in February 2003 by requiring DARPA to
submit a detailed report on TIA and later in the year, cut funding for
Poindexter's entire Information Awareness Office.
Further data collection measures that were
controversial in 2003 included the registration of immigrants and
fingerprinting. The National Security Entry-Exit Registration System (NSEERS)
involved the registration of nearly 82,000 male immigrants and visitors from predominantly
Muslim countries, leading to possibly 13,000 deportations. The information
will be stored in a secure government database along with travel data, photos,
and will be matched against other data held on potential terrorists. Officials
have admitted, according to the New York Times, that only 11 individuals have
been identified as having links to terrorism.
Another system, the Student and Exchange Visitor Information System (SEVIS), to
track the nearly one million foreign students in the US, has also been
problematic due to poor technology and limited resources. These systems were
merged under the US-VISIT program, which began in January 2004, and will be
fully implemented at airports in the US, applying to all foreign travelers in
September 2004.
There have also been several developments in surveillance law. The use of the
USA-PATRIOT Act continues to be questioned. There have been attempts at
extending its contentious measures that are supposed to sunset at the end of
2005.
After an extensive cross-country campaign by Attorney General John Ashcroft,
the White House has exerted a great deal of pressure on Congress to prevent
laws that scale back the powers
and to extend the more invasive provisions indefinitely. A recent effort to
water down the law was rejected in the House of Representatives by a 210 to 210
tie vote, after debate was prolonged when it appeared that the law's reach
would be minimized.
Finally, in February 2003 a draft bill was
uncovered, entitled the Domestic Security Enhancement Act of 2003 that contains
several new powers including the ability to strip citizenship, wiretaps without
court orders, secret detentions, limits on the challenging of secret evidence,
increased use of DNA without court orders and consent, increased data sharing,
and increased international cooperation in search and seizure and extradition.
Other countries have found novel means of
implementing invasive policies and practices. The global legal landscape is
fragmented. In some countries there are no specific terrorism laws as yet, such
as in Belgium. Other countries have been very active in implementing laws.
Among the remarkable legal developments are laws increasing the powers of law
enforcement and national security agencies
to arrest and detain individuals. Australia has been the leader, outside of the
US. In 2002, the Australian Parliament considered at least eight bills on
terrorism. The most controversial has been the Australian Security Intelligence
Organization Legislation Amendment (Terrorism) Bill 2002. An earlier
version of the bill gave rise to a 27-hour debate that had to be shut down by
the Prime Minister in the fall of 2002.
Reintroduced in late 2002 and debated intensely in 2003, it was passed in June
2003. The law allows for warrants to detain citizens 18 years of age and older
for seven days if it is believed that the citizen has information that may be
useful to combat terrorism; while citizens from age 16 may be detained if they
are suspected of terrorist activity. Interrogation may occur for three
eight-hour periods. The warrants may be applied successively, with no limit.
Earlier drafts of the bill gave rise to
significant concern from the opposition and civil society; many of these
concerns continue unabated. The Australian law society has articulated concerns
regarding limitations on the right against self-incrimination. The opposition
parties prevented the application of the law to citizens aged 14 to 16.
Meanwhile, amendments to limit the successive application for warrants were
voted down.
The law does include a three-year sunset provision.
Similar laws on detention have arisen elsewhere. Colombia
is proposing to amend its constitution to give police forces the power to make
arrests, conduct searches without warrants, and detain individuals for 36 hours
without judicial authorization. The Senate has already approved this proposal,
while the House of Representatives is expected to do so at the end of July. Canada's
antiterrorism law, enacted in December 2001, allowed for preventative arrests
without warrant and investigative hearings. Since then, the Solicitor General
of Canada has released a report noting that the detention power has not been
used,
nor have investigative hearings been convened.
Egypt extended its emergency laws for another
three years allowing for similar powers of detention. Egypt has been applying
the extension continuously since 1981.
The US Department of State has expressed concerns regarding these powers, as
the Egyptian government applies emergency courts for cases not linked to
national security, while also referring civilians to military tribunals for
non-violent offences.
In the period following the bombings in Bali, the Indonesian government
granted law enforcement agencies, by decree, the power to detain individuals
without evidence.
This power evolved into law in March 2003 where individuals could be detained
for six months based on prima facie evidence, while also allowing intelligence
to be used as evidence, and increased abilities to conduct interception of
communications, among other powers.
Similar to the Egyptian situation, the US Department of State has also made
public its concerns regarding the application of state powers, particularly in
the conviction of a political activist in June 2003.
Kenya has also received some terrorist attention. Following alerts from the
United Kingdom and the United States, the Kenyan government published a
Suppression of Terrorism Bill in June 2003, which was subsequently published in
full by the Daily Nation newspaper. The bill provides for the power to detain
any person in a place that is the subject of an urgent search permit; any
police officer above the rank of inspector may detain a suspect incommunicado
for up to 36 hours without access to a lawyer; and it grants immunity to the
police for the application of "reasonable force." In broadening those who can
be identified as terrorists, the bill provides that any individual who
"(a) wears an item of clothing; or (b) wears, carries or
displays an article, in such a way or in such circumstances as to arouse
reasonable suspicion that he is a member or supporter of a declared terrorist
organization shall be guilty of an offence and shall be liable on conviction to
imprisonment for a term not exceeding six months, or both."
South Africa's draft bill contains similar provisions. It criminalizes
providing food, drink and clothing to a member of a terrorist organization;
its definition of terrorism is broad enough to include any act "likely to
intimidate the public or a segment of the public;" and the media also oppose
it because it could compel the public and journalists to become snoops.
The Philippines has also been actively
confronting terrorism and devising new policies. A proposed law provides for
longer periods of detention without a warrant, and the Anti-Terrorism Action
Council (including eight cabinet members and the governor of the Central Bank) may
authorize the interception of communications and freezing of bank accounts.
There are alternative wordings for legalizing
detention and other coercive powers, however. South Africa's proposed bill also
proposes detention powers in its bail procedures, despite promises
from the government otherwise.
The Tanzanian bill requires "cooperation with the authorities" on the
basis of perceived international commitments.
Sudan is applying the powers given to a special branch to prosecute terrorism
suspects, particularly "religious extremists and armed bandits."
In early 2002 some progress had been made on
legal appeals regarding detention. In the United Kingdom, a Special Immigration
Appeals Tribunal decided against the government's policy on detention because
it was specifically targeting non-British citizens, and thus in contravention
of the European Convention on Human Rights equal protection clauses. The
government quickly appealed, however, and the Court of Appeal decided in
October 2002 that detention is in fact lawful, provided that the detainees are
a threat to national security.
More initiatives have been introduced to increase
and enhance identification and enable profiling. The Philippines and the United
Kingdom
are considering ID cards in order to combat terrorism.
Canada has also considered the adoption of ID
Cards. The reasoning behind its introduction, according to the Minister of
Citizenship and Immigration is that the US will soon require the fingerprinting
of Canadians as they pass through the US-Canada border. The Public Safety
Bill 2004 grants law enforcement authorities access to travel information, even
within Canada.
This is a separate initiative from the Canadian Customs and Revenue Agency's
proposal to retain travel information for six years. Recently that proposal has
been altered to purge non-customs related data after it is no longer used, and
to implement access controls on the travel database.
Australia has been actively pursuing the concept
of a smart passport that includes digital photos. The government has run a
trial of the SmartGate application at Sydney Airport that was heavily criticized as
involving ineffective and flawed technology.
At the same time, the Australian government has also been pushing for an
advanced passenger processing system at the Asia-Pacific Economic Cooperation
forum (APEC).
In 2004 the Australian Customs agency received the approval from the EU to
access the passenger name records of EU citizens, as the Article 29 Working
Party deemed the protections adequate.
The New Zealand Customs Service began receiving
advance passenger lists in 2003 from airlines under its Customs and Excise Act.
The airlines would "feed data directly to the CS's computer system"
before landing; and this information is checked for "people of
interest." This system is seen as a first step to setting up an Advance
Passenger Processing system that will identify problematic passengers prior to
boarding flights.
In the European Union, the Spanish government put
forward a proposal for a Directive requiring carriers to collect and send data
on all passengers at the time of boarding to law enforcement agencies in
destination countries or face fines.
Some legal developments pertain directly to
information technology use. Cuba's law on combating terrorism includes hacking. New Zealand's
counter-terrorism bill could force individuals to disclose their passwords,
even in non-terrorism related investigations, or face three months in jail or a
fine of NZD 2,000.
Kenya's bill includes an offence for "collection of information for
terrorist purposes," i.e., "collects, makes or transmits a
record of information of a kind likely to be useful to a person committing or
preparing an act of terrorism; or possesses a document or record containing
information of that kind shall be guilty of an offence' term not exceeding 10
years; "transmit" includes by telephone, e-mail, voicemail, or other
telecommunications method; and make available on the Internet. "It is a
defense for a person charged with an offence under this section to satisfy the
court that he had a reasonable excuse for his action or possession."
It is increasingly difficult to identify the
sources of laws, however. Several countries have introduced new laws because of
a felt imperative to model changes in other countries. For example, Kenyan
opposition party members accuse the United Kingdom and the United States of
pressuring Kenya, and they note that the definition of terrorism in the Kenyan
bill is taken from section 802 of the PATRIOT Act. This was denied by the Justice
and Constitutional Affairs assistant minister Robinson Njeru Githae, as
reported by the Nairobi-based newspaper, The Nation: "We have not to
reinvented the wheel (sic). What we have done is to pick the best of
Suppression of Terrorism Act in the Commonwealth countries and given it a
Kenyan outlook."
Another source of law includes international
treaties. Romania's recently passed law on corruption includes components of
the Council of Europe Convention on Cybercrime. Many countries are trying to
ratify and implement into law the approximately 12 United Nations conventions
on anti-terrorism. Governments report regularly to the United Nations Security
Council committee on Resolution 1373 on their progress in adopting these
conventions.
However, they are also adding to, and interpreting, these conventions. For
example, New Zealand Justice Minister Phil Goff stated in April 2003 that the
new Counter Terrorism Bill "was the final step in adopting the last of
twelve United Nations conventions aimed at fighting terrorism. . . . It will
give police and customs officers more powers to fight terrorism, including
enabling police to use tracking devices, and will allow evidence found in the
investigation of one crime to be used in the prosecution of another." These additional
powers are not included within the standard conventions.
It is therefore important to note not only the
laws in other countries, but also the activities of international governmental
organizations. These organizations have been very active in developing
counter-terrorism policy tools and mechanisms.
The African Union, formerly the Organization of
African Unity, released a convention in August 2002 in order to promote the
criminalization of terrorist acts, and extradition and mutual legal assistance
regimes.
While this convention contains controversial concepts with respect to civil
liberties, it is far from being unique considering the developments in recent
years in such conventions as the Council of Europe Convention on Cybercrime.
The Asia-Pacific Economic Cooperation forum
(APEC) held a summit in October 2002 in order to promote growth and fight
against terrorism. An agreement emerged from the Mexico summit that aims to
halt terrorist financing, and to promote cyber security. At the 2003 summit in Bangkok,
the US tried to focus the agenda on how anti-terrorism policy can support
global trade, to some concern of APEC members who wanted to focus on economic
issues.
The final declaration included a statement that APEC leaders will undertake
measures to "dismantle, fully and without delay, transnational terrorist
groups that threaten APEC economies."
The group will now create a fund, run by the Asian Development Bank, to fund
counter-terrorism initiatives including port security and money laundering. It now appears
that APEC is considering the creation of "financial intelligence
units" to combat the diversion of money from trade to terror groups.
The Association of Southeast Asian Nations (ASEAN)
2003 summer summit included an agreement to obtain and share evidence amongst
member countries, share bank records, cooperate in the freezing of foreign
assets, and conduct searches and seizures upon request from fellow members; all
with the aim of combating terrorism and cross-border crime. An uncommon
development, however, is the lack of agreement on extradition. Discussions have
also occurred on the issue of secure identity documents. The disagreement over
extradition continued at the October 2003 summit, whose statement paid
little attention to anti-terrorism policy.
The summit did see the establishment of the ASEAN Security Community, pushed by
Indonesia,
that would not only focus on terrorism, but also on other transnational crimes. This was followed
up with a meeting in Bangkok of the ASEAN+3 countries (ASEAN and China, South
Korea, and Japan), where ministers vowed to improve communication and enhance
intelligence sharing, "especially against the growing threat of terrorism
in the region."
This would be done through the speeding up of mutual assistance and extradition
treaties.
The Group of 8 industrialized countries (G8) is
the primary source of discussion on secure passports. At the May 2003 summit of
Justice and Home Affairs ministers in Paris, the United Kingdom reportedly
promoted computerized passports.
The ministers unanimously stressed the importance of developing biometric
technologies with the goal of developing a common framework for biometric
passports, as is being discussed by the International Civil Aviation
Organization. There was some disagreement, however: according to reports, the
French and the US differed on which form of biometrics should be promoted (the US
was pushing for iris scans or "other innovative technologies," the
French for fingerprints).
In the end, according to the ICAO, facial recognition was adopted at the end of
May 2003.
Other issues addressed by ministers included critical infrastructure
protection, child pornography, and enhancing financial investigations. In this
last issue of discussion, the G8 ministers promoted the work of experts who
"identified 29 best practice principles on tracing, freezing, seizing and
confiscating crime-related assets," while admitting that "these
principles and good practices are ambitious."
The G8 Evian summit of heads of government met in
June 2003. At this summit the G8 created the Counter-Terrorism Action Group
(CTAG), which would support the UN Counter-Terrorism Committee for
"capacity building."
The proposal was led by the US, with the goal to create a group that would deal
with "terrorist financing, customs and immigration controls, illegal arms
trafficking, police and law enforcement"; "will identify relevant
international best practices, codes, and standards in combating
terrorism"; "target counterterrorism assistance to priority
countries"; and "work with International Financial institutions to
strengthen counterterrorism financing measures."
The G8 summits for 2004, held in the US,
furthered these ideas. The Justice and Home Affairs Ministers summit called for
legislation to enable sharing of information among and between the intelligence
community, the law enforcement community and prosecutors to the fullest degree
possible, to prevent, disrupt and preempt terrorist activities; while giving
due regard to civil liberties and fundamental principles of law. The ministerial
summit also called for "special investigative techniques" that
involve undercover agents, covert filming and listening devices, and covert
interception of "all forms of electronic communications," and
"the use of other critical measures," but that they must take into
account privacy rights; while states are encouraged to change legal procedure
to allow such techniques to be used in courts. The official
Sea-Island Summit of G8 leaders, however, did not reflect much of this. That
summit included new language regarding a "Secure and Facilitated
International Travel Initiative" to protect borders through the sharing of
personal information and secure travel documents.
The Commonwealth Secretariat also engaged in work
to promote capacity building. In 2002 the secretariat developed
"Implementation Kits for International Counter-Terrorism
Conventions," a form of "do-it-yourself" manual for governments,
covering all 12 multilateral treaties drawn up between 1963 and 1999 by the UN
and other inter-governmental fora.
In September 2002, the secretariat also released "Model Legislative
Provisions on Measures to Combat Terrorism," which provide for the definition of
"specified entities," a variety of offenses and their investigation, interception
of communications and admissibility as evidence. The model provisions also
establish procedures for trials, promotion of information sharing, ensure
extradition and mutual legal assistance, empower governments to seize evidence,
manage charities, outline refugee application refusals, and allow for the
removal of persons.
The intergovernmental policy area of financial
regulations is dominated by the output of the Financial Action Task Force
(FATF). In the early 1990s the FATF developed its 40 recommendations on
combating money laundering. In April 2002, the FATF released guidance for
financial institutions for detecting terrorist financing; and conducted
consultation on 40 recommendations for terrorist financing, thus extending its
remit beyond money laundering. In June 2003 the new recommendations were
adopted. According to the FATF:
The FATF recognises
that countries have diverse legal and financial systems and so all cannot take
identical measures to achieve the common objective, especially over matters of
detail. The Recommendations therefore set minimum standards for action for
countries to implement the detail according to their particular circumstances
and constitutional frameworks. The Recommendations cover all the measures that
national systems should have in place within their criminal justice and
regulatory systems; the preventive measures to be taken by financial
institutions and certain other businesses and professions; and international
co-operation.
The acknowledgement of flexibility is due to,
according to reports, disagreement on regulatory procedures between American
and German delegations.
The recommendations include the requirement that institutional secrecy laws are
not used to inhibit implementation, and recommend against the keeping of
anonymous accounts, with some recommendations on identification as "due
diligence." Co-operation between countries is also recommended, as is the
removal of unduly restrictive conditions for this cooperation to take place.
The scope of application is also widened to non-financial businesses, including
lawyers and notaries, except when they are acting under privilege.
Inter-governmental organizations in Europe
have been very active as well. The Southeastern Europe Cooperation Initiative
(SECI) Regional Center for Fight Against Cross-Border Crimes had its first
meeting of 'Mission Force for Fight Against terrorism' (sic), in June 2003.
Held in Turkey, 85 representatives attended from Albania, Bulgaria, Bosnia-Herzegovina,
Croatia, Hungary, Macedonia, Moldova, Romania, Greece, Slovenia and
Serbia-Montenegro. According to Turkish Security Director General Gokhan
Aydiner, "Turkey has been trying for years to bring the issue of terrorism
onto agenda of the world. In some countries, terrorist organizations and their
members are considered fighters of freedom. Those who staged gory actions in
which thousands of people lost their lives, continue their terrorism activities
without any punishment."
According to media reports, the task force aimed to cover organized crime and
terrorism, the development of common operational plans, and the financial
sources of terrorist organizations.
The Organization for Security and Cooperation in
Europe (OSCE) began a new initiative with its first annual security review
conference in June 2003. A speech by US Ambassador Cofer Black, Coordinator for
Counterterrorism, called on the OSCE to continue fighting terrorism, to
encourage FATF adherence, to implement UN conventions (noting that only 38
percent of OSCE states have become parties to all 12), and to do the utmost to
prevent spread of small arms and light weapons. He also called for closer
cooperation with the UN, G8, and ICAO to develop international standards and in
turn to encourage regional implementation. Particularly, he called for cooperation
on the issue of travel document security with G8 and ICAO. This was
supported by "several delegations," as it was felt that "this
work could make a significant, real contribution not only to the war on
terrorism, but also to the fight against organized crime and illegal
immigration, all issues that many delegations had identified as threats to
their security and stability."
The Bulgarian government, which took over the leadership of the OSCE in 2004,
promises to steer the organization towards greater international cooperation in
combating terrorism and safeguarding national borders.
The vast majority of these meetings of
inter-governmental organizations outlined above were closed. In the coming
months and years, however, their work, findings, conclusions, and conventions
will be affecting national policy discourse.
This will be particularly the case in the
European Union and primarily the output of the Council, where there is more of
a binding requirement to enact policies at the national level. As accession
countries to the EU begin their process of legal harmonization, interpretation
and guidance on EU policies will require scrutiny. The EU has been active in
all of the issues covered above. In 2001 and 2002 the Council Framework
Decision on a European arrest warrant was developed and is currently being
implemented into national law. A Working Party on Terrorism has been convening
to develop measures to exchange information between member states and to create
computer-aided preventive searches on the basis of offender profiles
(particularly the compiling of travel patterns). These profiles
may include method and means of travel, "physical distinguishing features
(e.g., battle scars)", education, places of stay, methods of
communication, psycho-sociological features, family situation, expertise in
advanced technologies; with the aim to identify terrorists before an act is
carried out. A proposed innovation includes searching through "relevant
national databases (e.g., registers of residents, registers of
foreigners, universities etc.) subject to the provisions of national law, for
persons who need to be vetted more closely by the security authorities."
The EU has also developed a "roadmap"
regarding the implementation of an "EU Action Plan in the fight against
terrorism." This roadmap includes the discussion of counter-terrorism in
political dialogues with third countries and other multilateral fora. The EU
has been particularly active in meetings with Asian countries, and in meetings
with the US on mutual legal assistance.
The roadmap also consists of enhancing the prevention of crime involving the use of
electronic communications systems, measures to counter insider dealing,
transparency criteria for legal entities, initiatives to draw up a common list
of terrorist organizations, and the 'systematic transmission to Europol of any
piece of data relevant to terrorism', while complying with international
obligations regarding protection of fundamental rights and ensuring 'a balance
between data protection and police efficiency', among other initiatives.
After the bombings in Madrid, the EU rushed
forward on these initiatives. UK Home Secretary David Blunkett called on the
EU to "cut the waffle" and follow up on plans agreed years earlier, urging
member states to implement the security measures agreed after the September 11
attacks. The UK then
pushed for other countries to adopt rules on data retention and the EU-wide
arrest warrant; although some resistance arose from Sweden, Germany, and Denmark. The final
declaration reflected these sentiments, calling for rules on the retention of
communications traffic, and simplifying exchanges of information across
borders, with a view to adoption by June 2005.
While the anti-terrorism policy developments
outlined above and later in this report have shifted the legal and
technological landscape for privacy, there have been some developments in the
area of civil liberties and terrorism.
In the US, opposition to the USA-PATRIOT Act has
grown. In response to the law, some librarians have begun to tape warnings to
computer screens that usage could be subject to scrutiny by law enforcement
agencies; in some cases they are destroying records of reading habits and
sign-up logs of computer use.
There have been successful amendments on TIA and CAPPS II related policies to
call for studies of the privacy and civil liberties implications of these
programs. Finally, in many districts and cities, there is opposition to the
PATRIOT Act. More than one hundred local governments have passed laws against
the Act.
Members of Congress and Senators continue to introduce new legislation to
minimize the threats to privacy and civil liberties.
Changes in proposed and existing laws are
occurring for several reasons elsewhere in the world. In Hong Kong in 2003,
after protests including one involving over 400,000 demonstrators, the
government appears to have backed down on changes to the Basic Law to deal with
sedition.
Jordan rescinded Article 150 of its penal code, which was introduced in
response to the events of September 11. The Article had allowed for
"permanent or temporary closure" of publications that "carry
false or libelous information that can undermine national unity or the
country's reputation', and publications carrying articles that incite 'crimes,
strikes, illegal public assemblies or undermining public order."
In the most severe case, Peru has been forced to
review sentences given out to 1,800 people when the high court handed down a
decision rejecting the anti-terrorism decrees established under the Fujimori
government as unconstitutional.
These decrees included trials for treason before hooded military judges and
life sentences without review, including on free expression related offences.
Opposition may take some time to have its full
effect. After India's antiterrorism bill became law, it has
been reported that the entire opposition to the government walked out on
parliament. Since its
enactment, however, and after its use to detain some politicians, the
parliament has constituted a Review Committee to ensure that the powers are not
misused for non-terrorism purposes.
The incoming government in India has pledged to
follow through on promises to repeal the controversial Prevention of Terrorism
Act (POTA). As stated in the President's address to Parliament in June 2004,
"My government is concerned about the misuse of POTA in the recent past.
While there can be no compromise on the fight against terrorism, the Government
is of the view that existing laws could adequately handle the menace of
terrorism. The Government, therefore, proposes to repeal POTA."
Other efforts came close, or are in the works. In
the United Kingdom House of Lords, efforts to repeal the retention of
communications data almost succeeded in November 2003. A Privy Council Report
emerged in December 2003 calling on data retention to be separated from
anti-terror legislation and given its day in Parliament for appropriate
deliberation and oversight, while also limiting retention to one year and
placing that language in the primary legislation. The European
Commission's decision to permit the flow of passenger information from European
carriers' databases to the US Department of Homeland Security has been
questioned repeatedly by the European Parliament, and most recently, the
Parliament has taken its case to the European Court of Justice. These are merely
some of the sources of change.
Non-governmental organizations around the world
have questioned draft laws, bills, and court decisions and have voiced
concerns, taken cases to courts, and responded to consultation processes. The
arising court decisions may lead to further changes, parliamentarians may
listen more, and increased attention to international organizations may lead to
more open policy-making, and as a result, better laws.
Identity (ID) cards are in use in one form or
another in virtually all countries of the world. The type of card, its
functions, and integrity vary enormously. While several countries have
official, compulsory, national ID cards that are used for a variety of
purposes, many countries do not. These include Australia, Canada, India, Ireland,
New Zealand, the United States and the Nordic countries. Those that do have
such a card include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia,
and South Africa.
Nationwide ID systems are established for a
variety of reasons. Race, politics and religion often drive the deployment of
ID cards.
The fear of insurgence, religious differences, immigration, or political
extremism have been all too common motivators for the establishment of ID
systems that aim to force undesirables in a State to register with the
government, or make them vulnerable in the open without proper documents.
In recent years technology has rapidly evolved to
enable electronic record creation and the construction of large commercial and
state databases. A national identifier contained in an ID card enables
disparate information about a person that is stored in different databases to
be easily linked and analyzed through data mining techniques. ID cards are also
becoming "smarter" – the technology to build microprocessors the size
of postage stamps and put them on wallet-sized cards has become more
affordable. This technology enables multiple applications such as a credit
card, library card, health care card, driver's license and government benefit
program information to be all stored on the same national ID along with a
password or a biometric identifier. Governments in Finland, Malaysia, and Singapore
have experimented with such "Smart" ID cards. In July 2002, the Labor
government in the United Kingdom launched a six-month public consultation
process on whether the United Kingdom should adopt an "entitlement
card" with similar features.
Critics contend that such cards, especially when combined with information
contained in databases, enable intrusive profiling of individuals and create a
misplaced reliance on a single document, which enables precisely the type of
fraud the cards are meant to eliminate.
In April 2004 the UK Government announced its draft bill on the identity card
and a back-end database of all residents.
In several countries, these systems have been
successfully challenged on constitutional privacy grounds. In 1998, the
Philippine Supreme Court ruled that a national ID system violated the
constitutional right to privacy.
In 1991, the Hungarian Constitutional Court ruled that a law creating a
multi-use personal identification number violated the constitutional right of
privacy.
The 1997 Portuguese Constitution states "Citizens shall not be given an
all-purpose national identity number."
In other countries, opposition to the cards
combined with the high economic cost and other logistical difficulties of
implementing the systems has led to their withdrawal. Massive protests against
the Australia Card in 1987 resulted in the near collapse of the government.
Card projects in South Korea and Taiwan were also stopped after widespread
protests. In the United States plans to convert the state driver's license into
a nationwide system of identification have stalled because of the stiff
resistance from a broad coalition of civil society groups.
Biometrics is the identification or verification
of someone's identity on the basis of physiological or behavioral
characteristics. Biometrics involves comparing a previously captured unique
characteristic of a person to a new sample provided by the person. This
information is used to authenticate or verify that a person is who they said
they were (a one-to-one match) by comparing the previously stored
characteristic to the fresh characteristic provided. It can also be used for
identification purposes where the fresh characteristic is compared against all
the stored characteristics (a one-to-many match). New biometric technology
attempts to automate the identification or verification process by converting the
provided biometric into an algorithm, which is then used for matching purposes.
The computer matching technique necessarily produces either false positives,
where a person is incorrectly identified as someone else, or false negatives,
where a person who is meant to be identified by the system is not correctly
identified. The two error rates are dependent, so for example reducing the
number of false positives increases the number of false negatives. The
tolerance level is adjusted depending on the need for security in the
application.
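To make the one-to-one/one-to-many distinction and the coupled error rates concrete, here is an added example (not from the report): a toy matcher over constructed feature vectors, with a hypothetical Euclidean-distance score and a seeded population, that sweeps the decision threshold and reports the false accept rate (FAR) and false reject rate (FRR) at each setting.

```python
"""Toy biometric matcher (added example): one-to-one verification,
one-to-many identification, and the trade-off between false accepts and
false rejects as the decision threshold moves.  All templates and samples
are constructed from a seeded random generator; nothing here is real data."""
import random
from typing import Dict, List, Optional, Tuple

Template = List[float]          # hypothetical feature vector for one person
TEMPLATE_LEN = 16
SENSOR_NOISE = 0.35             # constructed noise added to genuine samples


def enroll(rng: random.Random) -> Template:
    """Store one person's reference template (constructed values)."""
    return [rng.gauss(0.0, 1.0) for _ in range(TEMPLATE_LEN)]


def capture(rng: random.Random, template: Template) -> Template:
    """Simulate a fresh capture of the same person: template plus noise."""
    return [v + rng.gauss(0.0, SENSOR_NOISE) for v in template]


def distance(a: Template, b: Template) -> float:
    """Euclidean distance between two templates; smaller means closer."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def verify(stored: Template, fresh: Template, threshold: float) -> bool:
    """One-to-one match: accept the claimed identity if the fresh sample
    is within `threshold` of that person's stored template."""
    return distance(stored, fresh) <= threshold


def identify(db: Dict[str, Template], fresh: Template,
             threshold: float) -> Optional[str]:
    """One-to-many match: return the closest enrolled identity if it is
    within `threshold`, otherwise None (no match in the database)."""
    best_id, best_d = None, float("inf")
    for pid, tpl in db.items():
        d = distance(tpl, fresh)
        if d < best_d:
            best_id, best_d = pid, d
    return best_id if best_d <= threshold else None


def build_population(n_people: int = 50, samples_each: int = 2,
                     seed: int = 7) -> Tuple[Dict[str, Template],
                                              List[Tuple[str, Template]]]:
    """Enroll n_people and produce fresh captures labelled with the true id."""
    rng = random.Random(seed)
    db = {f"p{i:02d}": enroll(rng) for i in range(n_people)}
    probes = [(pid, capture(rng, tpl))
              for pid, tpl in db.items() for _ in range(samples_each)]
    return db, probes


def error_rates(db: Dict[str, Template], probes: List[Tuple[str, Template]],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for one-to-one verification at `threshold`.
    FAR: share of impostor claims (fresh sample vs someone else's template)
         that were accepted.
    FRR: share of genuine claims (fresh sample vs own template) rejected."""
    genuine_tries = genuine_rejects = 0
    impostor_tries = impostor_accepts = 0
    for true_id, fresh in probes:
        for claimed_id, tpl in db.items():
            accepted = verify(tpl, fresh, threshold)
            if claimed_id == true_id:
                genuine_tries += 1
                genuine_rejects += int(not accepted)
            else:
                impostor_tries += 1
                impostor_accepts += int(accepted)
    return impostor_accepts / impostor_tries, genuine_rejects / genuine_tries


def trade_off(thresholds: List[float], seed: int = 7
              ) -> List[Tuple[float, float, float]]:
    """Sweep the threshold and report (threshold, FAR, FRR) at each point:
    loosening the threshold lowers FRR but raises FAR, and vice versa."""
    db, probes = build_population(seed=seed)
    return [(t, *error_rates(db, probes, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in trade_off([0.5, 1.0, 1.5, 2.0, 3.0, 4.0, 6.0, 8.0, 12.0]):
        print(f"threshold {t:5.1f}  FAR {far:6.3f}  FRR {frr:6.3f}")
```

The sweep shows the dependence the text describes: no threshold lowers both rates at once, so the operating point is a policy choice about which error the application can tolerate.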
The most popular forms of biometric ID are
fingerprints, retina/iris scans, hand geometry, voice recognition, and
digitized (electronically stored) images. The technology is gaining interest
from governments and companies because, unlike other forms of ID such as cards
or papers, it can be more difficult to alter or tamper with one's own physical
or behavior characteristics. Important questions remain, however, about the
effectiveness of the automated biometric matching techniques, particularly for
large-scale applications.
Critics also argue that widespread deployment of biometric identification
technology could remove the veil of anonymity or pseudo-anonymity in most daily
transactions through the creation of an electronic trail of people's movements and
habits.
Biometrics schemes are being implemented across
the world. The technology is widely used in small settings for access control
to secure locations such as a nuclear facility or bank vault. It is increasingly
being used for broader applications such as retail outlets, government
agencies, childcare centers, police forces and automated-teller machines. Spain
has commenced a national fingerprint system for unemployment benefits and
healthcare entitlements. Russia has announced plans for a national electronic
fingerprint system for banks. Jamaicans are required to scan their thumbs into
a database before qualifying to vote in elections. In France and Germany, tests
are under way with equipment that puts fingerprint information onto credit
cards. Many computer manufacturers are considering including biometric readers
on their systems for security purposes.
The most controversial form of biometrics – DNA
identification – is benefiting from new scanning technology that can automatically
match DNA samples against a large database in minutes. Police forces in several
countries including Canada, Germany, and the United States have created
national DNA databases. Samples are being routinely taken from a larger group
of people. Initially, it was only individuals convicted of sexual crimes. Then
it was expanded to people convicted of other violent crimes and then to
arrests. Now, many jurisdictions are collecting samples from all individuals
arrested, even for the most minor offenses. Former New York City Mayor Rudolf
Giuliani even proposed that all children have a DNA sample collected at birth.
In Australia, the United Kingdom, and the United States, police have been
demanding that all individuals in a particular area voluntarily provide samples
or face being considered a suspect. United States Attorney General Ashcroft has
testified that he has asked the FBI to increase the capacity of its database
from 1.5 million to 50 million profiles.
At the same time, DNA data has been used as exculpatory
evidence in many criminal trials.
The USA-PATRIOT Act, passed by the US Congress
after the events of September 11, 2001 included the requirement that the
President certify a biometric technology standard for use in identifying aliens
seeking admission into the US, within two years. The schedule for its
implementation was accelerated by another piece of legislation, the little
known Enhanced Border Security and Visa Entry Reform Act 2002. Part of this
second law included seeking international co-operation with this standard. The
incentive to international co-operation was made clear: "By October 26,
2004, in order for a country to remain eligible for participation in the visa
waiver program its government must certify that it has a program to issue to
its nationals machine-readable passports that are tamper-resistant and which
incorporate biometric and authentication identifiers that satisfy the standards
of the International Civil Aviation Organization (ICAO)."
These laws gave momentum to the standards that
were being considered at the ICAO by requiring visa waiver countries (which
include many EU countries, Australia, Brunei, Iceland, Japan, Monaco, New
Zealand, Norway, Singapore, and Slovenia) to implement biometrics into their Machine-Readable
Travel Documents (MRTDs), i.e. passports. Failure to do so, presumably,
means a removal from the program.
Moving the decision to the ICAO pushes the policy
well beyond the Visa Waiver Program countries. The ICAO is the international
standard-setter for passports already and the ICAO has been researching
biometric passports since 1995. Since then the technologies have changed
sufficiently to allow for facial recognition, fingerprints and iris scans to be
considered for implementation in passports standards.
The primary purposes of biometric use, according
to the ICAO, are to allow for verification ("confirming identity by
comparing identity details of the person claiming to be a specific living
individual against details previously recorded on that individual") and
identification ("determining possible identity by comparing identity
details of the presenting person against details previously recorded on a
number of living individuals"). Beneficial side effects include advanced
passenger information to ports of entry, and electronic tracking of passport
use.
In May 2003, facial recognition emerged as
the primary candidate. Intellectual property issues prevented iris scans from
being accepted, while facial recognition was felt to be more socially
acceptable. The use of multiple biometrics is also considered, and
permitted. The ICAO prefers the use of a single biometric technology by all
States to ensure interoperability; "[h]owever, it is also
recognized that some States may conclude it desirable to deploy two biometrics
on the same document." Already the EU is discussing requiring fingerprints
in passports.
The ICAO is aware, however, that there are
contentious legal issues involved with the infrastructure for these passports,
including the collision between the goal of centralizing citizens' biometrics
on the one hand and privacy laws and "cultural practices" on the other. Not only
does this involve a central data store of fingerprints and photos (and face scans)
that can be scanned against other databases for other purposes, but this
sensitive information may be transferred to other countries when verification
is required at border controls. The ICAO foresees that this information may be
retained by these other countries. In essence, this may turn into a global
distributed database of personal information.
Something that may be important to remember at
the time of national implementation is that the ICAO permits some flexibility;
some States may nonetheless interpret the ICAO standards as requiring
centralised databases.
The ICAO calls for central databases that allow
for additional security confirmation checks, but does not go so far as to
require such systems. It remains to be seen whether national governments will
recall this option, or whether they will instead change their national laws to
allow for centralized storage, as permitted in other ICAO documents. Already the
EU is moving towards a centralized registry of biometrics from the passport
enrolment process.
Most countries around the world regulate the
interception of communications by governments and private individuals and
organizations. These controls typically take the form of constitutional
provisions protecting the privacy of communications and laws and regulations
that implement those requirements.
There has been great pressure on countries to
adopt wiretapping laws to address new technologies. These laws are also in
response to law enforcement and intelligence agencies pressure to increase
surveillance capabilities. In Japan, wiretapping was only approved as a legal
method of investigation in 1999. Other countries such as Australia, Belgium, Germany,
New Zealand, South Africa and the United Kingdom have all updated their laws
to facilitate surveillance of new technologies.
The United States government has been at the
forefront of promoting greater use of electronic surveillance. Former FBI
Director Louis Freeh traveled extensively around the world, promoting the use
of wiretapping in newly democratic countries such as Hungary and the Czech Republic.
At the same time, the United States has led world efforts to ensure that all
communications technologies have built-in surveillance capabilities and to
prohibit the manufacture and use of equipment that cannot be eavesdropped upon.
The United States has also been working through international organizations
such as the OECD, G-8 and the Council of Europe to promote surveillance.
It is recognized worldwide that wiretapping and
electronic surveillance are a highly intrusive form of investigation that
should only be used in limited and unusual circumstances. Nearly all major
international agreements on human rights protect the right of individuals from
unwarranted invasive surveillance.
Nearly every country in the world has enacted
laws on the interception of oral, telephone, fax and telex communications. In
most democratic countries, intercepts are initiated by law enforcement or
intelligence agencies only after they have been approved by a judge or some other
kind of independent magistrate or high-level official, and generally only for
serious crimes. Frequently, it must be shown that other types of investigation
were attempted and were not successful. There is some divergence on what
constitutes a "serious crime," and on what constitutes appropriate approval.
Several countries including France and the United
Kingdom have created special commissions that review wiretap usage and
monitor for abuses. These bodies have developed an expertise in the area that
most judges who authorize surveillance do not have, while they also have the
ability to conduct follow up investigations once a case is complete. In other
countries, the privacy commissioner or data protection authority has some ability
to conduct oversight of electronic surveillance.
An important oversight measure that many
countries employ is the requirement of annual public reporting of information
about the use of electronic surveillance by government departments. These
reports typically provide summary details about the number of uses of
electronic surveillance, the types of crimes for which they are authorized,
their duration and other information. This is a common feature of wiretap laws
in English-speaking countries and many others in Europe. Countries that issue
annual reports on the use of surveillance include Australia, Canada, France, New
Zealand, Sweden, the United Kingdom, and the United States. Meanwhile in the Netherlands,
the Minister of Justice in April 2003 announced that he saw no additional value
in maintaining a log of the frequency of wiretaps, or in installing a special
functionary to oversee the warrant process.
These countries recognize that people outside government must be able to
learn about the use of surveillance in order to limit abuses.
The reports are widely used in many countries by Parliaments for oversight and
also by journalists, NGOs and others to examine the activities of law
enforcement. The reports have shown an increase in the use of surveillance in
many countries including Australia,
the United States, and the United Kingdom, while in others such as Canada it has
remained steady. Most recently, however, Canada has reduced the amount of
reporting; despite statutory requirements, annual reports from the Solicitor
General on surveillance activities have not been released since 1999.
These laws are designed to ensure that legitimate
and normal activities in a democracy such as journalism, civic protests, trade
union organizing or political opposition are free from being subjected to
unwarranted surveillance because they have different interests and goals than
those in power. It also ensures that relatively minor crimes, especially those
that would not generally involve telecommunications for facilitation, are not used
as a pretext to conduct intrusive surveillance for political or other reasons.
However, wiretapping abuses have been revealed in
most countries, sometimes occurring on a vast scale involving thousands of
illegal taps. The abuses invariably affect anyone "of interest" to a
government. Targets include political opponents, student leaders and human
rights workers.
This can occur even in the most democratic of countries such as Denmark and Sweden,
where it was recently disclosed that intelligence agencies were conducting
surveillance of thousands of left-leaning activists for nearly 40 years.
The United Nations Commissioner on Human Rights
in 1988 made clear that human rights protections on the secrecy of
communications broadly covers all forms of communications:
Compliance with
Article 17 requires that the integrity and confidentiality of correspondence
should be guaranteed de jure and de facto. Correspondence should
be delivered to the addressee without interception and without being opened or
otherwise read. Surveillance, whether electronic or otherwise, interceptions of
telephonic, telegraphic and other forms of communication, wire-tapping and
recording of conversations should be prohibited.
The need for greater protection is recognized by
many democratic countries around the world. Most recently, the German Federal
Constitutional Court has considered whether the interception laws passed in
1998 are constitutional.
In March 2004, the German Federal Constitutional Court ruled that significant
portions of the 1998 Grosser Lauschangriff
wiretapping laws infringed upon the guarantees of human dignity and the
inviolability of the home under Articles 1 and 13 of the constitution, or Basic
Law.
The court held that certain communications are protected by an absolute area of
intimacy where citizens can communicate privately without fear of government
surveillance.
This includes conversations with close family members, priests, doctors and
defense attorneys, but excludes conversations about crimes that have already
been committed or the planning of future crimes. However, to justify
surveillance between the target and such persons of trust, the government must
show "there is strong reason to believe that the content of conversation
does not fall in the area of intimacy,"
and that the crime is "particularly serious". Once a specially
protected conversation begins the eavesdropping must stop immediately and any
recordings of that portion of the conversation must be erased. The German
legislature has until June 2005 to amend Grosser Lauschangriff to comply with
the court's decision.
In the past 15 years, the United States
government has led a worldwide effort to limit individual privacy and enhance
the capability of its police and intelligence services to eavesdrop on personal
conversations. This campaign had two strategies. The first is to promote laws
that make it mandatory for all companies that develop digital telephone
switches, cellular and satellite phones and all developing communication
technologies to build in surveillance capabilities; the second is to seek
limits on the development and dissemination of products, both in hardware and
software, that provide encryption, a technique that allows people to scramble
their communications and files to prevent others from reading them.
Law enforcement agencies have traditionally
worked closely with telecommunications companies to formulate arrangements that
would make phone systems "wiretap friendly." These agreements range
from allowing police physical access to telephone exchanges, to installing
equipment to automate the interception. Because most telecommunications
operators were either monopolies or operated by government telecommunications
agencies, this process was generally hidden from public view.
Following deregulation and new entries into
telecommunications in the United States in the early 1990s, law enforcement
agencies, led by the FBI, began demanding that all current and future
telecommunications systems be designed to ensure that they would be able to
conduct wiretaps. After several years of lobbying, the United States Congress
approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994. The act sets out
legal requirements for telecommunications providers and equipment manufacturers
on the surveillance capabilities that must be built into all telephone systems
used in the United States. In 1999, at the request of the Federal Bureau of
Investigation, an order was issued under CALEA requiring carriers to make
available the physical location of the antenna tower that a mobile phone uses
to connect at the beginning and end of a call.
Due to heavy lobbying, Internet Service
Providers (ISPs) in the United States were exempted from implementing these
technical requirements under CALEA. Changes are in the wind, however, as the FBI
is calling on the Federal Communications Commission to expand the law by
reclassifying Voice over IP (VoIP, i.e., phone calls over the Internet)
providers as telecommunications carriers under CALEA. If these
providers are reclassified as carriers, then the requirements for intercept
capability under CALEA will also apply to them. The Senate is currently
reviewing legislation on regulating VoIP.
Intercepting content over digital services is a
common legal practice in other countries. In Australia the Telecommunications
Act 1997 places obligations on telecommunications operators to positively
assist law enforcement in the performance of their duties and to provide an
interception capability. The costs of these obligations are borne by the
operators themselves.
In the United Kingdom the Regulation of
Investigatory Powers Act 2000 requires that telecommunications operators
maintain a "reasonable interception capability" in their systems and
be able to provide on notice certain "traffic data." It also imposes
an obligation on third parties to hand over encryption keys. These requirements
were further clarified in the Regulation of Investigatory Powers (Maintenance
of Interception Capability) Order 2002. In the Netherlands, a new
Telecommunications Act was approved in December 1998 that required ISPs to
have the capability by August 2000 to intercept all traffic with a court order
and to maintain user logs for three months.
The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad
wiretap of electronic communications of one of its subscribers. In New Zealand,
the Telecommunications (Residual Powers) Act 1987 requires network operators to
assist in the operation of a call data warrant (equivalent to the United States
trap and trace or pen register warrant).
An obligation to assist in the operation of a full interception warrant is now
also being considered in New Zealand. The Telecommunications (Interception
Capabilities) Bill currently being drafted by the Government would require all
ISPs and telephone companies to upgrade their systems so that they are able to
assist the police and intelligence agencies to intercept communications. It would
also require a telecommunications operator to decrypt the communications of a
customer if that operator had provided the encryption facility. In January 2002, a
new Law on the surveillance of mail and telecommunications entered into force
in Switzerland, requiring ISPs to take all necessary measures to allow for
interception.
In contrast, the Austrian Federal Constitutional Court held, in a decision in February 2003,
that the law compelling telecommunications service providers to implement wiretapping
measures at their own expense is unconstitutional. Most recently, Poland
and New Zealand have been reported as proposing and adopting new laws requiring
ISPs to monitor and record communications transactions.
International cooperation played a significant
role in the development of these standards. In 1993, the FBI began
hosting meetings at its research facility in Quantico, Virginia called the
"International Law Enforcement Telecommunications Seminar" (ILETS).
The meetings included representatives from Canada, Hong Kong, Australia and the
European Union. At these meetings, an international technical standard for
surveillance, based on the FBI's CALEA demands, was adopted as the
"International Requirements for Interception." In January 1995, the
Council of the European Union approved a secret resolution adopting the ILETS
standards.
Following this, many countries adopted the resolution into their domestic laws
without revealing the role of the FBI in developing the standard. Following the
adoption, the European Union and the United States offered a Memorandum of
Understanding (MOU) for other countries to sign to commit to the standards.
Several countries including Canada and Australia immediately signed the MOU.
Others were encouraged to adopt the standards to ensure trade. International
standards organizations, including the International Telecommunications Union
(ITU) and the European Telecommunication Standardisation Institute (ETSI), were
then successfully approached to adopt the standards.
The ILETS group continued to meet. Several
committees were formed and developed a more detailed standard extending the
scope of the interception standards. The new standards were designed to apply
to a wide range of communications technologies, including the Internet and
satellite communications. They also set more detailed criteria for surveillance
across all technologies. The result was a document called ENFOPOL 98, the
European Union designation for documents created by the European Union Police
Cooperation Working Group.
In 1998, the document became public and generated
considerable criticism. The committees responded by removing most of the
controversial details and putting them into a secret operations manual that has
not been made publicly available. The new document, now called ENFOPOL 19,
expanded the type of surveillance to include "IP address (electronic
address assigned to a party connected to the Internet), credit card number and
E-mail address."
In April 1999, the Council proposed the new draft council resolution to adopt
the ENFOPOL 19 standards into law in the European Union. The Council of
Ministers revised the document and, in June 2000, approved a resolution calling
for countries:
to ensure that, in the
development and implementation – in cooperation with communication service
providers – of any measures which may have a bearing on the carrying out of
legally authorised forms of interception of telecommunications, the law
enforcement operational needs . . . are duly taken into account.
The annex to the document sets out detailed
guidelines for interception requirements for "all telecommunications
services, circuit and packet-switched, fixed and mobile networks and
services." It expands the coverage of the original International User
Requirements (IURs) to include networking technologies, without
acknowledging that technologies such as computer networking generate more and
more detailed information, including web browsing and mobile location
information, and that applying traditional surveillance analogies to them
therefore results in more intrusive surveillance.
A related development has been the use of
"black boxes" on ISP networks to monitor user traffic. The actual
workings of these black boxes are unknown to the public. What little
information has been made public reveals that many of the systems are based on
"packet sniffers" of the kind typically employed by computer network operators
for security and maintenance purposes. These are specialized software programs
running on a computer that is hooked into the network at a location where they
can monitor traffic flowing in and out of systems. These sniffers can monitor
the entire data stream searching for keywords, phrases or strings such as net
addresses or e-mail accounts. They can then record or retransmit for further
review anything that fits their search criteria. In many of the systems, the
boxes are connected to government agencies by high-speed connections.
In April 2000, it was publicly revealed that the
FBI had developed and was using an Internet monitoring system called
"Carnivore" (now called "DCS 1000"). The system places
a PC running Windows NT at an ISP's offices and can monitor all traffic about a
user, including e-mail and browsing. Carnivore "can scan millions of
e-mails a second" and "would give the government, at least
theoretically, the ability to eavesdrop on all customers' digital
communications, from e-mail to online banking and Web surfing." In response to
the public uproar over Carnivore, Attorney General Janet Reno announced that
the technical specifications of the system would be disclosed to a "group
of experts" to allay public concerns.
In the fall of 2000, the Justice Department commissioned a team of experts at
the IIT Research Institute and the Illinois Institute of Technology
Chicago-Kent College of Law (IITRI) to undertake an independent review of the
Carnivore system. The IITRI group issued its final report on Carnivore in
December 2000 and made several recommendations for changes to the system.
In some countries, there have been laws or
decrees enacted to require the systems to build in these boxes. Russia was the
first country where this requirement was made public, and according to Russian
computer experts, the United States government advised them on implementation.
In 1998, the Russian Federal Security Service (FSB) issued a decree on the
System for Operational Research Actions on the Documentary Telecommunication
Networks (SORM-2) that would require ISPs to install surveillance devices and
high-speed links to the FSB which would allow the FSB direct access to the
communications of Internet users without a warrant. ISPs are required
to pay for the costs of installing and maintaining the devices. When an ISP
based in Volgograd challenged FSB's demand to install the system, the local FSB
and Ministry of Communication attempted to have its license revoked. The
agencies were forced to back off after the ISP challenged the decision in
court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was
not a valid ministerial act because it failed several procedural requirements.
Following the Russian lead, in September 1999, Ukrainian President Leonid
Kuchma proposed requiring that ISPs install surveillance devices on their
systems based on the Russian SORM system. The rules and a subsequent bill were
attacked by the Parliament and withdrawn. However, in August 1999, the security
service visited several of the large ISPs who were reported to have installed
the boxes.
In the Netherlands, following the passage of the
1998 Telecommunications Act (see above), the Dutch Forensics Institute developed a
"black-box" for ISPs to install on their networks. The black box
would be under control of the ISP and turned on after receiving a court order.
The box would look at authentication traffic of the person to wiretap and
divert the person's traffic to law enforcement if the person is online. Due to
the inability of ISPs to adopt the requirements of the law, however, its
implementation has been delayed.
In China, a system known as the "Great
Firewall" routes all international connections through proxy servers at
official gateways, where Ministry for Public Security (MPS) officials identify
individual users and content, define rights, and carefully monitor network
traffic into and out of the country. At a 2001 security industry conference,
the government announced an ambitious successor project known as "Golden
Shield." Rather than relying solely on a national Intranet, separated from
the global Internet by a massive firewall, China will now build surveillance
intelligence into the network, allowing it to "see," "hear"
and "think."
Content-filtration will shift from the national level to millions of digital
information and communications devices in public places and people's homes. The technology
behind Golden Shield is incredibly complex and is based on research developed
largely by Western technology firms, including Nortel Networks, Sun
Microsystems and others. The Golden Shield efforts do not signal an abandonment
of other avenues of access and content control. For example, details are only
beginning to emerge about a new "black box" device, derived from
technology previously used in airline cockpit data recorders, and broadly
similar to the Carnivore system. Chinese Internet police would use the black
box technology to monitor dissidents and collect evidence on illegal
activities.
New methods of surveillance, and in particular
those capable of circumventing encryption, are also being developed. One such
technological device is a "key logger" system. A key logger system
records the keystrokes an individual enters on a computer's keyboard. Keystroke
loggers can be employed to capture every key pressed on a computer keyboard,
including information that is typed and then deleted. Such devices can be
manually placed by law enforcement agents on a suspect's computer, or installed
"remotely" by placing a virus on the suspect's computer that will
disclose private encryption keys.
The question of such surreptitious police
decryption methods arose in the case of United States v Scarfo. There, the FBI
manually installed a key logger device on the defendant's computer in order to
capture his PGP encryption password. Once they discovered the password, the
files were decrypted, and incriminatory evidence was found. In December 2001,
the United States FBI confirmed the existence of a similar technique called
"Magic Lantern."
This tool would reportedly allow the agency to plant a Trojan horse keystroke
logger on a target's computer by sending a computer virus over the Internet,
rather than requiring physical access to the computer as is now the case. The new
Danish Anti-Terrorism law, enacted in June 2002, appears to give law
enforcement the power to secretly install this kind of snooping software on the
computers of criminal suspects.
As new telecommunications technologies emerge,
many countries are adapting existing surveillance laws to address the
interception of networked and mobile communications. These updated laws pose
new threats to privacy in many countries because the governments often simply
apply old standards to new technologies without analyzing how the technology
has changed the nature and sensitivity of the information. It is crucial for
the protection of privacy and human rights that transactional data created by
new technologies is given greater protection under law than traditional
telephone calling records and other transactional information found in older
systems.
In the traditional telephone system,
transactional data usually takes the form of telephone numbers or telephone
identifiers, the call metrics (e.g., length of call, time and date),
countries involved, and types of services used. This data is usually collected
and processed by telephone companies for billing and network efficiency (e.g.,
fault correction) purposes. Because this data is stored by telephone companies,
it is available to law enforcement authorities. Communications content, i.e.,
conversations, is not stored routinely. As a result, the obstacles to law
enforcement access to this data were minimal: traffic data was available,
legally less sensitive, and so accessible with lower authorization and
oversight requirements. The content of communications was treated as more
sensitive, more invasive, and more difficult to collect, thus typically
requiring greater authorization and oversight mechanisms.
Different communications infrastructures give
rise to different forms of transactional data, however. When surfing the net, a
user can visit dozens of sites in just a few minutes and reveal a great deal
about their personal situation and interests. This can include medical,
financial, social interests and other highly sensitive personal information. As
the Council of Europe acknowledges in the Explanatory Report of the Convention
on Cybercrime:
The collection of this
data may, in some situations, permit the compilation of a profile of a person's
interests, associates and social context. Accordingly Parties should bear such
considerations in mind when establishing the appropriate safeguards and legal
prerequisites for undertaking such measures.
The detailed and potentially sensitive nature of
the data makes it more similar to content of communications than telephone
records.
Similarly, location information generated by
mobile communications infrastructure, such as mobile phones and mobile IP, is
more sensitive than the mere location of a fixed telephony communication. The
location information of mobile communications can provide details of an
individual's movements and activities and whom they have met with. This
location information may be combined with other transactional information such
as websites visited using the mobile device, individuals called, search engine
requests; all used to create a considerable profile. This affects a wide
variety of human rights beyond the right of privacy including the rights of
free speech and assembly.
Moreover, newer mobile communications protocols
are becoming increasingly specific about location data, and the availability of
this information is becoming part of the communications protocol itself. That
is, the means of identifying the location of a device are becoming more
precise, and this location information is communicated to several
parties, not only between the device and the mobile communications
operator. As a result, the location of the device can be discerned more easily,
without necessarily requiring access to the data held by the operator.
In addition to this data that naturally arises
from the functioning of a wireless network, there are other initiatives driving
the development of technologies that build in location-tracking capabilities.
For example, in the United States, the Federal Communications Commission (FCC)
directed wireless telephone service providers to begin implementing Automatic
Location Identification (ALI) for emergency (911) calls by October 1, 2001. The ALI "accuracy standards" require providers to develop capabilities that
will permit the location of users with the following degrees of precision: for
handset-based solutions – 50 meters for 67 percent of calls, 150 meters for 95
percent of calls; for network-based solutions – 100 meters for 67 percent of
calls, 300 meters for 95 percent of calls.
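As an added worked example (not from this report), the following Python code checks a constructed batch of test-call location errors against the ALI accuracy standards quoted above. The thresholds are compared with integer percentages so that "67 percent" and "95 percent" are tested exactly rather than through floating-point rounding; the sample error values and the function names are invented for illustration.

```python
# Accuracy standards quoted in the text: (radius in metres, percent of calls
# that must fall within that radius).
ALI_STANDARDS = {
    "handset": ((50, 67), (150, 95)),
    "network": ((100, 67), (300, 95)),
}

# Constructed sample: measured location error in metres for 20 test calls.
SAMPLE_ERRORS = [8, 12, 15, 18, 22, 25, 28, 31, 33, 36,
                 40, 44, 47, 49, 62, 75, 90, 120, 140, 148]


def count_within(errors_m, radius_m):
    """Number of calls whose location error is at most radius_m."""
    return sum(1 for e in errors_m if e <= radius_m)


def ali_compliance(errors_m, solution):
    """Check a batch of errors against the handset- or network-based standard.

    Returns ({radius: (percent_within, passed)}, overall_pass). The comparison
    count * 100 >= required_percent * n is done in integers on purpose.
    """
    n = len(errors_m)
    if n == 0:
        raise ValueError("no measurements to assess")
    results = {}
    for radius_m, required_pct in ALI_STANDARDS[solution]:
        within = count_within(errors_m, radius_m)
        passed = within * 100 >= required_pct * n
        results[radius_m] = (100 * within / n, passed)
    return results, all(passed for _, passed in results.values())


def radius_for_percent(errors_m, percent):
    """Smallest radius that contains at least `percent` of the calls.

    k = ceil(n * percent / 100) computed with integer arithmetic.
    """
    ordered = sorted(errors_m)
    k = (len(ordered) * percent + 99) // 100
    return ordered[k - 1]


if __name__ == "__main__":
    for solution in ALI_STANDARDS:
        results, ok = ali_compliance(SAMPLE_ERRORS, solution)
        print(solution, "pass" if ok else "fail", results)
    print("67% of calls within", radius_for_percent(SAMPLE_ERRORS, 67), "m")
    print("95% of calls within", radius_for_percent(SAMPLE_ERRORS, 95), "m")
```

The second function turns the question around: instead of asking whether a batch meets the standard, it reports how tightly 67 or 95 percent of calls are actually pinned down, which is the figure that matters when assessing how precisely a subscriber can be located.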
Other wireless devices and services increasingly are coming into use, including
wireless personal digital assistants, wireless Internet access, and automotive navigation
and assistance services (telematics), which when combined with Global
Positioning Satellite capabilities, can determine the physical locations of
users very precisely.
While there is likely to be strong commercial and
law enforcement demand for the collection and use of the location data
generated by these services, a legal framework to protect privacy specifically
with respect to location information has not yet been implemented. In the
absence of legal clarity, some operators have been keeping this kind of data
indefinitely. In October 2001, British mobile operator Virgin Mobile revealed
that it had retained all call records since it was created in 1999.
Similarly, in November 2001, it was reported that Irish operators Eircell and
Digifone were holding customer records for more than six years. In both cases,
the operators stated that they believed they were required to keep these
records under the law.
The level of legal protection afforded to other
traffic data is similarly unclear. Policies generally treat all of this
transactional data as "traffic data;" this data then bears the
protections afforded under the traditional telephone system. The United Kingdom
in its Regulation of Investigatory Powers Act 2000 accepted, after an extensive
debate, that there are varying levels of sensitivity to this data, and
separates "traffic data" (source and destination of a transaction
used for routing within a network) from the more sensitive "communications
data" that includes URLs, domain names, etc. The latter requires greater
authorization and oversight procedures. Not all countries have pursued this
line of reasoning.
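As an added illustration (not part of this report), the following Python example applies the distinction drawn above, and the earlier point that web browsing records can reveal medical, financial and social interests, to a constructed web access log for one subscriber. The same records are reduced to routing-level "traffic data" (timestamp, subscriber address, destination host) and compared with the full URLs that the Act treats as "communications data". The log lines, the keyword lists, the field names and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines: what an ISP-side monitor sees for one
# subscriber, as timestamp, subscriber address and full URL.
SAMPLE_LOG = [
    "2004-03-01T09:12:01 10.0.0.7 https://www.example-hospital.test/oncology/appointments?patient=4471",
    "2004-03-01T09:15:44 10.0.0.7 https://search.example.test/search?q=chemotherapy+side+effects",
    "2004-03-01T09:20:10 10.0.0.7 https://union.example.test/join/membership-form",
    "2004-03-01T09:31:55 10.0.0.7 https://bank.example.test/accounts/overdraft",
]

# Hypothetical keyword lists, used only to show what can be inferred.
SENSITIVE_TERMS = {
    "health": {"hospital", "oncology", "patient", "chemotherapy"},
    "finance": {"bank", "accounts", "overdraft"},
    "association": {"union", "membership"},
}


def parse_line(line):
    """Split one constructed log line into its three fields."""
    ts, src, url = line.split(" ", 2)
    return {"ts": ts, "src": src, "url": url}


def to_traffic_data(rec):
    """Routing-level 'traffic data': only when, from whom, and to which host."""
    return {"ts": rec["ts"], "src": rec["src"], "dst": urlsplit(rec["url"]).hostname}


def _words(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def profile(lines, level):
    """Sensitive categories inferable at a given level of disclosure.

    level='traffic' looks only at destination hosts; level='communications'
    looks at the full URL including path and query string.
    """
    found = {}
    for line in lines:
        rec = parse_line(line)
        if level == "traffic":
            text = to_traffic_data(rec)["dst"]
        elif level == "communications":
            text = rec["url"]
        else:
            raise ValueError("level must be 'traffic' or 'communications'")
        for category, terms in SENSITIVE_TERMS.items():
            hits = _words(text) & terms
            if hits:
                found.setdefault(category, set()).update(hits)
    return found


def minimise(lines):
    """The data-minimised view a provider keeps if it stores only traffic data."""
    return [to_traffic_data(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for level in ("traffic", "communications"):
        print(level, profile(SAMPLE_LOG, level))
    for rec in minimise(SAMPLE_LOG):
        print(rec)
```

Even the host-only view shows the subscriber contacting a hospital, a union and a bank; only the full URLs reveal the oncology appointment and the search for chemotherapy side effects. That gap is why the report argues that URL-level records are closer to content than to telephone records, and minimise() is the step a provider applies when it stores nothing beyond what routing needs.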
Previous United States policy differentiated
between traffic data on cable and telephone communications. The Cable Act
traditionally protected traffic data to a greater degree than telephone traffic
data. Now that cable infrastructure is used for Internet communications (which
previously ran over telephone lines, so that traditional laws applied),
successive White House administrations worked to erase this distinction,
finally succeeding with the USA-PATRIOT Act. Rather than deal with the
specifics of digital communications media and services, the changes in United
States law reduce the protections of traffic data for all communications to
what had previously existed for telephone communications data. This was clearly
intended, under the guise of technological neutrality. According to Attorney
General Ashcroft:
Agents will be
directed to take advantage of new, technologically neutral standards for
intelligence gathering . . . Investigators will be directed to pursue
aggressively terrorists on the internet. New authority in the legislation
permits the use of devices that capture senders and receivers addresses
associated with communications on the Internet.
On May 30, 2002, the European Parliament voted on
the European Union Electronic Communications and Privacy Directive. In a remarkable
reversal of their original opposition to data retention, the members voted to
allow each EU government to enact laws to retain the traffic and location data
of all people using mobile phones, SMS, landline telephones, faxes, e-mails,
chatrooms, the Internet, or any other electronic communication devices, to
communicate. The new Directive reverses the 1997 Telecommunications Privacy
Directive by explicitly allowing European Union countries to compel Internet
service providers and telecommunications companies to record, index, and store
their subscribers' communications data.
The data that can be retained includes all data generated by the conveyance of
communications on an electronic communications network ("traffic
data") as well as the data indicating the geographic position of a mobile
phone user ("location data").
The contents of communications are not covered by the data retention
measures. These requirements can be implemented for purposes varying from
national security to criminal investigations and prevention, and prosecution of
criminal offences, all without specific judicial authorization.
Although this data retention provision is
supposed to constitute an exception to the general regime of data protection
established by the directive, the ability of governments to compel ISPs and
telecommunications companies to store all data about all of their subscribers
can hardly be construed as an exception to be narrowly interpreted. The
practical result is that all users of new communications technologies are now
considered worthy of scrutiny and surveillance in a generalized and preventive
fashion for periods of time that States' legislatures or governments have the
discretion to determine. Furthermore, because of the cross-border nature of
Internet communications, this Directive is likely to have negative
repercussions for citizens of other countries. There is a significant risk that
non-European Union law enforcement agencies will seek data held in Europe that
it can not obtain at home, either because it was not retained or because their
national law would not permit this kind of access.
During the debates on the Directive, many members
of the European Parliament, and the European Union privacy commissioners
consistently opposed data retention, arguing that these policies contravene
the data protection practice of deleting data once it is no
longer required for the purpose for which it was collected, and also
contravene the proportionality principles established in constitutional
laws and jurisprudence. Similarly, the Global Internet Liberty Campaign, a
coalition of 60 civil liberties groups organized a campaign and drafted an open
letter to oppose data retention. The letter was sent to all European Parliament
members and heads of European Union institutions after more than 16,000
individuals from 73 countries endorsed it in less than a week. The
letter asserted that data retention (for reasons other than billing purposes)
is contrary to well-established international human rights conventions and case
law.
While a few other countries have already
established data retention schemes (e.g., Belgium, Denmark, France, the Netherlands,
Spain, Switzerland and the United Kingdom) the implementation phase of the
Directive's data retention provision may be bumpy in other Member States. The
German Parliament has repeatedly refused to allow for retention, finally
settling on a new Telecommunications Act, passed in May 2004 that allows
telecommunications providers to retain data, but does not require them to do
so. In the United Kingdom, after a review by a parliamentary committee,
significant questions were raised regarding the legality, invasiveness, and the
financial burdens involved in data retention. This did not
prevent the UK Government from upholding the practice in secondary legislation,
however. The Directive may be seen as being in conflict with the constitutions
of some European Union countries, with respect to fundamental rights such as
the presumption of innocence, the right to privacy, the secrecy of
communications, or freedom of expression.
In Finland, because of concerns regarding freedom of speech and privacy,
content retention requirements have been reduced to three weeks at most, and
for Internet traffic data no retention is required.
Meanwhile, the situation is uncertain in Austria,
Germany, Greece, Luxembourg, Portugal, and Sweden as they consider or
question the means through which they can establish retention policies. In Ireland,
proposals from the Department of Justice have been poorly received by
industry, the Data Protection Commissioner, and the Department of Communications,
Marine and Natural Resources.
Industry associations in several countries
and the International Chamber of Commerce have all announced their concerns
with general retention laws.
In all, nine states have established laws so far; while 10 out of 15 EU
governments favor a "harmonizing" EU measure. In October 2003
Privacy International released guidance that the practice of retention violates
Article 8 of the European Convention on Human Rights. This is likely to
become the key battleground as the EU moves forward on a harmonizing measure
for a deadline of June 2005, which is a direct response to the Madrid bombing
of February 2004.
Europe is not alone, however. Australia has
proposed a code of practice for ISPs to retain traffic data on a voluntary
basis.
Argentina also passed a law calling for the retention of traffic data for 10
years.
Other countries are also calling for the retention of subscriber details, and
are preventing anonymous access to the Internet through ID card requirements at
cybercafés,
while others are banning the use of anonymous mobile telephony.
Cybercrime: International Initiatives in Harmonizing Surveillance
A related effort for enhancing government control
of the Internet and promoting surveillance is also being conducted in the name
of preventing "cyber-crime," "information warfare" or
protecting "critical infrastructures." Under these efforts, proposals
to increase surveillance of the communications and activities of Internet users
are being introduced as a way to prevent computer intruders from attacking
systems and to stop other crimes such as intellectual property violations.
The international lead bodies are the Council of
Europe and the G-8, while there has also been some activity within the European
Union.
The United States has been active behind the scenes in developing and promoting
these efforts.
After meeting behind closed doors for years, these organizations finally, in
2000, made public proposals that would place restrictions on online privacy and
anonymity in the name of preventing cyber-crime.
Council of Europe
The Council of Europe (CoE) is an
intergovernmental organization formed in 1949 by West European countries. There
are now 45 member countries. Its main role is "to strengthen democracy,
human rights and the rule of law throughout its member states." Its
description also notes that "it acts as a forum for examining a whole
range of social problems, such as social exclusion, intolerance, the
integration of migrants, the threat to private life posed by new technology,
bioethical issues, terrorism, drug trafficking and criminal activities."
On September 8, 1995, the CoE approved a
recommendation
to enhance law enforcement access to computers in member states. In 1997, the
CoE formed a Committee of Experts on Crime in Cyber-space (PC-CY). The group
met in secret for several years drafting an international treaty, and in April
2000, released the "Draft Convention on Cyber-crime, version 19." Several
subsequent versions were released until version 27 was released in June 2001.
The convention has three parts. Part I proposes
the criminalization of on-line activities such as data and system interference,
the circumvention of copyright, the distribution of child pornography, and
computer fraud. Part II requires ratifying states to pass laws to increase
their domestic surveillance capabilities to cater for new technologies. This
includes the power to intercept internet communications, gain access to traffic
data in real-time or through preservation orders to ISPs, and access to secured
or "protected" data. The final part of the treaty requires all states
to cooperate in criminal investigations. So, for example, country A can request
country B to utilize any of the aforementioned investigative powers within
country B for a crime that is being investigated in country A. There is no
requirement for the crime in country A to actually qualify as a crime in
country B, i.e., no requirement for dual-criminality. In this sense, the
convention is the largest mutual legal assistance regime in criminal matters
ever created.
The draft convention text was strongly criticized
by a wide variety of interested parties including privacy and civil liberties
groups for its promotion of surveillance and lack of controls such as
authorization requirements and dual criminality; prominent
security experts for previously articulated limitations on security software; and industry for
the costs of implementing the requirements, and the challenges involved in
responding to requests from 43 different countries. The Article 29 Data
Protection Working Group has expressed concern regarding the convention's
implications upon privacy and human rights, concluding that:
The Working Party
therefore sees a need for clarification of the text of the articles of the
draft convention because their wording is often too vague and confusing and may
not qualify as a sufficient basis for relevant laws and mandatory measures that
are intended to lawfully limit fundamental rights and freedoms.
The convention text was finalized in September
2001. After the terrorist attacks on the United States, the convention was
positioned as a means of combating terrorism. A signing ceremony took place in
November 2001 where it was signed by 30 countries, and later signed by another
eight.
The convention came into force on January 7, 2004, once it was ratified by five signatory states, all members of the Council
of Europe.
The Convention was originally open to the members of the CoE and to countries
that were involved in its development, which includes Canada, Japan, South
Africa and the United States. Now that it is in force, other non-CoE
countries like China and Singapore can also ask to join. The Australian
government announced in July 2001 that its bill on computer crime, which
requires users to provide encryption keys, is based on the Convention. So far only Albania,
Croatia, Estonia, Hungary, Lithuania, and Romania have ratified the
convention. Romania has incorporated some of the language of the convention
into its law on transparency and corruption. In
December the Bush Administration signaled its intention to ratify the
convention. In June, the Senate Committee on Foreign Relations began its review
of the convention.
A protocol on Racism and Xenophobia was released
in November 2002. This protocol will require the criminalization of certain
forms of Internet speech that some might find offensive. The Bush
Administration has already stated that it will not support the protocol. There was some
discussion of a second protocol on "terrorist messages and the decoding
thereof," however discussion on this matter has not advanced publicly.
G-8
The G-8 is made up of the heads of state of eight
industrialized countries (Canada, France, Germany, Italy, Japan, Russia,
the United Kingdom, and the United States); the European Commission participates
as an observer. The leaders have been meeting annually since 1975 to discuss
issues of importance, including economics and finance, transnational organized
crime, terrorism, and the information society.
Since 1995, the G-8 has become increasingly
involved in the issue of high-tech crime, and has created working groups and
issued a series of communiqués from the leaders and actions plans from justice
ministers. Much of this work has been coordinated by the Lyon Group,
established formally in 1997.
At the Birmingham, England summit in May 1998,
the G-8 adopted a recommendation on ten principles and a ten-point action plan
on high-tech crime. The ministers announced:
We call for close
cooperation with industry to reach agreement on a legal framework for
obtaining, presenting and preserving electronic data as evidence, while
maintaining appropriate privacy protection, and agreements on sharing evidence
of those crimes with international partners. This will help us combat a wide
range of crime, including abuse of the Internet and other new technologies.
The G-8 has met several times with industry and is
actively promoting requirements that ISPs maintain records of all of their
users' activities in case there is a future need to investigate a crime that
might have occurred. These requirements were strongly criticized at a meeting
held by the G-8 in Japan in 2001 where industry and a civil liberties group
were invited and a draft press release and guidelines that promoted data
retention had to be withdrawn after they had already been made public.
The G-8 has continued its activity in the area of
law enforcement and combating terrorism, however. Throughout 2002 several
summits involving Finance Ministers, Justice and Interior Ministers, and heads
of state have released several statements regarding increased surveillance,
traceability of communications,
and data retention.
Increased cooperation across borders was discussed at length; and as with the
Council of Europe convention, no requirements of dual-criminality are
necessary.
The European Union
In July 2000, the Commission announced plans for
a new directive for fighting cyber-crime.
A communication was released in January 2001. While similar to
the Council of Europe convention in many ways, the Commission's proposal also
included proposals regarding data retention and the reduction of anonymity. These
policies were sought within "public forums" (only with limited
invited speaking slots) in the fall of 2001, with unclear and unpublished
results.
The retention proposal was sought in the
alternative forum of the Directive on Privacy and Electronic Commerce in the
European Parliament. The substantive law measures of criminalizing data and
systems interference and defining other such offences are being pursued as a
Council Framework Decision, which was in draft mode for almost a year and
nearly forgotten,
until the Madrid bombings of 2004 when it was placed back upon the agenda with
an expected implementation date of June 2005. This initiative is designed to be
consistent with the CoE and G-8 activities.
The Organization for Economic Co-Operation and Development
In contrast to many of these law
enforcement-driven initiatives, the Organisation for Economic Cooperation and
Development (OECD) has tended to take a broader view of security issues. In
1992, the OECD issued Guidelines for the Security of Information Systems. Containing nine
principles, the Guidelines stress the importance of ensuring transparency,
proportionality and other democratic values when establishing measures,
practices and procedures for the security of information systems. In the fall
of 2001, the OECD Working Party on Information Security and Privacy (WPISP)
established a group of experts to conduct a review of these guidelines (such a
review must take place every five years). The group of experts met four times
between December 2001 and June 2002 and recommended several changes. The OECD
Council adopted the 2002 Security Guidelines
on July 25, 2002 and they remain in effect.
Although the guidelines have been substantially revised, the need to ensure key
democratic values, such as openness, transparency and the protection of
personal information, is nonetheless reiterated in
the principles. The OECD also developed a "Culture of Security" web
site launched after the "OECD Global Forum on Information
Systems and Network Security: Towards a Global Culture of Security" held
in Oslo, Norway in October 2003.
The site provides member and non-member governments with an international
information-exchange tool on initiatives to implement the Guidelines and serves
as a portal to relevant Web sites as a first step towards creating a global
culture of security. OECD member countries adopted an implementation plan and released it to the public in January 2003. The OECD
also took a survey of OECD member countries in July 2003, analyzing measures taken
since the adoption of the Security Guidelines in July 2002 as consistent with
the OECD Implementation Plan. The survey results were released on June 7, 2004.
In the past several years, there has been
considerable attention given to mass surveillance by intelligence agencies of
international and national communications. Investigations have been opened and
hearings held in parliaments around the world about the "Echelon" system
coordinated by the United States.
Immediately following the Second World War, in
1947, the governments of the United States, the United Kingdom, Canada, Australia
and New Zealand signed a National Security pact known as the
"Quadripartite," or "United Kingdom – United States" (UKUSA)
agreement. Its intention was to seal an intelligence bond in which a common
national security objective was created. Under the terms of the agreement, the
five nations carved up the earth into five spheres of influence, and each
country was assigned particular signals intelligence (SIGINT) targets.
The UKUSA Agreement standardized terminology,
code words, intercept handling procedures, arrangements for cooperation,
sharing of information, Sensitive Compartmented Information (SCI) clearances,
and access to facilities. One important component of the agreement was the
exchange of data and personnel.
The strongest alliance within the UKUSA
relationship is the one between the United States National Security Agency
(NSA), and Britain's Government Communications Headquarters (GCHQ). The NSA
operates under a 1952 presidential mandate, National Security Council
Intelligence Directive (NSCID) Number 6, to eavesdrop on the world's
communications networks for intelligence and military purposes. In doing so, it
has built a vast spying operation that can reach into the telecommunications
systems of every country on earth. Its operations are so secret that this
activity, outside the United States, occurs with little or no legislative or
judicial oversight. The most important facility in the alliance is Menwith
Hill, a Royal Air Force base in the north of England. With over two dozen domes
and a vast computer operations facility, the base has the capacity to eavesdrop
on vast chunks of the communications spectrum. With the creation of Intelsat
and digital telecommunications, Menwith Hill and other stations developed the
capability to eavesdrop on an extensive scale on satellite-borne fax, telex and
voice messages.
The current debate over NSA activities has
focused on the existence of a signals intelligence system known as
"Echelon." United States officials have refused to confirm the
existence of this or any other surveillance systems. In May 2001, the European
Parliament's Temporary Committee on the Echelon Interception System
(established in July 2000) issued a report concluding that "the existence
of a global system for intercepting communications . . . is no longer in
doubt."
According to the committee, the Echelon system (reportedly run by the United
States in cooperation with Britain, Canada, Australia and New Zealand) was
set up at the beginning of the Cold War for intelligence gathering and has
developed into a network of intercept stations around the world. Its primary
purpose, according to the report, is to intercept private and commercial
communications, not military intelligence.
The report recommended
"self-protection" by EU citizens and companies, and encouraged
further development and use of encryption technology within Europe to protect communications
against surveillance. The report also recommended actions to be taken by the
European Parliament during its September 2001 session in Strasbourg. These
included provisions for the United States to (1) negotiate and sign an
agreement with the European Union requiring both parties to
"observe, vis-à-vis the other, the provisions governing the
protection of the privacy of citizens and the confidentiality of business
communications applicable to its own citizens and firms;" (2) sign the
International Covenant on Civil and Political Rights so complaints by
individuals could be submitted to the Human Rights Committee created by the
covenant; (3) negotiate with Member States a code of conduct akin to that of
the European Union; and (4) begin a dialog with the European Union on economic
intelligence gathering. On this point the Committee did not find widespread
evidence of Echelon being used primarily for economic intelligence gathering.
The Committee also recommended that Germany and the United Kingdom condition
further authorization of United States communications interception operations
within their territories on United States compliance with the European
Convention on Human Rights. No further action on these recommendations has been
taken.
Prior to issuing its report, the Temporary
Committee traveled to Washington, DC to meet with senior Bush administration
government and intelligence officials to discuss Echelon. When they arrived,
however, their meetings with these officials at the Departments of State,
Commerce and Defense, the CIA and the NSA were cancelled at the last minute.
The European Parliament subsequently issued a Resolution protesting this move.
The work of the recent Temporary Committee was
based on two earlier reports of the European Parliament. The first, "An
Appraisal of the Technologies of Political Control," was published in
1997 and stated that the NSA had established an integrated communications
surveillance capability in Europe. It described Echelon as a communications
intelligence sharing sub-system capable of scanning particular communications
to detect information of interest. In 1999, the second European Parliament
report, "Interception Capabilities 2000" set out the technical
specifications of the interception system.
The report described the merger of Echelon and the (ILETS), stating that in
time the two vast systems – one designed for national security and one for law
enforcement – would merge, and in the process compromise national control
over surveillance activities.
These recent events have left observers
contemplating two profound conclusions. First, as long as the UK-USA SIGINT
partners police and govern their own operations outside of actual effective
parliamentary and judicial oversight, there is good reason to believe that
SIGINT can be turned against individuals and groups exercising civil and
political rights. There is ample evidence that the activities of Greenpeace,
Christian Aid, Amnesty International, the International Committee to Ban
Landmines, the Tibetan government-in-exile, various anti-globalization
movements like the Independent Media Center, and the International Committee of
the Red Cross have been targeted by UKUSA agencies. Second, there is an
increasing blurring between the activities of intelligence agencies and law
enforcement. The creation of a seamless international intelligence and law
enforcement surveillance system has resulted in the potential for a huge
international network that may, in practice, negate current rules and
regulations prohibiting domestic communications surveillance by national
intelligence agencies.
The use of Echelon to
target diplomatic communications was highlighted as a result of disclosures
made in 2003 by a British intelligence employee, former United Nations
officials, and a former British Cabinet Minister concerning eavesdropping by
the US NSA and the British GCHQ over UN Secretary General Kofi Annan's
telephone communications and private conversations.
The issue of eavesdropping on the diplomatic
communications of the UN and its member nations' missions is covered by four
international conventions: the Universal Declaration of Human Rights (Article
12),
the 1961 Vienna Convention on Diplomatic Relations (Article 27), the 1947
Headquarters Agreement between the UN and the United States, and the 1946
Convention on the Privileges and Immunities of the UN (Article 2).
Since the terrorist attacks of September 11, 2001, one of the greatest fears of security officials in the world has been
that would-be terrorists would board commercial airline flights without their
malicious intentions being detected in advance. As a result, the US and many of
its international allies have placed a high priority on identifying, tracking,
and profiling travelers, especially air travelers.
Travelers and workers at transportation
facilities such as airports have come to be regarded as objects of suspicion,
potential terrorists, and targets of surveillance. Security agencies have
sought access to reservations and other travel data collected for commercial
purposes; compulsory identification of travelers and travel and transportation
workers; mandatory collection of additional traveler data and compilation of
personal travel dossiers; and deployment of new technologies for real-time
tracking and logging of travelers' movements.
Fear is not necessarily proportional to actual
danger,
and it's not clear that these policy and procedural changes are the outcome of
a considered evaluation of risks, benefits, and trade-offs. But whatever their motivation
or effectiveness for their declared purposes, these aviation and transportation
"security" measures create substantial potential for both commercial
and government misuse of personal travel data. Taken together, they could – if
successful – lead to the creation of a global infrastructure of surveillance of
the movements of persons, incorporating both the travel industry and government
agencies.
The privacy of travel records has been less well
protected than that of any comparably sensitive category of commercial data.
Existing travel industry norms for personal data handling fail to provide the
level of protection provided for other categories of data, and required by
generally accepted norms of data protection. Even in jurisdictions where data
protection laws include travel data, enforcement against violations by the
travel industry has been lax.
Reservation and transaction records created by
travel companies for commercial purposes contain intimate personal information
about airline (and sometimes intercity train and bus) travelers and their
movements, as well as personally identifiable information about third-party
ticket purchasers, travel industry personnel involved in making and changing
reservations, and other business and personal associates of travelers.
Reservation data for one or more people traveling
on the same itinerary is stored in a Passenger Name Record (PNR), which
typically contains names of travelers and details of flights, hotels, car
rentals, and other travel services. PNRs can also contain residential and
business postal and e-mail addresses and phone numbers, credit card details,
and names and personal information of emergency contacts. Through billing,
meeting, and discount eligibility codes, PNRs contain information about
memberships and organizational affiliations. Since a single PNR typically is
used for an entire travel party, PNRs contain detailed information on patterns
of association between travelers. PNRs can contain religious meal preferences
and special service requests that describe intimate details of physical and
medical conditions (e.g., "Uses wheelchair, can control bowels and
bladder") – categories of information that have special protected status
in the European Union and some other countries as "sensitive"
personal data.
Airlines and travel agencies around the world,
even those that compete with each other, have long been part of an integrated
global network of reservation systems. Most of these systems predate current
norms of data protection. While PNR formats vary, "interline"
agreements between airlines, joint industry ticketing and financial
clearinghouses, and industry-standard protocols facilitate easy global sharing
of PNR data.
Most of the world's airlines and travel agencies
outsource hosting of their PNR databases to one of four companies: Sabre,
Galileo (a division of the Cendant Corp.), Worldspan, and Amadeus. These
Computerized Reservation System (CRS) or Global Distribution System (GDS)
companies function both as data warehouses and data aggregators, and have a
relationship to travel data analogous to that of credit bureaus to financial
data. After the completion of a trip, copies of PNRs are "purged"
from live to archival storage systems, and can be retained indefinitely by
CRSs, airlines, and travel agencies.
Unlike medical and financial data, travel data
has not generally been legally recognized as posing special privacy issues, or
afforded any special protection. PNRs and ticketing records had been regarded
as simply another category of commercial transaction data.
In many countries airlines and travel agents are
overseen by different government agencies than other businesses, and few if any
aviation regulatory agencies include data protection divisions or enforcement
staff. In the US, for example, most consumer privacy policies are enforced by
state and local consumer protection authorities and the Federal Trade
Commission (FTC). But enforcement of privacy policies by airlines and travel
agencies, and of compliance by airlines and travel agencies with the EU-US Safe
Harbor arrangement,
is under the exclusive jurisdiction of the Department of Transportation (DOT).
The DOT has no staff dedicated to consumer privacy or data protection, and has
never brought an enforcement action for violation of a privacy policy or of the
Safe Harbor arrangement.
The International Civil Aviation Organization
(ICAO) has adopted a model Code of Conduct on the Regulation and Operation of
Computer Reservation Systems (CRS) that aims at safeguarding privacy.
However, the ICAO Code of Conduct on the
Regulation and Operation of Computer Reservation Systems has not been widely
adopted by ICAO member states. CRSs operate under government regulations in the
US
and Canada,[255]
but those regulations include no provisions related to privacy or data
protection.
The European Union Code of Conduct for
Computerized Reservation Systems, Article 5 (d), provides that, "personal
information concerning a consumer and generated by a travel agent shall be made
available to others not involved in the transaction only with the consent of
the consumer."[256]
But there is no record of any enforcement action ever having been taken under
this section, despite a history of widespread and systematic violations by all
four major CRSs.
National data protection authorities in Belgium
(on the complaint of data subjects, including a Member of the European
Parliament)
and France
have ruled that transfers of PNR data by airlines to US government agencies
without passengers' consent are illegal. Additional citizen complaints against
airlines for violations of national data protection laws have been made in Spain and the Netherlands. However, no
corrective action or change in data sharing practices has been ordered as a
result of any of these enforcement proceedings.
Like the ICAO standards, the recommendations of
the Passenger Services Conference of the International Air Transportation
Association (IATA) are only advisory. In addition, they relate only to the
conduct of IATA member airlines and not to travel agencies or CRSs. Even if
followed, the IATA recommendations serve more to legitimate than to limit
airlines' transfers of passenger data to government agencies.
Almost immediately after September 11, 2001, airlines and the US government – often in collaboration, and of necessity
involving the CRSs in their work – began accessing and using archived PNRs to
investigate the hijackings and to test the possibility of identifying
"suspicious" travelers through PNR profiling. Most of the major US-based airlines and CRSs, and a variety
of US government agencies and contractors, were involved in these
investigations and experiments over the next two years.[262] All of these tests were conducted
at the time in secret, without notice to, or consent of, the data subjects, and
in most cases – except the initial investigation of the events leading up to
September 11th – without warrants or subpoenas. They were gradually revealed to
the public as a result of US Freedom of Information Act (FOIA) requests and
lawsuits, Congressional questioning, investigative journalism, and admissions
by airlines. Governments, airlines, and CRSs in other countries were pressured
by the US to cooperate in providing reservation data for these programs,
irrespective of national data protection laws against such use without
travelers' prior consent.
These profiling systems and tests have not been
shown to be effective in identifying would-be terrorists from reservation data,
either alone or in conjunction with other databases.[263] A PNR carries no record
of the country (or countries) in which the data it contains was collected, so each of
these tests probably included data subject to many international jurisdictions.
The US government proceeded with these tests without waiting for any of the
legal changes needed to harmonize them with any other countries' laws.
Nonetheless, the US and some other governments have, after the fact, sought to
modify existing data protection rules and industry standards to mandate – or
failing that, at least to permit – government access to PNR data in order to
attempt to identify "suspicious" travelers.
Currently, only the United States, Canada, Australia
and New Zealand have legislation in place that makes government access to
airline reservation data mandatory. A number of other States are exploring this
process.
In Canada, the Personal Information Protection
and Electronic Documents Act (PIPEDA) was amended in 2001 by Bill C-44 to allow
Canadian airlines to provide foreign governments with "any information . .
. relating to persons on board or expected to be on board the aircraft and that
is required by the laws of the foreign state."[265] The PIPEDA was further amended
in 2004 by Bill C-7 to expand the exemption of travel data.[266] Bill C-7 in particular provoked
considerable criticism, including opposition from the Canadian Bar Association.[267] Both bills
were widely characterized as Canada's counterparts to the USA PATRIOT Act. In
May 2004, the European Commission approved a conditional finding that the level
of protection afforded to PNR data transferred to the US Department of Homeland
Security (DHS) Bureau of Customs and Border Protection (CBP) satisfies the
standard of "adequacy" required by the EU Data Protection Directive,[268] on the basis
of which the Council of the European Community signed an agreement purporting
to authorize PNR transfers to the US, if certain conditions were met.[269]
The finding of adequacy was contrary to the
formal opinion of the working party of EU national data protection officers. Both the
agreement and the finding of adequacy of protection of PNR data in the US
prompted extraordinary public controversy within the EU and conflict between EU
institutions. Both were denounced by privacy advocates on both sides of the Atlantic. In June
2004, the President of the European Parliament moved the Court of Justice of
the European Communities, on behalf of the Parliament, to annul both the
agreement and the adequacy finding.
The stated goal of the US government is the
adoption of permanent international standards overriding existing national data
protection laws, and mandating access to PNR data by all governments worldwide.
In addition to seeking access to existing PNR's,
some governments have sought to require data in PNRs beyond that which would
otherwise be entered for commercial purposes; to modify PNR formats to
facilitate desired government uses of PNR data; and/or to require airlines to
transmit additional Advance Passenger Information (API) data collected solely
to satisfy government demands.
While API data is typically described as corresponding to the information that
could already be gleaned from travelers' tickets and passports, the majority of
the categories of PNR and API data sought by the US cannot be obtained from
current travel documents.
These governmental initiatives have been led
primarily by the US and, within the EU, by Spain. In April 2004, a Spanish proposal
that all airlines operating to, or within, the EU be required to collect and
transmit to the governments of destination countries information concerning all
passengers, was adopted by the Council of the European Union over the
objections of the European Parliament committees that had considered it.
Canadian customs and immigration agencies have
developed and deployed their own airline reservation profiling software and
algorithms, but use "risk management criteria that are common to both
countries" to determine what travel data to share with the US.
Australia has mandated that all airlines provide
the government with continuous real-time access to their reservations systems,
and has implemented an automated profiling system, based on certain elements of
PNR and API data, which selects certain reservations for review and possible
action by customs officers.
In New Zealand, government access to PNR and API
data has been limited to international flights, and law enforcement authorities
have used the advance passenger processing system developed by Australia. The New
Zealand government has sought, but has not yet obtained, legal authority to
issue "do not board" orders to airlines on the basis of automated
analysis of PNR and API data.
The US has imposed a requirement for collection
and automated transmission of API data on all international flights to the US,
and has pursued multilateral agreements on API data transfers with the EU (as
part of the PNR agreement), the G-8
and, globally, through ICAO.
The model for the global travel data regime
sought by the US is the Computer Assisted Passenger Screening System, version 2
(CAPPS-II) that was proposed by the US government for flights to, from, and
within the US.
In July 2004, the US government announced its
intention to dismantle the CAPPS-II program. Department of Homeland Security
Secretary Tom Ridge said that privacy concerns surrounding the pilot program
coupled with ongoing Congressional doubts about the effectiveness of the
program contributed to the decision. When asked whether the program could be
considered "dead," Ridge answered "yes."
However, civil liberties organizations and air
travel experts expressed skepticism about the announcement. Some said that
CAPPS was simply being renamed or merged into other programs, and that the US
government would continue to pursue its essential functionality: mandatory
identification of all air travelers, entry of identifying data into
reservations, and government access to those reservations. These goals were
also endorsed later that month by the "9/11 Commission" in the US,
whose first recommendation for how to "protect against terrorist
attacks" was "targeting travel" and expanding "travel
intelligence collection," i.e. surveillance of travelers.
The US has sought permission from other countries
including the EU and Canada for use of data collected in those countries for
CAPPS-II.
The "Undertakings" by the US, which were a condition for the European
Commission's finding of adequacy of passenger data protection in the US,
specifically declare that the US may use data from the EU in CAPPS-II tests, although
that authorization refers specifically to "CAPPS-II," and thus may be
invalidated by the change of the program's name.
CAPPS-II or its successor would be a system of
automated identity- and reservation-based profiling unlike any other airline
passenger screening or security system in the world. CAPPS-II would profile each
passenger and assign them a risk or "suspiciousness" score on the
basis of their identity as determined from their PNR. That will not be possible
unless each passenger (a) is identified, (b) has a reservation, and (c) has
sufficient information entered in their reservation to identify them uniquely.
CAPPS-II will therefore have the effect of prohibiting anonymous or unreserved
travel, and mandating entry of specified identifying information about each
passenger in his or her PNR.
The US has proposed to use secret security
directives to impose both the requirement for travelers to display evidence of
their identity and the requirement for airlines and travel agents to create a
PNR containing specified identifying information for each traveler, concealing
the details of the requirements from the public and frustrating judicial review.
As the US Communications Assistance for Law
Enforcement Act (CALEA) did with the infrastructure of transport of
information, CAPPS-II and other government travel security initiatives would
require the embedding of "intelligence gathering" capabilities into
the infrastructure of transportation of people, imposing as an unfunded mandate
on the travel industry whatever changes, at whatever cost, are required to
provide that surveillance functionality. Even airlines that support CAPPS-II
have been concerned about the cost of the changes it would require to
reservation data structures, messaging formats and protocols, and business
procedures worldwide, especially if those costs are not reimbursed by
governments.
While the US government has suggested that it might cut back on the use of
other, non-travel commercial databases in the profiling component of its
revised and/or renamed successor to CAPPS-II, the intelligence gathering
component and its required changes to airline databases would remain as extensive
and costly as ever.
CAPPS-II would incorporate existing US
"no-fly" and other airline passenger "watch lists." As part
of its international initiatives for government access to, and trans-border
sharing of, PNR and API data, the US government has sought to establish a
global system for exchanges of traveler watch list information, and to exempt
it from requirements of disclosure, due process, and judicial review. PNR data
obtained through CAPPS-II would also be included in the lifetime
"biographic and biometric travel history" created and maintained on
each foreign visitor to the US under the US-VISIT system.
The information required by CAPPS-II would be, by
design, the information needed to ensure that all passengers can be uniquely
identified from reservations, and, as a result, that reservations for separate
trips can be indexed into lifetime travel histories. Under CAPPS-II, travel
companies in the US, including the CRSs which host most airline reservations,
would be permitted to retain all of this information indefinitely after passing
it on to governments, and use it to construct their own permanent files on
travelers. These records could be accessed by government agencies at any time,
even if the government itself did not retain the CAPPS-II data.
On August 26, 2004, The Department of Homeland
Security's Assistant Secretary for the Transportation Security Administration
David Stone announced that the government would begin testing Secure Flight,
its new passenger prescreening system, in November. Admiral Stone stated that
commercial airlines would be ordered in September to turn over
"historical" PNR data for TSA to use in the testing phase of Secure
Flight.
The new program, slated for deployment early next
year, will focus on comparing Passenger Name Records (PNRs) against expanded
"selectee" and "no fly" lists maintained by the
government. If a traveler's PNR matches information on a watch list,
commercial data aggregators will be relied upon to verify the traveler's
identity. TSA will administer the program, removing all passenger screening
responsibility from the airlines.
Though TSA plans to implement a redress process
for travelers improperly flagged by Secure Flight, it is unclear how this
process will work. The government has long used "selectee" and
"no fly" lists for aviation security purposes, but passengers have
experienced great difficulty clearing their names when improperly flagged. In
2002, EPIC obtained through the Freedom of Information Act dozens of complaint
letters sent to TSA by irate passengers who felt they had been incorrectly
identified for additional security or were denied boarding because of the watch
lists. The complaints describe the bureaucratic maze passengers encounter if
they happen to be mistaken for individuals on the list, as well as the
difficulty they encounter trying to exonerate themselves.
Foreign visitors will be required to identify
themselves with passports satisfying ICAO machine-readable travel document
(MRTD) standards,
which may also include secretly and remotely readable RFID chips containing
digitally encoded biometric data.
US travelers will be allowed to obtain "registered travel" tokens
or credentials only by having biometric data recorded, and by submitting to a
background check of government and commercial databases. The motivation to register can
only be that unregistered travelers will be subjected to longer delays and/or
more intrusive searches and screening.
Although the overwhelming emphasis has been on
air travel, some of these measures and others are now being extended to other
transportation modes, starting with trains and buses. Already intercity train
and bus passengers in the US are required to display "valid photo
identification" to purchase tickets and on boarding.
A government-required RFID/biometric
Transportation Worker Identification Credential (TWIC) is being tested for
eventual issuance to more than 10 million workers in transportation facilities
in the US, including airports, seaports, rail and truck terminals, etc. The TWIC
was, however, conceived with the intention that it would eventually identify all
users of transportation systems, i.e. travelers.
Eventually, all persons on transportation vehicles or in transportation
facilities may be required to carry government-issued RFID/biometric
identification credentials.
The Department of Homeland Security deployed the
United States Visitor and Immigrant Status Indicator Technology (US-VISIT) at
115 airports and 15 major seaports on January 5, 2004. When this
practice began, the general response was one of shock and alarm. Brazil, China,
Greece
and Switzerland
were among countries that protested against their citizens being fingerprinted
by the Department of Homeland Security. Brazil even threatened reciprocity.
This border security program is intended to
improve the United States' capability to collect information about foreign
nationals who travel to the US, as well as control the pre-entry, entry, status,
and exit of these travelers. US-VISIT is expected to be operational at every US
air, land and seaport by the end of 2005.
Some information in US-VISIT will be kept for 100 years, and all
information may be disclosed to any law enforcement agency in the US and any
other country.
When a visitor subject
to US-VISIT applies for a visa to travel to the US, he is fingerprinted and photographed at an overseas US consular office. This biometric information is then checked against more
than 20 interfacing government databases to determine the likelihood that the
visitor is a criminal or terrorist. When the visitor arrives at a US port of entry, he is
again fingerprinted and photographed to verify that he is the same person who
was issued the visa. The program will eventually be expanded to fingerprint
visitors when they exit the US, as well.
US-VISIT did not apply to visitors to the US
traveling under the Visa Waiver Program until September 20, 2004, when the program
was expanded to include Visa Waiver travelers arriving at air and seaports.
The general response to this expansion of US-VISIT was very quiet, possibly
because the enlargement of the program was a result of the proposed extension
of the biometric passport deadline.
If any Visa Waiver program countries do not implement biometric passports by
October 2004, US law requires that these countries be removed from the Visa
Waiver program, resulting in all nationals being forced to get visas.
Earlier, the Department of Homeland Security
indicated that it intended to link CAPPS II and US-VISIT when both programs are
fully operational to ensure that "the processes at both border and airport
points of entry and exit are consistent." It is likely that
US-VISIT will now be linked with Secure Flight.
Other countries are considering similar systems
now that the US has expanded US-VISIT. The EU has proposed a similar system
involving fingerprints, enhanced by the fact that EU countries will also have
fingerprint-based biometric passports, creating a database of biometrics on
over 450 million people.
- Lack of enforceable legal protection for travel data comparable to that for financial, medical, or other sensitive categories of personal information
- Government demands for access to reservations and other commercial travel data and exemption of travel-related data from existing privacy and data protection regulations
- Compulsory identification of travelers (through biometrics, compulsory carrying or display of credentials, etc.) and compulsory entry of identifying data into reservations
- Indexing of reservations and travel transactions into lifetime personal travel dossiers
- Inclusion of secretly and remotely readable RFID chips in passports, tickets, "registered traveler" credentials, or other travel documents
- Profiling of travelers, denial of freedom of travel, slower or more intrusive searches, or other differential treatment of travelers on the basis of watch lists, profiles, or "registered traveler" status
- Integration of commercial and government databases about travelers; integration and conversion of travel industry infrastructure into an infrastructure of surveillance
Advances in technology
are also making it easier and cheaper to conduct covert audio surveillance.
Bugs come in many shapes and sizes. They range from micro engineered
transmitters the size of an office staple to devices no bigger than a cigarette
packet that are capable of transmitting video and sound signals for miles. Many
of the bugs are cleverly camouflaged. They are hidden in everything from
umbrella stands to light shades. Sometimes, the infiltrator will hide them in a
business or sports trophy where they will stay indefinitely. The latest bugs
remain active with their own power supply for around ten years.
Laws restricting the
use of covert audio devices vary widely across the world. Many countries have
provisions in their general wiretap laws that also cover the use of bugs. The
European Court of Human Rights has ruled several times that all signatories of
the Convention must enact laws governing their use. While it is illegal in most
circumstances in the United States to use or sell such devices, the British market had no
restrictions whatever until recently. As one private investigator told the
London Daily Telegraph, "It's a game anyone can play." Millions of
bugs are sold every year in Asian countries such as Hong Kong and Japan.
The devices are used for a variety of reasons. In
many Asian countries, use of the devices for industrial espionage is
widespread. They are also frequently used in the workplace or in homes. Law
enforcement and intelligence agencies also use the devices but according to
government records in the United States, Canada and other countries, they are
used much less frequently than traditional wiretaps for law enforcement purposes.
Surveillance cameras (also called Closed-Circuit
Television or CCTV)
are increasingly being used to monitor public and private spaces throughout the
world. The leader is the United Kingdom, where between GBP 150 and 300 million
per year is spent on expanding a surveillance industry that has an estimated
one and a half million cameras watching public spaces. Many central business
districts in Britain are now covered by surveillance camera systems involving a
linked system of cameras with full pan, tilt, zoom and night vision or infrared
capability. CCTV systems are also in wide use in several other European
countries where they are closely regulated. Surveillance of public spaces has
grown markedly in the United States and Australia. In New York City, the NYCLU
Surveillance Camera Project identified 2,397 cameras in Manhattan, an
admittedly incomplete list.
The Mayor of Washington, DC had proposed "London style" blanket
surveillance of public areas to cover the many public protests that take
place in the capital, but public opposition has prevented the adoption of the
plan.
In Singapore, cameras are widely deployed for traffic enforcement and to
prevent littering. Several governments are now considering using surveillance
systems as an anti-terrorism tool. Some observers believe the surveillance
camera phenomenon is dramatically changing the nature of cities. The technology
has been described as the "fifth utility," where CCTV is
being integrated into the urban environment in much the same way as the
electricity supply and the telephone network in the first half of the twentieth century.
Governments and law enforcement authorities have
used video surveillance in various circumstances ranging from the prevention of
crimes,
the safety of urban environments and government buildings, traffic control, the monitoring of
demonstrators,
and in the context of criminal investigations. In the United States, several
cities have started implementing sophisticated systems of surveillance. In Washington,
DC, surveillance cameras have been placed on national monuments, such as the
Lincoln Memorial. New York, Tampa, Virginia Beach, Baltimore, and Chicago have
also started installing cameras.
In the United Kingdom, the government and police authorities have covered the
country with more than one and a half million cameras, some of them being used
to check the license plates of cars entering cities, and even the face of
drivers,
making CCTV the single most heavily funded non-criminal justice crime
prevention measure.
A 2003 survey conducted by the Dutch data protection authority found that one
municipality in five uses camera surveillance.
In Europe, because the encompassing data
protection legal framework of the European Union Data Protection Directive
applies to video surveillance records, privacy authorities have started drawing
up guidelines aimed at implementing the Directive's data protection principles
to the field of video surveillance.
The European Commission, in a recent consultation aimed at evaluating how the
Directive had been implemented in practice as regards the processing of sound
and image data, concluded that no change was required to the current rules for
it to be applicable to the processing of personal data in the context of video
surveillance, although more practical guidance was definitely needed. The
Article 29 Working Party (established under the EU Data Protection Directive)
has issued several documents on video surveillance. One includes a summary of
guidance issued by national data protection authorities.
In July 2000, the United Kingdom Data Protection
Commissioner issued a code of practice on the use of CCTV. The code sets out
guidelines for the operators of CCTV systems and makes clear their obligations
under the recently implemented Data Protection Act 1998. Also in
2000, the Greek Data Protection Commissioner issued a directive prohibiting the
use of CCTV, except in certain circumstances. In Sweden,
the 1998 Law on Secret Camera Surveillance restricts the use of video
surveillance. Norway's Personal Data Registers Act of 2000 also provides
specific rules for video surveillance. In Italy, the data protection authority
issued guidelines in May 2004 for the installation of surveillance cameras,
requiring, among other things, an assessment of whether the surveillance is
proportional to the objectives and whether alternative measures would be
possible.
In 2003, the European Court of Human Rights issued a judgment holding that the
disclosure of CCTV pictures by a public authority may constitute a violation of
an individual's right to privacy under Article 8 of the European Convention on
Human Rights.
In Canada, various provinces' privacy commissioners have established video
surveillance guidelines,
while Canada's Privacy Commissioner was active in limiting surveillance cameras by, e.g.,
launching a lawsuit against the Royal Canadian Mounted Police, calling their
use of the system an unconstitutional breach of privacy. In Washington,
DC, after the District of Columbia (DC) City Council and the US Congress
conducted several hearings on video surveillance, the DC City
Council enacted legislation directing the Chief of Police of the Metropolitan
Police Department (MPD) to issue regulations on the use of video surveillance cameras and technology. The MPD subsequently issued formal rules
on the use of CCTV in 2002.
Some other police departments and at least one federal government agency have
also established video surveillance guidelines.
In the United States, video surveillance is not
regulated by federal legislation, although some States have adopted statutes
prohibiting the use of video surveillance for peeping purposes, and video
voyeurism legislation is under active consideration by the US Congress.
As surveillance systems are becoming a routine
part of the urban landscape, scholars, data protection commissioners,
legislators, and the public are beginning to grapple with the implications and
purposes of this new technology, and to ask questions about its assumed
effectiveness.
Broader questions about the social consequences of video surveillance
activities are also being asked.
Proponents contend that video surveillance is a
deterrent to crime and gathers evidence of crimes. Generally, camera systems
have been rolled out with little prior research into the effectiveness or
appropriateness of the technology, as in most cases the deployment is driven by
a public relations need to create the impression of heightened security. The evidence
supporting the effectiveness of the camera system has been inconclusive. The
most important and comprehensive research to date is the United Kingdom Home
Office meta-study that has systematically reviewed the best studies done in the
past that have analyzed the effectiveness of CCTV systems. Other studies,
released earlier, found that in many areas with CCTV crime increased and street
lighting was a more effective deterrent.
In March 2002, a report issued by researchers at the University of Hull in the United
Kingdom, found that cameras do not have a major impact on most criminal
activity, and even where they appear to have an effect it is because that crime
is often just displaced elsewhere.
Recent studies conducted by the Scottish Center for Criminology have yielded
similar results.
Questions are now surfacing about the use of cameras in Australia: a 2003 study
released by the Australian Institute of Criminology reached equivocal conclusions
about the effectiveness of cameras there. Also in 2003, the United States General
Accounting Office (GAO) released a report on the use of CCTV by law enforcement in
Washington, DC, evaluating how law enforcement agencies have responded to civil
liberties risks flowing from CCTV surveillance systems.
Campaigns have begun in several countries to stop
the spread of surveillance camera systems,
and to monitor the deployment of cameras in several cities. In Washington, DC,
EPIC has launched Observing Surveillance
to document the presence of surveillance cameras in the nation's capital. For
several years, an international coalition composed of artists, scientists,
engineers, scholars, and others have declared December 24 to be "World
Sousveillance" day, and have staged several public protests to draw
attention to the use of surveillance cameras.
The debate over the appropriateness of
surveillance technology is likely to become sharper as the technology becomes
increasingly sophisticated. New systems can digitally record images, which
facilitate easy archiving, recovery, and sharing of information. Features
include night vision, computer-assisted operation, thermal imaging, and motion
detection facilities that help improve the operator's attentiveness by sounding
an alert if suspicious activity is taking place. The clarity of
the pictures is usually excellent, with many systems being able to read a
newspaper at a hundred meters. Technology is also being developed to spot
patterns in the surveillance data such as recognizing faces, analyzing crowd
behavior, and scanning the intimate area between skin surface and clothes using
"passive millimeter wave technology" to search for contraband or
weapons.
Research into these technologies is receiving significant government funding
for crime fighting and anti-terrorism purposes.
Tremendous progress in video surveillance
technologies has led to the miniaturization of cameras and enabled wireless
connectivity and access through the Internet. These developments, together with
the fact that more and more people use them in a private setting and for
private purposes, either to protect their property (security cameras), look
after their children and nannies ("nanny cams"), monitor nursing
home residents,
conduct virtual child visitation by divorced parents, or send pictures
to each other by mobile phone,
raise questions about the extent to which people are ready to be observed
everywhere they go in public places, or even, in private areas. Private bans on
cell phone cameras have been imposed by health clubs, schools, and employers.
Video surveillance is also being increasingly
used by private actors for law enforcement type purposes: to monitor their
properties, business and commercial areas;
to watch for thieves and pickpockets in shopping malls and casinos; to keep an eye on
private gated communities and passengers in aircraft; or to detect drug
dealing activities at schools.
Cameras are also used to monitor some police activities. In countries without
rules regulating video surveillance, it is relevant to question whether those
private actors' monitoring activities should be limited, or at least be subject
to the same constraints as government agents are.
Face recognition technology uses computerized
pattern matching technology to automatically identify peoples' faces. While it
is still very much in its infancy, it raises significant public policy
questions because it enables the covert identification and classification of
people in public. The borough of Newham in the United Kingdom first deployed a
face recognition system to scan faces against a database to identify people
"of interest." The Reykjavik airport in Iceland was among the first
airports to use the technology. In the United States, this same kind of face
recognition technology was used at the 2001 Super Bowl in Tampa, Florida to
compare the faces of attendees to faces in a database of mug shots. There was
widespread public outcry, prompting some to call the event the "Snooper
Bowl."
The reliability of face recognition technology
remains in dispute. For instance, it was not accurate enough for use in the
Salt Lake Winter Olympic games where the security chief said, "it's just
not proven technology yet."
Studies sponsored by the United States Defense Department showed the system is
right only 54 percent of the time and can be significantly compromised by
changes in lighting, weight, hair, sunglasses, subject cooperation, and other
factors.
Tests on the face recognition systems in operation at Palm Beach Airport in Florida, and Boston Logan Airport
also showed the technology to be ineffective and error-ridden.
As the power and capabilities of surveillance
technology increase while the cost and size of systems decrease, there will
be further incentives to use the technology. For example, the US Government
plans to require other countries to use biometric passports using face
recognition technology in the near future, although immediate implementation of
the requirement is likely to be postponed until 2006 because of
"challenging technical reasons."
These and other developments may create new pressures for appropriate
regulations to safeguard privacy and to prevent the misuse of the technology.
Developments in
satellite surveillance (also called "remote sensing") are also
occurring at a fast pace, and embrace features similar to those of more
conventional visual surveillance. Satellite resolution has constantly improved
over the past decade. Since the end of the Cold War, companies such as
EarthWatch, Motorola and Boeing have invested billions of dollars to create
satellites capable of mapping the most minute detail on the face of the earth.
A commercial satellite
capable of recognizing objects the size of a student's desk was launched from
the United States in September 1999 and began releasing images in October
2000. The Ikonos is the most powerful commercial imaging
satellite ever built. Its parabolic lens can recognize objects as small as one
meter anywhere on earth and, according to the company, viewers can see
individual trees, automobiles, road networks, and houses. The satellite, owned
by Denver
company Space Imaging, will be the first of a new generation of high resolution
satellites using technology formerly restricted to government security
agencies. Another ten companies have received licenses to launch equally
powerful satellites and several are expected to launch shortly.
The technology is
already being used for a vast range of purposes from media reporting of war and
natural disasters to detecting unlicensed building work and even illegal
swimming pools. Public interest groups are using the information to show images
of nuclear testing by countries and even images of secret United States bases such
as Area 51 in Nevada.
While industry looks
for the opportunity to exploit current spy satellite technology, a great deal
of effort is being made to integrate the existing images with ground-based
Geographic Information System (GIS) databases that can provide detailed data on
human activity. Double clicking on a satellite image of an urban area can
reveal precise details of the occupants of a target house. The "Open
Skies" policy accepted worldwide means that there are few restrictions on
the use of the technology.
But the companies have
a distance to go before they catch up with governments. It is estimated that
the current generation of secret spy satellites such as the Ikon/Keyhole-12 can
recognize objects as small as 10cm across and some analysts say that it can
image a license plate. Boeing recently landed a 10-year contract from the United
States Government for a Future Imagery Architecture (FIA) to replace the KH
satellites and the ground infrastructure. The FIA is based on a constellation of new satellites that
are smaller, less expensive, and placed in orbit to allow for real-time
surveillance of battlefields and other targets.
Surveillance by law enforcement is not the only
online privacy risk. The growth of the Internet and electronic commerce has
dramatically increased the amount of personal information that is collected
about individuals by corporations. As consumers engage in routine online
transactions, they leave behind a trail of personal details, often without any
idea that they are doing so. Much of this information is routinely captured in
computer logs.
Most on-line companies keep track of users'
purchases. This information ranges from the trivial to the most sensitive and,
unless adequately protected, can be used for purposes that seriously harm the
interests of the consumer. Other companies gather personal information from
visitors by offering personalized services such as news searches, free e-mail
and stock portfolios. They then sell, trade, or share that information among
third party companies without the consumer's expressed knowledge or consent.
The perceived value of this kind of information is behind the stock-market
valuations of many dotcom companies.
Many on-line companies, for example, provide
lists of their customers' e-mail addresses to companies that specialize in
sending unsolicited commercial e-mail (spam). Other companies mine e-mail
addresses from sources such as messages posted on mailing lists, newsgroups, or
domain name registration data. In one test by the US Federal Trade Commission,
an e-mail address posted in a chat room began receiving spam within eight
minutes of submitting a post.
Mining or harvesting e-mail addresses produces a barrage of online
advertisements. Studies show that consumers resent spam both for the time it
takes to process and for the loss of privacy resulting from their e-mail
address circulating freely on countless directories. Furthermore, spam
can result in significant economic loss to the consumer. A 2001 report by the
European Commission found that "Internet subscribers worldwide are paying
an estimated EUR10 billion (~USD 9 billion) a year in connection costs to
receive junk e-mails."
The European Union's Privacy and Electronic Communications Directive prohibits
unsolicited commercial marketing by e-mail without "opt-in" consent. In Japan two new
anti-spam laws were passed in 2002. The laws allow users of the Internet and
text-enabled mobile phones to opt-out of spammers' contact lists, and require
that all unsolicited commercial e-mail be clearly identified. In concert with a
February 2004 conference in Brussels, the OECD's Directorate for Science,
Technology and Industry released a background paper on spam. The report
summarizes challenges to effective enforcement of regulation, which include
very low compliance with labeling regulations, the possibility that
do-not-e-mail registries may only punish "reputable marketers" who
comply with them, and some consumers' mistrust of opt-out frameworks. The
report surveyed industry responses to spam, cross-border issues, and
enforcement, and ultimately concluded that a multi-dimensional approach and
international co-operation was necessary. The International Telecommunications
Union has begun a new project on Countering Spam.
According to the ITU, "Unsolicited
commercial communications or spam, as it is more usually known, has grown into
one of the major plagues affecting today's digital world . . . . A
multi-pronged approach, including technical solutions, consumer education,
industry partnership, appropriate laws and enforcement mechanisms and
international cooperation is therefore needed." At the ITU WSIS
Thematic meeting on Countering Spam, held in Geneva in July 2004, a wide range
of topics were addressed.
Many companies, including Internet Service
Providers (ISPs), search engine firms, and web-based businesses, monitor users
as they travel across the Internet, collecting information on what sites they
visit, the time and length of these visits, search terms they enter, purchases
they make, or even "click-through" responses to banner ads. In the
off-line world this would be comparable to, for example, having someone follow
you through a shopping mall, scanning each page of every magazine you browse
through, every pair of shoes that you looked at and every menu entry you read at
the restaurant. When collected and combined with other data such as demographic
or "psychographic" data, these diffuse pieces of information create
highly detailed profiles of individuals. These profiles have become a major
currency in electronic commerce where they are used by advertisers and
marketers to predict a user's preferences, interests, needs and possible future
purchases. Most of these profiles are currently stored in anonymous form.
However, there is a distinct likelihood that they will soon be linked with
information, such as names and addresses, gathered from other sources, making
them personally identifiable.
The most pervasive tracking technology is the
cookie. The cookie is a small file containing an ID number that is placed on a
user's hard drive by a website. Cookies were developed to improve websites'
ability to track users over a session. The cookie can also notify the site that
the user has returned and can allow the site to track the user's activities
across many different visits. The use of cookies expanded greatly when it was
realized that a single cookie could be used across many different sites. This
led to the development of advertising network companies that can track users
across thousands of sites. The largest ad service, DoubleClick, has agreements
with thousands of web sites and maintains cookies on over 100 million unique
users, each linking to hundreds of pieces of information about the user's
browsing habits. It is possible to configure the dominant Internet browsers to
reject or send a warning notice before cookies are set. This does not provide
much protection, however, as websites will often condition access on acceptance
of cookies or send floods of requests to set new cookies, thereby frustrating
the browsing experience.
A more secretive manner of monitoring online
users takes place through the use of web bugs. Web bugs are invisible graphics
that are placed on Web sites or in e-mails in order to track visitors to that
Web site or the recipients of e-mails (often spam). A Web bug on a Web site
collects information such as the IP address of the visiting computer, the
browser being used, the time of the "hit," and also a previously set
cookie value. In an e-mail a Web bug is used to discover if and when the e-mail
message was read, how many times it was forwarded, and the IP address of the
recipient. A marketing e-mail directing users to Web sites can also be used to
link the e-mail addresses of those that later visit the site to their cookie
data. Web bugs can also be used in newsgroup messages to track readers.
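The characteristics just described (a tiny or hidden image, fetched from a third-party host, carrying a per-recipient identifier in its URL) can be checked for mechanically. The following added example, which is not part of the report, scans a constructed HTML e-mail for such images using only the Python standard library; every host name and parameter in it is made up.

```python
# Added example (not from the report): flag "web bug" tracking images in an
# HTML e-mail using only the Python standard library.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body; every host name and parameter is made up.
SAMPLE_HTML = """
<html><body>
<p>Thanks for subscribing!</p>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60">
<img src="https://track.example-ads.test/open.gif?uid=8f3a19&cid=2004-07"
     width="1" height="1" style="display: none">
<img src="http://beacon.example-metrics.test/px" width="0" height="0">
<a href="https://www.example-shop.test/sale?uid=8f3a19">Sale</a>
</body></html>
"""

TINY = {"0", "1"}  # pixel dimensions typical of an invisible tracking image


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_first_party(hostname, sender_domain):
    return hostname == sender_domain or hostname.endswith("." + sender_domain)


def find_web_bugs(html, sender_domain):
    """Return the suspected web bugs in `html`, each with the reasons it was flagged.

    An image is reported when it is tiny or hidden (it carries no content for the
    reader), or when it is both third-party and carries an identifier in its URL
    (the combination that links the recipient to a cookie or profile).
    """
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        reasons = []
        if img.get("width") in TINY and img.get("height") in TINY:
            reasons.append("tiny image")
        if "display:none" in img.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by CSS")
        if url.hostname and not _is_first_party(url.hostname, sender_domain):
            reasons.append("third-party host " + url.hostname)
        params = sorted(parse_qs(url.query))
        if params:
            reasons.append("identifier in query: " + ",".join(params))
        invisible = "tiny image" in reasons or "hidden by CSS" in reasons
        if invisible or len(reasons) == 2:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "example-shop.test"):
        print(bug["src"], "->", "; ".join(bug["reasons"]))
```

Run against the sample, the logo is left alone while the two invisible images are reported with their reasons; a mail client or gateway that strips or blocks such images removes the "if and when it was read" signal the report describes.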
In April 2004, Google announced a new, free
webmail service called "Gmail." Under Google's system, Gmail
subscribers would receive an entire gigabyte of storage space on the condition
that the company could extract content from incoming and outgoing messages for
ad targeting.
Gmail's in-depth analysis of subscriber and non-subscriber e-mail raises
serious privacy issues ranging from new commercial intrusions into
communications to the possibility that the content capture system could be
employed for law enforcement purposes similar to the FBI's Carnivore system.
There are also risks that ad tracking could create data files related to the
content of e-mail communication that would not enjoy strong legal protection
against law enforcement subpoenas. A coalition of privacy and civil liberties
groups urged Google to suspend the Gmail system, and a subset of
the coalition requested that the Attorney General of California investigate the
company for violations of the state's strict wiretapping laws. Privacy
International filed a complaint on Gmail with over a dozen countries, the
European Commission, and the Article 29 Data Protection Working Group. Legislation to
address Gmail has been introduced in California, and the system's introduction
sparked the Massachusetts legislature to strengthen the State's privacy act.
Individuals are also tracked online through
"spyware," invasive software that transmits browsing habits or
personal information to others. Some spyware is motivated by commercial
profiling, and is primarily designed for ad targeting. Other spyware is
specifically advertised as a method for spying on individuals. Spyware is
generally difficult to define, and in comments to US regulators, EPIC has
argued that even "legitimate" software can possess "indicia of
invasiveness" that typically appear in unsavory spyware programs. Spyware is
sometimes bundled with other programs, so that users download and install it
without fully understanding the tracking capabilities. Spyware can also be
installed by "drive by downloads," situations where individuals are
tricked into accepting a program for installation, and through vulnerabilities
in Internet browsers.
The European Commission's Working Party on the
Protection of Individuals with Regard to the Processing of Personal Data, in
its January 1999 report entitled "Recommendation 1/99 on Invisible and
Automatic Processing of Personal Data on the Internet Performed by Software and
Hardware," addressed the issue of governmental response to spyware. Recommendations
of the Working Party include giving the data subject notice of the data
processing and collection, a user right of access to the data, prevention of
the creation of client persistent information, and technical protections
against spyware. In April 2004, the US Federal Trade Commission held a forum on
spyware.
In the offline world, profiling has been thriving
for decades.
Profiling companies build personally identifiable databases based on a plethora
of sources including supermarket purchases, product warranty cards, public
records, census records, magazine and catalog subscriptions, and surveys. This
is done in the absence of legislation that would prevent dossier building.
Companies also "enhance" dossiers that they already own by combining
or "overlaying" information from other databases. For instance, a
business may request a name and phone number directly from the customer, and
then use this information to purchase other personal details. These dossiers
may link individuals' identities to any number of facts deemed private by
advanced societies including medical conditions, physical characteristics, and
lifestyle preferences.
The line between online and offline profiling has
become more and more blurred. In 1999, DoubleClick announced that it was buying
Abacus, owner of the largest direct marketing lists in the country, with
information on the purchasing habits of 90 percent of all United States
households, and that DoubleClick was going to merge information from the
purchasing databases with information from online browsing. Following a public
outcry, the company suspended its plan to merge personal data with profiles.
However, in July 2000 the Federal Trade Commission reached an agreement with
the Network Advertisers Initiative, a group consisting of the largest online
advertisers including DoubleClick, which will allow for online profiling and
any future merger of such databases to occur with only "opt-out"
consent.
Another important player in this move towards
complete identification of Internet users is the Microsoft Corporation. In 2001
Microsoft began aggressively promoting the Passport and Hailstorm services in
preparation for the launch of Microsoft XP, the newest version of the Windows
operating system. Passport is an online identification and authentication
system, which employs a single sign-on system to facilitate e-commerce and
browsing among different web sites that require a user to identify oneself.
Once a user signs on to Passport, other affiliated sites visited by the user
receive information about the user. Passport stores user information in a
central database. The Passport service is intended to give Microsoft and
Passport affiliates the ability to send unsolicited commercial e-mail to
Internet users and to profile their activities. To register for Passport, a
user must submit an e-mail address. Users can also submit their real name,
city/locale, gender, age, occupation, marital status, personal statement,
hobbies and interest, favorite quote, favorite things, a personal photo, and a
home page. Hailstorm was a group of services
that Microsoft intended to provide from central servers. In theory it would
have collected an extraordinary range of consumer information. Privacy and
consumer groups in the United States filed a series of complaints against
Passport and Hailstorm with the Federal Trade Commission in 2001, detailing the
risks to privacy and security in these systems. In July 2002, European Union
(EU) officials confirmed publicly that they were pursuing an
investigation into Passport for breach of European privacy laws. In January 2003,
the EU Working Party on Data Protection – Article 29 issued an opinion
requiring substantial changes to Microsoft Passport. Among other
things, the opinion requires Microsoft to allow users to restrict the use and
sharing of information for commercial and marketing purposes.
A competitor to Microsoft's Passport, Project
Liberty, is being developed by a coalition of companies. This
identification system is similar to Microsoft's single sign-on. However, it
allows users to choose what companies will be able to authenticate the user.
Attempts at developing more permanent methods of
identifying users have been underway for years. In 1999, Intel announced that
it was including a serial number in each new Pentium III chip that could be
accessed by websites and internal corporate networks. Most of the manufacturers
suppressed the number after a consumer boycott was announced, and Intel
announced in 2000 that it is dropping the serial number in future chips.
Microsoft and RealAudio were discovered using the internal networking number
found in most computers as another identifier for online users. Microsoft's
Windows Media Player contains a globally-unique identifier (GUID) that can be
tracked by website operators. Finally, the Media Access Control (MAC) address
embedded in many network cards is unique and can be used to identify many
computers.
The privacy of online consumers can also be
seriously compromised by security breaches. Many web sites are poorly secured
against both physical and electronic attacks. In December 2002,
thieves stole hard drives containing the unencrypted personal information of
over 500,000 United States servicemen from the Triwest Corporation. In March 2000,
following a security breach, De Beers lost 35,000 names, addresses, phone
numbers and e-mail addresses of people inquiring about buying diamonds. In
April 2000, it was revealed that an unknown Microsoft engineer had included a
backdoor into its web server software. If someone typed, "Netscape
engineers are weenies!" backwards, they would have access to the websites
and associated data. In August 2000, Kaiser Permanente, a top United States
health insurer, admitted that it had compromised the confidentiality and
privacy of its members when it sent over 800 e-mail messages, many containing
sensitive information, to the wrong members.
Similarly in July 2001, Eli Lilly, the makers of the anti-depressant drug
Prozac, revealed the names and e-mail addresses of over 700 patients that
subscribed to the company's e-mail service for information on the drug and
other issues.
In 2003, a security breach notice law took effect in California that requires
entities to notify individuals when their personal information may have been
accessed without authorization.
Since implementation of that law, every month brings a new series of notices of
major security breaches.
A common practice among online companies is to
sign on to a "seal" program in order to provide consumers with a
sense of security that their personal information is being protected. These
programs follow the traditional seal programs in laying down certain
eligibility standards which participant companies must respect in order to get
a compliance seal. The better seal programs conduct monitoring and compliance
checks, provide educational information, offer consumer dispute resolution, and
enforce sanctions against errant companies. There are many disadvantages of
seal programs operating within a self-regulatory system. All too often, seal
program operators have been shown to be ineffective and reluctant to take
enforcement measures against their members including companies such as
Microsoft.
A 1999 Forrester research report found that, "because independent privacy
groups like TRUSTe and BBBOnline earn their money from e-commerce
organizations, they become more of a privacy advocate for the industry – rather
than for consumers."
There are tools available that can be used to
protect the privacy of users in many cases. These technologies are known as
"Privacy Enhancing Technologies" (PET) and are aimed at eliminating
or minimizing the collection of personally identifiable information. Encryption
is an important tool for protection against certain forms of communications
surveillance. When properly implemented, a message is scrambled (i.e.,
encrypted) so that only the intended recipient will be able to unscramble (i.e.,
decrypt), and subsequently read, the contents. Pretty Good Privacy (PGP) is the
best-known encryption program and has hundreds of thousands of users. An
alternative is the open source program called GNU Privacy Guard (GPG) that
allows anyone to view the full source of the system to ensure that it does not
allow for secret surveillance.
Cryptographic modules are also implemented in applications; for example web browsers,
in order to maintain some confidentiality in electronic commerce transactions,
include Secure Sockets Layer (SSL) to encrypt sessions between users and
servers.
It is important to note that encryption of
content alone does not prevent the disclosure of traffic data; that is, it is
still clear that person A is e-mailing person B, or that person A is visiting
web site W. Other applications are available to maintain the privacy of these
transactions. "Anonymous remailers" strip identifying information
from e-mails and can deter traffic analysis.
Services such as Anonymizer provide anonymous websurfing, anonymous e-mail
messaging, banner ad and pop-up blocking, and automated deletion of cookies and
web bugs after Internet sessions.
There have been significant setbacks in the
effort to develop commercially viable privacy enhancing techniques. In October
2001, Zero Knowledge Systems ceased to operate the Freedom Network, which used
to provide a fully encrypted and pseudonymous link between the user and secure
servers, and replaced it with a simpler proxy-based service. In February 2002,
several flaws were discovered in SafeWeb, an anonymous-surfing technology
originally funded by the Central Intelligence Agency. In March 2002,
Network Associates, the company that provided the commercial version of PGP,
discontinued support for the application.
The international (free) version continues to be available from PGP
International.
At the same time, human rights groups and even
large corporations explored new techniques to protect online privacy. The
Canadian-based Privaterra worked with NGOs to encourage the use of strong
encryption techniques and other methods for online privacy. Hacktivism
efforts continued with new efforts to empower dissident political organizations
operating over the Internet. In July 2002, the international hacker group,
Hacktivismo,
announced a new free service called "Camera Shy" to allow users to
conceal messages in ordinary image files on the Internet. The browser-based
steganography
application automatically scans and decrypts content straight from the Internet
and leaves no traces on the user's system.
The same group released a developer version of a free secure and anonymous web
tool called "Six/Four" in February 2003. The CryptoRights Foundation
is on the cusp of releasing a suite of programs to help human rights and other
advocates communicate securely.
It is important to distinguish between genuine
privacy enhancing techniques and data security technologies that seek to render
processing safe but not to reduce the disclosure and processing of identifiable
data.
Moreover, there are many products offered by industry that are not privacy
protective. Many of these systems, such as Microsoft's Passport and the World
Wide Web Consortium's Platform for Privacy Preferences (P3P), are designed to
facilitate data sharing rather than to limit disclosure of personal
information.
Electronic Numbering (ENUM) is an Internet
infrastructure that will allow a single number to reference contact or other
information in a public database.
Individuals or businesses holding an ENUM account will be able to store
information, including phone numbers, e-mail addresses, voicemail numbers, fax
numbers, or any other type of data in the ENUM database. Persons wishing to
contact the entity would use the ENUM to query a public database for the stored
information.
ENUM raises a host of privacy issues that are yet
to be resolved. Most importantly, because of the different ways in which ENUM
can provide means to contact a person, ENUM has the potential to become a
Globally Unique Identifier (GUID). At a more fundamental level, issues of
notice and individual participation have yet to be resolved. Since the ENUM
database is public, one can assume that it will be mined for commercial and
government surveillance purposes. This may lead to an unprecedented amount of
spam, as a single ENUM can reveal multiple methods of contacting a person.
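How one number turns into several contact methods is easy to show concretely. The following added example, which is not part of the report, forms the public ENUM domain name for an E.164 number (the e164.arpa naming rule defined for ENUM) and applies a set of constructed NAPTR records to it; the phone number, names and records are all made up.

```python
# Added example (not from the report): what a public ENUM lookup reveals about
# one phone number. The e164.arpa naming rule is the one defined for ENUM;
# the phone number, names and NAPTR records below are constructed.
import re


def e164_to_enum_domain(number):
    """Turn an E.164 number such as '+44 20 7946 0000' into its ENUM domain name.

    Keep only the digits, reverse them, separate each with a dot and append
    '.e164.arpa'. Anyone who knows the number can form this name and query it.
    """
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in %r" % number)
    return ".".join(reversed(digits)) + ".e164.arpa"


# Constructed NAPTR records as a resolver might return them for that name.
# Fields: order, preference, flags, service, regexp, replacement.
SAMPLE_NAPTR = [
    (100, 40, "u", "E2U+web:http", "!^.*$!http://www.example.test/alice!", "."),
    (100, 10, "u", "E2U+sip", "!^.*$!sip:alice@example.test!", "."),
    (100, 30, "u", "E2U+fax:tel", "!^.*$!tel:+442079460001!", "."),
    (100, 20, "u", "E2U+email:mailto", "!^.*$!mailto:alice@example.test!", "."),
    (200, 10, "s", "E2U+x-other", "", "_sip._udp.example.test."),  # not a terminal rule
]


def contact_uris(naptr_records, number):
    """Apply ENUM's terminal ('u') NAPTR rules to the number, best preference first.

    Returns (enumservice, uri) pairs: every distinct way the record holder can
    be reached, which is exactly the aggregation the report warns about.
    """
    contacts = []
    for _order, _pref, flags, service, regexp, _repl in sorted(
        naptr_records, key=lambda r: (r[0], r[1])
    ):
        if flags != "u" or not service.startswith("E2U+"):
            continue  # only terminal E2U rules yield a URI directly
        delim = regexp[0]  # the regexp field is "<delim>pattern<delim>replacement<delim>"
        _, pattern, replacement, _ = regexp.split(delim)
        contacts.append((service[len("E2U+"):], re.sub(pattern, replacement, number)))
    return contacts


if __name__ == "__main__":
    phone = "+44 20 7946 0000"
    print(e164_to_enum_domain(phone))
    for service, uri in contact_uris(SAMPLE_NAPTR, phone):
        print(service, uri)
```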
Radio Frequency Identification (RFID) is a type
of automatic identification system that enables data to be wirelessly
transmitted by portable tags to readers that process the data according to the
needs of a particular application. Tags in use today are small enough to be
invisibly embedded in products and product packaging. The data transmitted by
the tag may provide identification or location information, or specifics about
the product tagged, such as price, color, or date of purchase. RFID readers are
often connected to computer networks, facilitating the transfer of data from
the physical object to databases and software applications thousands of miles
away and allowing objects to be continually located and tracked through space.
RFID may also be used to identify documents and currency. RFID may even be
deployed to identify individuals. Today, major uses of RFID include supply
chain management, animal tracking, and electronic roadway toll collection.
While barcodes have historically been the primary
means of tracking products, RFID systems are rapidly becoming the preferred
technology for monitoring pets, products, vehicles and even people. In the widely
adopted EPC Global RFID standard, the data imprinted on a tag, the Electronic
Product Code (EPC), provides a unique link to individual product data. The data
is stored in a globally distributed, centrally managed electronic database,
known as the Object Name Service (ONS). Tag readers in remote physical
locations can connect to the ONS via the Internet and then read and modify the
item's ONS "dossier" throughout its lifecycle. In addition, the
tags can be read from a distance and through a variety of substances such as
snow, fog, ice, or paint, where barcodes have proved useless. RFID systems
enable tagged objects to speak to electronic readers over the course of a
product's lifetime – from production to disposal – providing retailers with an
unblinking, voyeuristic view of consumer attitudes and purchase behavior. RFID systems of
all kinds are capable of generating a volume of consumer data several orders of
magnitude greater than has been possible before. With in-store deployment, it
is predicted that Wal-Mart will generate more than seven terabytes of RFID data
a day.
Numerous retail industry white papers refer to the coming bonanza of
high-resolution consumer information and the ease with which this information
could be shared with third parties and aggregated for further data mining.
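To make the EPC-to-ONS path concrete, the following added example (not part of the report) packs and unpacks the 96-bit SGTIN value a retail tag carries and derives the ONS name a reader would query for it. The bit layout and the name-construction rule are stated from memory of the SGTIN-96 and ONS 1.0.1 specifications, not from the report; the company prefix, item reference and serial number are constructed values.

```python
# Added example (not from the report): what a reader gets from an EPC Global
# tag and how it turns that into an ONS query. Encoding follows the SGTIN-96
# layout and the ONS 1.0.1 name rule as recalled from those specifications;
# the company prefix, item reference and serial number are constructed values.

SGTIN96_HEADER = 0x30
ONS_ROOT = "onsepc.com"

# SGTIN-96 partition table: partition -> (company prefix bits, digits,
# item reference bits, digits). Together they always fill 44 bits.
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}


def encode_sgtin96(filter_value, company_prefix, item_ref, serial):
    """Pack the fields into the 96-bit value written on the tag (24 hex digits)."""
    partition = None
    for p, (_cbits, cdigits, _ibits, _idigits) in PARTITIONS.items():
        if cdigits == len(company_prefix):
            partition = p
    if partition is None:
        raise ValueError("company prefix must be 6 to 12 digits")
    cbits, _cdigits, ibits, idigits = PARTITIONS[partition]
    if len(item_ref) != idigits or serial >= (1 << 38):
        raise ValueError("item reference or serial out of range")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value      # 3-bit filter (e.g. 3 = retail item)
    value = (value << 3) | partition
    value = (value << cbits) | int(company_prefix)
    value = (value << ibits) | int(item_ref)
    value = (value << 38) | serial
    return "%024X" % value


def decode_sgtin96(hex_value):
    """Unpack the tag value into the pure-identity EPC URI a reader reports."""
    value = int(hex_value, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 tag")
    partition = (value >> 82) & 0x7
    cbits, cdigits, ibits, idigits = PARTITIONS[partition]
    serial = value & ((1 << 38) - 1)
    item_ref = (value >> 38) & ((1 << ibits) - 1)
    company = (value >> (38 + ibits)) & ((1 << cbits) - 1)
    # The serial number is part of what every reader in range receives,
    # which is what makes the individual item (and its holder) trackable.
    return "urn:epc:id:sgtin:%0*d.%0*d.%d" % (cdigits, company, idigits, item_ref, serial)


def ons_query_name(epc_uri):
    """Build the DNS name queried (for NAPTR records) to find the item's data.

    Rule: drop 'urn:epc:', drop the serial number, replace ':' with '.',
    reverse the labels and append the ONS root. The serial is not needed
    for the lookup; only the manufacturer and product class are.
    """
    if not epc_uri.startswith("urn:epc:id:"):
        raise ValueError("expected a pure-identity EPC URI")
    body = epc_uri[len("urn:epc:"):].rsplit(".", 1)[0]   # id:sgtin:<prefix>.<item>
    labels = body.replace(":", ".").split(".")
    return ".".join(reversed(labels)) + "." + ONS_ROOT


if __name__ == "__main__":
    tag = encode_sgtin96(3, "0614141", "000024", 400)
    uri = decode_sgtin96(tag)
    print(tag, uri, ons_query_name(uri))
```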
In January 2004, EPCGlobal chose Verisign, Inc.
to manage the root directory of ONS because of similarities between the name
service and Domain Name Service (DNS), which Verisign manages for the .COM and
.NET top-level domains.
This choice has raised alarm bells with privacy advocates, who note Verisign's
poor track record in electronic privacy.
The debate over RFID technology touches upon many
controversial policy issues. At its most fundamental, widespread use of RFID
tags could enable corporations to track every move consumers make. Corporations
which compile the data transmitted by the tags could determine which products a
consumer purchases, how often products are used, and even where the product –
and by extension the consumer – travels. By aggregating data to form consumer
profiles, corporations could make inferential assumptions about a consumer's
income, health, lifestyle, buying habits, and travels. This information could
be sold to governments to create dossiers of individual citizens, or simply
sold to other corporations for marketing purposes. While the ability of RFID
readers to collect data from tags once a consumer has left a store or moved
beyond the readers' range is currently limited, many consumer groups and
privacy advocates note that RFID technology is quickly advancing, while
measures to protect individual privacy by limiting the amount and type of
information corporations can collect about consumers are lacking.
Opponents of RFID tags have proposed measures to
side-step the chips' relentless information-gathering, ranging from disabling
the tags by crushing or puncturing them, boycotting the products of companies
which use or plan to implement RFID technology, or finding ways to block the
reading of a tag using special mylar bags or other technological means. The
RFID industry has moved to meet this consumer demand with its own solutions,
most notably the EPCGlobal standard for "killing tags" which allows
for tags to be physically disabled at point of sale by the merchant. Another
industry-level solution has been proposed by RSA Security, Inc., which would provide
a system for tag reading to be blocked in specified "privacy zones"
of varying scope. Both
"tag killing" and tag blocking are problematic solutions that have
yet to be proven in the field. The
"Blocker Tag" remains an unproven solution for many reasons.
Technologists appear to disagree as to the ease with which such a system might
be circumvented,
and it places a significant burden on consumers to make sure they protect their
privacy through the duration of their ownership of a product.
Currently, RFID tags are not widely used in
consumer products because the price of the tags is still prohibitively
expensive.
However, developments in RFID technology are yielding systems with larger
memory capacities, wider reading ranges, and faster processing. Over the next few
years, industry experts expect to see a broad range of RFID pilots, and even
several fully integrated systems, launched. Recently, Microsoft Corporation
announced that it would develop software that will enable retailers,
manufacturers, and distributors to use RFID tags to track goods within stores
and factories, as well as programs specifically designed to use the new retail
tagging technology.
Many organizations have considered implementing
RFID technology. Gillette and Wal-Mart had teamed up to test specially designed
shelves that would allow for real-time tracking of inventory levels. The
"smart shelves" would read radio frequency waves emitted by
microchips embedded in millions of shavers and other products. But, perhaps in a
nod to public opposition to the devices, Wal-Mart recently announced that it
would limit the use of RFID tags to warehouses and distribution centers. In a similar
fashion, Italian clothier Benetton announced that it would implant RFID tags in
the apparel products it retails, only to cancel its plans in the wake of public
opposition to the move.
However, New Hanover County Public Library in North Carolina recently installed
a self-checkout workstation and a self-return book drop powered by VTLS, Inc.,
the international market leader in technology for library automation. Several
libraries in the United States
have already tagged every book, tape, CD, or other item in their collections. Tire manufacturer
Michelin recently began fleet testing of a radio frequency tire identification
system for passenger and light truck tires.
In addition, the European Central Bank is moving forward with plans to embed
RFID tags as thin as a human hair into the fibers of Euro bank notes by 2005,
in spite of consumer protests.
The tags would allow currency to record information about each transaction in
which it is passed. Governments and law enforcement agencies hail the
technology as a means of preventing money laundering, black-market
transactions, and even bribery demands for unmarked bills.
Consumers, however, fear that the technology will eliminate the anonymity that
cash affords.
While RFID technology has not become widespread
in the US, corporations in Europe and Asia have moved forward with plans to tag
consumer products. The German conglomerate Metro is developing "stores of
the future," in which groceries and household items sold in its Extra
stores will be equipped with RFID tags. Marks & Spencer, one of the largest
retailers in the United Kingdom, is developing a massive project to tag
clothing. The project is a follow-up to the company's implementation of RFID
tags in 3.5 million produce delivery trays in 2002.
In addition, an RFID system unveiled at the Tokyo International Book Fair
2003 would allow booksellers to track consumers' in-store reading
preferences.
Also, Alexandra Hospital in Singapore recently
began a new tracking system in its accident and emergency department in the
wake of the Severe Acute Respiratory Syndrome (SARS) scare. Under
this system, all patients, visitors, and staff entering the hospital are issued
a card embedded with an RFID chip, so that if anyone is later diagnosed with
SARS, a record of all other individuals with whom that person has been in
contact can be immediately determined.
Other hospitals in Singapore are expected to adopt similar technology.
Europe's largest amusement park, Legoland in Denmark,
uses active RFID tags contained in bracelets and Wi-Fi networks to help parents
track their children through the park.
The PRISM system, developed by Alanco Technologies, Inc. for use in
correctional facilities, uses a tamper-proof RFID-enabled wrist bracelet to
monitor the location of prison inmates in real time, reducing instances of
prison vandalism and other unruly behavior. "A host of management
reporting tools are available that include medicine and meal distribution,
adherence to pre-determined time schedules, restricted area management, and
specific location, arrival and departure information." The United States
Transportation Security Administration (TSA) is considering
the use of RFID-tagged airline boarding passes.
Applications that are not initially designed to
track individuals, such as the US RFID-based electronic highway toll collection
system EZ Pass, might nonetheless make human tracking possible. In the
investigation of the slaying of US Federal prosecutor Jonathan P. Luna in late
2003, authorities used EZ Pass data from highway tollbooths in two states to
discover he had made repeated trips to the Philadelphia area over a period of
six months.
RFID manufacturer Applied Digital Solutions (ADSX) has developed a passive chip
the size of a pen point that is implanted in the human body. The VeriChip
Personal Identification System is designed for use in a variety of applications
including financial and transportation security, residential and commercial
building access, military and government security. A nightclub in Spain
began using the VeriChip system in March 2004, to improve access for VIPs and
allow them to pay for drinks without cash or credit cards. ADSX has begun a
campaign to promote the technology with the slogan "Get Chipped," and
a mobile van called the "ChipMobile" can perform the chip insertion
procedure in towns that it visits.
Many individuals and non-government organizations
have voiced strong opposition to widespread implementation of RFID tags without
proper privacy protections in place. One US
organization opposing the use of RFID tags is Consumers Against Supermarket
Privacy Invasion and Numbering (CASPIAN). CASPIAN located a number of internal
public relations documents that discuss how RFID developers plan to
"neutralize opposition" to the technology. The documents,
prepared by the public relations firm Fleishman-Hillard, suggest that:
"Political climate and shifting public perception require a proactive plan
that . . . mitigates possible public backlash" to RFID adoption. CASPIAN has
proposed model federal legislation known as the "RFID Right to Know Act of
2003," which calls for mandatory labels on RFID-equipped products so that
consumers can identify, and make informed choices about purchasing, products
fitted with tracking chips.
Over the past year there has been widespread
activity on the part of governments and NGOs to begin the process of regulating
the use of RFID to protect individual privacy. An international resolution on
RFID was adopted by data protection and privacy commissioners in Sydney, Australia;
bills have been drafted and debated in state legislatures of the United States;
and several individual countries, including Canada, Italy, Australia and Japan,
have outlined guidelines for domestic industry to follow in their use of RFID.
The approach of regulatory movements worldwide
varies considerably. The RFID bills drafted in the US all share a
"notice" clause.
This clause requires any consumer product bearing an RFID tag to be
conspicuously labeled. No RFID legislation is currently under consideration in
the US at the federal level.
Although it does not explicitly call for labeling,
a joint resolution on RFID, proposed by data protection authorities in Germany,
Spain and Switzerland and adopted at the International Conference of Data
Protection and Privacy Commissioners in Sydney, Australia on November 20, 2003, requires consumers to be able to delete data and destroy or disable
tags on consumer items. Further, the resolution asserts "all the basic
principles of data protection and privacy law have to be observed when
designing, implementing and using RFID technology." Joint guidelines
released by Japan's Ministry of Public Management, Home Affairs, Posts and
Telecommunications (MPT) and the Ministry of Economy, Trade and Industry (METI)
on June 8, 2004, call for consumers to be given options on how they might
interfere with the reading of tags, but appear to say nothing about rights to
have the tag removed or destroyed.
At the WSIS Summit in Geneva, Switzerland in the
fall of 2003, three international researchers from the United Kingdom, Switzerland
and Sweden discovered that the security system used to control access to the
United Nations Summit included hidden RFID tags embedded in the official Summit
badges. The researchers issued a press release detailing the manner in which
individual attendees could be identified and tracked as they moved through the
conference and argued that the processing of the personal data by WSIS violates
"the principles of the Swiss Federal Law on Data Protection of June 1992,
the European Union Data Protection Directive (1995/46/EC), and the 1990 United
Nations Guidelines concerning Computerized personal data files."
There is continuing debate over how existing laws
and regulations in the US and Europe might apply to the use of RFID technology.
In the United States, there is little in the way of omnibus legislation that
might apply to RFID practice. In Europe, however, existing data protection
directives apply to both the issue of individual tracking and the association
of data with personal identification. As a result, any use of RFID tags that involves
processing of personal data is likely to be subject to a number of data
protection obligations.
EU food traceability rules, overseen by the Health and Consumer Protection
Directorate-General and taking effect on January 1, 2005 (the traceability
provisions of the General Food Law, Regulation (EC) No 178/2002), mandate the
ability to trace the origins of food "to control the food chain, solve food
scares quickly, and prevent bioterrorism." It is widely believed that the food
industry will use RFID technology to meet this mandate.
PUBLIC RECORDS
Public records present some of the most difficult
privacy challenges. On one hand, public records may assist individuals in
ensuring that a government remains transparent and accountable. On the other,
public records may be converted from this tool of citizen empowerment to one
that empowers governments and businesses to track citizens. Increasingly,
personal information is being harvested from public records to create detailed
profiles on individuals. Public records may contain many types of personal
information that are commercially valuable. These include: Social Security numbers,
birth records, arrest information, civil case history, criminal case history,
addresses, driver's license information, land sales transactions, records of
asset holdings, ownership of corporations, marital status, presence of
children, employment status, and health information. Often, individuals are
compelled by law to provide truthful and complete personal information to
government authorities that is then placed in the public record. For instance,
in order to exercise the right of marriage, in some states a publicly available
license must be filed at a courthouse containing the individuals' Social
Security Numbers.
The advent of remote electronic access to public
records systems has raised the specter of vastly increased data mining and
profiling. Mining a public records database soon will no longer require the
time and expense involved in traveling to the physical location of the records.
Data miners will be able to remotely access public records systems and use
widely available software to harvest personal information. This harvesting of
personal information already has had a substantial impact on individuals. In
2002, the Wall Street Journal reported that drug maker Eli Lilly had terminated
employees for decade-old convictions discovered in dossiers aggregated from
public records.
Unrestricted commercial harvesting of public
records has enabled the American government to obtain detailed dossiers on
citizens with ease.
Through private-public partnerships, several profiling companies make consumer
dossiers available to the government. One company in particular, ChoicePoint, has emerged as
the leading provider for law enforcement and other government agencies. ChoicePoint
maintains web pages customized for individual federal agencies to facilitate the
sale of public record information to police.
As a result of FOIA requests initiated by EPIC, it was discovered that
ChoicePoint was selling the national ID databases of several Latin American
countries to the American immigration law enforcement agency. Since that
revelation, several Central and South American countries have initiated
investigations into the legality of the information transfer.
CENSUS
The counting of citizens can be traced back to
the Biblical account of Moses. In the Book of Numbers, Moses counted the people
in the territories around him in order to establish the size of the population
under his control. Scholars note that the resulting list of names served as an
early census, creating a legal identity for, and control over, a group of
people.
The US Census has been administered every 10
years since 1790, and it was intended to be used primarily for
the apportionment of Representatives for the nation's Congress. The complexity
of the census has grown with the expansion of the United States; the country's
government has found extensive uses for census related statistics. The census
has also been crucial in tracking the population needs of various regions and
understanding the structural composition of the nation's population.
The census raises important privacy issues. The
risks that accompany the electronic compilation of personal information include
re-identification,
which is the practice of linking individuals' identities to anonymous census
records; the use of personal information for marketing solicitations; and even
more serious consequences of political abuse.
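Re-identification as the paragraph describes it, shown on constructed data. This is an added example, not material from the report: an "anonymous" statistical release is joined to a public record (here a made-up voter roll) on the quasi-identifiers they share, and a second pass shows how coarsening those fields, measured as k-anonymity, closes the join. All names and records are constructed; the helper names are this example's own.

```python
from collections import Counter, defaultdict

QUASI_IDS = ("zip", "dob", "sex")

# Constructed "anonymised" release: names stripped, sensitive attribute retained.
ANON_RECORDS = [
    {"zip": "02138", "dob": "1961-07-13", "sex": "F", "condition": "asthma"},
    {"zip": "02139", "dob": "1961-02-01", "sex": "F", "condition": "none"},
    {"zip": "02139", "dob": "1975-02-02", "sex": "M", "condition": "diabetes"},
    {"zip": "02139", "dob": "1975-02-02", "sex": "M", "condition": "none"},
    {"zip": "02140", "dob": "1975-11-30", "sex": "M", "condition": "hiv"},
    {"zip": "02140", "dob": "1961-11-30", "sex": "F", "condition": "flu"},
]

# Constructed public record (a voter roll) carrying names plus the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "Ann Example", "zip": "02138", "dob": "1961-07-13", "sex": "F"},
    {"name": "Bea Example", "zip": "02139", "dob": "1961-02-01", "sex": "F"},
    {"name": "Carl Example", "zip": "02139", "dob": "1975-02-02", "sex": "M"},
    {"name": "Dan Example", "zip": "02139", "dob": "1975-02-02", "sex": "M"},
    {"name": "Ed Example", "zip": "02140", "dob": "1975-11-30", "sex": "M"},
    {"name": "Fay Example", "zip": "02140", "dob": "1961-11-30", "sex": "F"},
]


def qid(record, fields=QUASI_IDS):
    """The quasi-identifier tuple used as the join key."""
    return tuple(record[f] for f in fields)


def reidentify(anon, public, fields=QUASI_IDS):
    """Join on quasi-identifiers; return {name: condition} where the match is unique on both sides."""
    names_by_qid = defaultdict(list)
    for person in public:
        names_by_qid[qid(person, fields)].append(person["name"])
    anon_class_size = Counter(qid(r, fields) for r in anon)
    hits = {}
    for rec in anon:
        k = qid(rec, fields)
        if anon_class_size[k] == 1 and len(names_by_qid[k]) == 1:
            hits[names_by_qid[k][0]] = rec["condition"]
    return hits


def k_anonymity(records, fields=QUASI_IDS):
    """Smallest equivalence class over the quasi-identifiers; k == 1 means someone is unique."""
    return min(Counter(qid(r, fields) for r in records).values())


def generalise(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3] + "**", "dob": record["dob"][:4]}


if __name__ == "__main__":
    print("k before:", k_anonymity(ANON_RECORDS), "->", reidentify(ANON_RECORDS, VOTER_ROLL))
    coarse = [generalise(r) for r in ANON_RECORDS]
    print("k after:", k_anonymity(coarse), "->", reidentify(coarse, [generalise(v) for v in VOTER_ROLL]))
```

The point of the second pass is that the ZIP-code-level tabulations discussed later in this section are exactly the fine-grained keys that make the first join work; a release is only as anonymous as the smallest equivalence class it contains.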
In the United States, census data is protected
statutorily.
Title 13 of the US Code requires that information gathered by census
authorities be kept confidential and used exclusively for statistical purposes.
The statute provides penalties for employees who willfully disclose such
information illegally. Authorities are prohibited from using the information
for any purpose other than statistics, from making any publication that would
allow an individual to be identified, and from permitting any unauthorized
person to examine the census reports.
Internationally, data protection norms apply to
census data. Article 6(1)(b) of the European Union Data Protection Directive
provides that "appropriate safeguards" must be established for
"processing of data for historical, statistical or scientific
purposes."
A specific example of the privacy risks of the US
census can also be found in the 1940s. It has been recorded that even before
the Japanese attack on Pearl Harbor, President Franklin Delano Roosevelt
ordered the Census Bureau to collect information on "American-born and
foreign-born Japanese" from the Census data lists. Information was
gathered from the 1930 and 1940 censuses on all Japanese-Americans and then
given to the Federal Bureau of Investigation (FBI) and top military officials.
These sources point directly to the census information as one of the reasons
that led to the internment of almost 110,000 Japanese-Americans on the West Coast,
two-thirds of whom were US citizens.
In July 2004, a Freedom of Information Act
request pursued by the Electronic Privacy Information Center revealed that the
Census Bureau provided specially tabulated population statistics on Arab
Americans to the Department of Homeland Security, including detailed
information on how many people of Arab backgrounds live in certain ZIP codes.
The tabulations were produced in August 2002 and December 2003 in response to
requests from what is now the Customs and Border Protection division of the
Department of Homeland Security. One set listed cities with more than 1,000
Arab Americans. The second, far more detailed, provided ZIP-code-level
breakdowns of Arab American populations, sorted by country of origin. The
categories provided were Egyptian, Iraqi, Jordanian, Lebanese, Moroccan,
Palestinian, Syrian and two general categories, "Arab/Arabic" and
"Other Arab."
Following the efforts of a coalition of ethnic advocacy groups, privacy
watchdogs and civil rights and civil liberties organizations, the Census Bureau
subsequently announced that it would no longer assist law enforcement or
intelligence agencies with special tabulations on ethnic groups and other
"sensitive populations" without the approval of senior bureau officials.
In the United Kingdom, it has emerged that
compulsory population transfers were considered for Northern Ireland in 1972. A
top-secret government memo has surfaced describing a plan, drawn up using census
data, to relocate Irish Catholics. Although the plan was never implemented, the
use of census data for non-statistical purposes has caused great concern in Europe.
The Census continues to be controversial in Germany. Since the Census
was instrumental in identifying individuals persecuted by the Nazi regime,
Germans have been sensitive to the administration and planned expansions of the
Census.
In the 1980s, the German Government instituted a law requiring more information
to be provided on the national census. After a public outcry, the law was
challenged in court. The issue was brought before the German Federal
Constitutional Court by representatives who had been instrumental in the
passage of the first German Data Protection Act during the 1970s. The court
found the census law unconstitutional based upon what the court termed a
fundamental right to informational self-determination implicit in the German
Constitution.
DIGITAL RIGHTS MANAGEMENT
Several companies have developed Digital Rights
Management (DRM) systems to prevent the unauthorized use of digital files. DRM technologies
can control file access (number of views, length of views), altering, sharing,
copying, printing, and saving. These technologies may be contained within the
operating system, program software, or in the actual hardware of a device. Some
DRM technology can disable users' machines for unauthorized access to files.
InTether Point-to-Point, for instance, imposes "penalties" for those
who attempt an "illegal use" of a digital file. Penalties include
automatic rebooting of the users' machine, or destruction of the file the user
is attempting to access.
DRM systems take two approaches to securing
content. The first is "containment," in which the content is
encrypted in a shell so that it can only be accessed by authorized users. The second is
"marking," the practice of placing a watermark, flag, or an XrML tag
on content as a signal to a device that the media is copy protected. Some
systems combine the two approaches. Nevertheless, according to an authority in
the field,
DRM systems are vulnerable to cracking by individuals with moderate programming
skills.
These technologies have been developed with
little regard for privacy protection. DRM technology usually requires the user
to reveal his or her identity and rights to access the file. Upon
authentication of identity and rights to the file, the user can access the
content. Under the Digital Millennium Copyright Act, tampering with or
producing "circumvention" tools for copyright control technologies is
illegal.
These systems can prevent anonymous consumption
of content, and could be employed to profile users' preferences or to limit
access to digital books, music, or programs. DRM technologies may "…enable
an unprecedented degree of intrusion into and oversight of individual decisions
about what to read, hear and view."
For instance, a DRM technology called Copyright Agent quietly scans
peer-to-peer networks to discover whether users possess illegal content. If a
copyright violation is found, the program automatically informs the users'
Internet Service Provider that his or her service should be severed.
In February 2002, the European Commission
Information Society Directorate held a workshop on DRM technologies to examine,
among other issues, their effects on privacy. Similar workshops
have also been held at the US Department of Commerce Technology Administration and the Berkeley Center
for Law and Technology.
In February 2002, Sunncomm, Inc., a DRM systems
developer, and Music City Records settled a lawsuit brought by a California
woman who objected to their practice of tracking and disclosing personal
information to third-parties with no opt-out scheme. The settlement
agreement required the companies to provide notice to consumers of their
information collection practices and to refrain from requiring consumers to
disclose their personal information as a condition of downloading, playing, or
listening to a CD.
In June 2002, Microsoft released information
regarding its new "Palladium" initiative, which was renamed in 2003
to "Next-Generation Secure Computing Base." Through software
and hardware controls, Palladium could place Microsoft as the architect of
computer identification and authentication. Additionally, systems embedded in
both software and hardware would control access to content, thereby creating
ubiquitous DRM schemes that can track users and control their use of media and
even access to websites. Microsoft has experienced a delay in its
implementation of Palladium, and now expects to have elements of the system in
place by 2006.
In November 2003, the US Federal Communications
Commission voted unanimously to create a requirement that consumer products be
able to recognize a Digital Broadcast Flag by July 2005. Such a flag will mark
digital content as "protected" and direct devices to limit
individuals' use of the content. EPIC recommended against the adoption of a
Digital Television Broadcast Flag mandate unless it incorporates privacy
protections for viewer data.
In April 2004, the European Commission (the
Commission) advocated passing legislation to unify content licensing, arguing
that the market for digital content will be ineffective without a single
standard for Europe.
Specifically, the Commission called for Community-level regulation of
collecting societies, the companies that administer royalties and license fees
for content owners. DRM systems, too, would have to be interoperable under the
plan. The balance struck among rights holders, media players owners, and users
will have great effect on users' ability to access digital content and to
shield themselves from monitoring.
AUTHENTICATION AND IDENTITY DISCLOSURE
Authentication is the process of verifying a
claim that is being made regarding an identity, an attribute pertaining to an
identity (e.g., "this person is a citizen of the United States"),
or a set of attributes. Traditionally, the greatest demand for secure
authentication solutions has come from enterprises looking to meet their own
intra-organizational security needs, as well as from government organizations
in contexts where national security interests are believed to be at stake. In
recent years, the demand for (and the adoption of) secure authentication
solutions has been sharply on the rise in all kinds of other contexts that
directly affect the privacy of individuals on a scale unimaginable two decades
ago. Much of this is driven by the growing popularity of the Internet and
mobile communication networks, as well as by the rapid increase in PCs and
information appliances such as Web-enabled mobile phones and handheld
computers.
As new authentication architectures are being
developed (through de jure, de facto, and technical standards)
and adopted for an ever-growing number of applications, the privacy of individuals
is being eroded at an unprecedented pace, often with little or no justification
at all. New electronic communication and transaction mechanisms automatically
capture and record identities in central computer systems without individuals
even being aware of it. As more and more personal information is collected and
recorded on central systems, policies and traditional security safeguards to
prevent against leakage and abuse are rapidly becoming ineffective.
Much of this explosive tension between the
(perceived or real) need for authentication on the one hand and privacy demands
on the other can be attributed to a widespread misbelief: namely, that
identification is the same as authentication, and that privacy and
authentication are opposite goals. This misbelief is perpetuated by all kinds
of influential standards organizations. The International Organization for Standardization (ISO), for
example, defines authentication as "the provision of assurance of the
claimed identity of an entity," and the Internet Engineering Task Force (IETF)
defines authentication as "[t]he process of verifying an identity claimed
by or for a system entity." Likewise, at the political level,
authentication and identity are often mistakenly equated.
The actual fact of the matter is that
authentication is a much broader notion than identification. In many contexts,
authentication does not require identification. Indeed, organizations are often
not interested in the identity per se of the person they are dealing
with, but only in the confirmation of previous contacts of that person, the
affiliation of the person to a group, the authenticity of personal data of the
person, the entitlements or privileges of the person, and so on. For example,
to authenticate whether a user is permitted to purchase alcohol, all that needs
to be authenticated is that the user is at least 21 years of age. In this
example, identification of the person would only serve as an indirect means to
accomplish the authentication that is of actual interest ("over 21 years
of age").
In the "old" world, individuals could
easily gain access to services without disclosing their identity, either by
showing the right privileges or entitlements or by providing service providers
with "context-specific" identifiers, such as employee numbers or a
health insurance number. While such identifiers serve to identify users, they
only do so within specific spheres of activity; organizations cannot use them
to cross-profile users across spheres of activity.
Unfortunately, today's most widespread
authentication technologies (such as passwords, biometrics, Kerberos, and PKI)
all fundamentally cause inescapable identification through identifiers that are
globally unique. These identity-based authentication technologies were invented
many decades ago, when open networks were hardly existent, let alone
organizations seeking to securely share personal information over such
networks. Consequently, the only privacy protection that the designers of
traditional authentication techniques had in mind was protection against
wire-tappers and other unauthorized outsiders. Traditional authentication
technologies are not appropriate to address the growing authentication needs in
today's day and age, however, since they enable organizations to track and cross-profile
users on the basis of globally unique identifiers (such as cryptographic keys)
that are inescapably assigned to them.
An equally worrisome trend is the centralization
of authentication powers from different organizations into a single trusted
organization that acts on behalf of all its constituent organizations. In its
original Passport architecture
for example, Microsoft relied on the centralization of all data collected from
Web site visitors in order to provide authentication services on behalf of a
rapidly increasing number of Web sites. Microsoft abandoned this architecture
following privacy complaints from consumer groups and EU officials, as well as a
lack of adoption from service providers who were highly reluctant to entrust
Microsoft with their customer data.
The "federated" authentication
architecture promoted by the Liberty Alliance (an industry
alliance of some 160 key industry players in a wide range of sectors, led by a
number of major companies who were unwilling to delegate their autonomy to
Microsoft in the original Passport initiative) leaves personal data at the
organizations that collect it, and allows for multiple "circles of
trust" to co-exist. However, even this architecture does nothing to
improve the privacy of users: the authentication power (and therefore the
access control power) remains centralized. Specifically, whenever a service
provider deals with a user, it queries in real time the central "identity
provider" in its circle of trust; the identity provider simply returns an
authentication assertion as to the validity of the identity claim of the access
requestor, which the service provider then uses in its own authorization
process. Even though users may be "pseudonymous" towards service
providers (in Liberty Alliance the identity provider assigns different user
names to the same user, one per service provider), they are certainly not vis-à-vis
the most powerful parties in this architecture: the identity providers. Within
each circle of trust, the identity provider can track, trace and link in real
time all interactions between users and organizations. The identity provider
can even impersonate users and falsely deny them access everywhere.
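The properties the paragraph attributes to a circle of trust can be checked on a toy model. This is an added example, not Liberty Alliance code: one identity provider hands each service provider a different pairwise pseudonym for the same user, so the two providers cannot join their profiles, while the identity provider sees every login in real time and can mint an assertion for a user who never logged in. An HMAC stands in for the assertion signature, so in this toy the verification closure holds the same key the issuer uses; a real deployment would verify with the identity provider's public key. Class and function names, user names and passwords are all this example's own.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """The single identity provider of a circle of trust (toy model)."""

    def __init__(self, users):
        self._users = dict(users)                      # constructed user database: user -> password
        self._pseudonym_key = secrets.token_bytes(32)
        self._assertion_key = secrets.token_bytes(32)  # HMAC key standing in for a signing key
        self.log = []                                  # every (user, sp) login the IdP observes

    def pseudonym(self, user_id, sp_id):
        """Pairwise pseudonym: stable for one (user, SP) pair, unrelated across SPs."""
        msg = f"{user_id}\x00{sp_id}".encode()
        return hmac.new(self._pseudonym_key, msg, hashlib.sha256).hexdigest()[:16]

    def _assertion(self, user_id, sp_id):
        body = json.dumps({"sub": self.pseudonym(user_id, sp_id), "aud": sp_id}, sort_keys=True)
        mac = hmac.new(self._assertion_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def login(self, user_id, password, sp_id):
        """Real-time query from an SP: authenticate the user, return an assertion for that SP."""
        if self._users.get(user_id) != password:
            return None
        self.log.append((user_id, sp_id))              # the IdP learns who went where, and when
        return self._assertion(user_id, sp_id)

    def impersonate(self, user_id, sp_id):
        """Nothing in the architecture stops the IdP from asserting without the user present."""
        return self._assertion(user_id, sp_id)

    def verifier_for(self, sp_id):
        """Verification closure handed to an SP (real deployments use the IdP's public key)."""
        key = self._assertion_key

        def verify(assertion):
            expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, assertion["mac"]):
                return None
            claims = json.loads(assertion["body"])
            return claims["sub"] if claims["aud"] == sp_id else None   # reject other SPs' assertions
        return verify


class ServiceProvider:
    def __init__(self, sp_id, verify):
        self.sp_id, self._verify = sp_id, verify
        self.profiles = {}                             # pseudonym -> actions seen at this SP

    def visit(self, assertion, action):
        sub = self._verify(assertion) if assertion else None
        if sub is None:
            return False
        self.profiles.setdefault(sub, []).append(action)
        return True


def linkable(sp_a, sp_b):
    """Can two SPs join their profiles on the pseudonym alone?"""
    return bool(set(sp_a.profiles) & set(sp_b.profiles))


def idp_trail(idp):
    """What the IdP can reconstruct: each user's path across every SP in the circle."""
    trail = {}
    for user, sp in idp.log:
        trail.setdefault(user, []).append(sp)
    return trail


def demo():
    idp = IdentityProvider({"alice": "correct horse", "bob": "hunter2"})   # constructed users
    shop = ServiceProvider("shop.example", idp.verifier_for("shop.example"))
    bank = ServiceProvider("bank.example", idp.verifier_for("bank.example"))
    at_shop = idp.login("alice", "correct horse", "shop.example")
    at_bank = idp.login("alice", "correct horse", "bank.example")
    shop.visit(at_shop, "bought-book")
    bank.visit(at_bank, "checked-balance")
    return {
        "sp_linkable": linkable(shop, bank),                    # False: pseudonyms are pairwise
        "idp_trail": idp_trail(idp),                            # alice seen at both SPs
        "replay_accepted": bank.visit(at_shop, "replay"),       # False: audience check
        "forgery_accepted": shop.visit(idp.impersonate("bob", "shop.example"), "forged"),  # True
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one protection the toy does give the user: an assertion meant for one provider cannot be replayed at another. It does nothing about the two findings the paragraph makes, which the demo returns as `idp_trail` and `forgery_accepted`.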
While such centralized authentication approaches
may meet the needs of large enterprises that want to do employee-related and
supplier-related identity management across their own internal branches, beyond
this restricted context the approach rapidly becomes highly problematic with
regard to privacy. It may even be in conflict with privacy legislation. If
adopted on a government-wide scale, the implications of these privacy-invasive
architectures would certainly be unprecedented.
In an electronic world, if at the technical level
(by analyzing the electronic data flow) everything is inescapably identifiable
through globally unique identifiers, privacy legislation becomes virtually
meaningless; how can one force organizations not to collect identifiable
information when they cannot prevent it from being delivered to them? The only
way out of the seeming conflict between authentication and privacy is to resort
to authentication technologies that technically separate the notion of
authentication from that of identification. Two decades of research in
cryptography have demonstrated that secure authentication and privacy are not
trade-offs, but that they are in fact mutually reinforcing when implemented
properly. Using techniques that are rooted in modern cryptography, such as
Digital Credentials,
it is entirely feasible to do secure authentication without necessarily
requiring identification. For instance, role-based authentication can be
implemented in such a manner that the access requestor cannot be identified.
More generally, privacy-preserving authentication
techniques allow each party involved in the electronic processing and
forwarding of privacy-sensitive information to securely retain fine-grained
control over the information, even as the information is electronically
transmitted beyond corporate firewalls and across arbitrary organizational
domains. At no point in the chain of electronic information transfer from one
party to the next will any party be able to learn more than precisely that
which its sender expressly allows.
Each time when implementing a new authentication
measure for an existing or new transaction mechanism, it is imperative that
designers and adopters analyze how much personally identifiable information
really needs to be disclosed for the purposes of authentication. Assuming the
information disclosure is found to be necessary and proportionate with respect
to the nature of the transaction, they should then seek to implement security
needs using authentication technologies that protect privacy, instead of
resorting to approaches based on inescapable identification.
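The "over 21" check from earlier in this section, carried out without identifying the requester. This is an added example and not Brands' Digital Credentials: the issuer derives the predicate once, signs salted hash commitments to the attributes rather than the attributes themselves, and the holder opens only the one attribute a relying party needs. An HMAC stands in for the issuer's signature, so the verification closure holds the issuer's key in this toy. The last function shows the limit of this simplification and is the caveat a practitioner needs: the signature value is itself a globally unique identifier, which is precisely what the blind-signature and zero-knowledge showing protocols of real Digital Credentials remove. All names, dates and function names are this example's own.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date


def commit(salt, name, value):
    """Salted hash commitment to one attribute; reveals nothing without the salt."""
    return hashlib.sha256(salt + f"{name}={json.dumps(value)}".encode()).hexdigest()


def age_on(dob_iso, today_iso):
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


class Issuer:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC key standing in for a signing key

    def issue(self, attributes, today_iso):
        """Derive the predicate at issuance and sign commitments, not values."""
        attrs = {**attributes, "over_21": age_on(attributes["dob"], today_iso) >= 21}
        salts = {n: secrets.token_bytes(16) for n in attrs}
        commitments = {n: commit(salts[n], n, v) for n, v in attrs.items()}
        body = json.dumps(commitments, sort_keys=True)
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"attrs": attrs, "salts": salts, "commitments": commitments, "sig": sig}

    def verifier(self):
        """Verification closure for a relying party (a real deployment: the issuer's public key)."""
        key = self._key

        def verify(presentation):
            body = json.dumps(presentation["commitments"], sort_keys=True)
            expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, presentation["sig"]):
                return None                          # signature does not cover these commitments
            revealed = {}
            for name, (salt, value) in presentation["revealed"].items():
                if commit(salt, name, value) != presentation["commitments"].get(name):
                    return None                      # opened value does not match its commitment
                revealed[name] = value
            return revealed                          # only what the holder chose to open
        return verify


def present(credential, reveal):
    """Holder opens only the named attributes; everything else stays a bare hash."""
    return {
        "commitments": credential["commitments"],
        "sig": credential["sig"],
        "revealed": {n: (credential["salts"][n], credential["attrs"][n]) for n in reveal},
    }


def can_buy_alcohol(verify, presentation):
    """Attribute check: the requester is never identified, only shown to be over 21."""
    revealed = verify(presentation)
    return bool(revealed) and revealed.get("over_21") is True


def presentations_linkable(p1, p2):
    """Caveat: the signature is a globally unique identifier, so two showings of the same
    credential are linkable by any verifier that sees both. Removing it is what blind
    signatures / zero-knowledge showing protocols are for; this toy does not do that."""
    return p1["sig"] == p2["sig"]
```

Two design choices carry the privacy property: the issuer evaluates the age predicate itself, so the date of birth never has to be opened, and the relying party gets commitments plus one opened value rather than a record it could store and join. Both hold regardless of the signature scheme; the linkability caveat is the part that does depend on it.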
WHOIS
In the first quarter of 2004, more than 4.7 million new domain names were
registered. This brings the total number of registrations to an all time high
of 63 million domain names. Registrants include large and small businesses,
individuals, media organizations, non-profit groups, public interest
organizations, political, and religious organizations, and support groups.
These domain name registrants share their services, ideas, views, activities,
and more by way of websites, e-mail, newsgroups, and other Internet media.
Registrants are required to provide information in the registration process,
which is then made publicly available.
The Internet Corporation for Assigned Names and
Numbers (ICANN), a private-sector corporation that coordinates policy for the
Internet's domain name and addressing systems,
has established contractual arrangements with the registries that manage the
top-level domains and the registrars that sell the domain names to the
registrants. ICANN requires public disclosure on the Internet of domain name
registrants' contact information (such as mailing address, phone number and
e-mail address), administrative contact information, technical contact
information, domain name and servers, and other information. This information
is referred to as "WHOIS" data. Its public availability has generated
concerns over privacy protection.
Under ICANN's WHOIS policy, Internet users are
unable to register for a domain anonymously. The WHOIS database broadly exposes
domain name registrants' personal information to a global audience, including
criminals and spammers.
Anyone with Internet access has access to WHOIS data, including stalkers,
corrupt governments cracking down on dissidents, spammers, aggressive
intellectual property lawyers, and police agents without legal authority. Even those
speaking out for human rights cannot conceal their identity. While it is true
that some registrants use the Internet to conduct fraud, most domain name
registrants do not, and many have legitimate reasons to conceal their
identities and to register domain names anonymously. For example, political,
artistic and religious groups around the world rely on the Internet to provide
information and express views while avoiding persecution. Concealing actual
identity may be critical for political, artistic, and religious expression.
WHOIS data lends itself to both good faith and
bad faith uses, and investigating fraud is only one of many uses of WHOIS data.
There now exist various automated data mining procedures that provide bad-faith
users with access to large amounts of personal data at a time, rather than just
individual queries. Web-based WHOIS services now have to complicate their
access procedures, for example, requiring users to enter number codes before
they can retrieve information. The WHOIS database was not originally intended
to allow access for such a variety of purposes. The original purpose of WHOIS
was instead to allow network administrators to find and fix technical problems
with minimal hassle in order to maintain the stability of the Internet.
ICANN's WHOIS policy requires that registrants
provide accurate WHOIS information, or otherwise forgo a domain name. If a domain
registration is suspected of containing inaccurate information, registrants are
contacted and given a very limited amount of time to address the problem. Data
entered at registration may change in the real world, and registrants may forget
to update it. They may lose their domain if they are unable to respond quickly
to any attempts to contact them. Privacy experts have noted that a policy
requiring accurate WHOIS data and then publicly disclosing the data creates
serious implications for free speech.
The ICANN WHOIS policies conflict with national
privacy laws, including the EU Data Protection Directive, which require the
establishment of a legal framework to ensure that when personal information is
collected, it is used only for its intended purpose. At a recent ICANN meeting,
George Papapavlou, a representative from the European Commission stated that if
the original purpose of the WHOIS database is purely technical, the rights of access
to and collection of that information pertain solely to that original purpose. Speaking at the
"Freedom 2.0" conference held by EPIC in May 2004, Vinton G. Cerf,
the President of ICANN, confirmed directly that the original purpose of WHOIS
was indeed purely technical.
As personal information in the directory is used for other purposes and ICANN's
policy keeps the information public and anonymously accessible, the database
could be found illegal according to many data protection laws including the European
Data Protection Directive.
Under European law, technical users would be the
only ones with a legitimate claim to the information. While intellectual
property lawyers and law enforcement officials claim the WHOIS database must
retain all its current data in its public form as a resource for
investigations, the fact that the WHOIS database was originally created for
technical purposes makes it clear that such claims to the database would be
inconsistent with its original purpose.
In 2003, ICANN's Generic Names Supporting
Organization (GNSO) began a policy development process identifying three
issues (access, data and accuracy) and creating task forces to study and make
recommendations on each. EPIC is serving on one of the WHOIS task forces. The outcome
of the WHOIS Policy Development Process will have a significant impact on
privacy, civil liberties, and freedom of expression for Internet users. Civil liberties
groups and the Non-Commercial Users Constituency of ICANN have
urged ICANN to limit the use and scope of the WHOIS database to its original
purpose, which is the resolution of technical network issues, and to establish
strong privacy protections based on internationally accepted privacy standards.
This limitation would entail restricting access to the data, minimizing data
required to only that needed for technical matters, and not penalizing
registrants for protecting their personal information by entering inaccurate
personal data elements.
The task forces have drafted reports on WHOIS policy
in these three areas, yet it is unclear whether the recommendations will
improve privacy protections. Some of the recommendations entail more privacy
risks than safeguards. At the same time, some of the better recommendations,
including some restrictions on access and data required, may not be accepted by
the GNSO Council and the ICANN Board should they decide to rule on the policy
development. After three years, this policy development process, including the
establishment of previous task forces, has not made any strides in the
protection of privacy, and the current problematic policy remains.
While ICANN has considerable authority over the
development of WHOIS policies for the generic top-level domains (gTLDs), such
as .com, .org, and .net, it is unclear whether ICANN will be able to exercise
similar control over the country-code top-level domains (ccTLDs), such as .uk
and .de, which may choose to follow national policies. Significantly, ccTLDs
are moving to provide more privacy protection in
accordance with national law. For example, regarding Australia's TLD, .au, the
WHOIS policy of the .au Domain Administration Ltd
(auDA) states in section 4.2, "In order to
comply with Australian privacy legislation, registrant telephone and facsimile
numbers will not be disclosed. In the case of id.au domain names (for
individual registrants, rather than corporate registrants), the registrant
contact name and address details also will not be disclosed." In addition,
auDA does not allow bulk access to WHOIS data, which ICANN's gTLDs do. It is unclear
what, if any, indirect effect the GNSO WHOIS policy development will have on
the policies of ccTLDs.
The ICANN WHOIS policy process has continued for
several years, yet has failed to resolve the privacy risks faced by Internet
users that result directly from ICANN's own data practices.
The World Summit on the Information Society
(WSIS) is the first in the series of United Nations (UN) summits that deals
with information society issues.
Preparations for the summit, which were set up by the UN General Assembly in
2001, took more than two years, with a number of regional and global
preparatory meetings. The task of the Summit is not a small one: to develop a
"common vision of the information society." Because of the general
feeling that this could not be done by governments alone, the summit process
allowed limited participation of observers in a proposed
multi-stakeholder process.
The outcome of the Summit will be a political statement by
the leaders of the world, rather than a binding legal document. At the December
2003 Summit, governments
adopted a Declaration and Plan of Action, and established a UN Working Group on Internet Governance. The
second phase involves the implementation of the Plan of Action as well as the
consultations and final report of the Working Group on Internet Governance.
How big the Summit's impact
will be in the end will depend more on the momentum and networks created by the
summit process than on the two texts it adopted. In the end this is actually
beneficial in the interest of privacy and human rights development, as the
texts themselves fell short in these areas. Civil society worked to improve
these documents, to center them around human rights, but was forced to issue
separate documents: "Shaping Information Societies for Human Needs: Civil
Society Declaration to the World Summit on the Information Society,"
and "Civil Society Essential Benchmarks for WSIS."
As the idea for the summit had
developed first in the International Telecommunications Union (ITU), the
telecommunications body of the UN, the initial focus was very
technology-centred. It was based on the general assumption that the widespread
use of information and communication technologies (ICTs) would foster
development and help democracy. Mainly because of the efforts of a global
coalition of activists and academics from civil society groups, the general
discussion moved from "information" (read: ICTs) to society over the
course of the summit preparations. One outcome was that human rights gained a
prominent place in the summit Declaration and Plan of Action that were adopted
by the summit in Geneva.
The Universal Declaration of Human Rights is underlined in the first paragraph
of the summit declaration, and its article 19 on freedom of speech is quoted as
"central to the Information Society."
Because the summit preparations took place in the context of the global
"war on terrorism," one of the most discussed topics was security.
The United States and the Russian Federation in particular put
an emphasis on this matter. This was reinforced by developments in other
international organizations, like the Council of Europe,
the OECD or even the UN General Assembly,
where cyber-security or similar topics have moved up the agenda in recent
years. The respective paragraph of the WSIS summit declaration ends with an
explicit reference to the war on terrorism: "It is necessary to prevent
the use of information resources and technologies for criminal and terrorist
purposes, while respecting human rights."
With such prominent interests
behind it, the protection of privacy was not a goal. The first drafts of the
summit declaration made no reference to privacy at all. Civil society groups
were concerned about the strong focus on security in the whole text. In their
view, security is a vague political goal that can be higher or lower on the
agenda depending on day-to-day politics. Privacy and other human rights and
civil liberties, on the other hand, are constitutional fundamentals of every
democracy that must not be violated for the sake – or, as often is the case,
under the guise – of security.
The international NGO network
active in the WSIS-process, mainly the Privacy and Security Working Group and
the Human Rights Caucus, advocated for the insertion of a new paragraph
specifically on privacy and for placing it at the beginning of the
"security" section of the summit declaration.
It would have made clear that privacy is given clear priority, especially in the
information society, where the trafficking, processing and misuse of personal
information have become bigger than ever before in the history of human rights.
However, the whole debate in the
intergovernmental drafting group on security was too much centred around the
security language, so that no delegation wanted to insist strongly on privacy.
Privacy was mentioned in the summit declaration at all only thanks to the
efforts of the European Union, Switzerland, Brazil, Australia and a few other countries. It
now calls for a "global culture of cyber-security," in particular for
strengthening a "trust framework, including information security and
network security, authentication, privacy and consumer protection."
Here, privacy and security as well as authentication and consumer protection
are seen as parts of a holistic strategy. Only "within this global culture
of cyber-security, is [it] important to enhance security and to ensure the
protection of data and privacy, while enhancing access and trade," the
summit declaration continues. Privacy did not gain nearly such a prominent role
as freedom of speech or other human rights.
Even the private sector itself
had suggested more specific privacy language in the summit declaration. The
Coordinating Committee of Business Interlocutors, for example, that had been
set up for the WSIS by the International Chamber of Commerce, had asked for
"effective privacy protection of personal data."
The Plan of Action that was also
adopted by the summit is generally vague. It was intended to facilitate the
implementation of the principles espoused in the Declaration and to provide
concrete measures of progress toward the vision of the Information Society.
Besides some initiatives like linking every school and library in the world to
the Internet by 2015, there are no clearly defined benchmarks or schedules for
implementation. This will be one of the main tasks for the second phase of the
summit that ends in Tunis in
November 2005.
The paragraph of the action
plan that deals with security and privacy does not mention the "war on
terrorism," but is still mainly focused on security and makes an implicit
reference to the Council of Europe's Convention on cybercrime. Of the 10
initiatives suggested by the action plan in the context of security and
privacy, only one specifically mentions privacy.
Only the third paragraph mentions privacy alone.
It only calls for "user education and awareness," specifically about
"online privacy and the means of protecting privacy." There is no
reference to specific measures or initiatives governments or private
corporations should take as the major users of personal information.
It remains to be seen if any meaningful
initiatives in favor of privacy will develop in the second phase of the summit.
Civil society groups could here play an active role because of the summit's
multi-stakeholder approach, but they would need the political backing of some
influential governments.
The
convergence of communications networks, computers and mass media into an
interactive network combining television and the Internet is the next
progression of the technology currently being developed. Already, the new boxes
are replacing the traditional cable TV set-top box with an interactive device
that also includes the functions of a limited personal computer and video
recorder. At the same time, personal computers are regularly equipped with TV
tuner cards to handle advanced video operations.
The designers of these
new appliances paint a pleasant picture of the conveniences that will be
available with these new systems. They anticipate that viewers will be able to
make spur of the moment purchases over their boxes, based on what their
favorite star is wearing or on an individually tailored ad that appears between
shows. Communities will be formed as people chat live about the plots of their
favorite shows or sporting events. Vast libraries of movies and shows will be
available for renting on demand by just pressing a button on the remote
control. The industry calls this "T-Commerce" for Television
Commerce. Millions of users are expected to be using these devices in just the
next few years, and the ad revenue to justify the new expensive boxes is
expected to hit USD 5 billion by 2004.
Interactivity has been
the dream of the television industry since the invention of the TV. For several
decades, there have been a series of expensive tests that have failed because
the technology has been crude and expensive. The change that now makes ITV possible is the evolution of
the Internet and its underlying protocols and the advancement of digital
television. These protocols are now being used to allow for interactive
high-speed access to the Internet over existing cable lines. Slowly,
intelligent cable TV boxes, which connect to broadband and interactive cable
systems, are being deployed.
Several companies have
jumped into this new market in the last few years. The largest players are
America Online and Microsoft. Microsoft purchased WebTV in 1998 and has also
been including interactive television abilities in their operating systems for
several years. Thus far, because of poor service, little interactive
programming, and relatively high prices, the number of users has not significantly
grown. They also are hampered by the need to use telephone lines to communicate
with the service in most areas as cable lines are slowly becoming converted to
interactive communications. America Online has announced that it will start
deploying AOL TV in the United States in 2000. When its merger with media giant Time-Warner is
complete, it will have control over a significant portion of the cable
television lines and television shows in the United
States. It is expected that AOL will use
that market power to force the development of more interactive television and
the deployment of interactive boxes that will be capable of tracking users even
if they do not wish to use the functions.
Meanwhile, there are
other companies that have developed devices that will automatically record
television shows for viewers and make recommendations for new shows based on
viewers' previous behavior. The new systems are being designed, like their
Internet predecessors, to track every activity of users as they surf the net
through the boxes. They also are being designed to track the shows and
commercials users watch and to use that information to tailor advertising for
the greatest effect. Rupert Murdoch said in the NewsCorp annual report,
"It will tell us not only who our customers are, but what they buy, what
they watch, what they read and what they want." George Orwell's vision of the television that watches you
will soon be a standard consumer appliance.
Even where systems are
designed not to report back this kind of information, there is increasing
pressure from the content industries to build systems this way so that they can
monitor viewer's habits and protect against copyright infringement. This year,
SONICBlue Inc., the maker of Replay TV, a personal video recorder, was sued by
the entertainment studios who argued that features allowing users to pause,
fast forward, and skip commercials violated their copyrights. As part of the
lawsuit, the studios requested all data that the company had on its customers
viewing habits, including what shows were recorded, watched, and forwarded to
friends. Because the ReplayTV 4000 product did not transmit this sort of data
back to the company, SONICblue had no data to provide to the studios. It was,
therefore, ordered by a court to re-engineer its product and install software
to record TV usage data and transmit that data back to SONICblue so that it
could then be turned over to the studios. This order was overturned in May 2002
but the issue is likely to resurface.
Unlike personal
computers that give users control over their actions and choices, the new ITV
systems are generally based on a sealed "black box" controlled by the
company that gives the user little or no control. In the WebTV box, users are
not able to refuse cookies or delete them afterwards. The systems are closed
and it is difficult, if not impossible, for even advanced users to identify
what the system is doing. It will also prevent users from being able to use
their own software.
There are other
significant differences in that the media is more top-down and corporatized
than the Internet, which is decentralized and allows nearly any user to set up
his own web site and become a content producer. Many of the ITV providers
describe their systems as "closed gardens" that will only show
content in which the providers have a financial interest. Other information
will either be banned or be slower or more difficult to locate and view.
Some video game
consoles provide an Internet access functionality that requires subscribers to register much of their
personal information (name, address, telephone number, e-mail address, credit
card number, etc.). The game console's hard disk also records all the games played
and their patterns, names of all the players involved in a game, scores
obtained, and other similar information, and transmits the data to the console
manufacturer the next time the player connects. The next generation consoles (Xbox 2, PlayStation 3 and
PSX) that will be launched in 2005 clearly aim at ousting interactive TV
set-top boxes from the center of home entertainment by offering, in addition to
games, the same services as set-top boxes: personal video recorder (such as
Tivo and ReplayTV), e-commerce, e-mail, web access, photo albums, DVDs, home
movie and music.
Genetic data poses unique privacy issues because
it can serve as an identifier and can also convey sensitive personal
information. Not only does genetic information provide something like a
fingerprint through variations in genetic sequences; it also provides a growing
amount of information about genetic diseases and predispositions.
Errors in the genetic code are responsible for an
estimated 3,000 to 4,000 hereditary diseases, including Huntington's disease,
cystic fibrosis, neurofibromatosis, Duchenne muscular dystrophy, and many
others. Furthermore, altered genes are now known to play a part in cancer,
heart disease, diabetes, and many other common diseases. In these more common
and complex disorders, genetic alterations increase a person's risk of
developing that disorder. The disease itself results from the interaction of
such genetic predispositions and environmental factors, including diet and
lifestyle.
In addition to indicating predisposition to
disease, "genes do appear to influence behavior." Although the
findings are controversial and far from conclusive, genes have been found to
influence homosexuality, thrill seeking and tendencies towards violent criminal
behavior.
Twin and adoption studies have shown that "nearly all behaviors that have
been studied show moderate to high inheritability – usually to a somewhat
greater degree than do many common physical diseases."
The prevailing scientific opinion is that most
behavior and human diseases are not the result of a single mutation or gene.
Rather, most facets of human development "represent the culmination of
lifelong interactions between our genome and the environment." Currently
available scientific knowledge thus does not seem to provide a strong link
between an individual's genetic sequence and that person's eventual development
of disease or personality traits; such conclusions are matters of probability
and must be interpreted accordingly.
However, it is an area of scientific development
that is undergoing rapid change and the body of knowledge about the human
genome is increasing rapidly. The human genome sequence was published in
February 2001, immediately kicking off a debate of the future of genetic
technology and its impact on society – including privacy. For example,
United States Senators James M. Jeffords and Tom Daschle have commented,
"[o]ne of the most difficult issues is determining the proper balance
between privacy concerns and fair use of genetic information."
Both the general public and scientific researchers
have recognized that safeguards for genetic information are needed. For
example, polls have found that 86 percent of adults believe that doctors should
ask permission before conducting any genetic testing and 93 percent believe
that researchers should do the same before any analysis. Dr. Francis S.
Collins, Director of the National Human Genome Research Institute, has observed
that "in genetics research studies, we are seeing individuals who opt not
to participate in research because of their fear that this information could
fall into the wrong hands and be used to deny them a job or a promotion." Privacy concerns
about genetic testing are heightened by the potential that test results may be
inaccurate because of quality control problems in testing laboratories. A 1999
survey of genetic testing facilities found that of the 245 laboratories
examined, 36 failed to meet high quality assurance standards.
Unlike fingerprints, DNA sequences are not unique
(identical twins have different fingerprints but the same DNA profiles). DNA
identification works by comparing particular regions of two samples and looking
for differences rather than comparing entire DNA sequences. Identification is
actually a process of combining several such comparisons and calculating the
probability that the two samples are a false match.
Reliable identification
requires that samples be handled carefully to prevent contamination, that a
sufficient number of segments be compared, and that laboratory technicians meet
an appropriately high threshold for acceptable probability of a chance match. "Provided that tests are
actually looking at different regions of the genome, and provided that the
genetic patterns aren't 'structured' within a community by inbreeding, using
multiple tests can reduce the chance of a false match from one in a hundred to
one in a million or even one in 500 million. But they can't entirely eliminate
the chance of a false match."
In the United States,
the standard for forensic identification requires a comparison of 13 DNA
segments. According to an FBI spokesman, "[t]here's a
greater chance that you'll find a close match as the databases get
bigger."
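The arithmetic behind the two quotations above, as an added illustration that is not part of the original report: per-region match probabilities are multiplied under an independence assumption, and the resulting profile-level figure is then applied once per profile in the databank, which is why adventitious matches grow with database size. All per-locus values below are constructed for the example, not real allele frequencies.

```python
import math
from typing import Sequence

# Constructed per-locus random-match probabilities (hypothetical, not real
# allele frequencies): the chance that two unrelated people share the
# genotype at one region of the genome.
THREE_LOCUS_PROBS = [0.01] * 3      # three tests, each "one in a hundred"
THIRTEEN_LOCUS_PROBS = [0.1] * 13   # constructed 13-segment profile, 1 in 10 each


def random_match_probability(locus_probs: Sequence[float]) -> float:
    """Combine per-locus match probabilities into one profile-level figure.

    Uses the product rule, which assumes the regions are independent: the
    "different regions of the genome" and "not structured by inbreeding"
    conditions quoted in the text. If those fail, the product is too small
    and the false-match risk is understated.
    """
    if not locus_probs:
        raise ValueError("need at least one locus")
    rmp = 1.0
    for p in locus_probs:
        if not 0.0 < p <= 1.0:
            raise ValueError(f"per-locus probability out of range: {p}")
        rmp *= p
    return rmp


def prob_adventitious_match(rmp: float, db_size: int) -> float:
    """Probability that a profile matches at least one unrelated person
    among db_size stored profiles: 1 - (1 - rmp) ** db_size.

    Written with log1p/expm1 so tiny rmp and multi-million db_size do not
    lose precision.
    """
    if db_size < 0:
        raise ValueError("database size cannot be negative")
    return -math.expm1(db_size * math.log1p(-rmp))


def expected_adventitious_matches(rmp: float, db_size: int) -> float:
    """Expected number of chance matches when a profile is searched
    against db_size unrelated profiles (linear in database size)."""
    return rmp * db_size


if __name__ == "__main__":
    # Three independent 1-in-100 tests give the "one in a million" of the text.
    three = random_match_probability(THREE_LOCUS_PROBS)
    print(f"3 loci at 1/100 each -> random match probability {three:.1e}")

    # A constructed 13-segment profile is far rarer per comparison ...
    thirteen = random_match_probability(THIRTEEN_LOCUS_PROBS)
    print(f"13 loci at 1/10 each -> random match probability {thirteen:.1e}")

    # ... but the chance of *some* chance match still rises with database size.
    for size in (100_000, 2_500_000, 50_000_000):
        p = prob_adventitious_match(three, size)
        e = expected_adventitious_matches(three, size)
        print(f"db of {size:>10,}: P(at least one chance match) = {p:.3f}, "
              f"expected chance matches = {e:.2f}")
```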
Besides false matches, some criminals have reportedly become savvier at
manipulating results of DNA identification.
In England, a police union has stopped officers from giving voluntary DNA
samples in a DNA sweep to catch a rapist, although policemen's fingerprints are
routinely included in forensic fingerprint databases.
Law enforcement agencies worldwide are
increasingly relying upon DNA evidence. According to the 2002 global survey by
Interpol, 77 of its 179 member countries perform DNA analysis and 41 member
countries have forensic DNA databanks, which include both physical samples and
databases of DNA profiles.
As of 2003, 36 of 46 European Interpol members performed forensic DNA testing,
and 26 of them allow international exchange of information. The percentage of
members having DNA databanks is predicted to double in the next few years.
To facilitate exchange
of DNA information between member states, Interpol set up a DNA database pilot
project in July 2003. Profiles sent to Interpol are in standardized numeric
format and additional information about name, or the crime to which the
individual is connected, is not required. If a match is recorded, police forces
of the two countries communicate directly. The first "hit" on the
Interpol database was recorded in 2004 when one of the DNA profiles submitted
by the Slovenian authorities was matched to a profile sent to Interpol
by the Croatian police.
The United Kingdom has the largest forensic DNA databank in the world, which
holds over 2.5 million samples of those who have been charged with one of a
list of offenses. Since April 4, 2004, those who have been arrested but not charged are included
in the databank.
Britain has
recently passed a law allowing collection of DNA samples from those who were
arrested for drunk driving, even if they were not convicted. In a recent decision, the House of Lords ruled that the
law permitting retention of DNA samples taken from individuals who are later
acquitted or against whom charges are dropped does not violate the European
Convention on Human Rights. A pilot project is also underway in the British city of Bristol to collect DNA
samples from 25,000 babies and their parents as part of a national DNA database
that could be used for law enforcement. Several Australian states have been considering laws that
would permit the creation of a national DNA database. Israel has also been considering such a database.
The rules for inclusion in forensic DNA databanks
and the rules that govern access to data, physical specimen retention, and
privacy protections differ from country to country. In countries that operate
under federal systems, such as the United States and Australia, rules for
forensic DNA databanks can vary from jurisdiction to jurisdiction. Several
European nations have expanded their databanks by including new categories of
offenses (e.g., burglaries) or classes of offenders (e.g.,
violent offenders). Additionally, some nations include profiles of suspects or
arrestees, either based on the crime for which they are arrested or based on
the length of expected sentence if convicted. Some nations remove or expunge
either profiles or underlying samples, but there are nations that do not. For
example, the UK maintains all samples and profiles indefinitely.
In the United States, trends are also toward
expanding forensic DNA databases. As of 2004, 34 states collect profiles of all
felons.
In the US, judges and courts have issued warrants, indictments and even
convictions based solely on DNA identification. In the UK, a man was found and charged on
the basis of a family member's DNA found in the UK DNA databank.
DNA identification is also used in order to
exonerate previously convicted criminals. One of the best-known efforts is the
Innocence Project. This clinical law program provides legal assistance to
persons challenging their convictions based on DNA evidence. As of June 2004,
144 individuals have been exonerated as a result of the work by the Innocence
Project.
On the basis of the proportion of cases that have been overturned and related
FBI data, the Innocence Project estimates that thousands of individuals wrongly
convicted could be freed if provided with easier access to DNA testing. Similar Innocence
Project programs have also started at the University of Wisconsin Law School,
the University of Washington School of Law and the Santa Clara University of
Law.
Despite the recognition of limitations in
DNA-based identification, there is a push for more and larger DNA databases.
Forensic DNA databases were originally created for tracking violent sex
offenders, but have expanded in purpose and scope. "In less than a decade,
we have gone from collecting DNA from convicted sex offenders – on the theory
that they are likely to be recidivists and that they frequently leave
biological evidence – to data banks of all violent offenders; to juvenile
offenders in 29 states; to testing of persons who have been arrested, but not
convicted of a crime."
In the United States, local, state and federal law enforcement agencies
contribute DNA profiles from crime scenes and those convicted of violent crimes
into a national database to look for potential matches. In April 2003,
the Bush Administration proposed that DNA profiles from juvenile offenders and
from adults who have been arrested but not convicted would be added to the
FBI's national DNA database.
The White House also indicated it would spend about USD 1 billion over five
years to promote the use of DNA for law enforcement purposes.
Other, non-law enforcement related DNA databases
have also emerged for use in identification. Since the early 1990s, all
personnel serving in the United States Armed Forces have been required to
submit DNA samples to ensure later identification. As of May 2001, the United
States military's DNA depository contains 3.3 million samples, including
samples from active duty and reserve personnel and some military contractors. At the conclusion
of military service, individuals have the right to request that their samples
be destroyed. However,
the program has faced resistance within the military's own ranks. In 1996, two
United States Marines faced court-martials when they refused to provide DNA
samples for the identification program.
In addition to government-related DNA
identification, a new industry – paternity testing – has emerged, placing large
amounts of genetic data wholly under private sector control. Despite the
controversy surrounding law enforcement collection of DNA, a larger proportion
of genetic identification is done to establish paternity. In the United States,
part of the reason for the rise in paternity DNA testing is federal
requirements for identifying fathers in order to receive child support. Paternity testing
previously required blood samples and was more difficult to perform than
currently used DNA tests – which may only require a few strands of hair.
Advances in technology have made genetic testing
easier and faster. According to genetic testing companies, kits costing USD 100
to USD 2,000 are available for over 400 diseases with hundreds more on the way. The easy
availability of tests vastly increases the amount of information at an
individual's disposal. However, it is important to remember that for disorders
that involve the interaction between multiple genes and environmental and
lifestyle factors, the links between genes and disease are not well understood.
Genetic information may provide some indication of vulnerability, but it is not
possible to say whether or not a specific individual will develop the disease,
when disease might develop, or how severe it will become. For example, the
Washington Post reported in 2003 that researchers had identified a gene variant
associated with developing depression after exposure to stress. People with that
variation are more than twice as likely as people with the common
version of the gene to react to a traumatic event by becoming depressed.
Nevertheless, 57 percent of people with the mutated gene never became depressed
and 17 percent of people without the mutation developed depression in response
to similar crises.
Several countries, such as Iceland and Estonia,
are building nationwide DNA databases for medical research. Many of these
undertakings are encouraged by pharmaceutical companies and other business
enterprises looking to profit from new medical procedures and services. Some
efforts have been made to establish legal frameworks for these databanks. Nevertheless, Iceland's
Supreme Court ruled in the spring of 2004 that the Health
Database Act of 1998, which created the national DNA databank, does not comply
with the country's constitutional privacy protections.
While genetic screening has become easier and
cheaper, treatment of genetic disease lags behind. Thus, while someone may have
the ability to determine if they are at high risk of disease, many people may
choose not to find out due to the inability to take any precautionary measures.
The concept of a "right not to know" would apply in these situations,
allowing a person to control the knowledge about whether she has a certain
genetic make-up.
For example, Huntington's disease is an inherited
neurological disease whose symptoms typically begin in a person's 30s or 40s and
which results in death after an extended deterioration of both mental and physical
control. There is no
treatment for the condition, yet a reliable test for Huntington's does exist.
The inheritability of the disease is straightforward: each child of a person
with Huntington's has a 50 percent chance of also being affected. The
resistance to knowing one's propensity for Huntington's is borne out in surveys
finding that only 66 percent of those at risk of developing Huntington's would
test themselves with 15 percent of that group indicating they would contemplate
suicide if they tested positive. Of those indicating that they would not want
to test themselves, 30 percent indicated they would consider suicide if they
did find out that they would manifest the disease. Due to the
emotional and psychological impact that such information would have, many
people in these situations exercise their "right not to know" by
refusing to test themselves.
In practice, maintaining a "right not to
know" can be difficult. Because Huntington's is inherited so simply,
one family member's decision to test herself for Huntington's can reveal
information about other family members. For example, if a daughter decides to
test herself for Huntington's due to a history of the disease through her
mother's side of the family, a positive result would show that her mother must
also carry the gene, compromising the mother's desire not to know. (A negative
result tells her nothing definite about her mother, who may still carry it.)
More problematic than the inability to properly
interpret genetic test results is the possibility that individuals will not be
able to control when genetic testing is conducted or how the results are used.
The two most controversial areas of genetic testing are in the workplace and
the provision of medical and life insurance.
As genetic databases become more common
worldwide, there has been a concurrent rise in the use of testing by employers.
Although there are legitimate uses of genetic testing, such as the prevention
of occupational diseases, there is also concern that employers will use these
tests to discriminate against current or potential employees. Without legal
intervention, information indicating, for example, whether someone is prone to
a debilitating illness or even an "undesirable" condition (such as
laziness or depression) may be used by employers to discriminate against
employees.
Genetic screening in the workplace has been
conducted for decades but, based on limited polling of employers, still seems
relatively rare when compared to general medical information accessed by
employers. Some of the earliest genetic screening took place as early as the
1960s. Dow Chemical conducted genetic monitoring (genetic tests conducted over
time to detect possible mutagenic effects of the workplace environment) from
1964-1977.
In 1982, a United States federal government survey found that 1.6 percent of
companies were using genetic testing for employment purposes.
Despite the uncertainty about how commonly
workplace genetic testing takes place, it has happened. In 1994, employees at
the Lawrence Berkeley National Laboratory at the University of California - Berkeley
discovered the laboratory's surreptitious practice of testing its employee
blood and urine samples for syphilis, sickle cell anemia and pregnancy. The laboratory,
funded by the United States Department of Energy, conducts non-classified
research and had been testing its employees for decades. In subsequent
litigation, the government argued that since its employees had agreed to a
general medical examination, they had no reason to expect that genetic testing
would not also be conducted. The government also argued notice was provided via
a list of tests to be conducted posted on an examining room wall. The
government prevailed in the federal district court, but the United States Court of Appeals
for the Ninth Circuit reversed and concluded the conditions being tested for
raised "the highest expectations of privacy." In 2000, the
laboratory settled with employees for USD2.2 million, ceased conducting the
tests and allowed earlier test results to be reviewed and deleted.
More recently, in February 2001, an employee of
the Burlington Northern Santa Fe Railroad in the United States sued the company
for conducting tests for a genetic predisposition associated with carpal tunnel
syndrome. The company had allegedly collected blood samples from 125 employees
and tested 18 of those samples without employee consent. The employee filing
the suit had refused to contribute a blood sample and was told he would be
investigated. The lawsuit alleges violation of disability law and existing
legal prohibitions on genetic testing by employers.
While tied to workplace genetic testing in the US,
where employers often provide and pay for health insurance, genetic testing has
also been directly used in the underwriting of life and medical insurance. In
February 2001, Norwich Union Life, one of Britain's largest insurers, admitted
using genetic tests for breast and ovarian cancer and Alzheimer's disease to
evaluate applicants. Moreover, Norwich Union Life was violating the industry's
code of conduct since the genetic tests had not been approved by the
government's Human Genetics Commission.
The controversial practice resulted in some individuals paying higher insurance
premiums based on genetic predispositions, creating political pressure to
outlaw the use of genetic data by insurers in the United Kingdom altogether.
While representatives of Norwich Union Life
claimed that the genetic tests were not compulsory, simply providing lower
premiums for people that do not test positive for genetic tests can lead to
rampant genetic testing. An "assessment spiral" will result when one
company offers discounts for those with a particular genetic profile, creating
pressure on competitors to offer similar discounts in order to keep
"low-risk" policy holders and resulting in higher premiums for those
that are not tested or do not possess the correct genetic make-up. Thus,
non-compulsory genetic testing can easily lead to genetic discrimination.
Recognizing the issues implicated in widespread
genetic testing, several international bodies have recommended that genetic
testing should be carefully circumscribed by law. In 1989, the European
Parliament issued a resolution recommending legislation to prohibit genetic
testing for the purposes of selecting workers or examining employees without
their consent. It advised that employees must be informed of any analysis and
implications of genetic data before tests are carried out and allowed to withdraw
from testing at any time.
The Council of Europe has also recommended that "the admission to, or the
continued exercise of . . . employment, should not be made dependent on the
undergoing of tests or screening."
Similarly, the World Medical Association (WMA) has issued statements to this
effect. In 1992, issuing a Declaration on the Human Genome Project, it
recommended the adoption of laws similar to those that prohibit "the use
of race discrimination in employment or insurance." In May 2000, it announced that it would draw up
guidelines on the development of centralized health storage databases that will
address "the issues of privacy, consent, individual access and
accountability."
In 1997, the United Nations Educational, Scientific and Cultural Organization
(UNESCO) adopted a Universal Declaration on the Human Genome and Human Rights,
outlining the rights of individuals to control the collection and use of
genetic information.
In many cases, existing labor codes may
indirectly prohibit genetic testing. It is also possible that the use of genetic
data by employers to discriminate against workers may violate equal opportunity
or anti-discrimination laws. In the United States, for example, genetic testing
may violate the 1964 Civil Rights Act that prohibits discrimination in
employment on the basis of "race, sex, national origin, and
religion," or the Americans with Disabilities Act of 1990, which prohibits
discrimination in employment against a "qualified individual with a
disability."
Governments are also beginning to address the
privacy issues directly. In the United States, most laws applying to genetic
discrimination, testing or identification have been passed by states rather
than the federal government. Some states have passed
laws that prohibit employment discrimination on the basis of genetic
information. In 2000, President Clinton issued Executive Order 13145,
prohibiting the use of genetic information in federal agency hiring and
promotion decisions.
Workers around the
world are frequently subject to some kind of monitoring by their employers. Employers supervise work processes for quality control and
performance purposes. They collect personal information from employees for a
variety of reasons, such as health care, tax, and background checks.
Traditionally, this
monitoring and information gathering in the workplace involved some form of
human intervention and either the consent, or at least the knowledge, of
employees. The changing structure and nature of the workplace, however, has led
to more invasive and often covert monitoring practices which call into question
employees' most basic right to privacy and dignity within the workplace.
Progress in technology has facilitated an increasing level of automated
surveillance. Now the supervision of employee performance, behavior, and
communications can be carried out by technological means, with increased ease and
efficiency. The technology currently being developed is extremely powerful and
can extend to every aspect of a worker's life. Software programs can record
keystrokes on computers and monitor exact screen images, telephone management
systems can analyze the pattern of telephone use and the destination of calls,
and miniature cameras and "Smart" ID badges can monitor an employee's
behavior, movements, and even physical orientation.
Advances in science
have also pushed the boundaries of what personal details and information an
employer can acquire from an employee. Psychological tests, general
intelligence tests, performance tests, personality tests, honesty and
background checks, drug tests, and medical tests are routinely used in
workplace recruitment and evaluation methods. Since the discovery of DNA, there
has also been an increased use of genetic testing, allowing employers to access
the most intimate details of a person's body in order to predict susceptibility
to diseases, medical, or even behavioral conditions. The success of the Human
Genome Project will likely make this kind of testing more prevalent. Currently,
genetic testing is prohibitively expensive for many employers, and not used as
frequently as other forms of medical or drug testing. Article 21 of the
European Union Charter of Fundamental Rights provides explicitly that "any
discrimination based on . . . genetic features . . . shall be prohibited."
Employers' collection
of personal information and use of surveillance technology is often justified
on the grounds of health and safety, customer relations, or legal obligation.
However, according to a recent study by the Privacy Foundation, it is
actually the low cost of surveillance technologies more than anything
else that contributes to the increased monitoring. In many cases, workplace monitoring can seriously
compromise the privacy and dignity of employees. Surveillance techniques can be
used to harass, to discriminate, and to create unhealthy dynamics in the
workplace.
Privacy advocates have
long maintained that providing notice of a monitoring or surveillance policy
should, at a bare minimum, be required before employers can engage in such
invasive activities. Advocates support strong privacy principles in the
workplace such as the International Labor Office's "Code of Practice on
the Protection of Workers' Personal Data," which protects employees'
personal data and fundamental right to privacy in the technological era. These guidelines were issued by the International Labor
Office in 1997, following three comprehensive studies on international workers'
privacy laws. The general principles of the code are:
- personal data should be used lawfully
and fairly; only for reasons directly relevant to the employment of the worker
and only for the purposes for which they were originally collected;
- employers should not collect sensitive
personal data (e.g., concerning a worker's sex life; political,
religious, or other beliefs; or trade union membership or criminal convictions)
unless that information is directly relevant to an employment decision and is
collected in conformity with national legislation;
- polygraphs, truth-verification
equipment or any other similar testing procedure should not be used;
- medical data should only be collected
in conformity with national legislation and principles of medical
confidentiality; genetic screening should be prohibited or limited to cases
explicitly authorized by national legislation; and drug testing should only be
undertaken in conformity with national law and practice or international
standards;
- workers should be informed in advance
of any monitoring, and any data collected by such monitoring should not be the
only factors in evaluating performance;
- employers should ensure the security of
personal data against loss, unauthorized access, use, alteration or disclosure;
and
- employees should be informed regularly
of any data held about them and be given access to that data.
The code does not form
international law and is not of binding effect. It was intended to be used
"in the development of legislation, regulations, collective agreements,
work rules, policies and practical measures." Unfortunately, however, the
laws differ greatly from country to country, and in some countries there are
few legal constraints on workplace surveillance.
In the United States, for
example, the courts have typically been slow to recognize employees' rights to
privacy. There has not yet been any satisfactory and uniform determination of
what level of privacy employees are entitled to and how that privacy should be
protected. Many believe that since employers have ownership or
"control" over the working premises, and its contents and facilities,
that employees give up all rights and expectations to privacy and freedom from
invasion. Others simply avoid the question by making employees consent to
surveillance, monitoring, and testing as a condition of employment. Legislation
has recently been introduced, however, which would prevent employers from
secretly monitoring the communications and computer use of their employees.
US public sector
employees are protected by several laws. The Fourth Amendment applies not only
to law enforcement officers, but to government officials and employers as well.
A constitutional right to information privacy, recognized in Whalen v. Roe, can protect against employer disclosures of employees'
personal information. Other laws which may protect the privacy of public
employees include relevant state constitutional provisions, federal and state
wiretap laws, the Americans with Disabilities Act (ADA), the federal Privacy
Act, and the common law privacy torts. In addition, depending on the type of
employment contract governing the work agreement, public employees may have
recourse under contractual remedies. However, most employment agreements are
considered "at will," which means that employees may be dismissed at any time for
any or no reason. One exception to this
general rule is that employees may not be dismissed for a reason that violates
public policy, such as for not complying with a privacy-invasive procedure.
Should this occur, employees can sue for wrongful termination in violation of
public policy.
US private sector
employees have some, but not all, of the protections afforded public sector
employees. The Fourth Amendment and many state constitutions do not apply to
private employers. However, the federal wiretap law applies to both public and
private sector employers. Private sector employees may also establish recourse
for invasions of privacy under the ADA, breach of contract theories, and privacy torts.
Internationally,
regulations governing the compilation and use of employees' personal data vary
significantly. In European countries, the collection and processing of personal
information is protected by the EU Data Protection and the Telecommunication
Privacy Directives. The latter Directive, however, provides for the
confidentiality of communications only on "public" systems and therefore
does not cover privately owned systems in the workplace. More generally, the principles laid out in these directives are
broad in scope and their application to workplace privacy issues is not
always clear.
Nonetheless, many
European countries, such as Austria, Germany, Norway and Sweden, have strong labor codes and privacy laws that directly or
indirectly prohibit or restrict this kind of surveillance. In Finland, a new law on
Data Protection in Working Life entered into force in October 2001. In October
2000, the United Kingdom Data Protection Commissioner (now the Information
Commissioner) issued "The Employment
Practices Data Protection Code," a draft code of guidance for
employer/employee relationships. In March 2002, the first part of this code, regarding data
protection in recruitment and selection of employees, was issued. In October 2002, the Information Commissioner released part
two of the code, which covers employment records. One significant provision
requires that any sickness and accident records, detailing the medical cause of
any absence be maintained separately from medical records that do not reveal
medical conditions. Two further parts on monitoring at work and medical
information and testing will be issued over the next few months. In 1999, the
Swedish government established a Committee to study workplace privacy issues.
In March 2002, the Committee issued a proposal recommending specific
legislation to protect the personal information of current employees, former
employees and employment applicants in both the private and public sectors. In May 2002, the European Union Article 29 Data Protection
Working Party issued a working paper on monitoring and surveillance of
electronic communications in the workplace. The document set out a list of
questions to be asked before any monitoring measure is put in place. For
example: Is the monitoring activity transparent to the workers? Is it
necessary? Could not the employer obtain the same result with traditional
methods of supervision? Is the processing of personal data proposed fair to the
workers? Is it proportionate to the concerns that it tries to allay? The
working paper also set out principles employers should bear in mind when
processing workers' personal data. These principles include: finality (data
must be collected for a specific and legitimate purpose); transparency (workers
should know which data the employer is collecting about them); and security
(the employer must implement security measures at the workplace to ensure the
safety of the personal data of workers).
In October 2002, the
European Commissioner for Employment and Social Affairs launched a formal
consultation initiative to improve the protection of workers' personal data
throughout the EU. The
substance of the consultation addressed issues such as the effectiveness of
employee consent in safeguarding personal data, access to, and the processing
of medical data within the employment context, identifying the permissible
scope of drug and genetic testing, and employer monitoring and surveillance of
employees. Currently, both the International Labor Organization (ILO) and the
Council of Europe have established specific guidelines establishing data
protection in the employment relationship. In
addition, Article 8 of the EU Charter of Fundamental Rights refers to the
protection of personal data, and Articles 21, 26, and 31 contain provisions
relevant to the protection of employees' private data.
There have also been
developments outside of Europe on this issue. In June 2002, the Hong Kong Privacy
Commissioner for Personal Data issued a draft code of practice on workplace
monitoring for public
consultation. The draft code covers telephone, closed-circuit television,
e-mail and computer usage and possibly location monitoring. In Australia, the Privacy Amendment (Private Sector) Act
2000 put in place limited restrictions on employers' monitoring of
communications by requiring the establishment of formal e-mail use policies
that must be made clear to all employees. It also requires employers to prove
that the monitoring of e-mails is justifiable, for instance on grounds of employees'
excessive use of e-mail, distributing offensive material, suspected criminal
activities, or passing on of sensitive information. However, the legislation grants exemptions to small
businesses and the media and also exempts all employee records in any industry
sector.
Employer searches of an
employee's workspace raises important privacy issues. In the public sector, the
US Supreme Court has held that whether an employee has a reasonable expectation
of privacy in a workspace is to be decided on a case-by-case basis because of
the great variety of workplace settings. The Court also held that a public employer's intrusions,
even into constitutionally protected privacy interests of government employees
for either non-investigatory, work-related purposes or for investigations of
work-related misconduct, should be judged under a standard of reasonableness.
The Court noted that requiring an employer to obtain a warrant whenever he or
she wished to enter an employee's workspace for work-related purpose would
seriously disrupt business routine and be unduly burdensome. In terms of
workplace computer searches, a federal court has held that an employee has a
reasonable expectation of privacy in the contents of an office computer, but an
investigatory search for evidence of work-related employee misconduct is
constitutionally reasonable if the search is justified at its inception and is
of appropriate scope (i.e., reasonably related to the objectives of the
search and not excessively intrusive in light of the nature of the misconduct). In addition, government employers cannot require employees
to undergo unreasonable searches under the Fourth Amendment as a condition of
employment, but the search is permissible if the employee consents to the
search.
In the private sector,
employees may have a reasonable expectation of privacy in certain areas and
personal items. One court has held that an employee who is under no suspicion
of wrongdoing and secures a locker with her own lock and with the employer's
consent has a reasonable expectation of privacy in the locker and its contents. In addition, employers may be liable if they reveal
confidential information about their employees. Public sector employees have an additional course of
redress for the disclosure of personal information by an employer by means of a
civil action under the constitutional right to information privacy.
Employers are
increasingly turning to video surveillance to monitor the activities of
employees. In answering the question of whether an employer's use of video
surveillance is permissible, US courts have examined an employee's expectation
of privacy in the area being monitored, as well as considered any applicable
laws or regulations governing such a search. Federal courts have held almost
unanimously that silent video surveillance is not prohibited by Title I of the
Electronic Communications Privacy Act (ECPA) of 1986. But video surveillance that includes the ability to record
conversations would violate Title I. Silent video surveillance is subject to
the Fourth Amendment's protections against unreasonable searches, but at least
one court has held that the Fourth Amendment is only implicated if an employee
has a reasonable expectation of privacy in the area being surveilled. If employees have no reasonable expectation of privacy in
an area under observation, such as a locker area that can be viewed by anyone
who enters, the Fourth Amendment is not violated, regardless of the nature of
the search.
Internationally, video
surveillance is used extensively for many different reasons. Australia has spent
substantially more money per capita than any other industrialized nation on
video surveillance equipment. Video cameras are now one of the most commonly used
surveillance devices in the Australian workplace, and their use is regulated in
New South Wales by the Workplace Video Surveillance Act 1998. Video surveillance is justified as a security measure to
deter theft, vandalism, or other unauthorized intrusions, and to monitor
employee conformance with occupational health and safety procedures, as well as
general performance.
Workplace surveillance
in New Zealand
is prevalent, and often occurs beyond the reach of the law given the
deregulated labor market, according to a report issued by the Office of the
Privacy Commissioner. The current policy in New
Zealand is to leave negotiations involving
workplace surveillance to employment agreements between employers and employees
rather than establishing legislation regulating such activities, although
employment law and contractual implied terms of fair dealing offer employees
some protections. New Zealand employers are entitled to take reasonable steps to monitor
employee performance, to safeguard working conditions, and to secure the place
of business. Employees, in turn, are generally granted protections to safeguard
their person, property, and private conversations and beliefs, and are provided
with avenues to amend irrelevant, inaccurate, or incomplete facts that are
considered in employment decisions.
Automated workplace
monitoring has become increasingly common in recent years. Even in workplaces
staffed by highly skilled information technology specialists, employers demand
the right to spy on every detail of a worker's performance. Modern networked
systems can interrogate computers to determine which software is being run, how
often, and in what manner. A comprehensive audit trail gives managers a profile
of each user, and a panorama of how the workers are interacting with their
machines. Software programs can also give managers total central control of
individual PCs. A manager can now remotely modify or suspend programs on any
machine, while at the same time reading and analyzing e-mail traffic and Internet
activity. A recent report by the American Management Association found that
nearly eighty percent of major US companies monitor employees at work by checking
communications such as telephone conversations, computer files, e-mails and
Internet connections or by using video surveillance for performance evaluation
and security purposes.
An employer can monitor
the level of use of a computer by surveilling the number of keystrokes an
employee enters into a word processing program in a specified period of time or
the amount of time a computer is idle during the workday. Numerous technologies
are available which monitor and analyze the performance of IT workers. Some
allow network administrators to observe an employee's screen in real time, scan
data files and e-mail, analyze keystroke performance, and even overwrite
passwords. Once this information is collected, it can be analyzed by standard
processing programs to determine a worker's performance profile. These
monitoring products are sold at very low prices and are widely available.
Such snooping programs have also become popular not just among
employers but also law enforcement agencies, private attorneys, investigators,
and suspicious lovers.
The use of video
cameras and closed circuit televisions (CCTV) is another common way of
monitoring employees within the workplace. Even areas where employees would
previously have enjoyed high expectations of privacy, such as bathrooms or
locker rooms, have come under increasing surveillance. Postal workers in New York City found
hidden cameras in restroom stalls and waiters in the Boston Sheraton were
secretly videotaped in the hotel locker room. Where staff are more mobile, companies are now using a
range of technologies to track geographic movements. Some hospitals now require nurses to wear badges on their
uniforms so they can be located constantly. Advances in this area now allow carrier companies to place
an electronic mechanism (described as a geostationary satellite-based mobile
communications system) on trucks that then sends back to a main terminal the
exact position of the vehicle at all times. In this way, carrier companies can
ensure that no side trips or other deviations are taken from the prescribed
route. Wide area systems such as Trackback are in use throughout
the United Kingdom.
Telephone surveillance
has become endemic throughout the private and public sector. In the United States, employers
have broad discretion to monitor employees' calls for "business purposes."
Companies are extensively using telephone analysis technology. Call center
workers for British Telecom are regularly presented with a comprehensive
analysis sheet, showing their performance relative to other workers. Airline
reservations clerks in the United States and elsewhere wear telephonic headsets that monitor the
length and content of all telephone calls, as well as the duration of their
bathroom and lunch breaks. In one instance, telephone calls received by airline
reservation agents were electronically monitored on a second-by-second basis:
agents were allowed only 11 seconds between each call and 12 minutes of break
time each day. Other airline agents have complained that they are
evaluated based on how many times they use a customer's name during a call or
how often they try to overcome a customer's initial objections to buying a
ticket.
The level of
sophistication of telephone surveillance systems can be astonishing. Some
systems can record all transactional activity on a phone, together with
destination numbers and times. Other technology can then process and analyze
this data. A British program called "Watcall," produced by the
Harlequin company, can analyze telephone calls and group them into
"friendship networks" to determine patterns of use. Voice mail systems are also subject to systematic or
random monitoring by managers. Most new systems have default pass codes for
administrators, and these can open all message boxes.
Computers and networks
are particularly conducive to surveillance. The Privacy Foundation study found that fourteen million employees in the United States are
subject to this kind of surveillance on a continuous basis. This number
obviously increases dramatically when random surveillance checks are included.
Employers can monitor e-mail by randomly reviewing e-mail transmissions, by
specifically reviewing transmissions of certain employees, or by selecting key
terms to flag e-mail. In the latter case, software analyzes a company's entire e-mail
traffic phrase by phrase, and draws conclusions about whether a message is
legitimate company business. It can be instructed to search for specific
keywords and "damaging" phrases. Some programs can even use
algorithms to analyze communications patterns and turn them into images.
Monitors can then look at these images to follow traffic patterns and detect
whether sensitive data is at risk.
Many employers rely on
software for remote monitoring of e-mail messages. With a few clicks they can
see every e-mail message that employees send or receive and determine whether
they are "legitimate" or not. Managers give a variety of reasons for
installing such software. Some say it is to protect trade secrets or to prevent
sexual harassment incidents. Others want to prevent oversized e-mails from clogging
networks and using too much bandwidth. Still others simply don't want employees
"wasting" company time by using the systems for personal activities.
In an ideal world, this monitoring should follow the conventional format, i.e.,
identical to the quality check that has applied to correspondence sent out on
company letterhead. However, the speed and efficiency of e-mail means that
digital communication involves a vast intersection with personal
correspondence. It also has features more in common with an internal memo, for
which there has always been less monitoring and management.
According to the
American Management Study, nearly two thirds of all companies discipline employees
for abuse of e-mail or Internet connections and twenty-seven percent dismiss
employees for those reasons. In 2000, Dow Chemical Company fired fifty US employees and
threatened two hundred others with suspension after they found
"offensive" material in their e-mail. The company opened the personal
e-mail of more than 7,000 employees. Similarly, the New York Times fired twenty-three employees
in 1999 for sending "obscene" messages. Internationally, employer
monitoring of e-mail and Internet usage varies from country to country. The
Swiss Federal Data Protection Commissioner issued a statement in its annual
report explaining the circumstances under which use of Internet and e-mail at
the workplace may be monitored. According to the report, surveillance activities by
employers are primarily focused on preventing technical malfunctions. Records
of an individual's e-mail and Internet use may be evaluated only once an abuse
has been identified and the individual is notified of the evaluation. In Hong Kong, the Office of the Privacy Commissioner for Personal Data
in 2000 commissioned a survey to examine employer surveillance in the workplace. According to the survey, sixty-four percent of employers
had installed at least one type of employee monitoring equipment, but only
eighteen percent of the employers had a written policy on employee monitoring.
Further, thirty-five percent of respondents did not even know whether such a
policy existed. In
contrast, France has established stringent policies that protect the privacy of
employees' e-mail usage. The French Supreme Court held recently that employers
do not have the right to open any of their employees' messages. The Court ruled
in a case between Nikon and a former employee that the company had no automatic
right to search through an e-mail inbox.
Courts in the United States have taken
various positions in cases involving an employee's use of e-mail and the
Internet at work. One court has found that an at-will employee has no
reasonable expectation of privacy in the contents of an e-mail voluntarily sent
on an employer's e-mail system, even though the employer had assured its
employees that e-mail communications would remain confidential and privileged. The court reasoned that once an employee communicated
comments to a second person over an e-mail system utilized by the entire
company, any reasonable expectation of privacy is lost. And even if an employee
had a reasonable expectation of privacy in the contents of an e-mail, a
reasonable person would not consider an employer's interception of such communications
to be substantial or highly offensive. Another court has held that an employer
that has a "business use only" policy for Internet usage may conduct
audits of its computer network to identify, terminate, and prosecute
unauthorized activity. The court found that while employees may have a legitimate
expectation of privacy in their computer equipment, some office practices,
regulations, or procedures may reduce such an expectation.
These cases raise
complex legal and ethical questions concerning an employee's fundamental right
to privacy and due process, such as: what if an employee is sent an
"offensive" e-mail, accidentally or maliciously? The e-mail cannot
simply be deleted. It remains logged on the company server, threatening the relationship
of trust between employee and management. Or what if an employee is dismissed
on the grounds of sensitive personal information (for example, issues relating
to sexual preferences, medical conditions, etc.) gathered through a system?
This problem also arises when companies monitor all Internet activity looking
for visits to "inappropriate" sites. Such surveillance has elements
in common with traditional surveillance for hard copy pornography, but there
are significant dangers to workers in the realm of electronic surveillance. An
employee may accidentally visit a pornographic site upon opening a spam e-mail
that links to such a site. Or websites may be accidentally visited when
displayed as a "hit" in response to a perfectly innocent search
query. The surveillance technology does not, however, distinguish between an
innocent mistake and an intentional visit.
The monitoring of chat
room visits has also created some distress in the workplace. There is an
increasing trend among companies to dismiss or sue employees for divulging
company "trade secrets" or defaming the company in chat rooms. These
have become known as "John Doe" cases. Because most people log on to
chat rooms anonymously or use an alias, once a company observes a certain party
in a chat room engaging in "illegitimate" speech, it must subpoena
the message-board service, such as Yahoo! or America Online, to obtain the
identity of the specific author. The service providers often turn over
identifying information when presented with a subpoena without any notice to
the individual. The number of these cases is rapidly increasing and threatens
not only the privacy of employees but also their rights to anonymity and free
speech.
There is also an
increasing amount of drug testing in many countries. The number of companies
using these tests has risen in proportion to the decreasing costs of the tests.
For many employees, drug testing is now a standard part of working life.
Companies routinely administer tests in the recruitment stage or at intermittent
periods during employment, even where there is no evidence of misconduct, poor
performance, or any other reason to suspect drug use. There are thousands of
easy-to-use kits, which can detect traces of drugs within minutes and without
the need for a laboratory, available on the market today. Most of these tests
analyze hair or urine samples to detect traces of drugs such as amphetamines,
marijuana, cocaine, opiates, and methamphetamines.
Internationally, the
use of and justifications for workplace drug testing vary from country to
country. In European countries, one of the most frequently used arguments for
workplace drug testing and one of the least controversial is that the test is a
means of ensuring the safety of employees. In France, Norway, and the Netherlands, only workers in traditional safety-sensitive positions,
or those positions which include access to dangerous materials or classified
information, are subjected to testing in any form. Accordingly there is less testing and there are more legal
restrictions in these countries. In the Netherlands, pre-employment testing is illegal, and in France only the
occupational physician may decide to conduct drug tests, not the employer. On the other hand, workplace drug testing is more
commonplace in British and Swedish companies, where workers in all types of
jobs are tested in order to ensure "business-safety."
A major ethical issue
implicated by drug testing is that the process amounts to an unwarranted
invasion of privacy. Most guidelines for workplace drug testing, such as the
ILO Guiding Principles on Drug and Alcohol Testing of 1996, require that
informed consent be obtained before testing. Opponents of testing, such as the
German Federal Data Protection Commission and the Swiss Data Protection
Commissioner, argue that because workers are dependent on their employers,
meaningful consent to workplace drug testing is not possible. This policy is not followed in some countries. In the United Kingdom, failure
to comply with a requirement for drug testing that is included in an employment
agreement can be interpreted as a disciplinary offence.
Some European
constitutions, for example in Belgium and Finland, hold that fundamental rights such as the right to privacy
are indivisible and that the individual cannot consent to waive these rights. Privacy issues are often implicated in the realm of
workplace drug testing within the larger concerns for data protection. The
testing process involves collecting sensitive data both on use of drugs and on
medication taken which might influence the test result. The collecting and
storage of such information is therefore not only subject to strict controls in
many European countries, but also the subject of European rules such as the EU
Data Protection and Telecommunications Privacy Directives and the ILO Code of
Practice on the Protection of Workers' Personal Data of 1996. In some European countries, the tension between the need
for workplace security and the protection of personal information is resolved
by strengthening the role of the occupational physician. In Finland, France, Belgium, Germany, and Austria, the drug test
results are communicated to the occupational doctor, not to the employer. The
doctor is only allowed to inform the employer whether the person is fit for
work or not; not what results were revealed from the drug test.
In the United States, courts
have upheld the legality of workplace drug testing in many different
circumstances. The US Supreme Court upheld regulations mandating blood and
urine tests of railroad employees to ensure workplace safety. Courts have also upheld drug testing by schools of all
students involved in athletics and extracurricular activities. However,
the US Supreme Court recently struck down a policy of performing drug tests on
pregnant women in a public hospital, finding that the employees of the hospital
are government actors subject to Fourth Amendment limitations.
US courts have also considered the issues of notice and
consent in relation to workplace drug testing. Providing notice of future drug
tests shields employers from liability for intrusion upon seclusion because the
employee has provided explicit consent to take the test. In addition, employers
may lawfully condition employment upon successfully passing a drug test. The
issue of wide scale preventative drug testing raises a host of other questions
concerning privacy, bodily integrity, individual freedom, and the presumption
of innocence. The process of testing itself can be hugely invasive. Observers
are often present to prevent employees from tampering with samples. In the case
of urine testing, the monitor's observation of the drug testing process can be
particularly offensive. Consider the case of one employee who felt humiliated
while undergoing a urine drug test:
I waited for the attendant to turn her back before pulling
down my pants, but she told me she had to watch everything I did. I am a
40-year-old mother of three: nothing I have ever done in my life equals or
deserves the humiliation, degradation and mortification I felt.
This type of test can
quickly turn from a necessary evil needed to protect lives and reputations into
a process of intimidation and harassment. It raises questions about whether the
benefits to employers really outweigh the rights and dignity of workers.
Companies which manufacture drug testing equipment extol the advantages of drug
tests, claiming the tests can save employers thousands of dollars by reducing
incidences of absenteeism, low productivity, accidents, injuries, compensation,
and health care claims stemming from employees' drug usage. Governments
generally have also encouraged testing as part of a larger war on drugs. What
employers are not told, however, is that there are also numerous ethical and
economic disadvantages to drug testing.
Drug testing fosters a
climate of negativity based on suspicion and secrecy rather than trust,
openness, and respect. Low morale or resentment among workers may consequently
lead to low productivity or profits. In addition, even though individual tests
may no longer be expensive because they are so sweepingly administered among
employees, the negative costs may be costing employers far more than they are
saving them. Catching one or two light drug users for every few thousand people
tested is hardly an economical justification for the initial outlay. Even if
tests do reveal traces of drugs there is no clear evidence to suggest that mild
drug use has a greater effect on productivity than, for example, alcohol.
Dismissing workers on grounds of policy and suspicion rather than performance
and proof, may result in the loss of valuable employees to the employer.
Evidence has not shown that drug testing can deter future use, and it is in no
way a substitute for proper guidance, support and counseling. In fact, in an
ironic twist, routine testing may even encourage more serious drug usage among
employees. As one commentator says:
If one wants to get inebriated on a Friday night and still pass a urine test
Monday, smoking a joint would be foolish. Cocaine and alcohol would represent
the "safer" choices of intoxicants because alcohol is
"legal" and cocaine cannot be detected in the body as long.
Finally, drug testing
is inaccurate and can often lead to false and misleading results. A report by
the Ontario Information and Privacy Commissioners' Office says up to 40 percent
of tests are inaccurate. Highly sensitive tests can be positive even when the drug
sought is not present. Some say positive reactions may result from a carry-over
following a strong positive earlier or from human error, such as contamination
due to failure to cleanse equipment. Others note that certain legal substances can also result
in positive tests for illegal drugs. For example, there have been reports of
Vicks inhalers resulting in positive tests for amphetamines and
methamphetamines, standard anti-inflammatory drugs like Ibuprofen showing up
positive on marijuana tests, and even traces of morphine being detected from
poppy seeds.
Other issues that raise
workplace privacy concerns are employer requirements that employees complete
medical tests, questionnaires, and polygraph tests. In the United States, employer
use of polygraph testing has been limited by federal statute. Congress passed
the Employee Polygraph Protection Act (EPPA), which makes it unlawful for private sector employers to
require current or prospective employees to take a lie detector test. The
statute exempts public employers at the federal, state, and local levels.
However, there are a few exceptions to the EPPA. For example, employers may use
polygraphs as part of an ongoing investigation involving economic loss or
injury to the employer's business, and employers who provide security services
are exempt. One court has held that an employer who performed unauthorized
tests using blood and urine samples provided by a job applicant violated the
individual's privacy. The court looked to the constitutional right to
information privacy recognized in Whalen, and held that unauthorized
tests were unconstitutional searches under the Fourth Amendment. In another
case, a court found that questionnaires that collected health information about
employees were permissible. The court reasoned that an individual's interest in
protecting his or her privacy is not as great when the information is sought by
the government, is not publicly disseminated, and when measures are in place to
protect the privacy of information that is collected. Some states have statutes
which restrict the degree to which employers may require potential employees to
undergo testing or complete mandatory questionnaires.
Internationally, there are fewer workplace
privacy laws that specifically address the use of polygraphs in the employment
context. In Europe, honesty testing through mechanical devices, such as
polygraphs or voice stress analyzers, or through questionnaires that strive to
evaluate workers' attitudes to honesty, is not expressly regulated. Elsewhere, mechanical honesty testing is
prohibited by statute in the Canadian territories of New Brunswick and Ontario,
and is also prohibited in the Australian State of New South Wales.
Technology that facilitates the right of citizens
to participate in the public discourse may threaten privacy, especially when it
is associated with the administration of elections and, under certain
conditions, the very act of voting.
The use of technology in the online
and offline
voting process is growing in popularity around the world. The Charter of
Fundamental Rights of the European Union
and the United Nations Universal Declaration of Human Rights support the right
of citizens to both privacy and self-governance. Democracies are universally
defined as the most efficient means of supporting self-governance through
citizen participation in the form of voting. The secret ballot has long been
considered an integral requirement of democratic governance. In 1983, the Strasbourg Conference on Parliamentary Democracy said that
genuine democracy is protected by "the citizen's right to choose and
change government in elections conducted under universal suffrage and by secret
ballot."
E-voting technology allows for the first time
independent voting in public elections for millions of disabled and language
minority voters through the benefit of a secret ballot. Efforts existed
prior to the introduction of electronic voting to facilitate independent voting
for the blind.
Direct Recording Electronic (DRE) Voting Machines
DRE voting machines produce no tangible evidence
of the ballot, but instead save the voter's choice to a memory card or disk
stored in the voting device.
However, a hybrid DRE voting machine that uses the technology as a paper
ballot-marking device is now available for use in public elections. These DRE paper
and paperless voting machines are applicable to online and offline voting
systems. They each may use one of two dominant forms of voter interface: push
buttons or a touch screen display.
DRE voting machines provide privacy to voters through the application of cryptography and assistive
technology.
The use of smart cards, tokens or the registration of the order in which voters
use the machines could each compromise users' privacy.
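The order-of-use risk mentioned above can be made concrete. The following is an added illustration, not code from the report or from any voting system: a DRE writes each vote to its memory card, and if the card keeps records in the order cast while the poll book records the order in which voters signed in at that machine, the two lists line up and every vote can be attributed; storing records in a random order leaves the tally intact but breaks that linkage. All voter names, votes and log formats are constructed for the example.

```python
"""Constructed example: linkage between a DRE's cast-order storage and the
poll-book sign-in order, and the effect of randomizing storage order."""
from collections import Counter
import random

# Constructed poll-book log for one machine: voters in sign-in order.
SIGN_IN_LOG = ["voter_A", "voter_B", "voter_C", "voter_D", "voter_E"]

# Constructed ballots in the order they were cast on that same machine.
CAST_BALLOTS = ["X", "Y", "X", "Z", "Y"]


def store_sequential(ballots):
    """Naive memory-card layout: each record appended in the order cast."""
    return list(ballots)


def store_shuffled(ballots, rng):
    """Privacy-preserving layout: the same records, stored in random order.
    A real device would draw from a hardware RNG; a seedable rng is used
    here only so the behaviour can be checked deterministically."""
    stored = list(ballots)
    rng.shuffle(stored)
    return stored


def tally(stored):
    """Counting the election does not depend on storage order."""
    return Counter(stored)


def link_votes(sign_in_log, stored):
    """What anyone holding both the poll book and the memory card can do when
    storage order equals cast order: pair voter i with record i."""
    return dict(zip(sign_in_log, stored))


def linkage_accuracy(true_votes, inferred):
    """Fraction of voters whose vote the pairing attributes correctly."""
    correct = sum(1 for v, b in inferred.items() if true_votes.get(v) == b)
    return correct / len(true_votes)


def demo(seed=0):
    """Compare the two storage layouts against the same sign-in log."""
    true_votes = dict(zip(SIGN_IN_LOG, CAST_BALLOTS))
    seq = store_sequential(CAST_BALLOTS)
    shuf = store_shuffled(CAST_BALLOTS, random.Random(seed))
    return {
        "tally_unchanged": tally(seq) == tally(shuf),
        "accuracy_sequential": linkage_accuracy(true_votes, link_votes(SIGN_IN_LOG, seq)),
        "accuracy_shuffled": linkage_accuracy(true_votes, link_votes(SIGN_IN_LOG, shuf)),
    }


def orderings_vary(n_seeds=50):
    """True if random storage produces more than one distinct card layout,
    i.e. the sign-in order no longer determines which record is whose."""
    layouts = {tuple(store_shuffled(CAST_BALLOTS, random.Random(s)))
               for s in range(n_seeds)}
    return len(layouts) > 1


if __name__ == "__main__":
    print(demo())
```

Sequential storage lets the pairing recover every vote; the shuffled layout yields the same tally while the pairing is reduced to guesswork.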
Automated Tabulation of Paper Ballots
Technology may be used to expedite the counting
of paper punch card ballots or optical scan ballots used in public elections. Ballots are
collected at polling locations and in most cases transported to a central
location for counting.
Ballot reading technology may be present in voting locations to allow voters to
verify their ballots before leaving them and for counting purposes. This may present
privacy problems should the ballot choices be visible to others. Some voting
administration procedures, if not clearly written, may be interpreted to allow voters to give
their ballots to poll workers to place through ballot readers, which
threatens ballot secrecy.
Internet Voting
In October 2000, the Internet Corporation for Assigned Names and Numbers
(ICANN), the technical coordinating entity for the Internet, held
the first binding global Internet election. The election
selected Directors for the ICANN Board.
Internet or online voting is still in its infancy
with a small number of countries attempting public elections using this method. Most of the public
elections attempted involve low-level political contest or decisions. Internet
voting may take one of two forms: a polling place Internet voting system and/or
a remote Internet voting system. In 1999, an Internet voting project by the
European Union (EU) was launched to conduct three years of remote election
pilot projects.
The EU Commission's Information Society Technologies
(IST) 1999 Program for Research, Technology Development and Demonstration funded a
three-year Internet voting project that began in 2000. The use of cryptography
in three pilot voting projects to protect voter privacy was reported as
successful.
Trial Internet elections were held in Kista (Stockholm, Sweden), Issy-les-Moulineaux
(France), and Bremen (Germany).
An Internet voting paradigm raises several
privacy questions: are Internet votes cast in secret? Are Internet voters free
of intimidation or undue influence by others? How can adequate private space
around personal computers acting as voting machines be maintained, and how can
data in transit be secure from disclosure or tampering? The answers to these
questions will indicate how much Internet voting will help to ensure privacy
and voting in the future.
Electronic Voter Registration and Centralized Registration
Databases
Electronic voter registration and centralized
registration databases present challenges to privacy. To participate in
most public elections some form of voter registration is required. Electronic voter
registration that establishes centralized databases of personally identifiable
information on voters for a region or nation would be a target for identity
thieves, manipulation, and tampering.
There is also a concern that national voter registration requirements could be
used in ways that were not initially disclosed by governments. Some proposals
for centralized voter registration would allow governments to check voter
registration information against other government-managed databases. In the United
States, the Help America Vote Act allows states to check voter registration
lists against other state databases, like those kept for driver's licenses or public
assistance, to verify the identity of potential voters.
Absentee Voting or Voting by Mail
Absentee voting or voting by mail exposes voters to the
threat that their votes may not be kept secret. Absentee voting systems must
ensure that only absentee ballots cast by qualified voters who have not also
voted in the regular election are counted. Over time these conditions
have led to a system of absentee voting that associates each absentee
ballot with the voter, which could threaten ballot secrecy.
Nanotechnology is an emerging science in which
developers create devices and systems that have novel properties and functions
because of their small size.
This new technology is believed to have the potential to fundamentally
transform the way in which common products are produced by manipulating their
component parts on the atomic level. This manipulation is hoped to result in
the manufacturing of products that are smaller, stronger, and lighter than
those available today.
Nanotechnology will likely raise new challenges
to the protection of individual privacy. As nanotechnology makes computing
devices smaller and more efficient, collecting, storing, sharing and processing
large amounts of information will become easier and cheaper. Nanotechnology has
the capability of dramatically expanding surveillance devices and producing new
weapons.
Nanotechnology is considered to be in its
"pre-competitive" stage, which the federal government defines as
having limited application for commercial use. However, the potential is great
for both commercial and non-commercial applications. For this reason, US
federal resources are being made available for work on several key areas of
nanotechnology: biology, materials research, medical, and defense applications.