There is no
explicit right to privacy in the United States Constitution. The Supreme Court
has ruled that there is a limited constitutional right of privacy based on
several provisions in the Bill of Rights. This includes a right to privacy from
government surveillance into an area where a person has a "reasonable
expectation of privacy" and also in matters relating to marriage,
procreation, contraception, sexual activity, family relationships, child
rearing and education. The Court has also recognized a right of
anonymity and the right of political groups to prevent
disclosure of their members' names to government agencies. Some states within the country have
incorporated explicit privacy protections into their state constitutions.
The Supreme
Court ruled in 1977 that individuals do not have constitutional privacy
interests in data transferred to third parties, meaning that specific statutes
would have to be enacted to protect data held by others. Rather than enact general statutory protections
for personal data, the United States has taken a sectoral approach to privacy
regulation so that records held by third parties, such as consumer marketing
profiles or telephone calling records, are generally not protected unless a
legislature has enacted a specific law.
The United
States Supreme Court has considered many important privacy cases over the last
few years. In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the
Driver's Privacy Protection Act (DPPA), a 1994 law that protects drivers'
records held by state motor vehicle agencies. In a unanimous decision, the
Court found that the information was "an article of commerce" and can
be regulated by the federal government. In June 2001, the Supreme Court ruled in the
case of Kyllo v. United States that
the use of a thermal imaging device, without a warrant, to detect heat
emanating from a person's residence constituted an illegal search under the
Fourth Amendment. The Fourth Amendment protects individuals from intrusions
into areas where there is a "reasonable expectation of privacy." In November 2000, the Supreme Court held
that suspicionless vehicle checkpoints, used to discover and interdict illegal narcotics,
violate the Fourth Amendment. Also, in March 2001, the Supreme Court held
that a state hospital cannot perform diagnostic tests to obtain evidence of
criminal conduct without the patient's consent; such a test is unreasonable and
violates the Fourth Amendment.
In the 2001
term, the Supreme Court addressed anonymity, searches on buses, and student
privacy. In Watchtower Bible, the
Court invalidated a law that required registration with the government before
individuals could engage in door-to-door solicitation. The Court held that a
pre-registration requirement violated the First Amendment, which guarantees
freedom from government restrictions on free expression, and individuals' right
to anonymity. In United
States v. Drayton, the Court held that the Fourth Amendment does not
require police officers to advise bus passengers of their right not to
cooperate and to refuse consent to searches. Student privacy was diminished in a series of
cases involving drug testing, "peer grading," the practice of
allowing a fellow student to score a test, and the right to sue under a federal
student privacy law. In Earls, the
Court held that random, suspicionless drug testing of students involved in
non-athletic extracurricular activities was justified under the "special
needs" exception to the Fourth Amendment. In Falvo,
the Court held that both peer grading and the reporting aloud of peer grades
did not violate the Family Educational Rights and Privacy Act of 1974 (FERPA). In Gonzaga,
the Court held that the FERPA does not give individuals a right to sue for
violations of privacy.
In the 2002
term, the Supreme Court ruled that a "Megan's Law statute," which
requires sex offenders to have their pictures and addresses put on
the Internet, does not violate the Ex Post Facto clause of the Constitution. In a related case, Connecticut Dept. of Public Safety v. Doe, the Court unanimously
held that inclusion in a public sex offender registry, without a separate
hearing on the offender's risk to the community, does not violate the Due
Process Clause of the Constitution. In a far-reaching opinion, the Supreme Court
ruled in Lawrence v. Texas that a
state law that prohibited homosexual sodomy violated the due process rights of
the Constitution. The Court reversed an earlier opinion in
which it had upheld sodomy statutes. The court decision further states: "The
petitioners are entitled to respect for their private lives. The state cannot
demean their existence or control their destiny by making their private sexual
conduct a crime…" The court also cites with approval the
European Court of Human Rights and other foreign courts that have affirmed the
"rights of homosexual adults to engage in intimate, consensual
conduct." The decisions were brought to the attention of the high court in an amicus brief filed
by the former UN High Commissioner for Human Rights.
In the 2003
term, the Supreme Court considered the Privacy Act, a privacy exemption to the
Freedom of Information Act, and the issue of whether police could compel an
individual to identify himself in public. In Doe v. Chao, the Court ruled that a plaintiff in a Privacy Act suit
must demonstrate actual damages to qualify for the Act's minimum statutory
award of USD 1,000. In that case, the Department of Labor identified
black lung benefits claimants with their Social Security Number and exposed the
identifier to public view in violation of the Privacy Act. In National Archives & Records Administration
v. Favish, the Supreme Court expanded a privacy exemption in the Freedom of
Information Act. That case involved a request for access to
pictures of a suicide victim, who happened to be a senior Executive
Administration employee. Noting that five separate investigations had been made
into the circumstances of the suicide, the Court denied access to the
photographs. Although American law generally does not recognize privacy
interests after the death of the data subject, the Court held that surviving
family members have a right to personal privacy with respect to their close relative's
death-scene images. This right outweighed the public's interest in disclosure.
In Hiibel v. Sixth Judicial District
Court, the Court upheld a state statute that required individuals to
identify themselves when requested by a police officer who has "reasonable
suspicion" that the individual is involved in wrongdoing. Such statutes exist in over 20 American states.
The decision is limited in scope because identification requirements must occur
within the scope of a "Terry Stop," an encounter where a police
officer can articulate facts that reasonably indicate that a suspect is
involved in criminal activity. Also, while an individual has to reveal his or
her identity under the statute, the individual need not produce an identity
document.
The Privacy
Act of 1974 protects records held by United States Government agencies and
requires agencies to apply basic fair information practices. Its effectiveness is significantly weakened by
administrative interpretations of a provision allowing for disclosure of
personal information for a "routine use" compatible with the purpose
for which the information was originally collected. Limits on the use of the
Social Security Number have also been undercut in recent years because Congress
has approved new purposes for the identifier and because the private sector employs the
identifier for both identification and authentication purposes. The Act also allows certain agency systems of
records to be exempt from accuracy and other requirements. In March 2003, the
Department of Justice announced that it would exempt the National Crime
Information Center (NCIC) from
data quality standards in the Privacy Act. The NCIC contains 39 million criminal records,
and is used by over 80,000 law enforcement agencies. The change was strongly
opposed by a broad coalition of organizations and individuals across the United
States. A report from the General Accounting Office
(GAO), released in July 2003, found uneven compliance
with Privacy Act requirements. The GAO report stated that agency officials:
[I]dentified barriers to improved compliance that include a
need for more OMB leadership and guidance on the Act, low agency
priority given to implementing the Act, and insufficient training on the Act.
In the absence of consistent compliance with the Privacy Act, the government
cannot adequately assure the public that all legislated individual privacy
rights are being protected.
There is no
independent privacy oversight agency in the United States. The Office of
Management and Budget (OMB) plays a
limited role in setting policy for federal agencies under the Privacy Act, but
it has not been particularly active or effective. In 1999 a Chief Counselor for
Privacy was appointed within the OMB to coordinate federal stances towards
privacy. The Counselor had only a limited advisory capacity. The Bush
Administration has not replaced this privacy officer.
The Federal
Trade Commission (FTC) has oversight and enforcement powers for the laws
protecting children's online privacy, consumer credit information and fair
trading practices. The FTC has received thousands of complaints
but has issued opinions in only a few cases. It has also organized a series of
workshops and surveys, which have found that industry
protection of privacy on the Internet is poor, but the FTC had long said that
the industry should have more time to make self-regulation work. In a shift
from this position, in June 2000, the FTC recommended in a report to the United
States Congress that legislation is necessary to protect consumer privacy on
the Internet due to the dismal findings in a survey of online privacy policies. Since issuing that report, in October 2001 a new
Chairman of the Commission appointed by President Bush has recommended that
more study is necessary before legislation is passed to protect Internet
Privacy. The agency has sought additional powers to
pursue cross-border fraud, much of which involves privacy-invasive
telemarketing or spam.
In recent
years, the FTC has focused on enforcing existing law in the areas of
telemarketing, spam, pretexting, and children's privacy. In January 2002, the FTC proposed changes to
the Telemarketing Sales Rule to tighten use of individuals' account numbers,
and to create a national do-not-call list for individuals who wish to opt-out
of telemarketing. Enrollment began in June 2003, and now
approximately 60 million numbers have been added to the list.
The FTC's
actions under federal "unfair and deceptive" practices law
essentially have created a "common law" of privacy in the country.
Thus, when the agency brings suit against a company for certain
privacy-invasive practices, it can have industry-wide effect. Recent cases
against pharmaceutical giant Eli Lilly, Microsoft Passport, and American Student List have improved privacy protections nationwide.
The American Student List case, in particular, is likely to change many common
industry practices. That case stands for the proposition that
federal law is violated where companies conceal or omit material secondary uses
of personal information, a common practice of many private-sector profilers.
The United
States has no comprehensive privacy protection law for the private sector. A
patchwork of federal laws covers some specific categories of personal
information. These include financial records, health information, credit reports, video rentals, cable television, children's (under age thirteen) online
activities, educational records, motor vehicle registrations, and telemarketing. The end of 1999 brought increased scrutiny on
financial privacy. In 1999, the Michigan Attorney General sued several banks
for revealing that they were selling information about their customers to
marketers. Other banks across the country subsequently admitted that they were
also selling customer records. The Gramm-Leach-Bliley Act, which formally eliminated
traditional ownership barriers between different financial institutions such as
banks, securities firms and insurance companies, set weak protections on
financial information that is likely to be shared among merged institutions. In
spite of the low level of protections conferred, the effective date of the
privacy provisions was pushed back from November 2000 until July 2001. The law
allows information sharing amongst affiliates, but offers individuals a limited
opt-out for information sharing among non-affiliates. Consumer privacy was
improved under the law when the FTC determined that the Social Security Number
qualified as non-public personal information, thus subject to the notice and
opt-out requirements in certain contexts. The data industry has been
unsuccessful in challenging this determination.
The year
2000 also saw the sole federal law governing information use online go into
effect. The Children's Online Privacy Protection Act (COPPA), passed by
Congress in 1998 and requiring parental consent before information is collected
from children under the age of thirteen, went into effect in April 2000. Protections for medical records were finally
introduced in the United States in 2001. In October 1999, the Department of
Health and Human Services issued draft regulations protecting medical privacy.
The final rules were issued on December 20, 2000 and went into effect in April
2001. The large number of exemptions provided limits the protection offered by
the new rules. There is also a variety of sectoral legislation on the state
level that may give additional protections to citizens of individual states.
In 2003,
Congress passed legislation significantly amending the Fair Credit Reporting
Act (FCRA) and the nation's first spam regulation. Congress amended the FCRA because portions of
the statute were expiring that would allow states to pass more stringent
privacy protections. Congress amended the law to protect financial
institutions from state privacy regulation, but also created new privacy
rights. For instance, under regulations that take effect in 2004, individuals
will be able to request a free credit report from each of the credit bureaus
once a year. Credit reporting agencies will be required to disclose credit
scores, but they may charge a fee for their provision. Individuals will have a
new right to opt-out of marketing solicitations that flow from affiliate
sharing of personal information. The Act will now allow individuals to file
fraud alerts, which require credit reporting agencies to inform others that
fraud may be present. ID theft victims also can request transaction records,
when businesses have extended credit to an impostor, in order to sometimes
allow them to identify the impostor.
Congress
acted with similar motives of preempting more stringent state law in passing
the Controlling the Assault of Non-Solicited Pornography and Marketing Act of
2003, known as the "CAN-SPAM" Act. The Act defines spam as any message where the
"primary purpose" is the "commercial advertisement or promotion
of a commercial product or service." Spam must include notice that the
message is an advertisement or solicitation, an opt-out notice, and a valid
postal address of the sender. Address harvesting and dictionary attacks are
illegal under the Act, but these practices are considered aggravating offenses,
and they cannot serve as the sole basis of prosecution of a spammer.
Enforcement of the Act is limited to the FTC, state attorneys general, and
Internet service providers (ISPs). CAN-SPAM gave the FTC the authority to
create a do-not-spam registry, but the agency chose not to, citing
impracticability. Instead, the agency urged the private sector to
increase sender authentication in an attempt to reduce "spoofed"
spam.
The tort of
privacy was first adopted in 1905 and all but two of the 50 states recognize a
civil right of action for invasion of privacy in their laws. The privacy torts consist of intrusion upon an
individual's seclusion or private affairs, public disclosure of embarrassing
private facts, painting an individual in a "false light" in the
public eye, and appropriation of an individual's name or likeness.
In April
2003, the first federal regulation protecting individually identifiable health
information became effective for enforcement. The Standards for Privacy of
Individually Identifiable Health Information, commonly known as the "HIPAA
Privacy Rule," provide basic protections for individually identifiable
health information and give individuals rights with respect to the information
about them. The Privacy Rule is permissive in nature because it permits several
types of disclosures but requires only disclosures to the individual or his
personal representative and to the Secretary of Health and Human Services for
the purpose of enforcement. The Privacy Rule allows state laws to remain in
place where state law provisions provide greater protection. State laws deal
with health information in areas such as access to medical records, regulation
of licenses for medical professionals and organizations, regulations for
entitlement programs, mental health records, records related to conditions such
as HIV/AIDS, and reproductive rights. The federal Privacy Rule contains civil
penalties for non-compliance and will be enforced by the Office for Civil
Rights within the Department of Health and Human Services. The Rule also
contains criminal penalties for malicious misappropriation and misuse of health
information, which will be enforced by the Department of Justice.
There is
substantial activity in the states. In recent years, Massachusetts and Hawaii
have considered comprehensive privacy bills for the private sector. California
passed a Social Security Number bill that will prohibit the printing of the
identifier on forms, invoices, and identification badges. The bill also gives
individuals greater power to control their credit report once fraud is
suspected. California also passed a Database Protection
Law that requires notice to individuals when their
personal information was accessed as a result of a security breach or accident. Minnesota enacted a bill that requires Internet
Service Providers to give notice and obtain user authorization before using
personal information for secondary purposes. In a statewide referendum, North Dakota residents
established opt-in protections for financial information. Additionally, Georgia enacted a privacy law
that prohibits private businesses from discarding documents or computer
components that contain personal information.
Concerns about
the adequacy of self-regulation, particularly for Internet-based firms, continue
in the United States. Several profitable companies, including eBay.com,
Amazon.com, drkoop.com, and Yahoo.com have either changed users' privacy
settings or have changed privacy policies to the detriment of users. A series of companies, including Intel and
Microsoft, were discovered to have released products that secretly track the
activities of Internet users. Users have filed several lawsuits under the
wiretap and computer crime laws. In several cases, TRUSTe, an
industry-sponsored self-regulation watchdog group ruled that the practices did
not violate its privacy seal program. Significant controversy arose around
online profiling, the practice of advertising companies to track Internet users
and compile dossiers on them in order to target banner advertisements. The
largest of these advertisers, DoubleClick, ignited widespread public outrage
when it began attaching personal information from a marketing firm it purchased
to the estimated 100 million previously anonymous profiles it had collected. The company backed down due to public
opposition, a dramatic fall in its stock price and investigations from the FTC
and several state attorneys general. In July 2000 the Federal Trade Commission
reached an agreement with the Network Advertisers Initiative, a group
consisting of the largest online advertisers including DoubleClick, which will
allow for online profiling and any future merger of such databases to occur
with only opt-out consent. In January 2001, the FTC dropped its
investigation of DoubleClick. However, several private lawsuits were filed
against DoubleClick. In January 2001, DoubleClick closed its online profiling
division, and in May 2002, privacy class action suits against the company were
settled, resulting in little or no benefit to Internet users. Intel announced in May 2000 that it was
dropping the incorporation of unique identifiers in its next-generation
computer processors following a consumer boycott.
Several
industry spokespeople, including Intel's Chairman Andrew Grove, have been
supportive of federal Internet privacy legislation in order to stave off the
states' recent efforts to enact such protections on their own.
The United
States Department of Commerce and the European Commission in June 2000
announced that they had reached an agreement on the Safe Harbor negotiations
that would allow United States companies to continue to receive personal data
from Europe. The European Parliament adopted a resolution in early July seeking
greater privacy protections from the arrangement. The Commission announced that it was going to
continue with the agreement without changes. Over 500 companies have joined the
Safe Harbor.
Surveillance
of wire, oral and electronic communications for criminal investigations is
governed by the Omnibus Safe Streets and Crime Control Act of 1968 and the
Electronic Communications Privacy Act of 1986 ("Title III"). Police are required to obtain a court order
based on several legal requirements before capturing the content of a
communication. Surveillance for national security purposes is governed by the
Foreign Intelligence Surveillance Act (FISA) that has less rigorous
requirements. The number of FISA orders reached an all-time
high in 2003, with 1,727 applications presented to, and 1,724 approved by, the
secret FISA Court.
The use of
electronic surveillance under Title III has more than tripled in the last ten
years. In 2002, a total of 1,358 federal and state wiretaps were completed. The
vast majority of the wiretaps were authorized for narcotics investigations. In
2003, the Administrative Office of the United States Courts reported that state
and federal courts authorized an all-time high 1,442 interceptions of wire,
oral and electronic communications in 2003, an increase of six percent over
interceptions authorized in 2002. The agency also reported that federal
officials requested 578 intercept applications in 2003, a 16 percent increase
over those requested in 2002. No wiretap applications were denied in 2003. Encryption was encountered in one wiretap
terminated in 2003, but apparently the encryption did not prevent law
enforcement from accessing the communication. In 2002, 18 wiretaps involved encryption,
and law enforcement was able to access the communication in each case. The question of police decryption methods has
recently been raised in the case of United
States v. Scarfo. In this case, the FBI surreptitiously installed a key
logger device on the defendant's computer in order to capture his Pretty Good
Privacy encryption passphrase. The defense successfully argued before a federal
court in New Jersey that it should be granted access to the details of the key
logger technique, in order to determine the legality of the search. The judge
directed the government to produce a report "detailing how the key logger
device functions" by August 31, 2001. In December 2001, the judge upheld the legality
of the key logger device, and ruled that further exposure of its workings
"would cause identifiable damage to the national security of the United
States."
In December
2001, the FBI confirmed the existence of a technique called "Magic
Lantern." This device would reportedly allow the agency
to plant a Trojan horse keystroke logger on a target's computer by sending a
computer virus over the Internet, rather than requiring physical access to the
computer as is now the case. Controversy arose surrounding this announcement,
as anti-virus companies argued that they could not leave a hole in their
protection software to allow for Magic Lantern's surreptitious placement on
computers. Doing so, they argued, would create a conflict of interests.
Moreover, if each country's law enforcement agency developed a similar form of
virus, each virus would have to be excluded from anti-virus companies'
products: translating the purpose of the software, and affecting consumer
trust.
The federal
wiretap laws were amended by the Communications Assistance to Law Enforcement
Act (CALEA) in 1994 that required telephone companies to redesign their
equipment to facilitate electronic surveillance. The Federal Communications Commission issued
regulations in November 1998 implementing the law. The regulations include several additional provisions
including requiring that all mobile phone companies facilitate location
tracking of users. Privacy groups and telecommunications companies challenged the
implementation of the law in federal court, arguing that the regulations
give the government more power than authorized under the law and the
Constitution. In August 2000, the United States Court of
Appeals for the District of Columbia Circuit ruled that law enforcement
agencies must meet the highest legal standard before using these new surveillance
capabilities. In 2004, the FBI sought greater access to Internet telephony
under CALEA. The agency is seeking to have Voice Over
Internet Protocol communications designed in such a way that law enforcement
can easily surveil the contents of conversations or routing information.
The
intelligence agencies have also pushed for more authority and funding to
conduct surveillance of Internet communications, arguing that this is necessary
to protect the nation's infrastructure from "information warfare." In
July 2000, it was revealed that the FBI had developed a system called
"Carnivore" that is placed at an ISP's offices and can monitor all
traffic about a user including e-mail and browsing. Earthlink, a major ISP, announced that it
refused to install the system in its network. After the system was discovered, Attorney
General Reno promised to conduct a review of its privacy protections. In the fall of 2000, the Justice Department
commissioned a team of experts at the Illinois Institute of Technology Research
Institute (IITRI) and the Illinois Institute of Technology Chicago-Kent College
of Law to undertake an independent review of the Carnivore system. The IITRI
group issued its final report on Carnivore in December 2000 and made several
recommendations for changes to the system. These recommendations have not yet been
implemented by the Justice Department and the system remains in use today. In
May 2002, EPIC obtained Freedom of Information Act (FOIA) documents on
Carnivore that indicated that the program may have hindered the government's
anti-terrorism investigation by overcollecting data in violation of wiretapping
laws.
The USA
PATRIOT Act, which passed in the wake of the September 11, 2001 attacks,
significantly weakened privacy protections in federal wiretapping statutes. The Act extended the "pen register"
portions of federal wiretapping law, allowing Carnivore to be used to collect
traffic data based on a mere certification of a prosecutor that it would
collect information relevant to an ongoing investigation. The bill made computer crimes and terrorism
predicate offenses for initiation of a federal wiretap. The bill authorizes national application of a
wiretap order, that is, a court in one jurisdiction can issue a warrant that
could apply anywhere in the country. Courts can issue roving wiretaps, giving law
enforcement the ability to monitor many different devices that a suspect may
use. Although supporters of the USA PATRIOT Act
claimed that a sunset provision in the bill would limit police power, only some
of the new surveillance authority will expire. Also, several states followed
suit by passing state legislation that loosens protections against wiretaps.
Following
the USA PATRIOT Act, Congress further weakened privacy protections against
wiretapping in passing the Cyber Security Enhancement Act (CSEA). The CSEA allows communications providers to
voluntarily provide government agents with access to the contents of customer
communications without consent based on a "good faith" belief that an
emergency justifies the release. The same section grants law enforcement the
power to install pen register and trap and trace devices without a court order
where there is an ongoing attack on a "protected computer." Any
computer involved in interstate commerce or communications qualifies as a
"protected computer." Further, the law introduces fines and 20-year
prison terms for offenders who recklessly cause or attempt to cause serious
bodily injury.
The
government established an official Department of Homeland Security (DHS) in
2002, combining 22 agencies and an estimated USD 38 billion budget. This cabinet level agency will have increased
law enforcement and information sharing powers but more limited open government
responsibilities. For instance, the legislation allows the department to share
intelligence and grand jury information with state and local authorities, but
broadly exempts "critical infrastructure information" submitted to
the agency from the open government laws.
Limited
privacy protections were included in the legislation creating the DHS. The
legislation created a civil rights officer and a separate privacy officer
charged with the responsibility of compliance with the Privacy Act, with
formulating privacy impact assessments for rules proposed by the Department,
and with preparing an annual report to Congress. Other portions of the bill
prohibit the government from creating a citizen snitch program called the
"Terrorism Information Prevention System." The department is
statutorily barred from developing a national identification system or card.
Over initial
objections from the White House, the Congress established the National
Commission on Terrorist Attacks Upon the United States. The Commission was asked to investigate
"facts and circumstances relating to the terrorist attacks of September
11, 2001," including those relating to intelligence agencies, law
enforcement agencies, diplomacy, immigration issues and border control, the flow
of assets to terrorist organizations, commercial aviation, the role of
congressional oversight and resource allocation, and other areas determined
relevant by the Commission.
The
Commission, a panel of five Democrats and five Republicans, held twelve public
hearings between March 2003 and June 2004. Among the key recommendations of the
Commission that may impact upon privacy were the following:
·
Improved use of "no-fly" and
"automatic selectee" lists should not be delayed while the argument
about a successor to CAPPS continues. This screening function should be
performed by the TSA, and it should utilize the larger set of watchlists
maintained by the federal government. Air carriers should be required to supply
the information needed to test and implement this new system.
·
Secure identification should begin in
the United States. The federal government should set standards for the issuance
of birth certificates and sources of identification, such as drivers licenses.
Fraud in identification documents is no longer just a problem of theft. At many
entry points to vulnerable facilities, including gates for boarding aircraft,
sources of identification are the last opportunity to ensure that people are
who they say they are and to check whether they are terrorists.
· Americans should not be exempt from
carrying biometric passports or otherwise enabling their identities to be
securely verified when they enter the United States; nor should Canadians or
Mexicans. Currently U.S. persons are exempt from carrying passports when returning
from Canada, Mexico, and the Caribbean.
Civil liberties organizations
expressed caution about the recommendations of the 9-11 Commission. For
example, EPIC wrote, "Significant errors have been found in both the
no-fly watchlists and the automatic selectee system. This is a particularly
serious problem for US persons who travel within the United States. There
should be an independent evaluation of how best to operate these screening
systems and still safeguard basic rights." Regarding the development of a system of biometric identification,
EPIC further said:
Some
steps should be taken to reduce the risk of fraud and identity theft.
Identification documents should be made more secure. However, the integration
of secure identity cards with interconnected databases raises substantial
privacy risks that will require new legislation and new forms of oversight.
Privacy enhancing techniques that minimize the collection and use of personally
identifiable information should also be considered. . . . There are significant
privacy and civil liberties concerns regarding the use of such devices that
must be resolved before the widespread deployment of biometric passports for
U.S. citizens. In particular, a system properly designed to ensure the security
of the borders should not provide the basis for routine identification within
the United States.
The
Commission also recommended certain safeguards to protect privacy and promote
government oversight including:
· As the President
determines the guidelines for information sharing among government agencies and
by those agencies with the private sector, he should safeguard the privacy of
individuals about whom information is shared.
· At this time of
increased and consolidated government authority, there should be a board within
the executive branch to oversee adherence to the guidelines we recommend and
the commitment the government makes to defend our civil liberties.
Regarding the establishment of a
board to safeguard civil liberties, civil liberties organizations, and even one
member of the Commission, urged the establishment of an independent oversight
board.
Recent years
have seen a new trend towards the increased use of video surveillance cameras
linked with facial recognition software in public places. This kind of technology was first used at the
2001 Super Bowl in Tampa, Florida to compare the faces of attendees to faces in
a database of mug shots. Public usage of the technology then spread to the Ybor
City district of Tampa, where the technology encountered much public
opposition. In August 2001, the Tampa City Council held a vote on whether they
should terminate their contract with Visionics, but they narrowly decided to
keep using the software. Later in the year, police discontinued use of the
system because it produced too many false positives, resulting in wasted police
time. Virginia Beach, Virginia, received funding in
2001 from the Virginia Department of Criminal Justice Services to install a
system that can scan and process the facial images of tourists visiting the
town. Face recognition technology is still not reliable and remains unregulated
by US laws. Studies sponsored by the Defense Department have also shown the
system is right only 54 percent of the time and can be significantly
compromised by changes in lighting, weight, hair, sunglasses, subject
cooperation, and other factors. Tests on the face recognition systems in
operation at Palm Beach Airport in Florida and Boston Logan Airport have also
shown the technology to be ineffective and error-ridden.
There have
been several proposals to create a National ID in the wake of the September
terrorist attacks. Most of these efforts have sought the creation
of a national identification system through the standardization of state
driver's licenses. A publishing entrepreneur, Steven Brill, has
proposed a "Verified Identity Pass" for those who subject themselves
to a background check and submission of a biometric sample in exchange for the
opportunity to breeze through security lines. There are also more limited attempts to create
national identification systems through "enhanced visa" documents and
"trusted traveler" programs. In June 2004, the Department of Homeland
Security announced that it was creating a database for its "Registered
Traveler" program. Enrollees in a three-month test period will
submit biometric samples and undergo a background check. The value of the
program is questionable for travelers, as enrollees will still have to submit
to normal screening; the card only makes it less likely that they will be
subject to secondary screening with a metal-detecting wand.
In 2002, the
government initiated several privacy-invasive programs as a result of the
September 11, 2001 attacks. Among these is the United States Visitor and
Immigrant Status Indicator Technology (US-VISIT) program, which requires visitors to the country
to submit a biometric identifier to the government. When a visitor subject to
US-VISIT applies for a visa to travel to the United States, he is fingerprinted
and photographed at an overseas US consular office. This biometric information is then checked
against more than 20 interfacing government databases to determine the
likelihood that the visitor is a criminal or terrorist. When the visitor arrives at a US port of entry,
he is again fingerprinted and photographed to verify that he is the same person who
was issued the visa. The program will eventually be expanded to
fingerprint visitors when they exit the US, as well. US-VISIT currently does not apply to visitors
to the United States traveling through the Visa Waiver Program, but by
September 20, 2004, the program will be expanded to include Visa Waiver
travelers arriving at air and seaports.
On January
5, 2004, the Department of Homeland Security had already deployed US-VISIT at
115 airports and 15 major seaports. US-VISIT is expected to be operational at every
US air, land and seaport by the end of 2005.
Additionally,
immigration authorities, in conjunction with several other federal agencies,
are implementing the Student and Exchange Visitor Information System (SEVIS).
SEVIS is an Internet-based system that allows schools to transmit student information
to the government for purposes of tracking and monitoring non-immigrant and
exchange students. Accessible information includes a student's personally
identifiable information, admission at port of entry, academic information,
such as changes in program of study, and disciplinary information. Schools will
be required to transmit such information to the Bureau of Citizenship and
Immigration Services (BCIS, formerly the Immigration and Naturalization
Service) for the duration of a student's stay in the United States. The USA
PATRIOT Act required that SEVIS be fully implemented by January 1, 2003.
Total
Information Awareness (TIA) was one of many post-September 11 responses to
terrorism. TIA is a now-defunct program of the Defense Advanced Research Projects
Agency (DARPA) that intended to scan ultra-large databases of personal
information to detect the "information signature" of terrorists. The
program was headed by Admiral John Poindexter, and was renamed "Terrorism
Information Awareness" to pacify critics. Congress acted to limit the project in February
2003 by requiring DARPA to submit a detailed report on TIA and, later in the
year, cut funding for Poindexter's entire Information Awareness Office.
The Computer
Assisted Passenger Prescreening System (CAPPS II) aims to conduct background
risk assessments on all air travelers before they fly on commercial airliners.
The profiling system will rely on experimental data-mining technology to sift
through data from various commercial and government databases, assigning
different "risk scores" to passengers. Based on these scores,
passengers will either be denied boarding, subjected to a more intrusive
physical search, or passed through normal screening. Civil libertarians have
noted that CAPPS II may be scaled to other settings in the future, such as
train stations, bus stations, or even the entrances of public buildings. In July 2003, the Department of Homeland
Security indicated that there would be further revisions to the CAPPS program. The Department of Homeland Security intends to
link CAPPS II and US-VISIT when both programs are fully operational to ensure
that "the processes at both border and airport points of entry and exit
are consistent."
States are
pursuing information sharing and data mining arrangements. Most notable amongst
these systems is "MATRIX," the Multi-state Anti-Terrorism Information Exchange. The MATRIX is a prototype database system run
by the State of Florida and Seisint, a private company. Built by a consortium
of state law enforcement agencies, MATRIX combines public and private records
from multiple databases with data analysis tools. MATRIX is available to law
enforcement agents in participating states, and provides a wealth of personal
information in near-real time. However, the success of the MATRIX seems to be
limited as many states have left the system. At publication, only five states
remained in the information sharing agreement.
The Foreign
Intelligence Surveillance Court of Review (FISCR) convened for its first
controversy in 2002, and broadly expanded the Department of Justice (DOJ)'s
surveillance authority under FISA. The Court held that the Department of
Justice could use looser foreign intelligence standards to conduct criminal
investigations in the United States. In doing so, the Court of Review reversed
a unanimous lower opinion that revealed a pattern of FBI misrepresentations and
cast serious doubt on the veracity and accuracy of claims made by the DOJ and
the FBI in support of requests for approval of national security and
anti-terrorism surveillance. The lower court found that DOJ and FBI officials
had submitted erroneous information in more than 75 applications for search
warrants and wiretaps and had improperly shared intelligence information with
agents and prosecutors handling criminal cases on at least four occasions.
As a result
of these problems, the court refused to give DOJ the broad new surveillance
powers it sought to employ after the September 11 terrorist attacks.
Nevertheless, the Court of Review reversed the earlier decision, and permitted
the government to remove the separation that has long existed between officials
conducting surveillance on suspected foreign agents and criminal prosecutors
investigating crimes.
In July
2003, the Department of Housing and Urban Development (HUD) announced guidelines for "Homeless Management Information
Systems" (HMIS). HMIS was created to track homeless
populations in order to deliver more efficient services. However, the system as
proposed by HUD is unnecessarily privacy invasive, and requires the homeless to
give their name, SSN, date of birth, medical information, benefits information,
and a history of services rendered to them. HMIS, if adopted as proposed, will
enable law enforcement and national security interests to obtain detailed
information on the homeless with ease.
In the United States, RFID
legislation has been proposed, but not yet passed, in several state
legislatures over the past year. Most of this legislation includes provisions
for clear labeling of consumer products bearing RFID tags, a requirement
originally proposed for federal legislation drafted by CASPIAN, the "RFID
Right to Know Act of 2003." A bill introduced and still being debated in the California Senate
requires that tags be destroyed or removed at checkout. A bill in the Utah legislature, which failed, and bills in Missouri
and Maryland, require tags be labeled only. A Virginia bill calls for a general review of RFID practices and
privacy. There is no legislation currently being considered in the US at the
federal level, although the FTC recently conducted a workshop to consider the
question.
In November, a joint position
statement of consumer and privacy groups including EPIC called for a moratorium
on the use of RFID tags in individual consumer products until a formal
technology assessment can be conducted. Further, the statement called for
industry use of RFID to abide by Fair Information Practices and stated that
certain uses of RFID, such as the tracking of individuals, should be flatly
prohibited.
Numerous US regulatory bodies
and federal agencies have shown interest in RFID technology. On June 20, 2004,
the FTC conducted a workshop to debate the current and potential impact of RFID
on consumers and individual privacy. Privacy advocates cautioned that without
regulation RFID use could have significant, negative impact on individual
privacy. At the workshop, the FTC took the view that it was too early to
consider regulation. The FCC already regulates the use of electromagnetic spectrum in
RFID applications. The FCC places limits on the power and spectrum allocation
of RFID readers, which in turn will limit the read range of a particular tag. Recently, the FCC reduced RF (radio frequency) power restrictions
on the DHS to improve the effectiveness of scanning shipping containers when
they reach US ports. On October 23, 2004, the Department of Defense (DOD) announced a
policy requiring all suppliers to begin using RFID on the "lowest possible
piece" of shipments to the DOD by January 2005. The announcement cited
improvement of data quality, items management, asset visibility, and
maintenance of material as reasons for the new policy. In February 2004, the Food and Drug Administration (FDA) released a
report suggesting that RFID could be instrumental in the fight against
counterfeit drugs and help improve patient safety. The report claims it should
be feasible to use RFID to track all drugs at the unit level by 2007. In October 2002, the FDA ruled that the VeriChip, an RFID chip
designed to be implanted in the human body, is not a regulated medical device
"for security, financial, and personal identification/safety
applications," although specific health applications would be. In October 2004, the FDA allowed the use of the chip to provide
easy access to individual medical records. In June 2004, the Department of Homeland Security (DHS) signed a
multi-billion dollar contract with Accenture that will include using RFID at US
border checkpoints. Airlines are beginning to develop pilot programs to test
the use of RFID for luggage tags to enhance security and protect against lost
or misdirected bags.
Voting in the United States is open to those 18 years or older, but is not mandatory. The application of direct recording electronic (DRE) paperless voting technology in US public elections addresses some issues
of voter privacy while potentially creating others. The greatest privacy
benefits of DRE voting machines accrue to those who are visually disabled or
have literacy challenges, or to language minorities. Critics of paperless DRE
voting technology acknowledge the apparent usability benefits to some voters,
but point to a critical vulnerability in their design. There are also charges that voter privacy would be threatened if the restricted space around DRE
voting machines were too small. DRE voting technology has triggered strong debate between
technologists, election administrators, voting rights activists, media, and NGOs.
Internet voting in the US is
still in its infancy, with only two states, Arizona and Michigan, having attempted some level of public elections using this
method. In 2004, the US military sought to undertake for the first time an
all-Internet voting process for military personnel and civilians living abroad.
Voter registration lists are now
the responsibility of state governments, with local authorities tasked to register voters. Registration
forms may include requests for name, current and previous address, home and
work telephone numbers, birthplace, social security number, birth date, race, gender, and party affiliation. This registration information is made available to the people who
manage political campaigns who can use the information to solicit voters for
support. A new election law, the Help America Vote Act, requires that voter registrants submit proof of identity by
providing a state-issued identity document or the last four digits of their
social security number.
The Internet is making it much
easier to engage in "free speech" in the form of monetary
contributions to political causes and candidates. However, Congress can regulate the volume of this speech. A contribution of USD 200 or more will expose the contributor's
personally identifiable information to others. The presentation of this personally identifiable information on the
Federal Election Commission (FEC) web page has been greatly enhanced with data mining technology. The FEC Act of 1971, as amended in 1974, limits political
contributions by individuals or groups to candidates for federal elective
office.
The Freedom of Information Act
(FOIA) was enacted in 1966 and has been amended several times. It allows for access to federal government records by any
requestor, except those held by the courts or the White House. However, there
are numerous exceptions, long delays at many agencies, and little oversight
unless a requestor files a lawsuit to enforce its rights. It was amended in
1996 by the Electronic Freedom of Information Act to specifically provide
access to records in electronic form. Most recently, the Congress enacted a "critical infrastructure
information" (CII) exemption to the FOIA for the newly-formed DHS. This
exemption would shield information voluntarily provided to the government by
private entities on security information from the FOIA. Once disclosed to the government, CII could not be used against the
company in civil litigation, and government agents who disclose the information
would be subject to criminal penalties and fines. Since the creation of this
loophole for the DHS, other agencies have sought similar exemptions from the FOIA.
There are also laws in all states on providing access to government records.