Responding to Terrorism
Identity systems
Surveillance of Communications
Travel Privacy
Audio Bugging
Video Surveillance
Satellite Surveillance
Electronic Commerce
Radio-Frequency Identification (RFID)
Public Records
Census
Digital Rights Management
Authentication and Identity Disclosure
WHOIS
UN WSIS and Privacy
Spy TV: Interactive Television & "T-Commerce"
Genetic Privacy
Workplace Privacy
E-Voting Privacy
Nanotechnology
Responding to Terrorism
It may take some years to fully evaluate the effects of the terrorist attacks of the past few years on privacy and civil liberties. In the wake of each attack, earlier proposals were re-introduced, and new policies with similar objectives were drafted to extend police surveillance authority. Four years on from September 11 2001, the legal and political landscapes have shifted significantly in many, if not most, countries.
With terrorist attacks occurring around the world, including in Egypt, the United Kingdom, Spain, Bali, Russia, Morocco, and Saudi Arabia, governments have responded to these events by enhancing and creating new powers. The country reports in this survey outline, in more detail, the many legislative shifts that have taken place around the world. Terrorism politics is truly global.
The changes in anti-terrorism laws are not the only policy transformations in response to terrorism. The mere threat of terrorism has changed political discourse. In some cases, the "war on terrorism" has given new life to previously failed proposals such as national ID cards in the United Kingdom. In 2003, the UK government returned to the rhetoric of terrorism to shore up support for the cards while previously fraud and asylum seekers were used.[1] Despite more recent statements by the Home Office Minister, quietly admitting that ID cards will have no effect on combating terrorism, and would not have prevented the attacks in July 2005,[2] the policy is seen as inseparable in the minds of politicians, the media, and the general public. This is despite mounting evidence stating otherwise.[3]
In some cases, policies have been adopted from other countries with little consideration to the variances in political dynamics. Hong Kong attempted to harmonize its laws on sedition with mainland China, requiring a standardization of criminalized groups. Malaysia decided against repealing its Internal Security Act 1960 involving detention.[4] South Africa and Jamaica's draft anti-terrorism laws copy Canada's proposed definition of "terrorist activity," even though Canada later changed its definition because there were concerns that protesters would be confused with terrorists.
In other cases, the mere increase of state power is immediately associated with the "war on terrorism"; whether requiring the removal of veils for driver's license photos,[5] secret seizure of packages from the media,[6] clamping down on train-spotters and -photographers,[7] chasing down opposition parties,[8] and the equation of terrorism to separatism[9] and its implications,[10] or suppressing dissent,[11] amongst others. Canada created a travelers' database for anti-terrorism purposes, and other crimes. The United Kingdom managed to pass communications data retention laws in the legislative environment of the aftermath of September 2001; while retained data could be accessed, under another law, for practically any investigation. In the US, concerns have arisen regarding the use of counter-terrorism powers to seize funds from foreign banks that do business in the US for investigations that are unrelated to terrorism.[12]
In other situations, these laws may be passed and used to suppress dissent. In Italy, the Interior Minister warned of a growing climate of "widespread political illegality" and mixed together Islamic terrorist groups, endogenous left-wing armed groups, anarchist insurrectionaries, and right-wing groups as a common threat.[13] Moldova's bill to fight extremism coincides with the government's intention to minimize dissent as it allows the banning of political parties, public and religious associations, and media outlets if they promote violent overthrow of country's territorial integrity, undermining state power, or setting up illegal armed organizations.[14] Georgia's bill, drafted in consultation with European colleagues according to a state security ministry official,[15] provides for restricting or suspending the activities of organizations that receive foreign funding and whose activities "threaten Georgia's national interests," but fails to define those interests.[16]
While the legal landscape is shifting and affecting many components of human rights, not only privacy, in many cases these policies are founded upon its curtailment.
The immediate period after September 2001 was a time of fear, flux and uncertainty. The United Nations responded with Resolution 1368 calling for increased cooperation between countries to prevent and suppress terrorism.[17] North Atlantic Treaty Organization (NATO) invoked Article 5, claiming an attack on any NATO member country is an attack on all of NATO; legislatures responded accordingly. The Council of Europe condemned the attacks, called for solidarity, and also called for increased cooperation in criminal matters.[18] Later, the Council of Europe Parliamentary Assembly called on countries to ratify conventions combating terrorism, lift any reservations in these agreements, and extend the mandate of police working groups to include "terrorist messages and the decoding thereof."[19] The European Union responded similarly, pushing for a European arrest warrant, common legislative frameworks for terrorism, increasing intelligence and police cooperation, the freezing of assets and ensuring passage of the Money Laundering Directive.[20] The Organization for Economic Cooperation and Development (OECD) furthered its support for the Financial Action Task Force on Money Laundering and, along with the G-7[21] and the European Commission, called for the extension of its mandate to combat terrorist financing.[22] These calls for international cooperation were perceived by many as impetus to create new laws.
The European Commission considered requiring every member state of the European Union to make cyber attacks punishable as a terrorist offense. New Zealand minimized public consultation on a proposed law to freeze the financial assets of suspected terrorists because the government felt it was bound by United Nations Security Council resolutions. France expanded police powers to search private property without warrants. Germany reduced authorization restraints on interception of communications, and increased data sharing between law enforcement and national security agencies.
Australia and Canada both introduced laws to redefine "terrorist activity" and to grant powers of surveillance to national security agencies (ASIO and CSIS respectively) for domestic purposes if terrorist activity or affiliation is suspected. India passed a law to allow authorities to detain suspects without trial, conduct increased wiretapping, and seize funds and property. The United Kingdom passed a law to permit the retention of data, which will be accessed for law enforcement purposes. The United States passed several laws that increase surveillance powers and minimize oversight and due process requirements.
As time moved on, so did many of these policies. Some changes involved the "re-balancing" or a re-assessing of state power, such as moves to restrict the USA PATRIOT Act on access to library borrowing privileges,[23] India repealed the Prevention of Terrorism Act.[24] Also, the UK's highest court found the detention powers under the Anti-Terrorism, Crime and Security Act as unlawful according to the European Convention on Human Rights.[25]
But with every subsequent terrorist incident, governments around the world saw the opportunity to enhance their powers even further. For instance, as they did after September 11, 2001, the Council of Justice and Home Affairs ministers of the European Union held emergency summits after the March 2004 Madrid bombings, and again after the July 2005 London bombings, calling for greater powers of surveillance of communications and financial transactions, increased cooperation across borders, and sometimes calling for the exact same policies they sought in prior meetings. After a terrorist attack in the Philippines in February 2005, the Philippine government sought a new set of anti-terrorist measures such as requiring surveillance-enabled communications facilities at all phone providers, and a renewed push for identity cards. In the wake of terrorist attacks in Russia, a raft of new powers were introduced with little debate,[26] including harsher penalties and a ban on media coverage of terrorist attacks,[27] despite criticism from the United States.[28] As was the case after the 2001 attacks in the US, countries all around the world respond to international incidents not directly affecting them. After the July 2005 bombings in London, both France and Italy enhanced their immigration and police powers,[29] including the collection of DNA samples.[30]
Within this deluge of new policy proposals in the periods after terrorist attacks, several trends may be identified.
Almost every country that changed its laws to reflect "new" terrorist threats increased the ability of law enforcement and national security agencies to perform interception of communications and the type of data that can be accessed, and transformed the powers of search and seizure. The novelty in these initiatives tends to arise in reduced authorization requirements and oversight. These included initiatives to weaken due process requirements; this occurred in Canada where the first anti-terrorism bill proposed that law enforcement agencies would no longer be required to justify the need for a wiretap.[31]
There is also a general increase in the breadth of application of these powers. By incorporating and including new technologies and communications infrastructures, additional government agencies are permitted to use these powers, and formalize roving powers.[32]
Attempts to differentiate the authorization and oversight requirements based on communications technology also occurred. The Australian government created powers to intercept and read e-mail, SMS and voicemail messages without a warrant because these communications were considered access to "stored" data rather than "intercepted" in real-time.[33]
Protections against invasive searches and seizures are continually degraded. Random searches generated much public discussion after the London bombings, with some discussion of racial profiling; despite already significant rises in the stopping and searching of visible minorities since 2001.[34]
In 2000, the United Kingdom proposed a policy to require the retention of communications traffic data for up to seven years by a central government authority.[35] While the proposal faced significant resistance in the public discourse at that time, in December 2001, a similar policy was introduced and passed under the United Kingdom's anti-terrorism law in response to the events of September 2001.
The European Union Directive on Privacy and Electronic Communications also supports the creation of such data retention laws within the European community and is consistent with international pressure to weaken data protection. Such a pressure came from the US government when, in October 2001, President George W. Bush sent a letter to the president of the European Commission requesting that the European Union "[c]onsider data protection issues in the context of law enforcement and counterterrorism imperatives," and as a result, "[r]evise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period."[36]
This pressure was reiterated in May 2002, this time by the Group of 8 Justice and Interior Ministers, requesting that countries:
Ensure data protection legislation, as implemented, takes into account public safety and other social values, in particular by allowing retention and preservation of data important for network security requirements or law enforcement investigations or prosecutions, and particularly with respect to the Internet and other emerging technologies.[37]
And again, in emergency meetings after the Madrid and London bombings, Justice ministers from EU member states called for all member states to implement mandatory data retention.[38]
At the same time, individuals and citizens are losing subject access rights under data protection and freedom of information regimes. In the interests of critical infrastructure protection, access to information is being reduced, limiting government accountability.[39] Meanwhile, in order to protect sensitive investigative and intelligence data, subject access requests are restricted as some data banks are being exempted from both data protection and freedom of information laws.[40]
Several policies were introduced to enable and promote increased data sharing, both within and across government agencies, and with the private sector. The sharing of data between agencies introduces mission creep, where data collected for one purpose is used for another, but also introduces highly sensitive data to arms of government that cannot be expected to protect the data adequately.
There have been significant shifts in the policies and practices in the United States, with changes to the Attorney General Guidelines regulating the actions and capabilities of the Department of Justice and Federal Bureau of Investigation (FBI); increased sharing of information between the FBI and Central Intelligence Agency supported by the USA PATRIOT Act' and proposed policies to increase sharing with local law enforcement agencies. The United States is not alone in introducing such policies. The United Kingdom continues to propose "joined-up government" within its consultation paper on modernizing government and public services[41] to create "data-sharing gateways" and provide "seamless" services.[42] It also tried unsuccessfully to allow practically any government agency to gain access to the traffic data of individuals under the Regulation of Investigatory Powers Act, including local councils and parishes.[43]
The increased flow of data is also coming from the private sector. The United Kingdom and Canada proposed laws to grant law enforcement agencies access to travelers' information. The United Kingdom Home Office has recommended that it gain access to information from every passenger before international flights,[44] and its new "E-borders" program calls for the collection and retention of passenger data of all citizens and visitors.[45] The Canadian Public Safety Act, finally passed in May 2005, grants both the federal law enforcement and the intelligence agencies access to air passenger information, regardless of domestic or international travel, and to match this data with other personal information[46] for a wide number of purposes and investigations, not limited only to terrorism.[47]
Similarly, the European Union considered granting Europol access to the Schengen Information System, including privileges to change the information held on travelers.[48] Data sharing among financial institutions and government agencies also increased. New money-laundering agreements and regulations have been introduced to increase surveillance of transactions, and even expanded to include hedge funds and money-transfer firms.[49] Donations to charities are receiving further scrutiny as both charities and donors are monitored to investigate links with terrorist groups.[50] Some financial institutions are also sharing personal information in order to minimize risk of clients being terrorists, or "undesirables."[51]
The controversial private-run profiling system, MATRIX (Multistate Anti-TeRrorism Information eXchange) was shut down in April 2005. This system combined information from government databases and private-sector companies.[52] Although many states withdrew from the system, it was uncovered that the system, developed by Florida-based company Seisint, was used extensively in the months following the 2001 attacks on the World Trade Center and Pentagon. With funding from the US departments of Justice and Homeland Security,[53] the system identified 120,000 people who showed a statistical likelihood of being terrorists.[54] This "High-Terrorism Factor" was used to conduct investigations and arrests after the information was submitted to state police, the former Immigration and Naturalization Service, FBI, and the Secret Service. Subsequent use of the system showed that it had limited use for combating terrorism, and was accessed mostly for cases involving fraud and theft.[55]
Following from data sharing, there are several proposals to create profiles or increase the existing profiles of individuals. This occurs in several stages; the most immediate appears to be the profiling of travelers. There has already been testing of a next generation computer-assisted passenger prescreening system in the United States that will bring in data from credit-reporting agencies and other companies, and even previous flights and registries, for data mining. New projects also include trusted-traveler programs involving the collection of biometrics and background checks, and are quickly becoming international standards.[56] Some airports have also installed face-recognition technologies, while similar technologies are being implemented at national monuments, and even beaches.
In the longer term there are several proposals to increase profiling of citizens and non-citizens. These proposals are typically enhanced and complemented by national identification schemes, enhanced with biometrics. There was considerable discussion in the United States in introducing such a national ID card scheme but no formal policy was introduced, though a standardization process was introduced for government-issued identity documents such as driving licenses under the REAL ID Act of 2005. Meanwhile non-citizens may already be tracked at border entry points and as they move within the United States. A system called Student and Exchange Visitor Information System (SEVIS) keeps track of foreign students to ensure that they are still registered and maintains a log of their addresses.
The United Kingdom proposed the adoption of entitlement cards in an effort to deal with immigration, illegal work and identity theft, but also supported by the fight against terrorism. In December 2004, it introduced the Identity Card Bill for consideration in Parliament, though it was withdrawn in April for the May 2005 elections, and again reintroduced in June 2005. Similarly, Hong Kong introduced a biometric chip identity card to verify fingerprints to authenticate travelers into China. The government of the Philippines is again proposing an identity card after a number of failed attempts.[57]
None of the above trends are necessarily new. The novelty is the speed with which these policies gained acceptance, and in many cases, became law in the periods following terrorist attacks.
New policies to combat terrorism continue to emerge. The United States continues to lead with new policies, technologies, and practices. The importance of US policies is that they tend to influence policies and citizens of other countries. By September 2002, the Office of Management and Budget counted 58 new regulations responding to terrorism.[58] In March 2003, the Government Accountability Office counted nine new National Strategies.[59] There have been innumerable laws passed at the federal and state levels,[60] and countless changes in administrative measures, including the Attorney General Investigative Guidelines. A number of technological systems have been proposed and implemented, ranging from the "Total Information Awareness" Program (TIA), to the aforementioned MATRIX systems, the Computer Assisted Passenger Prescreening System (CAPPS II) and "Secure Flight."
One of the largest such systems is implemented at the US border. On top of increased interviews of visa applicants, and requirements for machine-readable passports from other countries, in January 2004, the Department of Homeland Security introduced the US Visitor & Immigration Status Indication Technology System (US-VISIT). US-VISIT collects information on all visa-visitors to the US, including two fingerprints and a digital photograph. In September 2004, this procedure was extended to all visitors.[61] In July 2005, a new policy was announced to increase biometric collection to that of all ten fingerprints.
Meanwhile, US Customs officials have been meeting with EU officials regarding the transfer of, and access to, passenger personal data, as required under Aviation and Transportation Security Act 2001. The EU's Article 29 Data Protection Working Group noted several problems with the proposed data sharing, including the retention time and the excessive amount of data being requested.[62] The negotiations that followed in 2003 and the beginning of 2004 resulted in the EU's capitulation, however. The European Commission agreed in early 2004 to submit European airlines' customer information to the US Department of Homeland Security, despite numerous unresolved issues.[63]
Several other programs for data-sharing and data-mining have been developed, including the National Security Entry-Exit Registration System (NSEERS) and the Student and Exchange Visitor Information System (SEVIS). The most well-known system is the Total Information Awareness program. This program was one of many post-September 11 responses to terrorism. TIA is a now-defunct program of the Defense Advanced Research Projects Agency (DARPA); it was to scan ultra-large databases of personal information to detect the "information signature" of terrorists.[64] The program was headed by Admiral John Poindexter, and was renamed "Terrorism Information Awareness" to pacify critics.[65] Congress acted to limit the project in February 2003 by requiring DARPA to submit a detailed report on TIA and, later in the year, cut funding for Poindexter's entire Information Awareness Office.
Further data collection measures that were controversial in 2003 included the registration and fingerprinting of immigrants. The National Security Entry-Exit Registration System (NSEERS) involved the registration of nearly 82,000 male immigrants and visitors from predominantly Muslim countries, leading to possibly 13,000 deportations.[66] The information has been stored in a secure government database along with travel data, photos, and matched against other data held on potential terrorists.[67] Officials have admitted in 2004 that only 11 individuals have been identified to have links to terrorism.[68] Another system, the Student and Exchange Visitor Information System (SEVIS), used to track the nearly one million foreign students in the US, has also been problematic due to poor technology and limited resources.[69]
There have also been several developments in surveillance law. The use of the USA PATRIOT Act continues to be questioned. There have been attempts at extending some of its contentious measures that are supposed to sunset at the end of 2005.[70] After an extensive cross-country campaign by then-Attorney General John Ashcroft, the White House exerted a great deal of pressure on Congress to prevent laws that scale back the powers[71] and to extend the more invasive provisions indefinitely.[72] One effort to water down the law was rejected in the House of Representatives by a 210-210 tie vote in July 2004, after debate was prolonged when it appeared that the law's reach would be minimized.[73] Later, in June 2005, the House voted 238-187 to restrict access to book purchases and library-borrowing records.[74] After the July 2005 terrorist bombings in London, however, both the House and the Senate moved to extend or make the USA PATRIOT Act permanent.[75]
In February 2003, a draft bill was uncovered, entitled the Domestic Security Enhancement Act of 2003, which contains several new powers including the stripping of citizenship, wiretaps without court orders, secret detentions, limits on the challenging of secret evidence, increased use of DNA without court orders and consent, increased data sharing, and increased international cooperation in search and seizure and extradition. Though the law was never formally introduced, its components have appeared in other laws, both in the US and abroad.
In February 2005, the US House of Representatives approved H.R. 418, the REAL ID Act. It became law in May 2005 without any hearings. One aim of the law is to establish and rapidly implement regulations both for state driver's licenses and for identification document security standards. The law also requires states to deny driver's licenses to undocumented immigrants. These new regulations are seen as moving the license into the realm of a national ID card.
The general response to the REAL ID Act in the US is one of widespread concern, and there are reports of a number of plans to appeal to the courts on the matter. For instance, the National Governors Association threatened lawsuits on the grounds that it will cost states up to USD 700 million to comply with the law.[76] The Mexican government is prepared to lodge a diplomatic complaint regarding the law, referring to it as “negative, inconvenient and obstructionist."[77]
In an interesting development, the state of Georgia has prohibited the use of fingerprints in drivers' licenses. This followed concerns regarding identity theft, and acknowledgement by the law enforcement community that the fingerprints were not being used for combating crime.[78] The state assembly of Georgia responded by passing a law, by a wide majority,[79] prohibiting the collection of fingerprints for state driver's licenses.
Other countries have found novel means of implementing invasive policies and practices. The global legal landscape is fragmented. In some countries there are no specific terrorism laws as yet, such as in Belgium. Other countries have been very active in implementing laws.
Recently the Philippines has been actively confronting terrorism and devising new policies. Prior identity card policies faced opposition due to their discriminatory grounds. One plan involved requiring Muslims in Manila to carry an ID card at all times, supposedly intended to detect terrorists hiding in Muslim communities. Although these measures were supported by the police and intended to be implemented very quickly, the plan disappeared after a loud and widespread outcry by Muslim groups, politicians and civil liberties groups.[80]
In August 2003, the Bureau of Immigration and Deportation presented its plans for a biometrics-enhanced smart card for all aliens residing in the Philippines, which it introduced as a counter-terrorist measure.[81] Besides the biometric data in the form of thumbprint templates and facial structure records, the "Alien Certificate of Registration Identification Card" (ACR-ICard) was to contain personal information, criminal records and ACR payment transactions, as well as the date and time of a subject's arrival/departure.[82]
After a terrorist attack in February 2005, plans were re-introduced for a national ID card. The president signed another executive order calling for its implementation and Interior Minister Angelo Reyes pushed for the system as a solution to terrorism.[83] Although the exact details of the card remain to be known, there are indications that the government of the Philippines is watching the UK process carefully.
Canada has also considered the adoption of ID Cards. The reasoning behind its introduction, according to the minister of Citizenship and Immigration, is that the US will soon require the fingerprinting of Canadians as they pass through the US-Canada border.[84] The Public Safety Act 2005 grants law enforcement authorities access to travel information, even within Canada.[85]
The Public Safety Act went through a number of iterations before it became law, however. In its fourth version, the purposes for access and processing of this information had changed mildly since earlier versions. These purposes are now: transportation security purposes; national security investigations relating to terrorism; situations of immediate threat to the life or safety of a person; the enforcement of arrest warrants for offences punishable by five years or more of imprisonment and that are specified in the regulations; and arrest warrants under the Immigration and Refugee Protection Act and the Extradition Act. A record must be kept of all disclosures, the information disclosed, the reasons, and the name of the person or body to whom the information was disclosed. Information must be deleted within seven days of its receipt, unless required for security purposes. Despite these provisions, law enforcement authorities have stated clearly their intentions to interpret these provisions widely.[86]
This is a separate initiative from the Canadian Customs and Revenue Agency, a proposal to retain travel information for six years. Recently, that proposal has been altered to purge non-customs related data after it is no longer used, and to implement access controls on the database.
Australia has been actively pursuing the concept of a smart passport that includes digital photos. The government has run a trial of the SmartGate application at Sydney Airport, which was heavily criticized as involving ineffective and flawed technology.[87] At the same time, the Australian government has also been pushing for an advanced passenger processing system at the Asia-Pacific Economic Cooperation (APEC) forum.[88] In 2004, the Australian Customs agency received approval from the EU to access the passenger name records of EU citizens, because the Article 29 Working Party deemed the protections adequate.[89]
The New Zealand Customs Service began receiving advance passenger lists in 2003 from airlines under its Customs and Excise Act. The airlines would "feed data directly to the CS's computer system" before landing, and this information is checked for "people of interest." This system is seen as a first step to setting up an Advance Passenger Processing system that will identify problematic passengers prior to boarding flights.[90]
The European Union is pushing forward with a directive requiring carriers to collect and send data on all passengers at the time of boarding to law enforcement agencies in destination countries or face fines.[91]
Some legal developments pertain directly to information technology use. Cuba's law on combating terrorism includes hacking.[92] New Zealand's counter-terrorism bill could force individuals to disclose their passwords, even in non-terrorism related investigations, or face three months in jail or a fine of NZD 2,000.[93] Kenya's bill includes an offense for "collection of information for terrorist purposes," i.e, when someone "collects, makes or transmits a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism; or possesses a document or record containing information of that kind shall be guilty of an offence' term not exceeding 10 years"; "transmit" includes by telephone, e-mail, voicemail, or other telecommunications method; and make available on the Internet. "It is a defense for a person charged with an offence under this section to satisfy the court that he had a reasonable excuse for his action or possession."
It is increasingly difficult to identify the sources of laws, however. Several countries have introduced new laws because of they feel it is imperative to model changes upon those in other countries. For example, Kenyan opposition party members accuse the United Kingdom and the United States for pressuring Kenya; they note that the definition of terrorism in the Kenyan bill is taken from Section 802 of the PATRIOT Act. This was denied by Justice and Constitutional Affairs Assistant Minister Robinson Njeru Githae.[94]
Another source of law includes international treaties. Romania's recently passed law on corruption includes components of the Council of Europe Convention on Cybercrime. Many countries are trying to ratify and implement into law the approximately 12 United Nations conventions on anti-terrorism. Governments report regularly to the United Nations Security Council committee on Resolution 1373 on their progress in adopting these conventions.[95] However, they are also adding to and interpreting these conventions. For example, New Zealand Justice Minister Phil Goff stated in April 2003 that the new Counter Terrorism Bill "was the final step in adopting the last of 12 United Nations conventions aimed at fighting terrorism. . . . It will give police and customs officers more powers to fight terrorism, including enabling police to use tracking devices, and will allow evidence found in the investigation of one crime to be used in the prosecution of another."[96] These additional powers are not included within the standard conventions.
It is therefore important to note not only the laws in other countries, but also the activities of international governmental organizations. These organizations have been very active in developing counter-terrorism policy tools and mechanisms.
The African Union, formerly the Organization of African Unity, released a convention in August 2002 in order to promote the criminalization of terrorist acts, and extradition and mutual legal assistance regimes.[97] While this convention contains controversial concepts with respect to civil liberties, it is far from unique considering the developments in recent years in such conventions as the Council of Europe Convention on Cybercrime.
The Asian-Pacific Economic Cooperation forum (APEC) held a summit in October 2002 in order to promote growth and fight against terrorism. An agreement emerged from the Mexico summit that aims to halt terrorist financing, and to promote cyber-security. At the 2003 summit in Bangkok, the US tried to focus the agenda on how anti-terrorism policy can support global trade, to the concern of some APEC members who wanted to focus on economic issues.[98] The final declaration included a statement that APEC leaders will undertake measures to "dismantle, fully and without delay, transnational terrorist groups that threaten APEC economies."[99] The group will now create a fund, run by the Asian Development Bank, to finance counter-terrorism initiatives including port security and anti-money laundering.[100] It now appears that APEC is considering the creation of "financial intelligence units" to combat the diversion of money from trade to terror groups.[101] Now APEC is calling on all member states to implement biometric passports and is promoting advanced passenger information systems.[102]
The Association for Southeastern Asian Nations (ASEAN) 2003 summer summit included an agreement to obtain and share evidence amongst member countries, share bank records, cooperate in the freezing of foreign assets, and conduct searches and seizures upon request from fellow members; all in the aim to combat terrorism and cross-border crime.[103] An uncommon development, however, is the lack of agreement on extradition. Discussions have also occurred on the issue of secure identity documents. This disagreement continued, however, in the October 2003 summit when the summit statement paid little attention to anti-terrorism policy.[104] The summit did see the establishment of the ASEAN Security Community, strongly advocated by Indonesia,[105] that would not only focus on terrorism, but also on other transnational crimes.[106] This was followed up with a meeting in Bangkok of the ASEAN+3 countries (ASEAN and China, South Korea, and Japan), where ministers vowed to improve communication and enhance intelligence sharing, "especially against the growing threat of terrorism in the region."[107] This would be done through the speeding up of mutual assistance and extradition treaties.
The Group of 8 industrialized countries (G8) is the primary source of discussion on secure passports. At the May 2003 summit of Justice and Home Affairs ministers in Paris, the United Kingdom reportedly promoted computerized passports.[108] The ministers unanimously stressed the importance of developing biometric technologies with the goal of developing a common framework for biometric passports, as is being discussed by the International Civil Aviation Organization (ICAO). There was some disagreement, according to reports, that the French and the US differed on which form of biometrics should be promoted (reports stated that the US supported iris scans or "other innovative technologies," while the French supported fingerprints).[109] In the end, according to ICAO, facial recognition was adopted at the end of May 2003.[110] Other issues addressed by ministers included critical infrastructure protection, child pornography, and enhancing financial investigations. In this last issue of discussion, the G8 ministers promoted the work of experts who "identified 29 best practice principles on tracing, freezing, seizing and confiscating crime-related assets," while admitting that "these principles and good practices are ambitious."[111]
The G8 Evian summit of heads of government met in June 2003. At this summit, the G8 created the Counter-Terrorism Action Group (CTAG), which would support the UN Counter-Terrorism Committee for "capacity building."[112] The proposal was led by the US, with the goal to create a group that would deal with "terrorist financing, customs and immigration controls, illegal arms trafficking, police and law enforcement"; "will identify relevant international best practices, codes, and standards in combating terrorism"; "target counterterrorism assistance to priority countries"; and "work with International Financial institutions to strengthen counterterrorism financing measures."[113]
The G8 summits for 2004, held in the US, furthered these ideas. The Justice and Home Affairs Ministers summit called for legislation to enable sharing of information among and between the intelligence community, the law enforcement community and prosecutors to the fullest degree possible, to prevent, disrupt and preempt terrorist activities; while giving due regard to civil liberties and fundamental principles of law.[114] The ministerial summit also called for "special investigative techniques" that involve undercover agents, cover filing and listening devices, and covert interception of "all forms of electronic communications," and "the use of other critical measures," but that they must take into account privacy rights; while states are encouraged to change legal procedure to allow such techniques to be used in courts.[115] The official Sea Island Summit of G8 leaders, however, did not reflect much of this. That summit included new language regarding a "Secure and Facilitated International Travel Initiative" to protect borders through the sharing of personal information and secure travel documents.[116]
At the G8 summit in Gleneagles, the world was focusing on aid and environmental issues. During the summit, a number of bombs exploded on the London transport system. This led to a number of new declarations on terrorism. Unlike past declarations, the goals gave much fewer details. Previous declarations contained specific policy initiatives, usually released with action plans. Remarkably little detail emerged regarding these new anti-terrorism initiatives. The leaders called for increased sharing of information on the movement of terrorists across borders, particularly intelligence and police information, policy expertise, and even analyses. They referred particularly to terrorist travel, and possibly document security.[117] Similarly, the G8 called for further work at the UN and other organizations to build the political will and capacity of other countries to combat terrorism.
The Commonwealth Secretariat also engaged in work to promote capacity building. In 2002 the secretariat developed "Implementation Kits for International Counter-Terrorism Conventions," a form of "do-it-yourself" manual for governments, covering all 12 multilateral treaties drawn up between 1963 and 1999 by the UN and other inter-governmental fora.[118] In September 2002, the secretariat also released "Model Legislative Provisions on Measures to Combat Terrorism," which define for specified entities a variety of offenses and their investigation, interception of communications and admissibility as evidence. The model provisions also establish procedures for trials, promotion of information sharing, ensure extradition and mutual legal assistance, empower governments to seize evidence, manage charities, outline refugee application refusals, and allow for the removal of persons.[119]
The intergovernmental policy area of financial regulations is dominated by the output of the Financial Action Task Force (FATF). In the early 1990s, FATF developed its 40 recommendations on combating money laundering. In April 2002, FATF released guidance for financial institutions for detecting terrorist financing and conducted consultation on 40 recommendations for terrorist financing, thus extending beyond money laundering. In June 2003, the new recommendations were adopted. According to FATF:
The FATF recognises [sic] that countries have diverse legal and financial systems and so all cannot take identical measures to achieve the common objective, especially over matters of detail. The Recommendations therefore set minimum standards for action for countries to implement the detail according to their particular circumstances and constitutional frameworks. The Recommendations cover all the measures that national systems should have in place within their criminal justice and regulatory systems; the preventive measures to be taken by financial institutions and certain other businesses and professions; and international co-operation.[120]
The acknowledgement of flexibility is due to, according to reports, disagreement on regulatory procedures between American and German delegations.[121] The recommendations include the requirement that institutional secrecy laws are not used to inhibit implementation, and recommend against the keeping of anonymous accounts, with some recommendations on identification as "due diligence." Cooperation between countries is also recommended, as is the removal of unduly restrictive conditions for this cooperation to take place. The scope of application also increases; non-financial businesses including lawyers and notaries except when under privilege.
Inter-governmental organizations in the Europe have been very active as well. The Southeastern Europe Cooperation Initiative (SECI) Regional Center for Fight Against Cross-Border Crimes had its first meeting of "Mission Force for Fight Against terrorism" [sic], in June 2003. Held in Turkey, 85 representatives attended from Albania, Bulgaria, Bosnia-Herzegovina, Croatia, Hungary, Macedonia, Moldova, Romania, Greece, Slovenia and Serbia-Montenegro. According to Turkish Security Director General Gokhan Aydiner, "Turkey has been trying for years to bring the issue of terrorism onto agenda of the world. In some countries, terrorist organizations and their members are considered fighters of freedom. Those who staged gory actions in which thousands of people lost their lives, continue their terrorism activities without any punishment."[122] According to media reports, the task force aimed to cover organized crimes and terrorism, development of common operational plans, financial sources of terrorist organizations.
The Organization for Security and Cooperation in Europe (OSCE) began a new initiative with its first annual security review conference in June 2003. A speech by US Ambassador Cofer Black, Coordinator for Counterterrorism, called on OSCE to continue fighting terrorism, to encourage FATF adherence, to implement UN conventions (noting that only 38 percent of OSCE states have become parties to all 12), and to do the utmost to prevent spread of small arms and light weapons. He also called for closer cooperation with the UN, G8, and ICAO to develop international standards and in turn to encourage regional implementation. Particularly, he called for cooperation on the issue of travel document security with G8 and ICAO.[123] This was supported by "several delegations," as it was felt that "this work could make a significant, real contribution not only to the war on terrorism, but also to the fight against organized crime and illegal immigration, all issues that many delegations had identified as threats to their security and stability."[124] The Bulgarian government, which took over the leadership of OSCE in 2004, promised to steer the organization towards greater international cooperation in combating terrorism and safeguarding national borders.[125]
The vast majority of these meetings of inter-governmental organizations outlined above were closed. In the coming months and years, however, their work, findings, conclusions, and conventions will affect national policy discourse.
This will be particularly the case in the European Union and primarily the output of the Council, where there is more of a binding requirement to enact policies at the national level. As accession countries to the EU begin their process of legal harmonization, interpretation and guidance on EU policies will require scrutiny. The EU has been active in all of the issues covered above. In 2001 and 2002, the Council Framework Decision on a European arrest warrant was developed and is currently being implemented into national law. A Working Party on Terrorism has been convened to develop measures to exchange information between member states and the creation of computer-aided preventative searches on the basis of offender profiles (particularly the compiling of travel patterns).[126] These profiles may include method and means of travel, "physical distinguishing features (e.g., battle scars)," education, places of stay, methods of communication, psycho-sociological features, family situation, expertise in advanced technologies; with the aim to identify terrorists before an act is carried out. A proposed innovation includes searching through "relevant national databases (e.g., registers of residents, registers of foreigners, universities etc.) subject to the provisions of national law, for person who need to be vetted more closely by the security authorities."[127]
The EU has also developed a "roadmap" regarding the implementation of an "EU Action Plan in the fight against terrorism." This roadmap includes the discussion of counter-terrorism in political dialogues with third countries and other multilateral fora. The EU has been particularly active in meetings with Asian countries, and in meetings with the US on mutual legal assistance.[128] The roadmap also consists of enhancing preventing of crime involving the use of electronic communications systems, measures to counter insider dealing, transparency criteria for legal entities, initiatives to draw up a common list of terrorist organizations, and the "systematic transmission to Europol of any piece of data relevant to terrorism," while complying with international obligations regarding protection of fundamental rights and ensuring "a balance between data protection and police efficiency," among other initiatives.
After the March 2004 bombings in Madrid, the EU rushed forward on these initiatives. Amidst calls from the UK Home Office Secretary David Blunkett to "cut the waffle" and to follow up on plans agreed to at the EU years ago, he called for EU member states to implement security measures agreed to after the September 11 attacks.[129] The UK then pushed for other countries to adopt rules on data retention and the EU-wide arrest warrant; although some resistance arose from Sweden, Germany, and Denmark.[130] The final declaration reflected these sentiments, calling for rules on the retention of communications traffic, and simplifying exchanges of information across borders, with a view to adoption by June 2005.[131]
These initiatives led to the establishment of the "Hague Programme." This is a five-year action plan, under the auspices of freedom, justice and security.[132] This program was launched in November 2004, and gained momentum in May 2005 when 10 key action areas were identified. These action plans consist of detailed proposals for EU action on terrorism, migration management, visa policies, asylum, privacy and security, the fight against organized crime and criminal justice.
Following the London bombings in July 2005, days after the UK took over the Presidency of the European Union, the data-sharing momentum increased. Topics on the UK's agenda include data retention for three years, discussion of data protection regulations in the third pillar, increased data sharing between countries under the "principle of availability,"[133] new border security measures, identity documents and fingerprinting of EU residents and citizens, and monitoring of financial transactions.
While the anti-terrorism policy developments outlined above and later in this report have shifted the legal and technological landscape for privacy, there have been some developments in the area of civil liberties and terrorism.
In the US, opposition to the USA-PATRIOT Act has grown. In response to the law, some librarians have begun to tape warnings to computer screens that usage could be subject to scrutiny by law enforcement agencies; in some cases they are destroying records of reading habits and sign-up logs of computer use.[134] There have been successful amendments on TIA- and CAPPS II-related policies to call for studies of the privacy and civil liberties implications of these programs. Finally, in many districts and cities, there is opposition to the PATRIOT Act. Hundreds of local governments have passed laws against the act.[135] Members of Congress and Senators continue to introduce new legislation to minimize the threats to privacy and civil liberties.
Changes in proposed and existing laws are occurring for several reasons elsewhere in the world. In Hong Kong in 2003, after protests including one involving more than 400,000 demonstrators, the government appeared to have backed down on changes to the Basic Law to deal with sedition.[136] Jordan rescinded Article 150 of its penal code, which was introduced in response to the events of September 11, 2001. The article had allowed for "permanent or temporary closure" of publications that "carry false or libelous information that can undermine national unity or the country's reputation," and publications carrying articles that incite "crimes, strikes, illegal public assemblies or undermining public order."[137]
In the most severe case, Peru was forced to review sentences given out to 1,800 people when the high court handed down a decision rejecting the anti-terrorism decrees established under the Fujimori government as unconstitutional.[138] These decrees included trials for treason before hooded military judges and life sentences without review,[139] including for offenses relating to free expression.[140]
The effectiveness of opposition may take some time to take full effect. After India's anti-terrorism bill became law, it was reported that the entire opposition to the government walked out on Parliament.[141] Since its enactment, however, and after its use to detain some politicians, the Parliament has constituted a Review Committee to ensure that the powers are not misused for non-terrorism purposes.[142]
The new government in India repealed the controversial Prevention of Terrorism Act (POTA). As stated in the President's address to Parliament in June 2004, "My government is concerned about the misuse of POTA in the recent past. While there can be no compromise on the fight against terrorism, the Government is of the view that existing laws could adequately handle the menace of terrorism. The Government, therefore, proposes to repeal POTA."[143]
Other efforts for repealing laws came close, or are in the works. In the United Kingdom House of Lords, efforts to repeal the retention of communications data almost succeeded in November 2003. A Privy Council Report emerged in December 2003 calling on data retention to be separated from anti-terror legislation and given its day in Parliament for appropriate deliberation and oversight, while also limiting retention to one year and placing that language in the primary legislation.[144] The European Commission's decision to permit the flow of passenger information from European carriers' databases to the US Department of Homeland Security has been questioned repeatedly by the European Parliament, and the Parliament has taken its case to the European Court of Justice.[145] These are merely some of the sources of change.
Non-governmental organizations around the world have questioned draft laws, bills, and court decisions and have voiced concerns, taken cases to courts, and responded to consultation processes. The arising court decisions may lead to further changes, parliamentarians may listen more, and increased attention to international organizations may lead to more open policy-making, and as a result, better laws.
Identity (ID) cards are in use in one form or another in virtually all countries of the world. The type of card, its functions, and integrity vary enormously. While several countries have official, compulsory, national ID cards that are used for a variety of purposes, many countries do not. These include Australia, Canada, India, Ireland, New Zealand, the United States and the Nordic countries. Those that do have such a card include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia, and South Africa.
Nationwide ID systems are established for a variety of reasons. Race, politics and religion often drive the deployment of ID cards.[146] The fear of insurgence, religious differences, immigration, or political extremism have been all too common motivators for the establishment of ID systems that aim to force undesirables in a State to register with the government, or make them vulnerable in the open without proper documents.
In recent years technology has rapidly evolved to enable electronic record creation and the construction of large commercial and state databases. A national identifier contained in an ID card enables disparate information about a person that is stored in different databases to be easily linked and analyzed through data mining techniques. ID cards are also becoming "smarter" – the technology to build microprocessors the size of postage stamps and put them on wallet-sized cards has become more affordable. This technology enables multiple applications such as a credit card, library card, health care card, driver's license and government benefit program information to be all stored on the same national ID along with a password or a biometric identifier. Governments in Finland, Malaysia, and Singapore have experimented with such "Smart" ID cards. In July 2002, the Labor government in the United Kingdom launched a six-month public consultation process on whether the United Kingdom should adopt an "entitlement card" with similar features.[147] Critics contend that such cards, especially when combined with information contained in databases, enable intrusive profiling of individuals and create a misplaced reliance on a single document, which enables precisely the type of fraud the cards are meant to eliminate.[148] In April 2004 the UK Government announced its draft bill on the identity card and a back-end database of all residents.
In several countries, these systems have been successfully challenged on constitutional privacy grounds. In 1998, the Philippine Supreme Court ruled that a national ID system violated the constitutional right to privacy.[149] In 1991, the Hungarian Constitutional Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[150] The 1997 Portuguese Constitution states "Citizens shall not be given an all-purpose national identity number."[151]
In other countries, opposition to the cards combined with the high economic cost and other logistical difficulties of implementing the systems has led to their withdrawal. Massive protests against the Australia Card in 1987 resulted in the near collapse of the government. Card projects in South Korea and Taiwan were also stopped after widespread protests. In the United States plans to convert the state driver's license into a nationwide system of identification have stalled because of the stiff resistance from a broad coalition of civil society groups.[152]
Biometrics is the identification or verification of someone's identity on the basis of physiological or behavioral characteristics. Biometrics involves comparing a previously captured unique characteristic of a person to a new sample provided by the person. This information is used to authenticate or verify that a person is who they said they were (a one-to-one match) by comparing the previously stored characteristic to the fresh characteristic provided. It can also be used for identification purposes where the fresh characteristic is compared against all the stored characteristics (a one-to-many match). New biometric technology attempts to automate the identification or verification process by converting the provided biometric into an algorithm, which is then used for matching purposes. The computer matching technique necessarily produces either false positives, where a person is incorrectly identified as someone else, or false negatives, where a person who is meant to be identified by the system is not correctly identified. The two error rates are dependent, so for example reducing the number of false positives increases the number of false negatives. The tolerance level is adjusted depending on the need for security in the application.
The most popular forms of biometric ID are fingerprints, retina/iris scans, hand geometry, voice recognition, and digitized (electronically stored) images. The technology is gaining interest from governments and companies because, unlike other forms of ID such as cards or papers, it can be more difficult to alter or tamper with one's own physical or behavior characteristics. Important questions remain, however, about the effectiveness of the automated biometric matching techniques, particularly for large-scale applications.[153] Critics also argue that widespread deployment of biometric identification technology could remove the veil of anonymity or pseudo-anonymity in most daily transactions through the creation an electronic trail of people's movements and habits.[154]
Biometrics schemes are being implemented across the world. The technology is widely used in small settings for access control to secure locations such a nuclear facility or bank vault. It is increasingly being used for broader applications such as retail outlets, government agencies, childcare centers, police forces and automated-teller machines. Spain has commenced a national fingerprint system for unemployment benefits and healthcare entitlements. Russia has announced plans for a national electronic fingerprint system for banks. Jamaicans are required to scan their thumbs into a database before qualifying to vote in elections. In France and Germany, tests are under way with equipment that puts fingerprint information onto credit cards. Many computer manufacturers are considering including biometric readers on their systems for security purposes.
The most controversial form of biometrics – DNA identification – is benefiting from new scanning technology that can automatically match DNA samples against a large database in minutes. Police forces in several countries including Canada, Germany, and the United States have created national DNA databases. Samples are being routinely taken from a larger group of people. Initially, it was only individuals convicted of sexual crimes. Then it was expanded to people convicted of other violent crimes and then to arrests. Now, many jurisdictions are collecting samples from all individuals arrested, even for the most minor offenses. Former New York City Mayor Rudolf Giuliani even proposed that all children have a DNA sample collected at birth. In Australia, the United Kingdom, and the United States, police have been demanding that all individuals in a particular area voluntarily provide samples or face being considered a suspect. United States Attorney General Ashcroft has testified that he has asked the FBI to increase the capacity of its database from 1.5 million to 50 million profiles.[155]
At the same time, DNA data has been used as exculpatory evidence in many criminal trials.
The USA-PATRIOT Act, passed by the US Congress after the events of September 11, 2001 included the requirement that the President certify a biometric technology standard for use in identifying aliens seeking admission into the US, within two years. The schedule for its implementation was accelerated by another piece of legislation, the little known Enhanced Border Security and Visa Entry Reform Act 2002. Part of this second law included seeking international co-operation with this standard. The incentive to international co-operation was made clear: "By October 26, 2004, in order for a country to remain eligible for participation in the visa waiver program its government must certify that it has a program to issue to its nationals machine-readable passports that are tamper-resistant and which incorporate biometric and authentication identifiers that satisfy the standards of the International Civil Aviation Organization (ICAO).
These laws gave momentum to the standards that were being considered at the ICAO by requiring visa waiver countries (which include many EU countries, Australia, Brunei, Iceland, Japan, Monaco, New Zealand, Norway, Singapore, and Slovenia) to implement biometrics into their Machine-Readable Travel Documents (MRTDs), i.e. passports. Failure to do so, presumably, means a removal from the program.
Moving the decision to the ICAO pushes the policy well beyond the Visa Waiver Program countries. The ICAO is the international standard-setter for passports already and the ICAO has been researching biometric passports since 1995. Since then the technologies have changed sufficiently to allow for facial recognition, fingerprints and iris scans to be considered for implementation in passports standards.
The primary purposes of biometric use, according to the ICAO, is to allow for verification ("confirming identity by comparing identity details of the person claiming to be a specific living individual against details previously recorded on that individual") and identification ("determining possible identity by comparing identity details of the presenting person against details previously recorded on a number of living individuals"). Beneficial side effects include advanced passenger information to ports of entry, and electronic tracking of passport use.
In May 2003, the facial recognition emerged as the primary candidate. Intellectual Property issues prevented iris scans from being accepted; while it was felt that the facial recognition is more socially acceptable. Multiple applications of biometrics are also considered, and permitted. Although the use of a single biometric technology by all States is preferred by the ICAO to ensure interoperability, "[h]owever, it is also recognized that some States may conclude it desirable to deploy two biometrics on the same document." Already the EU is discussing requiring fingerprints in passports.
The ICAO is aware, however, that there are contentious legal issues involved with the infrastructure for these passports, including the collisions between the goals of centralizing citizens' biometrics and protecting privacy laws, and with "cultural practices." Not only does this involve a central data store of fingerprints and photos (and face scans) that can be scanned against other databases for other purposes, but this sensitive information may be transferred to other countries when verification is required at border controls. The ICAO foresees that this information may be retained by these other countries. In essence, this may turn into a global distributed database of personal information.
Something that may be important to remember at the time of national implementation is that there is some flexibility permitted by the ICAO. Some states may interpret the ICAO standards to require centralised databases.[156]
The ICAO calls for central databases that allow for additional security confirmation checks, but does not go so far as to require such systems. It may be interesting to see if national governments recall this option, or if they rather change their national laws to allow for centralized storage, as allowed in other ICAO documents. Already the EU is moving towards a centralized registry of biometrics from the passport enrolment process.
Most countries around the world regulate the interception of communications by governments and private individuals and organizations. These controls typically take the form of constitutional provisions protecting the privacy of communications and laws and regulations that implement those requirements.
There has been great pressure on countries to adopt wiretapping laws to address new technologies. These laws are also in response to law enforcement and intelligence agencies pressure to increase surveillance capabilities. In Japan, wiretapping was only approved as a legal method of investigation in 1999. Other countries such as Australia, Belgium, Germany, New Zealand, South Africa and the United Kingdom have all updated their laws to facilitate surveillance of new technologies.
The United States government has been at the forefront of promoting greater use of electronic surveillance. Former FBI Director Louis Freeh traveled extensively around the world, promoting the use of wiretapping in newly democratic countries such as Hungary and the Czech Republic. At the same time, the United States has led world efforts to ensure that all communications technologies have built-in surveillance capabilities and to prohibit the manufacture and use of equipment that cannot be eavesdropped upon. The United States has also been working through international organizations such as the OECD, G-8 and the Council of Europe to promote surveillance.
It is recognized worldwide that wiretapping and electronic surveillance are a highly intrusive form of investigation that should only be used in limited and unusual circumstances. Nearly all major international agreements on human rights protect the right of individuals from unwarranted invasive surveillance.
Nearly every country in the world has enacted laws on the interception of oral, telephone, fax and telex communications. In most democratic countries, intercepts are initiated by law enforcement or intelligence agencies only after it has been approved by an judge or some other kind of independent magistrate or high level official and generally only for serious crimes. Frequently, it must be shown that other types of investigation were attempted and were not successful. There is some divergence on what constitutes a "serious crime," and appropriate approval.
Several countries including France and the United Kingdom have created special commissions that review wiretap usage and monitor for abuses. These bodies have developed an expertise in the area that most judges who authorize surveillance do not have, while they also have the ability to conduct follow up investigations once a case is complete. In other countries, the privacy commissioner or data protection authority has some ability to conduct oversight of electronic surveillance.
An important oversight measure that many countries employ is the requiring of annual public reporting of information about the use of electronic surveillance by government departments. These reports typically provide summary details about the number of uses of electronic surveillance, the types of crimes that they are authorized for, their duration and other information. This is a common feature of wiretap laws in English-speaking countries and many others in Europe. Countries that issue annual reports on the use of surveillance include Australia, Canada, France, New Zealand, Sweden, the United Kingdom, and the United States. Meanwhile in the Netherlands, the Minister of Justice in April 2003 announced that he saw no additional value in maintaining a log of the frequency of wiretaps, or installing a special functionary to oversee the warranty process.[157][158]
These countries recognize that it is necessary to allow for people outside governments to know about its uses to limit abuses. They are widely used in many countries by the Parliaments for oversight and also by journalists, NGOs and others to examine the activities of law enforcement. The reports have shown an increase in the use of surveillance in many countries including Australia,[159] the United States, and the United Kingdom while others such as Canada have remained steady. Most recently, however, Canada has reduced the amount of reporting; despite statutory requirements, annual reports from the Solicitor General on surveillance activities have not been released since 1999.[160]
These laws are designed to ensure that legitimate and normal activities in a democracy such as journalism, civic protests, trade union organizing or political opposition are free from being subjected to unwarranted surveillance because they have different interests and goals than those in power. It also ensures that relatively minor crimes, especially those that would not generally involve telecommunications for facilitation, are not used as a pretext to conduct intrusive surveillance for political or other reasons.
However, wiretapping abuses have been revealed in most countries, sometimes occurring on a vast scale involving thousands of illegal taps. The abuses invariably affect anyone "of interest" to a government. Targets include political opponents, student leaders and human rights workers.[161] This can occur even in the most democratic of countries such as Denmark and Sweden, where it was recently disclosed that intelligence agencies were conducting surveillance of thousands of left-leaning activists for nearly 40 years.
The United Nations Commissioner on Human Rights in 1988 made clear that human rights protections on the secrecy of communications broadly covers all forms of communications:
Compliance with Article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.[162]
The need for greater protection is recognized by many democratic countries around the world. Most recently, the German Federal Constitutional Court has considered whether the interception laws passed in 1998 are constitutional.[163] In March 2004, the German Federal Constitutional Court ruled[164] that significant portions of the 1998 Grosser Lauschangriff[165] wiretapping laws infringed upon the guarantees of human dignity and the inviobility of the home under Articles 1 and 13 of the constitution, or Basic Law.[166] The court held that certain communications are protected by an absolute area of intimacy where citizens can communicate privately without fear of government surveillance.[167] This includes conversations with close family members, priests, doctors and defense attorneys, but excludes conversations about crimes that have already been committed or the planning of future crimes. However, to justify surveillance between the target and such persons of trust, the government must show "there is strong reason to believe that the content of conversation does not fall in the area of intimacy,"[168] and that the crime is "particularly serious".[169] Once a specially protected conversation begins the eavesdropping must stop immediately and any recordings of that portion of the conversation must be erased. The German legislature has until June 2005 to amend Grosser Lauschangriff to comply with the court's decision.
In the past 15 years, the United States government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. This campaign had two strategies. The first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.[170]
Law enforcement agencies have traditionally worked closely with telecommunications companies to formulate arrangements that would make phone systems "wiretap friendly." These agreements range from allowing police physical access to telephone exchanges, to installing equipment to automate the interception. Because most telecommunications operators were either monopolies or operated by government telecommunications agencies, this process was generally hidden from public view.
Following deregulation and new entries into telecommunications in the United States in the early 1990s, law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the United States Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994.[171] The act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States. In 1999, at the request of the Federal Bureau of Investigation, an order was issued under CALEA requiring carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call.[172]
Due to heavy lobbying, the Internet Service Providers (ISPs) in the United States were exempted from implementing these technical requirements under CALEA. Changes are in the wind, however as the FBI is calling for the Federal Communications Commission to expand the law to reconsider Voice Over IP, i.e., phone calls over the Internet and providers as telecommunications carriers under CALEA.[173] If these providers are reclassified as carriers, then the requirements for intercept capability under CALEA will also apply to them. The Senate is currently reviewing legislation on regulating VOIP.[174]
Intercepting content over digital services is a common legal practice in other countries. In Australia the Telecommunications Act 1997 places obligations on telecommunications operators to positively assist law enforcement in the performance of their duties and to provide an interception capability. The costs of these obligations are borne by the operators themselves.[175][176]
In the United Kingdom the Regulation of Investigatory Powers Act 2000 requires that telecommunications operators maintain a "reasonable interception capability" in their systems and be able to provide on notice certain "traffic data."[177] It also imposes on obligation on third parties to hand over encryption keys. These requirements were further clarified in the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002. In the Netherlands, a new Telecommunications Act was approved in December 1998 that required that ISPs have the capability by August 2000 to intercept all traffic with a court order and maintain users logs for three months.[178] The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. In New Zealand, the Telecommunications (Residual Powers) Act 1987 requires network operators to assist in the operation of a call data warrant (equivalent to the United States trap and trace or pen register warrant).[179] An obligation to assist in the operation of a full interception warrant is now also being considered in New Zealand. The Telecommunications (Interception Capabilities) Bill currently being drafted by the Government would require all ISPs and telephone companies to upgrade their systems so that they are able to assist the police and intelligence agencies intercept communications. It would also require a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.[180]In January 2002, a new Law on the surveillance of mail and telecommunications entered into force in Switzerland, requiring ISPs to take all necessary measures to allow for interception.[181] In contrast, the Austrian Federal Constitutional Court held, in a decision[182] in February 2003, that the law compelling telecommunications service providers to implement wiretapping measures at their own expense is unconstitutional.[183] Most recently, Poland and New Zealand have been reported as proposing and adopting new laws requiring ISPs to monitor and record communications transactions.
International cooperation played a significant role in the development of these standards. In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia called the "International Law Enforcement Telecommunications Seminar" (ILETS) . The meetings included representatives from Canada, Hong Kong, Australia and the European Union. At these meetings, an international technical standard for surveillance, based on the FBI's CALEA demands, was adopted as the "International Requirements for Interception." In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards.[184] Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the European Union and the United States offered a Memorandum of Understanding (MOU) for other countries to sign to commit to the standards. Several countries including Canada and Australia immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organizations, including the International Telecommunications Union (ITU) and the European Telecommunication Standardisation Institute (ETSI), were then successfully approached to adopt the standards.
The ILETS group continued to meet. Several committees were formed and developed a more detailed standard extending the scope of the interception standards. The new standards were designed to apply to a wide range of communications technologies, including the Internet and satellite communications. It also set more detailed criteria for surveillance across all technologies. The result was a document called ENFOPOL 98, the European Union designation for documents created by the European Union Police Cooperation Working Group.[185]
In 1998, the document became public and generated considerable criticism. The committees responded by removing most of the controversial details and putting them into a secret operations manual that has not been made publicly available. The new document, now called ENFOPOL 19, expanded the type of surveillance to include "IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address."[186] In April 1999, the Council proposed the new draft council resolution to adopt the ENFOPOL 19 standards into law in the European Union. The Council of Ministers revised the document and, in June 2000, approved a resolution calling for countries:
to ensure that, in the development and implementation – in cooperation with communication service providers – of any measures which may have a bearing on the carrying out of legally authorised forms of interception of telecommunications, the law enforcement operational needs . . . are duly taken into account.[187]
The annex for the document sets out detailed guidelines for interception requirements for "all telecommunications services, circuit and packet-switched, fixed and mobile networks and services." It expands the coverage of the original International User Requirements (IURs) to now include networking technologies, without acknowledging that technologies such as computer networking generate more and greater details of information including web browsing and mobile location information and thus applying traditional surveillance analogies result in more intrusive surveillance.
A related development has been the use of "black boxes" on ISP networks to monitor user traffic. The actual workings of these black boxes are unknown to the public. What little information has been made public reveals that many of the systems are based on "packet sniffers" typically employed by computer network operators for security and maintenance purposes. These are specialized software programs running in a computer that is hooked into the network at a location where they can monitor traffic flowing in and out of systems. These sniffers can monitor the entire data stream searching for keywords, phrases or strings such as net addresses or e-mail accounts. It can then record or retransmit for further review anything that fits its search criteria. In many of the systems, the boxes are connected to government agencies by high-speed connections.
In April 2000, it was publicly revealed that the FBI had developed and was using an Internet monitoring system called "Carnivore" (now called "DCS 1000").[188] The system places a PC running Windows NT at an ISP's offices and can monitor all traffic about a user, including e-mail and browsing. Carnivore "can scan millions of e-mails a second" and "would give the government, at least theoretically, the ability to eavesdrop on all customers' digital communications, from e-mail to online banking and Web surfing."[189] In response to the public uproar over Carnivore, Attorney General Janet Reno announced that the technical specifications of the system would be disclosed to a "group of experts" to allay public concerns.[190] In the fall of 2000, the Justice Department commissioned a team of experts at the IIT Research Institute and the Illinois Institute of Technology Chicago-Kent College of Law (IITRI) to undertake an independent review of the carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system.[191]
In some countries, there have been laws or decrees enacted to require the systems to build in these boxes. Russia was the first country where this requirement was made public, and according to Russian computer experts, the United States government advised them on implementation. In 1998, the Russian Federal Security Service (FSB) issued a decree on the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require ISPs to install surveillance devices and high-speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant.[192] ISPs are required to pay for the costs of installing and maintaining the devices. When an ISP based in Volgograd challenged FSB's demand to install the system, the local FSB and Ministry of Communication attempted to have its license revoked. The agencies were forced to back off after the ISP challenged the decision in court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was not a valid ministerial act because it failed several procedural requirements. Following the Russian lead, in September 1999, Ukrainian President Leonid Kuchma proposed requiring that ISPs install surveillance devices on their systems based on the Russian SORM system. The rules and a subsequent bill were attacked by the Parliament and withdrawn. However, in August 1999, the security service visited several of the large ISPs who were reported to have installed the boxes.
In the Netherlands, following the passage of the 1998 Telecommunications Act (see above), the Dutch Forensics Institute[193] developed a "black-box" for ISPs to install on their networks. The black box would be under control of the ISP and turned on after receiving a court order. The box would look at authentication traffic of the person to wiretap and divert the person's traffic to law enforcement if the person is online. Due to the inability of ISPs to adopt the requirements of the law, however, its implementation has been delayed.
In China, a system know as the "Great Firewall" routes all international connections through proxy servers at official gateways, where Ministry for Public Security (MPS) officials identify individual users and content, define rights, and carefully monitor network traffic into and out of the country. At a 2001 security industry conference, the government announced an ambitious successor project known as "Golden Shield." Rather than relying solely on a national Intranet, separated from the global Internet by a massive firewall, China will now build surveillance intelligence into the network, allowing it to "see," "hear" and "think." [194] Content-filtration will shift from the national level to millions of digital information and communications devices in public places and people's homes.[195] The technology behind Golden Shield is incredibly complex and is based on research developed largely by Western technology firms, including Nortel Networks, Sun Microsystems and others. The Golden Shield efforts do not signal an abandonment of other avenues of access and content control. For example, details are only beginning to emerge about a new "black box" device, derived from technology previously used in airline cockpit data recorders, and broadly similar to the Carnivore system. Chinese Internet police would use the black box technology to monitor dissidents and collect evidence on illegal activities.[196]
New methods of surveillance, and in particular those capable of circumventing encryption, are also being developed. One such technological device is a "key logger" system. A key logger system records the keystrokes an individual enters on a computer's keyboard. Keystroke loggers can be employed to capture every key pressed on a computer keyboard, including information that is typed and then deleted. Such devices can be manually placed by law enforcement agents on a suspect's computer, or installed "remotely" by placing a virus on the suspect's computer that will disclose private encryption keys.
The question of such surreptitious police decryption methods arose in the case of United States v Scarfo.[197] There, the FBI manually installed a key logger device on the defendant's computer in order to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the United States FBI confirmed the existence of a similar technique called "Magic Lantern."[198] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet; rather than require physical access to the computer as is now the case. The new Danish Anti-Terrorism law, enacted in June 2002, appears to give law enforcement the power to secretly install this kind of snooping software on the computers of criminal suspects.[199]
As new telecommunications technologies emerge, many countries are adapting existing surveillance laws to address the interception of networked and mobile communications. These updated laws pose new threats to privacy in many countries because the governments often simply apply old standards to new technologies without analyzing how the technology has changed the nature and sensitivity of the information. It is crucial for the protection of privacy and human rights that transactional data created by new technologies is given greater protection under law than traditional telephone calling records and other transactional information found in older systems.
In the traditional telephone system, transactional data usually takes the form of telephone numbers or telephone identifiers, the call metrics (e.g., length of call, time and date), countries involved, and types of services used. This data is usually collected and processed by telephone companies for billing and network efficiency (e.g., fault correction) purposes. While this data is stored by telephone companies, it is available to law enforcement authorities. Communications content, i.e., conversations, are not stored routinely. As a result, the obstacles to law enforcement access to this data were minimal: traffic data was available, legally less sensitive, and so accessible with lower authorization and oversight requirements. The content of communications was treated as more sensitive, and more invasive, and more difficult to collect, thus typically requiring greater authorization and oversight mechanisms.
Different communications infrastructures give rise to different forms of transactional data, however. When surfing the net, a user can visit dozens of sites in just a few minutes and reveal a great deal about their personal situation and interests. This can include medical, financial, social interests and other highly sensitive personal information. As the Council of Europe acknowledges in the Explanatory Report of the Convention on Cybercrime:
The collection of this data may, in some situations, permit the compilation of a profile of a person's interests, associates and social context. Accordingly Parties should bear such considerations in mind when establishing the appropriate safeguards and legal prerequisites for undertaking such measures.[200]
The detailed and potentially sensitive nature of the data makes it more similar to content of communications than telephone records.
Similarly, location information generated by mobile communications infrastructure, such as mobile phones and mobile IP, is more sensitive than the mere location of a fixed telephony communication. The location information of mobile communications can provide details of an individual's movements and activities and whom they have met with. This location information may be combined with other transactional information such as websites visited using the mobile device, individuals called, search engine requests; all used to create a considerable profile. This affects a wide variety of human rights beyond the right of privacy including the rights of free speech and assembly.
Moreover, newer mobile communications protocols are becoming increasingly specific about location data, and the availability of this information is becoming part of the actual communications protocol. That is, the means of identifying the location of a device is becoming more precision-based, and this location information is communicated to several parties, not necessarily only between the device and the mobile communications operator. As a result, the location of the device can be more easily discerned, not necessarily requiring access to the data held by the operator.
In addition to this data that naturally arises from the functioning of a wireless network, there are other initiatives driving the development of technologies that build in location-tracking capabilities. For example, in the United States, the Federal Communications Commission (FCC) directed wireless telephone service providers to begin implementing Automatic Location Identification (ALI) for emergency (911) calls by October 1, 2001. The ALI "accuracy standards" require providers to develop capabilities that will permit the location of users with the following degrees of precision: for handset-based solutions – 50 meters for 67 percent of calls, 150 meters for 95 percent of calls; for network-based solutions – 100 meters for 67 percent of calls, 300 meters for 95 percent of calls.[201] Other wireless devices and services increasingly are coming into use, including wireless personal digital assistants, wireless Internet access, and automotive navigation and assistance services (telematics), which when combined with Global Positioning Satellite capabilities, can determine the physical locations of users very precisely.
While there is likely to be strong commercial and law enforcement demand for the collection and use of the location data generated by these services, a legal framework to protect privacy specifically with respect to location information has not yet been implemented. In the absence of legal clarity, some operators have been keeping this kind of data indefinitely. In October 2001, British mobile operator Virgin Mobile revealed that that it had retained all call records since it was created in 1999. Similarly, in November 2001, it was reported that Irish operators, Eircell and Digifone, were holding customer records for more than six years. In both cases, the operators, stated that they believed they were required to keep these records under the law. [202]
The level of legal protection afforded to other traffic data is similarly unclear. Policies generally treat all of this transactional data as "traffic data;" this data then bears the protections afforded under the traditional telephone system. The United Kingdom in its Regulation of Investigatory Powers Act 2000 accepted, after an extensive debate, that there are varying levels of sensitivity to this data, and separates "traffic data" (source and destination of a transaction used for routing within a network) from the more sensitive "communications data" that includes URLs, domain names, etc. The latter requires greater authorization and oversight procedures. Not all countries have pursued this line of reasoning.
Previous United States policy differentiated between traffic data on cable and telephone communications. The Cable Act traditionally protected traffic data to a greater degree than telephone traffic data. Now that cable infrastructure is used for Internet communications (which were previously used over telephone lines, and thus traditional laws applied), successive White House administrations worked to erase this distinction, finally succeeding with the USA-PATRIOT Act. Rather than deal with the specifics of digital communications media and services, the changes in United States law reduces the protections of traffic data for all communications to what had previously existed for telephone communications data. This was clearly intended, under the guise of technological neutrality. According to Attorney General Ashcroft:
Agents will be directed to take advantage of new, technologically neutral standards for intelligence gathering . . . Investigators will be directed to pursue aggressively terrorists on the internet. New authority in the legislation permits the use of devices that capture senders and receivers addresses associated with communications on the Internet.[203]
On May 30, 2002, the European Parliament voted on the European Union Electronic Communications and Privacy Directive.[205] In a remarkable reversal of their original opposition to data retention, the members voted to allow each EU government to enact laws to retain the traffic and location data of all people using mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication devices, to communicate. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing European Union countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers' communications data.[206] The data that can be retained includes all data generated by the conveyance of communications on an electronic communications network ("traffic data") as well as the data indicating the geographic position of a mobile phone user ("location data").[207] The contents of communications are not covered by the data retention measures. These requirements can be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.
Although this data retention provision is supposed to constitute an exception to the general regime of data protection established by the directive, the ability of governments to compel ISPs and telecommunications companies to store all data about all of their subscribers can hardly be construed as an exception to be narrowly interpreted. The practical result is that all users of new communications technologies are now considered worthy of scrutiny and surveillance in a generalized and preventive fashion for periods of time that States' legislatures or governments have the discretion to determine. Furthermore, because of the cross-border nature of Internet communications, this Directive is likely to have negative repercussions for citizens of other countries. There is a significant risk that non-European Union law enforcement agencies will seek data held in Europe that it can not obtain at home, either because it was not retained or because their national law would not permit this kind of access.
During the debates on the Directive, many members of the European Parliament, and the European Union privacy commissioners consistently opposed data retention, arguing that, these policies are in contravention of data protection practices of deletion of data once it is no longer required for the purpose for which it was collected; and also in contravention of proportionality principles in accordance with constitutional laws and jurisprudence. Similarly, the Global Internet Liberty Campaign, a coalition of 60 civil liberties groups organized a campaign and drafted an open letter to oppose data retention. The letter was sent to all European Parliament members and heads of European Union institutions after more than 16,000 individuals from 73 countries endorsed it in less than a week.[208] The letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law.
While a few other countries have already established data retention schemes (e.g., Belgium, Denmark, France, the Netherlands, Spain, Switzerland and the United Kingdom) the implementation phase of the Directive's data retention provision may be bumpy in other Member States. The German Parliament has repeatedly refused to allow for retention, finally settling on a new Telecommunications Act, passed in May 2004 that allows telecommunications providers to retain data, but does not require them to do so. In the United Kingdom, after a review by a parliamentary committee, significant questions were raised regarding the legality, invasiveness, and the financial burdens involved in data retention.[209] This did not prevent the UK Government from upholding the practice in secondary legislation, however. The Directive may be seen as being in conflict with the constitutions of some European Union countries, with respect to fundamental rights such as the presumption of innocence, the right to privacy, the secrecy of communications, or freedom of expression.[210] In Finland, because of concerns regarding freedom of speech and privacy, content retention requirements have been reduced to three weeks at most, and for Internet traffic data no retention is required.[211]
Meanwhile, the situation is uncertain in Austria, Germany, Greece, Luxembourg, Portugal, and Sweden as they consider or question the means through which they can establish retention policies.[212] In Ireland, proposals from the Department of Justice have been poorly received from the industry, the Data Protection Commissioner, the Department of Communications, and the Marine and Natural Resources.[213] Industry associations in several countries[214] and the International Chamber of Commerce have all announced their concerns with general retention laws.[215] In all, nine states have established laws so far; while 10 out of 15 EU governments favor a "harmonizing" EU measure.[216] In October 2003 Privacy International released guidance that the practice of retention violates Article 8 of the European Convention on Human Rights.[217] This is likely to become the key battleground as the EU moves forward on a harmonizing measure for a deadline of June 2005, which is a direct response to the Madrid bombing of February 2004.
Europe is not alone, however. Australia has proposed a code of practice for ISPs to retain traffic data on a voluntary basis.[218] Argentina also passed a law calling for the retention of traffic data for 10 years.[219] Other countries are also calling for the retention of subscriber details, and are preventing anonymous access to the Internet through ID card requirements at cybercafés,[220] while others are banning the use of anonymous mobile telephony.
Cybercrime: International Initiatives in Harmonizing Surveillance
A related effort for enhancing government control of the Internet and promoting surveillance is also being conducted in the name of preventing "cyber-crime," "information warfare" or protecting "critical infrastructures." Under these efforts, proposals to increase surveillance of the communications and activities of Internet users are being introduced as a way to prevent computer intruders from attacking systems and to stop other crimes such as intellectual property violations.
The international lead bodies are the Council of Europe and the G-8, while there has also been some activity within the European Union.[221] The United States has been active behind the scenes in developing and promoting these efforts.[222] After meeting behind closed doors for years, these organizations finally, in 2000, made public proposals that would place restrictions on online privacy and anonymity in the name of preventing cyber-crime.
Council of Europe
The Council of Europe (CoE) is an intergovernmental organization formed in 1949 by West European countries. There are now 45 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."
On September 8, 1995, the CoE approved a recommendation[223] to enhance law enforcement access to computers in member states. In 1997, the CoE formed a Committee of Experts on Crime in Cyber-space (PC-CY). The group met in secret for several years drafting an international treaty, and in April 2000, released the "Draft Convention on Cyber-crime, version 19." Several subsequent versions were released until version 27 was released in June 2001.
The convention has three parts. Part I proposes the criminalization of on-line activities such as data and system interference, the circumvention of copyright, the distribution of child pornography, and computer fraud. Part II requires ratifying states to pass laws to increase their domestic surveillance capabilities to cater for new technologies. This includes the power to intercept internet communications, gain access to traffic data in real-time or through preservation orders to ISPs, and access to secured or "protected" data. The final part of the treaty requires all states to cooperate in criminal investigations. So, for example, country A can request country B to utilize any of the aforementioned investigative powers within country B for a crime that is being investigated in country A. There is no requirement for the crime in country A to actually qualify as a crime in country B, i.e., no requirement for dual-criminality. In this sense, the convention is the largest mutual legal assistance regime in criminal matters ever created.
The draft convention text was strongly criticized by a wide variety of interested parties including privacy and civil liberties groups for its promotion of surveillance and lack of controls such as authorization requirements and dual criminality;[224] prominent security experts for previously articulated limitations on security software;[225] and industry for the costs of implementing the requirements, and the challenges involved in responding to requests from 43 different countries. The Article 29 Data Protection Working Group has expressed concern regarding the convention's implications upon privacy and human rights, concluding that:
The Working Party therefore sees a need for clarification of the text of the articles of the draft convention because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms.[226]
The convention text was finalized in September 2001. After the terrorist attacks on the United States, the convention was positioned as a means of combating terrorism. A signing ceremony took place in November 2001 where it was signed by 30 countries, and later signed by another eight.
The convention came into force on January 7, 2004, once it was ratified by five signatory states, all members of the Council of Europe.[227] The Convention was originally open to the members of the CoE and to countries that were involved in its development, which includes Canada, Japan, South Africa and the United States. Now that it is in force, other non-COE countries like China and Singapore can also ask to join. The Australian government announced in July 2001 that its bill on computer crime, which requires users to provide encryption keys, is based on the Convention.[228] So far only Albania, Croatia, Estonia, Hungary, Lithuania, and Romania have ratified the convention. Romania has incorporated some of the language of the convention into its law on transparency and corruption.[229]In December the Bush Administration signaled its intention to ratify the convention. In June, the Senate Committee on Foreign Relations began its review of the convention
A protocol on Racism and Xenophobia was released in November 2002. This protocol will require the criminalization of certain forms of Internet speech that some might find offensive.[230] The Bush Administration has already stated that it will not support the protocol.[231] There was some discussion of a second protocol on "terrorist messages and the decoding thereof," however discussion on this matter has not advanced publicly.[232]
G-8
The G-8 is made up of the heads of state of eight industrialized countries in the world (Canada, France, Germany, Italy, Japan, Russia, the United Kingdom, and the United States. The European Commission participates as an observer). The leaders have been meeting annually since 1975 to discuss issues of importance, including economics and finance, transnational organized crime, terrorism, and the information society.
Since 1995, the G-8 has become increasing more involved in the issue of high-tech crime, and has created working groups and issued a series of communiqués from the leaders and actions plans from justice ministers. Much of this work has been coordinated by the Lyon Group, established formally in 1997.
At the Birmingham, England summit in May 1998, the G-8 adopted a recommendation on ten principles and a ten-point action plan on high-tech crime. The ministers announced:
We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies.
The G-8 has met several times with industry and is actively promoting requirements that ISPs maintain records of all of their users' activities in case there is a future need to investigate a crime that might have occurred. These requirements were strongly criticized at a meeting held by the G-8 in Japan in 2001 where industry and a civil liberties group were invited and a draft press release and guidelines that promoted data retention had to be withdrawn after they had already been made public.
The G-8 has continued its activity in the area of law enforcement and combating terrorism, however. Throughout 2002 several summits involving Finance Ministers, Justice and Interior Ministers, and heads of state have released several statements regarding increased surveillance, traceability of communications,[233] and data retention.[234] Increased cooperation across borders was discussed at length; and as with the Council of Europe convention, no requirements of dual-criminality are necessary.
The European Union
In July 2000, the Commission announced plans for a new directive for fighting cyber-crime.[235] A communication was released in January 2001.[236] While similar to the Council of Europe convention in many ways, the Commission's proposal also included proposals regarding data retention and the reduction of anonymity. These policies were sought within "public forums" (only with limited invited speaking slots) in the fall of 2001, with unclear and unpublished results.
The retention proposal was sought in the alternative forum of the Directive on Privacy and Electronic Commerce in the European Parliament. The substantive law measures of criminalizing data and systems interference and defining other such offences are being pursued as a Council Framework Decision, which was in draft mode for almost a year and nearly forgotten,[237] until the Madrid bombings of 2004 when it was placed back upon the agenda with an expected implementation date of June 2005. This initiative is designed to be consistent with the CoE and G-8 activities.
The Organization for Economic Co-Operation and Development
In contrast to many of these law enforcement-driven initiatives, the Organisation for Economic Cooperation and Development (OECD) has tended to take a broader view of security issues. In 1992, the OECD issued Guidelines for the Security of Information Systems.[238] Containing nine principles, the Guidelines stress the importance of ensuring transparency, proportionality and other democratic values when establishing measures, practices and procedures for the security of information systems. In the fall of 2001, the OECD Working Party on Information Security and Privacy (WPISP) established a group of experts to conduct a review of these guidelines (such a review must take place every five years). The group of experts met four times between December 2001 and June 2002 and recommended several changes. The OECD Council adopted the 2002 Security Guidelines[239] on July 25, 2002 and they remain in effect.[240] Although the guidelines have been substantially revised, the need to ensure key democratic values, such as openness, transparency and the protection of personal information, is nonetheless reiterated in the principles. The OECD also developed a "Culture of Security" web site[241] launched after the "OECD Global Forum on Information Systems and Network Security: Towards a Global Culture of Security" held in Oslo, Norway in October 2003. The site provides member and non-member governments with an international information-exchange tool on initiatives to implement the Guidelines and serves as a portal to relevant Web sites as a first step towards creating a global culture of security.OECD member countries adopted an implementation plan[242] and released it to the public in January 2003. The OECD also took a survey of OECD member countries in July 2003, analyzing measures taken since the adoption of the Security Guidelines in July 2002 as consistent with the OECD Implementation Plan. The survey results[243] were released on June 7, 2004.
In the past several years, there has been considerable attention given to mass surveillance by intelligence agencies of international and national communications. Investigations have been opened and hearings held in parliaments around the world about the "Echelon" system coordinated by the United States.
Immediately following the Second World War, in 1947, the governments of the United States, the United Kingdom, Canada, Australia and New Zealand signed a National Security pact known as the "Quadripartite," or "United Kingdom– United States" (UKUSA) agreement. Its intention was to seal an intelligence bond in which a common national security objective was created. Under the terms of the agreement, the five nations carved up the earth into five spheres of influence, and each country was assigned particular signals intelligence (SIGINT) targets.
The UKUSA Agreement standardized terminology, code words, intercept handling procedures, arrangements for cooperation, sharing of information, Sensitive Compartmented Information (SCI) clearances, and access to facilities. One important component of the agreement was the exchange of data and personnel.
The strongest alliance within the UKUSA relationship is the one between the United States National Security Agency (NSA), and Britain's Government Communications Headquarters (GCHQ). The NSA operates under a 1952 presidential mandate, National Security Council Intelligence Directive (NSCID) Number 6, to eavesdrop on the world's communications networks for intelligence and military purposes. In doing so, it has built a vast spying operation that can reach into the telecommunications systems of every country on earth. Its operations are so secret that this activity, outside the United States, occurs with little or no legislative or judicial oversight. The most important facility in the alliance is Menwith Hill, a Royal Air Force base in the north of England. With over two dozen domes and a vast computer operations facility, the base has the capacity to eavesdrop on vast chunks of the communications spectrum. With the creation of Intelsat and digital telecommunications, Menwith Hill and other stations developed the capability to eavesdrop on an extensive scale on satellite-borne fax, telex and voice messages.
The current debate over NSA activities has focused on the existence of a signals intelligence system known as "Echelon." United States officials have refused to confirm the existence of this or any other surveillance systems. In May 2001, the European Parliament's Temporary Committee on the Echelon Interception System (established in July 2000) issued a report concluding that "the existence of a global system for intercepting communications . . . is no longer in doubt."[244] According to the committee, the Echelon system (reportedly run by the United States in cooperation with Britain, Canada, Australia and New Zealand) was set up at the beginning of the Cold War for intelligence gathering and has developed into a network of intercept stations around the world. Its primary purpose, according to the report, is to intercept private and commercial communications, not military intelligence.
The report recommended "self-protection" by EU citizens and companies, and encouraged further development and use of encryption technology within Europe to protect communications against surveillance. The report also recommended actions to be taken by the European Parliament during its September 2001 session in Strasbourg. These included provisions for the United States to (1) negotiate and sign an agreement with the European Union (European Union) requiring both parties to "observe, vis-à-vis the other, the provisions governing the protection of the privacy of citizens and the confidentiality of business communications applicable to its own citizens and firms;" (2) sign the International Covenant on Civil and Political Rights so complaints by individuals could be submitted to the Human Rights Committee created by the covenant; (3) negotiate with Member States a code of conduct akin to that of the European Union; and (4) begin a dialog with the European Union on economic intelligence gathering. On this point the Committee did not find widespread evidence of Echelon being used primarily for economic intelligence gathering. The Committee also recommended that Germany and the United Kingdom condition further authorization of United States communications interception operations within their territories on United States compliance with the European Convention on Human Rights. No further action on these recommendations has been taken.
Prior to issuing its report, the Temporary Committee traveled to Washington, DC to meet with senior Bush administration government and intelligence officials to discuss Echelon. When they arrived, however, their meetings with these officials at the Departments of State, Commerce and Defense, the CIA and the NSA were cancelled at the last minute. The European Parliament subsequently issued a Resolution protesting this move.[245]
The work of the recent Temporary Committee was based on two earlier reports of the European Parliament. The first, "An Appraisal of the Technologies of Political Control,"[246] was published in 1997 and stated that the NSA had established an integrated communications surveillance capability in Europe. It described Echelon as a communications intelligence sharing sub-system capable of scanning particular communications to detect information of interest. In 1999, the second European Parliament report, "Interception Capabilities 2000" set out the technical specifications of the interception system.[247] The report described the merger of Echelon and the (ILETS) stating that in time, the two vast systems – one designed for national security and one for law enforcement – would merge, and in the process will compromise national control over surveillance activities.
These recent events have left observers contemplating two profound conclusions. First, as long as the UK-USA SIGINT partners police and govern their own operations outside of actual effective parliamentary and judicial oversight, there is good reason to believe that SIGINT can be turned against individuals and groups exercising civil and political rights. There is ample evidence that the activities of Greenpeace, Christian Aid, Amnesty International, the International Committee to Ban Landmines, the Tibetan government-in-exile, various anti-globalization movements like the Independent Media Center, and the International Committee of the Red Cross have been targeted by UKUSA agencies. Second, there is an increasing blurring between the activities of intelligence agencies and law enforcement. The creation of a seamless international intelligence and law enforcement surveillance system has resulted in the potential for a huge international network that may, in practice, negate current rules and regulations prohibiting domestic communications surveillance by national intelligence agencies.
Second, there is an increasing blurring between the activities of intelligence agencies and law enforcement. The creation of a seamless international intelligence and law enforcement surveillance system has resulted in the potential for a huge international network that may, in practice, negate current rules and regulations prohibiting domestic communications surveillance by national intelligence agencies.
The use of Echelon to target diplomatic communications was highlighted as a result of disclosures made in 2003 by a British intelligence employee, former United Nations officials, and a former British Cabinet Minister concerning eavesdropping by the US NSA and the British GCHQ over UN Secretary General Kofi Annan's telephone communications and private conversations.[248]
The issue of eavesdropping on the diplomatic communications of the UN and its member nations' missions is covered by four international conventions: the Universal Declaration of Human Rights (Article 12),[249] the 1961 Vienna Convention on Diplomatic Relations (Article 27),[250] the 1947 Headquarters Agreement between the UN and the United States,[251] and the 1946 Convention on the Privileges and Immunities of the UN (Article 2).[252]
Since the terrorist attacks of September 11, 2001, one of the greatest fears of security officials in the world has been that would-be terrorists would board commercial airline flights without their malicious intentions being detected in advance. As a result, the US and many of its international allies have placed a high priority on identifying, tracking, and profiling travelers, especially air travelers.
Travelers and workers at transportation facilities such as airports have come to be regarded as objects of suspicion, potential terrorists, and targets of surveillance. Security agencies have sought access to reservations and other travel data collected for commercial purposes; compulsory identification of travelers and travel and transportation workers; mandatory collection of additional traveler data and compilation of personal travel dossiers; and deployment of new technologies for real-time tracking and logging of travelers' movements.
Fear is not necessarily proportional to actual danger,[253] and it is not clear that these policy and procedural changes are the outcome of a considered evaluation of risks, benefits, and trade-offs.[254] But whatever the motivation or effectiveness for their declared purposes, these aviation and transportation "security" measures create substantial potential for both commercial and government misuse of personal travel data. Taken together, they could – if successful – lead to the creation of a global infrastructure of surveillance of the movements of persons, incorporating both the travel industry and government agencies.
The privacy of travel records has been less well protected than that of any comparably sensitive category of commercial data. Existing travel industry norms for personal data handling fail to provide the level of protection provided for other categories of data, and required by generally accepted norms of data protection. Even in jurisdictions where data protection laws include travel data, enforcement against violations by the travel industry has been lax.
Reservation and transaction records created by travel companies for commercial purposes contain intimate personal information about airline (and sometimes intercity train and bus) travelers and their movements, as well as personally identifiable information about third-party ticket purchasers, travel industry personnel involved in making and changing reservations, and other business and personal associates of travelers.[255]
Reservation data or one or more people traveling on the same itinerary is stored in a Passenger Name Record (PNR), which typically contains names of travelers and details of flights, hotels, car rentals, and other travel services. PNRs can also contain residential and business postal and e-mail addresses and phone numbers, credit card details, and names and personal information of emergency contacts. Through billing, meeting, and discount eligibility codes, PNRs contain information about memberships and organizational affiliations. Since a single PNR typically is used for an entire travel party, PNRs contain detailed information on patterns of association between travelers. PNRs can contain religious meal preferences and special service requests that describe intimate details of physical and medical conditions (e.g., "Uses wheelchair, can control bowels and bladder") – categories of information that have special protected status in the European Union and some other countries as "sensitive" personal data.
Airlines and travel agencies around the world, even those that compete with each other, have long been part of an integrated global network of reservation systems. Most of these systems predate current norms of data protection. While PNR formats vary, "interline" agreements between airlines, joint industry ticketing and financial clearinghouses, and industry-standard protocols[256] facilitate easy global sharing of PNR data.
Most of the world's airlines and travel agencies outsource hosting of their PNR databases to one of four companies: Sabre, Galileo (a division of the Cendant Corp.), Worldspan, and Amadeus. These Computerized Reservation System (CRS) or Global Distribution System (GDS) companies function both as data warehouses and data aggregators, and have a relationship to travel data analogous to that of credit bureaus to financial data. After the completion of a trip, copies of PNRs are "purged" from live to archival storage systems, and can be retained indefinitely by CRSs, airlines, and travel agencies.
Unlike medical and financial data, travel data has not generally been legally recognized as posing special privacy issues, or afforded any special protection. PNRs and ticketing records had been regarded as simply another category of commercial transaction data.
In many countries airlines and travel agents are overseen by different government agencies than other businesses, and few if any aviation regulatory agencies include data protection divisions or enforcement staff. In the US, for example, most consumer privacy policies are enforced by state and local consumer protection authorities and the Federal Trade Commission (FTC). But enforcement of privacy policies by airlines and travel agencies, and of compliance by airlines and travel agencies with the EU-US Safe Harbor arrangement,[257] is under the exclusive jurisdiction of the Department of Transportation (DOT). The DOT has no staff dedicated to consumer privacy or data protection, and has never brought an enforcement action for violation of a privacy policy or of the Safe Harbor arrangement.
The International Civil Aviation Organization (ICAO) has adopted a model Code of Conduct on the Regulation and Operation of Computer Reservation Systems (CRS) that aims at safeguarding privacy.[258] However, the ICAO Code of Conduct on the Regulation and Operation of Computer Reservation Systems has not been widely adopted by ICAO member states. CRSs operate under government regulations in the US[259] and Canada,[260] but those regulations include no provisions related to privacy or data protection.
The European Union Code of Conduct for Computerized Reservation Systems, Article 5(d), provides that, "personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer."[261] But there is no record of any enforcement action ever having been taken under this section, despite a history of widespread and systematic violations by all four major CRSs.
National data protection authorities in Belgium (on the complaint of data subjects, including a Member of the European Parliament)[262] and France[263] have ruled that transfers of PNR data by airlines to US government agencies without passengers' consent are illegal. Additional citizen complaints against airlines for violations of national data protection laws have been made in Spain[264] and the Netherlands.[265] However, no corrective action or change in data sharing practices has been ordered as a result of any of these enforcement proceedings.
Like the ICAO standards, the recommendations of the Passenger Services Conference of the International Air Transportation Association (IATA) are only advisory. In addition, they relate only to the conduct of IATA member airlines and not to travel agencies or CRSs. Even if followed, the IATA recommendations serve more to legitimate than to limit airlines' transfers of passenger data to government agencies.[266]
Almost immediately after September 11, 2001, airlines and the US government – often in collaboration, and of necessity involving the CRSs in their work – began accessing and using archived PNRs to investigate the hijackings and to test the possibility of identifying "suspicious" travelers through PNR profiling. Most of the major US-based airlines and CRSs, and a variety of US government agencies and contractors, were involved in these investigations and experiments over the next two years.[267] All of these tests were conducted at the time in secret, without notice to, or consent of, the data subjects, and in most cases – except the initial investigation of the events leading up to September 11 – without warrants or subpoenas. They were gradually revealed to the public as a result of US Freedom of Information Act (FOIA) requests and lawsuits, Congressional questioning, investigative journalism, and admissions by airlines. Governments, airlines, and CRSs in other countries were pressured by the US to cooperate in providing reservation data for these programs, irrespective of national data protection laws against such use without travelers' prior consent.
These profiling systems and tests have not been shown to be effective in identifying would-be terrorists from reservation data, either alone or in conjunction with other databases.[268] It's impossible to identify from a PNR in what country (or countries) the data it contains was collected, so each of these tests probably included data subject to many international jurisdictions. The US government proceeded with these tests without waiting for any of the legal changes needed to harmonize them with any other countries' laws. Nonetheless, the US and some other governments have, after the fact, sought to modify existing data protection rules and industry standards to mandate – or failing that, at least to permit – government access to PNR data in order to attempt to identify "suspicious" travelers.
Currently, only the United States, Canada, Australia and New Zealand have legislation in place that makes government access to airline reservation data mandatory. A number of other States are exploring this process.[269]
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was amended in 2001 by Bill C-44 to allow Canadian airlines to provide foreign governments with "any information . . . relating to persons on board or expected to be on board the aircraft and that is required by the laws of the foreign state."[270] The PIPEDA was further amended in 2004 by Bill C-7 to expand the exemption of travel data.[271] Bill C-7 in particular provoked considerable criticism, including opposition from the Canadian Bar Association.[272] Both bills were widely characterized as Canada's counterparts to the USA PATRIOT Act. In May 2004, the European Commission approved a conditional finding that the level of protection afforded to PNR data transferred to the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection (CBP) satisfies the standard of "adequacy" required by the EU Data Protection Directive,[273] on the basis of which the Council of the European Community signed an agreement purporting to authorize PNR transfers to the US, if certain conditions were met.[274]
The finding of adequacy was contrary to the formal opinion of the working party of EU national data protection officers.[275] Both the agreement and the finding of adequacy of protection of PNR data in the US prompted extraordinary public controversy within the EU and conflict between EU institutions. Both were denounced by privacy advocates on both sides of the Atlantic.[276] In June 2004, the President of the European Parliament moved the Court of Justice of the European Communities, on behalf of the Parliament, to annul both the agreement and the adequacy finding.[277]
The stated goal of the US government is the adoption of permanent international standards overriding existing national data protection laws, and mandating access to PNR data by all governments worldwide.[278]
In addition to seeking access to existing PNRs, some governments have sought to require data in PNRs beyond that which would otherwise be entered for commercial purposes; to modify PNR formats to facilitate desired government uses of PNR data; and/or to require airlines to transmit additional Advance Passenger Information (API) data collected solely to satisfy government demands.[279] While API data is typically described as corresponding to the information that could already be gleaned from travelers' tickets and passports, the majority of the categories of PNR and API data sought by the US cannot be obtained from current travel documents.[280]
These governmental initiatives have been led primarily by the US and, within the EU, by Spain.[281] In April 2004, a Spanish proposal that all airlines operating to, or within, the EU be required to collect and transmit to the governments of destination countries information concerning all passengers, was adopted by the Council of the European Union over the objections of the European Parliament committees that had considered it.[282]
Canadian customs and immigration agencies have developed and deployed their own airline reservation profiling software and algorithms, but use "risk management criteria that are common to both countries" to determine what travel data to share with the US.[283]
Australia has mandated that all airlines provide the government with continuous real-time access to their reservations systems, and has implemented an automated profiling system, based on certain elements of PNR and API data, which selects certain reservations for review and possible action by customs officers.[284]
In New Zealand, government access to PNR and API data has been limited to international flights, and law enforcement authorities have used the advance passenger processing system developed by Australia. The New Zealand government has sought, but has not yet obtained, legal authority to issue "do not board" orders to airlines on the basis of automated analysis of PNR and API data.[285]
The US has imposed a requirement for collection and automated transmission of API data on all international flights to the US, and has pursued multilateral agreements on API data transfers with the EU (as part of the PNR agreement), the G-8[286] and, globally, through ICAO.
The US has also proposed to use secret security directives to impose both the requirement for travelers to display evidence of their identity and the requirement for airlines and travel agents to create a PNR containing specified identifying information for each traveler, concealing the details of the requirements from the public and frustrating judicial review. A federal court has found that such identification requirements do not violate constitutional guarantees against unreasonable search and seizure.[287]
Registered Traveler
In 2004, the US government began testing the Registered Traveler Pilot Program at Minneapolis-St. Paul International Airport.[288] The program allows certain passengers to volunteer personal and biometric information to the government for prescreening.[289] In exchange, program participants go through special security lines for physical screening.[290] The pilot program has been expanded to five airports throughout the US.[291] A privatized version of the program is being developed at Orlando International Airport.[292]
Computer Assisted Passenger Prescreening System II (CAPPS II)
The model for the global travel data regime sought by the US was the second generation Computer Assisted Passenger Screening System (CAPPS II), which was proposed by the US government in January 2003 for flights to, from, and within the US.[293] In 2004, the US government announced its decision to abandon the program.[294] Department of Homeland Security Secretary Tom Ridge said that privacy concerns surrounding the pilot program coupled with ongoing Congressional doubts about the effectiveness of the program contributed to the decision. When asked whether the program could be considered "dead," Ridge answered "yes."[295]
However, civil liberties organizations and air travel experts expressed skepticism about the announcement. Some said that CAPPS II was simply being renamed or merged into other programs, and that the US government would continue to pursue its essential functionality: mandatory identification of all air travelers, entry of identifying data into reservations, and government access to those reservations.[296] These goals were also endorsed by the "9/11 Commission" in the US, whose first recommendation for how to "protect against terrorist attacks" was "targeting travel" and expanding "travel intelligence collection," i.e. surveillance of travelers.[297]
CAPPS II or its successor would be a system of automated identity- and reservation-based profiling unlike any other airline passenger screening or security system in the world.[298] CAPPS II would have profiled each passenger and assign them a risk or "suspiciousness" score on the basis of their identity as determined from their PNR. That would not be possible unless each passenger (a) is identified, (b) has a reservation, and (c) has sufficient information entered in their reservation to identify them uniquely. CAPPS II would therefore have the had effect of prohibiting anonymous or unreserved travel, and mandating entry of specified identifying information about each passenger in his or her PNR.[299]
The US had sought permission from other countries, including the EU and Canada, to use data collected in those countries for CAPPS II.[300] The "Undertakings" by the US, which were a condition for the European Commission's finding of adequacy of passenger data protection in the US, specifically declare that the US may use data from the EU in CAPPS II tests,[301] although that authorization refers specifically to "CAPPS II," and thus may be invalidated by the change of the program's name (see below).
As the US Communications Assistance to Law Enforcement Act (CALEA) did with the infrastructure of transport of information, government travel security initiatives would require the embedding of "intelligence gathering" capabilities into the infrastructure of transportation of people, imposing as an unfunded mandate on the travel industry whatever changes, at whatever cost, are required to provide that surveillance functionality. Even airlines that supported CAPPS II were concerned about the cost of the changes it would require to reservation data structures, messaging formats and protocols, and business procedures worldwide, especially if those costs are not reimbursed by governments.[302] While the US government has suggested that it might cut back on the use of other, non-travel commercial databases in the profiling component of its revised and/or renamed successor to CAPPS II, the intelligence gathering component and its required changes to airline databases would remain as extensive and costly as ever.
CAPPS II would have incorporated existing US "no-fly" and other airline passenger "watch lists." As part of its international initiatives for government access to, and trans-border sharing of, PNR and API data, the US government has sought to establish a global system for exchanges of traveler watch list information, and to exempt it from requirements of disclosure, due process, and judicial review.[303] PNR data obtained through CAPPS II would have also been included in the lifetime "biographic and biometric travel history" created and maintained on each foreign visitor to the US under the US-VISIT system.[304]
The information required by CAPPS II would have been, by design, the information needed to ensure that all passengers could be uniquely identified from reservations, and, as a result, that reservations for separate trips could be indexed into lifetime travel histories. Under CAPPS II, travel companies in the US, including the CRSs, which host most airline reservations, would have been permitted to retain all of this information indefinitely after passing it on to governments, and use it to construct their own permanent files on travelers. These records could be accessed by government agencies at any time, even if the government itself did not retain the CAPPS II data.
Secure Flight
On August 26, 2004, The Department of Homeland Security Transportation Security Administration announced that the government would begin testing Secure Flight, a new passenger prescreening system, in November.[305] Secure Flight will compare PNRs against information maintained by the FBI’s Terrorist Screening Center, which includes expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. Furthermore, the agency is testing the use of commercial databases to verify the accuracy of information provided by travelers.[306] TSA will administer the program, removing all passenger screening responsibility from the airlines. The agency also ordered 72 airlines to turn over their passenger records from June 2004 for Secure Flight testing.[307]
Though TSA plans to implement a redress process for travelers improperly flagged by Secure Flight, it is unclear how this process will work. The government has long used "selectee" and "no fly" lists for aviation security purposes, but passengers have experienced great difficulty clearing their names when improperly flagged. In 2002, EPIC obtained through the Freedom of Information Act dozens of complaint letters sent to TSA by irate passengers who felt they had been incorrectly identified for additional security or were denied boarding because of the watch lists. The complaints describe the bureaucratic maze passengers encounter if they happen to be mistaken for individuals on the list, as well as the difficulty they encounter trying to exonerate themselves.[308]
Secure Flight will be tested live with two airlines beginning in August 2005.
Foreign visitors will be required to identify themselves with passports satisfying ICAO machine-readable travel document (MRTD) standards,[309] which may also include secretly and remotely readable RFID chips containing digitally encoded biometric data.[310] US travelers will be allowed to obtain "registered travel" tokens or credentials only by having biometric data recorded, and by submitting to a background check of government and commercial databases.[311] The motivation to register can only be that unregistered travelers will be subjected to longer delays and/or more intrusive searches and screening.[312]
Although the overwhelming emphasis has been on air travel, some of these measures and others are now being extended to other transportation modes, starting with trains and buses. Already intercity train and bus passengers in the US are required to display "valid photo identification" to purchase tickets and on boarding.[313]
A government-required RFID/biometric Transportation Worker Identification Credential (TWIC) is being tested for eventual issuance to more than 10 million workers in transportation facilities in the US, including airports, seaports, rail and truck terminals, etc.[314] The TWIC was, however, intended in the future to identify all users of transportation systems, i.e. travelers.[315] Eventually, all persons on transportation vehicles or in transportation facilities may be required to carry government-issued RFID/biometric identification credentials.
The Department of Homeland Security deployed the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) at 115 airports and 15 major seaports on January 5, 2004.[316] When this practice began, the general response was one of shock and alarm. Brazil, China, Greece[317] and Switzerland[318] were among countries that protested against their citizens being fingerprinted by the Department of Homeland Security. Brazil even threatened reciprocity.[319]
This border security program is intended to improve the United States' capability to collect information about foreign nationals who travel to the US, as well as control the pre-entry, entry, status, and exit of these travelers. US-VISIT is expected to be operational at every US air and seaport and the 50 busiest land ports of entry by the end of 2005.[320] Some information in US-VISIT will be kept for 100 years,[321] and all information may be disclosed to any law enforcement agency in the US and any other country.[322]
When a visitor subject to US-VISIT applies for a visa to travel to the US, he is fingerprinted and photographed at an overseas US consular office.[323] This biometric information is then checked against more than 20 interfacing government databases to determine the likelihood that the visitor is a criminal or terrorist.[324] When the visitor arrives at a US port of entry, he is again fingerprinted and photographed to verify that he is the same person who was issued the visa.[325] A pilot program has been launched to fingerprint visitors when they exit the US, as well.[326]
US-VISIT did not apply to visitors to the US traveling through the Visa Waiver Program until September 20, 2004 when the program was expanded to include Visa Waiver travelers arriving at air and seaports.[327] The general response to this expansion of US-VISIT was very quiet, possibly because the enlargement of the program was a result of the proposed extension of the biometric passport deadline.[328] If any Visa Waiver program countries do not present acceptable plans by October 2005 for launching biometric e-passports by 2006, US law requires that these countries be removed from the Visa Waiver program, resulting in all nationals being forced to get visas.[329] Earlier, the Department of Homeland Security indicated that it intended to link CAPPS II and US-VISIT when both programs were fully operational to ensure that "the processes at both border and airport points of entry and exit are consistent."[330]
Other countries are considering similar systems now that the US has expanded US-VISIT. The EU has proposed a similar system involving fingerprints, enhanced by the fact that EU countries will also have fingerprint-based biometric passports, creating a database of biometrics on over 450 million people.
Lack of enforceable legal protection for travel data comparable to that for financial, medical, or other sensitive categories of personal information
Government demands for access to reservations and other commercial travel data and exemption of travel-related data from existing privacy and data protection regulations
Compulsory identification of travelers (through biometrics, compulsory carrying or display of credentials, etc.) and compulsory entry of identifying data into reservations
Indexing of reservations and travel transactions into lifetime personal travel dossiers
Inclusion of secretly and remotely readable RFID chips in passports, tickets, "registered traveler" credentials, or other travel documents
Profiling of travelers, denial of freedom of travel, slower or more intrusive searches, or other differential treatment of travelers on the basis of watch lists, profiles, or as a "registered traveler" status
Integration of commercial and government databases about travelers; integration and conversion of travel industry infrastructure into an infrastructure of surveillance
Advances in technology are also making it easier and cheaper to conduct covert audio surveillance. Bugs come in many shapes and sizes. They range from micro engineered transmitters the size of an office staple to devices no bigger than a cigarette packet that are capable of transmitting video and sound signals for miles. Many of the bugs are cleverly camouflaged. They are hidden in everything from umbrella stands to light shades. Sometimes, the infiltrator will hide them in a business or sports trophy where they will stay indefinitely. The latest bugs remain active with their own power supply for around ten years.
Laws restricting the use of covert audio devices vary widely across the world. Many countries have provisions in their general wiretap laws that also cover the use of bugs. The European Court of Human Rights has ruled several times that all signatories of the Convention must enact laws governing their use. While it is illegal in most circumstances in the United States to use or sell such devices, the British market had no restrictions whatever until recently. As one private investigator told the London Daily Telegraph, "It's a game anyone can play." Millions of bugs are sold every year in Asian countries such as Hong Kong and Japan.
The devices are used for a variety of reasons. In many Asian countries, use of the devices for industrial espionage is widespread. They are also frequently used in the workplace or in homes. Law enforcement and intelligence agencies also use the devices but according to government records in the United States, Canada and other countries, they are used much less frequently than traditional wiretaps for law enforcement purposes.
Surveillance cameras (also called Closed-Circuit Television or CCTV[331] are increasingly being used to monitor public and private spaces throughout the world. The leader is the United Kingdom, where between GBP 150 and 300 million per year is spent on expanding a surveillance industry that has an estimated one and a half million cameras watching public spaces.[332] Many central business districts in Britain are now covered by surveillance camera systems involving a linked system of cameras with full pan, tilt, zoom and night vision or infrared capability. CCTV systems are also in wide use in several other European countries where they are closely regulated. Surveillance of public spaces has grown markedly in the United States and Australia. In New York City, the NYCLU Surveillance Camera Project identified 2,397 cameras in Manhattan, an admittedly incomplete list.[333] The Mayor of Washington, DC had proposed a "London style" blanket surveillance of public areas to cover the several public protests that takes place in the capital, but public opposition has prevented the adoption of the plan.[334] In Singapore, cameras are widely deployed for traffic enforcement and to prevent littering. Several governments are now considering using surveillance systems as an anti-terrorism tool. Some observers believe the surveillance camera phenomenon is dramatically changing the nature of cities. The technology has been described as the "fifth utility,"[335] where CCTV is being integrated into the urban environment in much the same way as the electricity supply and the telephone network in the first half of the century.[336]
Governments and law enforcement authorities have used video surveillance in various circumstances ranging from the prevention of crimes,[337] the safety of urban environments and government buildings, traffic control,[338] the monitoring of demonstrators,[339] and in the context of criminal investigations. In the United States, several cities have started implementing sophisticated systems of surveillance. In Washington, DC, surveillance cameras have been placed on national monuments, such as the Lincoln Memorial. New York, Tampa, Virginia Beach,[340] Baltimore,[341] and Chicago have also started installing cameras.[342] In the United Kingdom, the government and police authorities have covered the country with more than one and a half million cameras, some of them being used to check the license plates of cars entering cities, and even the face of drivers,[343] making CCTV the single most heavily funded non-criminal justice crime prevention measure.[344] A 2003 survey conducted by the Dutch data protection authority found that one municipality in five uses camera surveillance.[345]
In Europe, because the encompassing data protection legal framework of the European Union Data Protection Directive applies to video surveillance records, privacy authorities have started drawing up guidelines aimed at implementing the Directive's data protection principles to the field of video surveillance.[346] The European Commission, in a recent consultation aimed at evaluating how the Directive had been implemented in practice as regards the processing of sound and image data, concluded that no change was required to the current rules for it to be applicable to the processing of personal data in the context of video surveillance, although more practical guidance was definitely needed.[347] The Article 29 Working Party (established under the EU Data Protection Directive) has issued several documents on video surveillance. One includes a summary of guidance issued by national data protection authorities.[348]
In July 2000, the United Kingdom Data Protection Commissioner issued a code of practice on the use of CCTV. The code sets out guidelines for the operators of CCTV systems and makes clear their obligations under the recently implemented Data Protection Act 1998.[349] Also in 2000, the Greek Data Protection Commissioner issued a directive prohibiting the use of CCTV, except in certain circumstances.[350] In Sweden, the 1998 Law on Secret Camera Surveillance restricts the use of video surveillance. Norway's Personal Data Registers Act of 2000 also provides specific rules for video surveillance. In Italy, the data protection authority issued guidelines in May 2004 for the installation of surveillance cameras, requiring, among other things, an assessment of whether the surveillance is proportional to the objectives and whether alternative measures would be possible.[351] In 2003, the European Court of Human Rights issued a judgment holding that the disclosure of CCTV pictures by a public authority may constitute a violation of an individual's right to privacy under Article 8 of the European Convention on Human Rights.[352] In Canada, various provinces' privacy commissioners have established video surveillance guidelines,[353] while Canada's Privacy Commissioner was active in limiting surveillance cameras[354] by, e.g., launching a lawsuit against the Royal Canadian Mounted Police, calling their use of the system an unconstitutional breach of privacy.[355] In Washington, DC, after the District of Columbia (DC) City Council and the US Congress conducted several hearings on video surveillance,[356] the DC City Council enacted legislation directing the Chief of Police of the Metropolitan Police Department (MPD) to issue regulations on the use of video surveillance cameras and technology.[357] The MPD subsequently issued formal rules on the use of CCTV in 2002.[358] Some other police departments and at least one federal government agency have also established video surveillance guidelines.[359]
In the United States, video surveillance is not regulated by federal legislation, although some States have adopted statutes prohibiting the use of video surveillance for peeping purposes,[360] and video voyeurism legislation is under active consideration by the US Congress.[361]
As surveillance systems are becoming a routine part of the urban landscape, scholars, data protection commissioners, legislators, and the public are beginning to grapple with the implications and purposes of this new technology, and to ask questions about its assumed effectiveness.[362] Broader questions about the social consequences of video surveillance activities are also being asked.[363]
Proponents contend that video surveillance is a deterrent to crime and gathers evidence of crimes. Generally, camera systems have been rolled out with little prior research into the effectiveness or appropriateness of the technology, as in most cases the deployment is driven by a public relations need to create the impression of heightened security.[364] The evidence supporting the effectiveness of the camera system has been inconclusive. The most important and comprehensive research to date is the United Kingdom Home Office meta-study that has systematically reviewed the best studies done in the past that have analyzed the effectiveness of CCTV systems.[365] Other studies, released earlier, found that in many areas with CCTV crime increased and street lighting was a more effective deterrent.[366] In March 2002, a report issued by researchers at the University of Hull in United Kingdom, found that cameras do not have a major impact on most criminal activity, and even where they appear to have an effect it is because that crime is often just displaced elsewhere.[367] Recent studies conducted by the Scottish Center for Criminology have yielded similar results.[368] Questions are now surfacing about the use of cameras in Australia.[369] In 2003, the United States General Accounting Office (GAO) released a report on the use of CCTV by law enforcement in Washington, DC, evaluating how law enforcement agencies have responded to civil liberties risks flowing from CCTV surveillance systems.[370] A 2003 study released by the Australian Institute of Criminology reached equivocal conclusions about effectiveness of cameras in Australia.[371]
Campaigns have begun in several countries to stop the spread of surveillance camera systems,[372] and to monitor the deployment of cameras in several cities.[373] In Washington, DC, EPIC has launched Observing Surveillance[374] to document the presence of surveillance cameras in the nation's capital. For several years, an international coalition composed of artists, scientists, engineers, scholars, and others have declared December 24 to be "World Sousveillance" day, and have staged several public protests to draw attention to the use of surveillance cameras.[375]
The debate over the appropriateness of surveillance technology is likely to become sharper as the technology becomes increasingly sophisticated. New systems can digitally record images, which facilitate easy archiving, recovery, and sharing of information. Features include night vision, computer-assisted operation, thermal imaging,[376] and motion detection facilities that help improve the operator's attentiveness by sounding an alert if suspicious activity is taking place.[377] The clarity of the pictures is usually excellent, with many systems being able to read a newspaper at a hundred meters. Technology is also being developed to spot patterns in the surveillance data such as recognizing faces, analyzing crowd behavior, and scanning the intimate area between skin surface and clothes using "passive millimeter wave technology" to search for contraband or weapons.[378] Research into these technologies is receiving significant government funding for crime fighting and anti-terrorism purposes.[379]
Tremendous progress in video surveillance technologies have led to the miniaturization of cameras and enabled wireless connectivity and access through the Internet. These developments, together with the fact that more and more people use them in a private setting and for private purposes, either to protect their property (security cameras), look after their children and nannies ("nanny cams")[380], monitor nursing home residents,[381] conduct virtual child visitation by divorced parents,[382] or send pictures to each other by mobile phone,[383] raise questions about the extent to which people are ready to be observed everywhere they go in public places, or even, in private areas. Private bans on cell phone cameras have been imposed by health clubs, schools, and employers.[384]
Video surveillance is also being increasingly used by private actors for law enforcement type purposes: to monitor their properties, business and commercial areas;[385] to watch for thieves and pickpockets in shopping malls[386] and casinos;[387] to keep an eye on private gated communities and passengers in aircraft;[388] or to detect drug dealing activities at schools.[389] Cameras are also used to monitor some police activities.[390] In countries without rules regulating video surveillance, it is relevant to question whether those private actors' monitoring activities should be limited, or at least be subject to the same constraints as government agents are.
Face recognition technology[391] uses computerized pattern matching technology to automatically identify peoples' faces. While it is still very much in its infancy, it raises significant public policy questions because it enables the covert identification and classification of people in public. The borough of Newham in the United Kingdom first deployed a face recognition system to scan faces against a database to identify people "of interest." The Reykjavik airport in Iceland was among the first airports to use the technology. In the United States, this same kind of face recognition technology was used at the 2001 Super Bowl in Tampa, Florida to compare the faces of attendees to faces in a database of mug shots. There was widespread public outcry, prompting some to call the event the "Snooper Bowl."[392]
The reliability of face recognition technology remains in dispute. For instance, it was not accurate enough for use in the Salt Lake Winter Olympic games where the security chief said, "it's just not proven technology yet."[393] Studies sponsored by the United States Defense Department showed the system is right only 54 percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors.[394] Tests on the face recognition systems in operation at Palm Beach Airport in Florida,[395] and Boston Logan Airport also showed the technology to be ineffective and error-ridden.[396]
As the power and capabilities of surveillance technology increases while the cost and size of systems decreases, there will be further incentives to use the technology. For example, the US Government plans to require other countries to use biometric passports using face recognition technology in the near future, although immediate implementation of the requirement is likely to be postponed until 2006 because of "challenging technical reasons."[397] These and other developments may create new pressures for appropriate regulations to safeguard privacy and to prevent the misuse of the technology.[398]
Developments in satellite surveillance (also called "remote sensing") during the last decade have embraced features similar to those of more conventional visual surveillance. Satellite resolution has constantly improved since the end of the Cold War, largely due to efforts by companies such as EarthWatch, Motorola and Boeing. These companies have invested billions of dollars to create satellites capable of mapping even the most minute detail on the face of the earth.
The use of commercial satellite imagery by governments has increased substantially in recent years. Images obtained through commercial satellites were key in aiding US military forces carrying out Operation Iraqi Freedom.[399] The US Commercial Remote Sensing Space Policy, signed in 2003, ordered all federal government agencies to utilize commercial satellite imagery and encouraged development of a strong US remote sensing industry.[400] Space Imaging and DigitalGlobe are the two major players in the commercial satellite industry, collecting thousands of square kilometers of imagery each day. Both companies are the recipients of substantial contracts with the US government for images from their satellites.
Space Imaging was the first to launch one of the new generation high-resolution satellites, the IKONOS, in September 1999.[401] Its parabolic lens can recognize objects as small as one meter (3.28 feet) anywhere on earth and, according to the company, viewers can see individual trees, automobiles, road networks, and houses. Collecting data at a rate of over 2,000 square kilometers (772 square miles) per minute, the volume of imagery provided by this satellite is staggering. Considered the grandfather of commercial satellites, IKONOS is used by a number of industries in addition to government.[402] Public interest groups are also using the information to show images of nuclear testing by countries and even images of secret United States bases such as Area 51 in Nevada.[403]
The most powerful commercial imaging satellite to date was launched by DigitalGlobe in 2001. The satellite, QuickBird, provides images as small as two feet (0.61 meters). DigitalGlobe is currently working on improving resolution and collection capacity with their new system, called the WorldView Imaging system. The company anticipates that the satellite will be capable of achieving a half-meter resolution.[404]
While governments are increasingly relying on commercial satellite technology, private companies are raising public awareness by providing access to images through the Internet. Upon acquisition of the satellite image firm, Keyhole, in October 2004, Google Inc. combined satellite imagery, maps and its popular search engine to create Google Earth.[405] Google Earth is a free download that allows users to view a map in satellite form by simply entering an address or executing a search. The service is still in the early stages, and the level of resolution varies from distant aerial photographs to street level, depending on the area. For an additional fee, the company offers two upgraded versions of Google Earth, incorporating Global Positioning System (GPS) technology and data import capability for more advanced application. The satellite option was initially offered through Google’s Internet mapping service, Google Maps, but in a more limited form. Other companies, such as Microsoft, also offer satellite imagery through various Web sites.[406]
Satellite images have long been offered for sale to consumers by companies such as Terraserver and ImageAtlas but the widespread use of the Google search engine and the ability to link searches to the mapping service raised awareness, pushing discussions of privacy to the forefront.[407] Currently, the photographs are six to 18 months old, but critics have voiced concern over the possibility that Google may begin offering real-time images and the potential invasions of privacy that could result. Privacy advocates have suggested that Google offer an opt-out policy for this service, allowing individuals to enter their address and blank out their home from the public image database.[408]
Integration of existing satellite images with ground-based Geographic Information System (GIS) databases have produced interactive maps available for widespread use. GIS technology allows users to link detailed data on human activity to mapping software. Information ranging from census data to crime statistics may be incorporated into these maps.[409] Because there is no limit to the types of information that can be linked to satellite imagery, the implications of this technology are far-reaching. Were personal information integrated into such a map, simply double-clicking on a satellite image of an urban area could reveal precise details about the occupants of a particular house. The "Open Skies"[410] policy accepted worldwide means that there are few restrictions of the use of the technology.[411]
Despite these advances, private companies have a distance to go before they catch up with governments. Experts estimate that the current generation of secret spy satellites, such as the Ikon/Keyhole-12, can recognize objects as small as ten centimeters (approximately four inches) across and some analysts say that it can image a license plate.[412] The airplane manufacturer Boeing is currently fulfilling a 10-year contract with the United States government for a Future Imagery Architecture (FIA) to replace the KH satellites and the ground infrastructure.[413] The FIA is based on a constellation of new satellites that are smaller, less expensive, and placed in orbit to allow for real-time surveillance of battlefields and other targets.
Government use of satellites is extensive, ranging from homeland security operations to agricultural analysis. For example, the United Nations (UN) Office on Drugs and Crime uses IKONOS imagery to assess the illegal drug trade in Afghanistan, Laos, Myanmar, and Bolivia.[414] By analyzing satellite images, the UN is able to assess the level of production of illicit crops such as heroin and cocaine, and estimate the portion of the drug trade attributable to these nations.
Following the September 11, 2001 terrorist attacks on the United States, the US National Geospatial Intelligence Agency (NGA) began focusing its observation internally rather than abroad. Prior to the attacks, domestic US satellite surveillance most often involved natural disaster relief. Although laws limit the use of intelligence resources to issues of national security, the NGA admits to the existence of gray areas in which aiding the FBI in criminal investigations is common practice.[415]
Satellite utilization is not limited to visual surveillance, but also involves location tracking. The Global Positioning System (GPS)[416] is a satellite navigation system comprised of 24 satellites transmitting signals that enable mobile ground receivers to pinpoint their exact location. The system was created by the US Department of Defense[417] and is used primarily for military purposes. Initially, the US government relied on a "selective availability" feature that degraded the signal for civilian devices, allowing minimal accuracy. However, in 2000, the US Air Force discontinued use of this software, upgrading the accuracy of civilian devices from 100 meters to roughly 10 meters.[418]
Development of the European satellite system, Galileo,[419] will likely enhance surveillance technology. The system will consist of 30 satellites to be launched in 2006 and 2007 and is expected to be operational as early as 2008.[420] Galileo will be fully interoperable with GPS and, when used in conjunction, will offer much greater reliability and an expected accuracy of close to one meter.
Use of GPS is becoming increasingly common, as the technology finds its way into consumer wireless devices such as cellular phones, personal data assistants, and car navigation systems.[421] Although GPS provides convenient navigational assistance, the ability for others to track users raises serious concerns.[422] A number of relatively inexpensive devices, advertising the ability to covertly monitor the movements of individuals, are currently on the market.
Employer use of GPS to monitor their workforce is also on the rise.[423] The number of trackers installed on fleet vehicles in the US is expected to exceed 1.3 million by 2005.[424] Some companies require employees to carry GPS-enabled cell phones to allow for tracking on the job.[425] Employers cite legitimate purposes for such monitoring but the lack of clear standards governing this practice leaves the potential for abuse wide open.
Surveillance by law enforcement is not the only online privacy risk. The growth of the Internet and electronic commerce has dramatically increased the amount of personal information that is collected about individuals by corporations. As consumers engage in routine online transactions, they leave behind a trail of personal details, often without any idea that they are doing so. Much of this information is routinely captured in computer logs.
Most on-line companies keep track of users' purchases. This information ranges from the trivial to the most sensitive and, unless adequately protected, can be used for purposes that seriously harm the interests of the consumer. Other companies gather personal information from visitors by offering personalized services such as news searches, free e-mail and stock portfolios. They then sell, trade, or share that information among third party companies without the consumer's expressed knowledge or consent. The perceived value of this kind of information is behind the stock-market valuations of many dotcom companies.
Many on-line companies, for example, provide lists of their customers' e-mail addresses to companies that specialize in sending unsolicited commercial e-mail (spam). Other companies mine e-mail address from sources such as messages posted on mailing lists, newsgroups, or domain name registration data. In one test by the US Federal Trade Commission, an e-mail address posted in a chat room began receiving spam within eight minutes of submitting a post.[426] Mining or harvesting e-mail addresses produces a barrage of online advertisements. Studies show that consumers resent spam both for the time it takes to process and for the loss of privacy resulting from their e-mail address circulating freely on countless directories.[427] Furthermore, spam can result in significant economic loss to the consumer. A 2001 report by the European Commission found that "Internet subscribers worldwide are paying an estimated EUR10 billion (~USD 9 billion) a year in connection costs to receive junk e-mails."[428] The European Union's Privacy and Electronic Communications Directive prohibits unsolicited commercial marketing by e-mail without "opt-in" consent.[429] In Japan two new anti-spam laws were passed in 2002. The laws allow users of the Internet and text-enabled mobile phones to opt-out of spammers' contact lists, and require that all unsolicited commercial e-mail be clearly identified.[430] In concert with a February 2004 conference in Brussels, the OECD's Directorate for Science, Technology and Industry released a background paper on spam.[431] The report summarizes challenges to effective enforcement of regulation, which includes, very low compliance with labeling regulations, the possibility that do-not-e-mail registries may only punish "reputable marketers" who comply with them, and some consumers' mistrust of opt-out frameworks. The report surveyed industry responses to spam, cross-border issues, and enforcement, and ultimately concluded that a multi-dimensional approach and international co-operation was necessary. The International Telecommunications Union has begun a new project on Countering Spam.
According to the ITU, "Unsolicited commercial communications or spam, as it is more usually known, has grown into one of the major plagues affecting today's digital world . . . . A multi-pronged approach, including technical solutions, consumer education, industry partnership, appropriate laws and enforcement mechanisms and international cooperation is therefore needed."[432] At the ITU WSIS Thematic meeting on Countering Spam, held in Geneva in July 2004, a wide range of topics were addressed.[433]
Many companies, including Internet Service Providers (ISPs), search engine firms, and web-based businesses, monitor users as they travel across the Internet, collecting information on what sites they visit, the time and length of these visits, search terms they enter, purchases they make, or even "click-through" responses to banner ads. In the off-line world this would be comparable to, for example, having someone follow you through a shopping mall, scanning each page of every magazine you browse though, every pair of shoes that you looked at and every menu entry you read at the restaurant. When collected and combined with other data such as demographic or "psychographic" data, these diffuse pieces of information create highly detailed profiles of individuals. These profiles have become a major currency in electronic commerce where they are used by advertisers and marketers to predict a user's preferences, interests, needs and possible future purchases. Most of these profiles are currently stored in anonymous form. However, there is a distinct likelihood that they will soon be linked with information, such as names and addresses, gathered from other sources, making them personally identifiable.
The most pervasive tracking technology is the cookie. The cookie is a small file containing an ID number that is placed on a user's hard drive by a website. Cookies were developed to improve websites' ability to track users over a session. The cookie can also notify the site that the user has returned and can allow the site to track the user's activities across many different visits. The use of cookies expanded greatly when it was realized that a single cookie could be used across many different sites. This led to the development of advertising network companies that can track users across thousands of sites. The largest ad service, DoubleClick, has agreements with thousands of web sites and maintains cookies on over 100 million unique users; each linking to hundreds of pieces of information about the user's browsing habits. It is possible to configure the dominant Internet browsers to reject or send a warning notice before cookies are set. This does not provide much protection, however, as websites will often condition access on acceptance of cookies or send floods of requests to set new cookies, thereby frustrating the browsing experience.
A more secretive manner of monitoring online users takes place through the use of web bugs. Web bugs are invisible graphics that are placed on Web sites or in e-mails in order to track visitors to that Web site or the recipients of e-mails (often spam). A Web bug on a Web site collects information such as the IP address of the visiting computer, the browser being used, the time of the "hit," and also a previously set cookie value. In an e-mail a Web bug is used to discover if and when the e-mail message was read, how many times it was forwarded, and the IP address of the recipient. A marketing e-mail directing users to Web sites can also be used to link the e-mail addresses of those that later visit the site to their cookie data. Web bugs can also be used in newsgroup messages to track readers.[434]
In April 2004, Google announced a new, free webmail service called "Gmail." Under Google's system, Gmail subscribers would receive an entire gigabyte of storage space on the condition that the company could extract content from incoming and outgoing messages for ad targeting.[435] Gmail's in-depth analysis of subscriber and non-subscriber e-mail raises serious privacy issues ranging from new commercial intrusions into communications to the possibility that the content capture system could be employed for law enforcement purposes similar to the FBI's Carnivore system. There are also risks that ad tracking could create data files related to the content of e-mail communication that would not enjoy strong legal protection against law enforcement subpoenas. A coalition of privacy and civil liberties groups urged Google to suspend the Gmail system,[436] and a subset of the coalition requested that the Attorney General of California investigate the company for violations of the state's strict wiretapping laws.[437] Privacy International filed a complaint on Gmail with over a dozen countries, the European Commission, and the Article 29 Data Protection Working Group.[438] Legislation to address Gmail has been introduced in California, and the system's introduction sparked the Massachusetts legislature to strengthen the State's privacy act.
Individuals are also tracked online through "spyware," invasive software that transmits browsing habits or personal information to others. Some spyware is motivated by commercial profiling, and is primarily designed for ad targeting. Other spyware is specifically advertised as a method for spying on individuals. Spyware is generally difficult to define, and in comments to US regulators, EPIC has argued that even "legitimate" software can possess "indicia of invasiveness" that typically appear in unsavory spyware programs.[439] Spyware is sometimes bundled with other programs, so that users download and install it without fully understanding the tracking capabilities. Spyware can also be installed by "drive by downloads," situations where individuals are tricked into accepting a program for installation, and through vulnerabilities in Internet browsers.
The European Commission's Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, in its January 1999 report entitled "Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware," addressed the issue of governmental response to spyware.[440] Recommendations of the Working Party include giving the data subject notice of the data processing and collection, a user right of access to the data, prevention of the creation of client persistent information, and technical protections against spyware. In April 2004, the US Federal Trade Commission held a forum on spyware.[441]
In the offline world, profiling has been thriving for decades.[442] Profiling companies build personally identifiable databases based on a plethora of sources including supermarket purchases, product warranty cards, public records, census records, magazine and catalog subscriptions, and surveys. This is done in the absence of legislation that would prevent dossier building. Companies also "enhance" dossiers that they already own by combining or "overlaying" information from other databases. For instance, a business may request a name and phone number directly from the customer, and then use this information to purchase other personal details. These dossiers may link individual's identities to any number of facts deemed private by advanced societies including medical conditions, physical characteristics, and lifestyle preferences.
The line between online and offline profiling has become more and more blurred. In 1999, DoubleClick announced that it was buying Abacus, owner of the largest direct marketing lists in the country, with information on the purchasing habits of 90 percent of all United States households, and that DoubleClick was going to merge information from the purchasing databases with information from online browsing. Following a public outcry, the company suspended its plan to merge personal data with profiles. However, in July 2000 the Federal Trade Commission reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only "opt-out" consent.[443]
Another important player in this move towards complete identification of Internet users is the Microsoft Corporation. In 2001 Microsoft began aggressively promoting the Passport and Hailstorm services in preparation for the launch of Microsoft XP, the newest version of the Windows operating system. Passport is an online identification and authentication system, which employs a single sign-on system to facilitate e-commerce and browsing among different web sites that require a user to identify oneself. Once a user signs on to Passport, other affiliated sites visited by the user receive information about the user. Passport stores user information in a central database. The Passport service is intended to give Microsoft and Passport affiliates the ability to send unsolicited commercial e-mail to Internet users and to profile their activities. To register for Passport, a user must submit an e-mail address. Users can also submit their real name, city/locale, gender, age, occupation, marital status, personal statement, hobbies and interest, favorite quote, favorite things, a personal photo, and a home page. Hailstorm was a group of services[444] that Microsoft intended to provide from central servers. In theory it would have collected an extraordinary range of consumer information. Privacy and consumer groups in the United States filed a series of complaints against Passport and Hailstorm with the Federal Trade Commission in 2001, detailing the risks to privacy and security in these systems. In July 2002, European Union (European Union) officials confirmed publicly that they were pursuing an investigation into Passport for breach of European privacy laws.[445] In January 2003, the EU Working Party on Data Protection – Article 29 issued an opinion requiring substantial changes to Microsoft Passport.[446] Among other things, the opinion requires Microsoft to allow users to restrict the use and sharing of information for commercial and marketing purposes.
A competitor to Microsoft's Passport, Project Liberty, is being developed by a coalition of companies.[447] This identification system is similar to Microsoft's single sign-on. However, it allows users to choose what companies will be able to authenticate the user.[448]
Attempts at developing more permanent methods of identifying users have been underway for years. In 1999, Intel announced that it was including a serial number in each new Pentium III chip that could be accessed by websites and internal corporate networks. Most of the manufacturers suppressed the number after a consumer boycott was announced, and Intel announced in 2000 that it is dropping the serial number in future chips. Microsoft and RealAudio were discovered using the internal networking number found in most computers as another identifier for online users. Microsoft's Windows Media Player contains a globally-unique identifier (GUID) that can be tracked by website operators. Finally, the Media Access Control (MAC) address embedded in many network cards are unique and can be used to identify many computers.
The privacy of online consumers can also be seriously compromised by security breaches. Many web sites are poorly secured against both physical and electronic attacks.[449] In December 2002, thieves stole hard drives containing the unencrypted personal information of over 500,000 United States servicemen from the Triwest Corporation.[450] In March 2000, following a security breach, De Beers lost 35,000 names, addresses, phone numbers and e-mail addresses of people inquiring about buying diamonds. In April 2000, it was revealed that an unknown Microsoft engineer had included a backdoor into its web server software. If someone typed, "Netscape engineers are weenies!" backwards, they would have access to the websites and associated data. In August 2000, Kaiser Permanente, a top United States health insurer, admitted that it had compromised the confidentiality and privacy of its members when it sent over 800 e-mail messages, many containing sensitive information, to the wrong members.[451] Similarly in July 2001, Eli Lilly, the makers of the anti-depressant drug Prozac, revealed the names and e-mail addresses of over 700 patients that subscribed to the company's e-mail service for information on the drug and other issues.[452] In 2003, a security breach notice law took affect in California that requires entities to notify individuals when their personal information may have been accessed with authorization.[453] Since implementation of that law, every month brings a new series of notices of major security breaches.
A common practice among online companies is to sign on to a "seal" program in order to provide consumers with a sense of security that their personal information is being protected. These programs follow the traditional seal programs in laying down certain eligibility standards which participant companies must respect in order to get a compliance seal. The better seal programs conduct monitoring and compliance checks, provide educational information, offer consumer dispute resolution, and enforce sanctions against errant companies. There are many disadvantages of seal programs operating within a self-regulatory system. All too often, seal program operators have been shown to be ineffective and reluctant to take enforcement measures against their members including companies such as Microsoft.[454] A 1999 Forrester research report found that, "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry – rather than for consumers."[455]
There are tools available that can be used to protect the privacy of users in many cases. These technologies are known as "Privacy Enhancing Technologies" (PET) and are aimed at eliminating or minimizing the collection of personally identifiable information. Encryption is an important tool for protection against certain forms of communications surveillance. When properly implemented, a message is scrambled (i.e., encrypted) so that only the intended recipient will be able to unscramble (i.e., decrypt), and subsequently read, the contents. Pretty Good Privacy (PGP) is the best-known encryption program and has hundreds of thousands of users. An alternative is the open source program called GNU Privacy Guard (GPG) that allows anyone to view the full source of the system to ensure that it does not allow for secret surveillance.[456] Cryptographic modules are also implemented in applications; for example web browsers, in order to maintain some confidentiality in electronic commerce transactions, include Secure Sockets Layer (SSL) to encrypt sessions between users and servers.
It is important to note that encryption of content alone does not prevent the disclosure of traffic data; that is, it is still clear that person A is e-mailing person B, or that person A is visiting web site W. Other applications are available to maintain the privacy of these transactions. "Anonymous remailers" strip identifying information from e-mails and can deter traffic analysis.[457] Services such as Anonymizer provide anonymous websurfing, anonymous e-mail messaging, banner ad and pop-up blocking, and automated deletion of cookies and web bugs after Internet sessions.[458]
There have been significant setbacks in the effort to develop commercially viable privacy enhancing techniques. In October 2001, Zero Knowledge Systems ceased to operate the Freedom Network, which used to provide a fully encrypted and pseudonymous link between the user and secure servers, and replaced it with a simpler proxy-based service. In February 2002, several flaws were discovered in SafeWeb, an anonymous-surfing technology originally funded by the Central Intelligence Agency.[459] In March 2002, Network Associates, the company that provided the commercial version of PGP, discontinued support for the application.[460] The international (free) version continues to be available from PGP International.[461]
At the same time, human rights groups and even large corporations explored new techniques to protect online privacy. The Canadian-based Privaterra worked with NGOs to encourage the use of strong encryption techniques and other methods for online privacy.[462] Hacktivism efforts continued with new efforts to empower dissident political organizations operating over the Internet. In July 2002, the international hacker group, Hacktivismo,[463] announced a new free service called "Camera Shy" to allow users to conceal messages in ordinary image files on the Internet. The browser-based steganography[464] application automatically scans and decrypts content straight from the Internet and leaves no traces on the user's system.[465] The same group released a developer version of a free secure and anonymous web tool called "Six/Four" in February 2003. The CryptoRights Foundation is on the cusp of releasing a suite of programs to help human rights and other advocates communicate securely.[466]
It is important to distinguish between genuine privacy enhancing techniques and data security technologies that seek to render processing safe but not to reduce the disclosure and processing of identifiable data.[467] Moreover, there are many products offered by industry that are not privacy protective. Many of these systems, such as Microsoft's Passport and the World Wide Web Consortium's Platform for Privacy Preferences (P3P), are designed to facilitate data sharing rather than to limit disclosure of personal information.[468]
Electronic Numbering (ENUM) is an Internet infrastructure that will allow a single number to reference contact or other information in a public database.[469] Individuals or businesses holding an ENUM account will be able to store information, including phone numbers, e-mail addresses, voicemail numbers, fax numbers, or any other type of data in the ENUM database. Persons wishing to contact the entity would use the ENUM to query a public database for the stored information.
ENUM raises a host of privacy issues that are yet to be resolved. Most importantly, because of the different ways in which ENUM can provide means to contact a person, ENUM has the potential to become a Globally Unique Identifier (GUID). At a more fundamental level, issues of notice and individual participation have yet to be resolved. Since the ENUM database is public, one can assume that it will be mined for commercial and government surveillance purposes. This may lead to an unprecedented amount of spam, as a single ENUM can reveal multiple methods of contacting a person.
Radio Frequency Identification (RFID) is a type of automatic identification system that enables data to be wirelessly transmitted by portable tags to readers that process the data according to the needs of a particular application. Tags in use today are small enough to be invisibly embedded in products, product packaging, and even printing inks. They can be read from a distance and through a variety of substances such as snow, fog, ice, or paint, where barcodes have proved useless.[470] The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, or date of purchase. RFID readers are often connected to computer networks, facilitating the transfer of data from the physical object to databases and software applications thousands of miles away and allowing objects to be continually located and tracked through space. RFID may also be used to identify documents and currency. RFID may even be deployed to identify individuals.[471] Today, major uses of RFID include supply chain management, animal tracking, and electronic roadway toll collection.
While barcodes have historically been the primary means of tracking products, RFID systems are rapidly becoming the preferred technology for monitoring pets, products, vehicles and even people.[472] RFID systems enable tagged objects to speak to electronic readers over the course of a product's lifetime – from production to disposal – which could provide retailers with an unblinking, voyeuristic view of consumer attitudes and purchase behavior.[473] RFID systems of all kinds are capable of generating a volume of consumer data several orders of magnitude greater than has been possible before. With in-store deployment, it is predicted that Wal-Mart will generate more than seven terabytes of RFID data a day.[474] All of this data will reap a bonanza of high-resolution consumer information to be aggregated for further data mining or sold to third parties.[475] Industry experts estimate that the market for RFID technology will top USD 6 billion by 2010.[476]
The debate over RFID technology touches upon many controversial policy issues.[477] At its most fundamental, widespread use of RFID tags could enable corporations to track every move consumers make. Corporations that compile the data transmitted by the tags could determine which products a consumer purchases, how often products are used, and even where the product – and, by extension, the consumer – travels. By aggregating data to form consumer profiles, corporations could make assumptions about a consumer's income, health, lifestyle, travel and buying habits. This information could be sold to governments to create dossiers of individual citizens or simply sold to other corporations for marketing purposes. The potential to track spending habits and share RFID data for marketing is the highest cause for concern among consumers.[478] While the ability of RFID readers to collect data from tags once a consumer has left a store or moved beyond the readers' range is currently limited, many consumer groups and privacy advocates note that RFID technology is quickly advancing, while measures to protect individual privacy by limiting the amount and type of information corporations can collect is lacking.[479]
In the widely adopted EPCGlobal RFID standard, the data imprinted on a tag, the Electronic Product Code (EPC), provides a unique link to individual product data. The data is stored in a globally distributed, centrally managed electronic database, known as the Object Name Service (ONS). Tag readers in remote physical locations can connect to ONS via the Internet and then read and modify the item's ONS "dossier" throughout its lifecycle.[480] In January 2004, EPCGlobal chose Verisign, Inc. to manage the root directory of ONS because of similarities between the name service and Domain Name Service (DNS), which Verisign manages for the .COM and .NET top-level domains.[481] This choice has raised alarm bells with privacy advocates, who note Verisign's poor track record in electronic privacy.[482] Recognizing that new innovative uses will drive RFID's profit potential, Verisign labeled 2005 as "The Year of the [RFID] Pilot" and sponsored a number of conferences aimed at EPC developers.[483]
Opponents of RFID tags have proposed measures to sidestep the chips' relentless information-gathering, ranging from disabling the tags by crushing or puncturing them, boycotting the products of companies that use or plan to implement RFID technology,[484] or finding ways to block the reading of a tag using special mylar bags or other technological means. The RFID industry has moved to meet this consumer demand with its own solutions, most notably the EPCGlobal standard for "killing tags," which allows for tags to be physically disabled at point of sale by the merchant.[485] Another industry-level solution has been proposed by RSA Security, Inc., which would provide a system for tag reading to be blocked in specified "privacy zones" of varying scope.[486] Both "tag killing" and tag blocking are problematic solutions that have yet to be proven in the field.[487] The "Blocker Tag" remains an unproven solution for many reasons. Technologists appear to disagree as to the ease with which such a system might be circumvented,[488] and it places a significant burden on consumers to make sure they protect their privacy through the duration of their ownership of a product.
Currently, RFID tags are not widely used in consumer products because the price of the tags is still prohibitively expensive.[489] However, developments in RFID technology are yielding lower-cost systems with larger memory capacities, wider reading ranges, and faster processing.[490] Over the next few years, industry experts expect to see a broad range of RFID pilots, and even several fully integrated systems, launched. Companies, such as IBM, Sun, and Microsoft, are racing to develop the leading software that will enable retailers, manufacturers, and distributors to use RFID tags to track goods within stores and factories, as well as programs specifically designed to use the new retail tagging technology.[491]
Many large organizations have begun implementing RFID technology. Gillette, Wal-Mart, and Levi Strauss are among the early pioneers, using RFID for real-time tracking of inventory levels.[492] RFID systems have provided immediate benefits such as accurate replenishment of out-of-stock items and precise product sales performance statistics.[493] Other companies are developing "smart" shopping cart technology that makes use of RFID.[494] Using the Internet or a swipe card, the cart will guide consumers to their desired items and make suggestions for other products.[495] Hospitals are also beginning to use RFID to monitor medical supplies and track patients.[496]
Public organizations are also making use of the technology. For example, public libraries have embraced RFID.[497] A growing number of libraries in the United States[498] have already tagged every book, tape, CD, or other item in their collections.[499] Thirteen US government agencies plan to implement RFID within their operations in 2006.[500] The Energy Department wants to track hazardous waste materials.[501] The Labor Department plans to implement an RFID system to monitor and locate its tremendous volumes of case files.[502] These uses are not problematic, as RFID tags are not being used to identify and locate people. However, the Homeland Security and State departments want to use the technology to aid in border control and immigration management without taking travelers' privacy sufficiently into account.[503] The State Department's proposal[504] to roll out RFID-enabled passports with biometric data by Spring 2005[505] raised serious privacy and security issues that the agency disregarded. After more than two thousand critical comments[506] were filed,[507] the State Department backed off its original rollout date[508] and agreed to modify some of the RFID passport features to address some privacy and security problems. The State Department has decided to go forward with RFID-enabled passports, arguing that the technology can be secured.[509]
Corporations in Europe and Asia have moved forward with plans to tag consumer products. The German retail conglomerate Metro is planning to have 300 suppliers use RFID tags on their cases and pallets by 2006.[510] Marks & Spencer, one of the largest retailers in the United Kingdom, will have RFID systems in 53 of its 433 stores by Spring 2006.[511] The project is a follow-up to the company's implementation of RFID tags into 4 million produce delivery trays in 2002.[512] In South Korea, a company introduced a system to track freight at one of Asia’s largest shipping ports.[513]
In Singapore, plans have been unveiled to create an RFID electronic passport that stores biometric data.[514] Singapore expects its citizens to begin registering for the new passports in October 2005.[515] China has been developing an RFID standard since 2004 and is partnering with Korea and Japan on joint RFID projects.[516]
Europe's largest amusement park, Legoland in Denmark, uses active RFID tags contained in bracelets and Wi-Fi networks to help parents track their children through the park.[517] The PRISM system, developed by Alanco Technologies, Inc. for use in correctional facilities, uses tamper-proof RFID-enabled wrist bracelets to monitor the location of prison inmates in real-time, reducing instances of prison vandalism and other unruly behavior. "A host of management reporting tools are available that include medicine and meal distribution, adherence to pre-determined time schedules, restricted area management, and specific location, arrival and departure information."[518] The United States Transportation Security Administration (TSA) is considering the use of RFID-tagged airline boarding passes.[519] In Spring 2005, TSA awarded grant monies for companies to develop tracking technologies for airport ground vehicles and baggage using RFID.[520]
Applications that are not initially designed to track individuals, such as the US RFID-based electronic highway toll collection system EZ Pass, might nonetheless make human tracking possible. One of the more offbeat proposals is to use RFID chips to track human corpses as a way to prevent the black-market sale of organs.[521] In California, a school board attempted to track all of its children with cards containing RFID tags, but the proposal was quickly rejected by parents and privacy advocates.[522] This incident led California Senator Joe Simitian to introduce a bill banning the use of RFID technology in most state-issued ID cards.[523] The proposed Identity Information Protection Act would further require government IDs to use the highest level of RFID encryption.[524] A school in Japan experimented with tracking children in a short-term trial in 2004.[525] RFID manufacturer Applied Digital Solutions (ADSX) has developed a passive chip the size of a pen point that can be implanted in the human body. The VeriChip Personal Identification System is designed for use in a variety of applications including financial and transportation security, residential and commercial building access, military and government security.[526] A nightclub in Spain began using the VeriChip system in March 2004, to improve access for VIPs and allow them to pay for drinks without cash or credit cards.[527] ADSX has begun a campaign to promote the technology with the slogan "Get Chipped," and a mobile van called the "ChipMobile" can perform the chip insertion procedure in towns that it visits.[528]
Many individuals and non-government organizations have voiced strong opposition to widespread implementation of RFID tags without proper privacy protections.[529] One US organization opposing the use of RFID tags is Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). CASPIAN organized a worldwide boycott of global retailer Tesco in opposition to its plan to expand item-level RFID tagging.[530] CASPIAN's main objection to Tesco is that its RFID tags are not deactivated at checkout to prevent possible tracking of consumers after the sale.[531] CASPIAN has proposed US federal legislation known as "RFID Right to Know Act of 2003," which calls for mandatory labels on RFID-equipped products so that consumers can identify and make informed choices about purchasing products installed with tracking chips.[532] EPIC has testified before Congress[533] and the Federal Trade Commission[534] to discuss privacy and security concerns raised by RFID and has called for the adoption of strong privacy guidelines for RFID technology[535] to protect consumers against potential abuses of the tracking technology. EPIC also advocated for stronger oversight of RFID use in the medical and health sectors.[536]
During the past year, there has been widespread activity on the part of governments and NGOs to begin the process of regulating the use of RFID to protect individual privacy. US Government Accountability Office, in June 2005, issued a report highlighting key RFID security and privacy issues.[537] US Department of Commerce held workshops and issued a comprehensive report in 2005 discussing the privacy challenges raised by RFID.[538] Federal Trade Commission issued a report[539] in March 2005 from an earlier workshop[540] that examines consumer privacy implications of RFID. Amidst the attention placed on RFID and privacy, there were reports[541] that the Department of Homeland Security - who firmly denied these reports[542] - planned to implement RFID in its new employee ID cards. Bills have been drafted and debated in state legislatures of the United States, and several other countries, including Canada, Italy, Australia and Japan, have outlined guidelines for domestic industry to follow in their use of RFID.
In its 2005 RFID Resolution, the Trans-Atlantic Consumer Dialogue (TACD), a consortium of US and EU consumer groups, called for urgent attention to the risks to consumers associated with RIFD.[543] The approach of regulatory movements worldwide varies considerably. RFID bills drafted in the US, all share a "notice" clause. This clause requires any consumer products bearing RFID tags to be conspicuously labeled. There is no legislation currently being considered in the US at the federal level.[544]
Although it does not explicitly call for labeling, a joint resolution on RFID, proposed by data protection authorities in Germany, Spain and Switzerland and adopted at the International Conference of Data Protection and Privacy Commissioners in Sydney, Australia on November 20, 2003, requires consumers to be able to delete data and destroy or disable tags on consumer items. Further, the resolution asserts "all the basic principles of data protection and privacy law have to be observed when designing, implementing and using RFID technology." The European Union published RFID privacy guidelines outlining the consumer's right to control and access information gathered through RFID technology[545] Joint guidelines released by Japan's Ministry of Public Management, Home Affairs, Posts and Telecommunications (MPT) and the Ministry of Economy, Trade and Industry (METI) on June 8, 2004, call for consumers to be given options on how they might interfere with the reading of tags, but appear to say nothing about rights to have the tag removed or destroyed.[546]
At the World Summit on the Information Society (WSIS) in Geneva, Switzerland, in the fall of 2003, three international researchers from the United Kingdom, Switzerland and Sweden discovered that the security system used to control access to the United Nations Summit included hidden RFID tags embedded in the official summit badges. The researchers issued a press release detailing the manner in which individual attendees could be identified and tracked as they moved through the conference and argued that the processing of the personal data by WSIS violates "the principles of the Swiss Federal Law on Data Protection of June 1992, the European Union Data Protection Directive (1995/46/EC), and the 1990 United Nation Guidelines concerning Computerized personal data files."[547]
There is continuing debate over how existing laws and regulations in the US and Europe might apply to the use of RFID technology. In the United States, there is little in the way of omnibus legislation that might apply to RFID practice. In Europe, however, existing data protection directives apply to both the issue of individual tracking and the association of data with personal identification. As a result, any use of RFID tags that involves processing of personal data is likely to be subject to a number of data protection obligations.[548]
Public records present some of the most difficult privacy challenges. On one hand, public records may assist individuals in ensuring that a government remains transparent and accountable. On the other, public records may be converted from this tool of citizen empowerment to one that empowers governments and businesses to track citizens.[549] Increasingly, personal information is being harvested from public records to create detailed profiles on individuals. Public records may contain many types of personal information that are commercially valuable. These include: Social Security numbers, birth records, arrest information, civil case history, criminal case history, addresses, drivers license information, land sales transactions, records of asset holdings, ownership of corporations, marital status, presence of children, employment status, and health information. Often, individuals are compelled by law to provide truthful and complete personal information to government authorities that is then placed in the public record. For instance, in order to exercise the right of marriage, in some states a publicly available license must be filed at a courthouse containing the individuals' Social Security Numbers.
The advent of remote electronic access to public records systems has raised the specter of vastly increased data mining and profiling. Mining a public records database soon will no longer require the time and expense involved in traveling to the physical location of the records. Data miners will be able to remotely access public records systems and use widely available software to harvest personal information. This harvesting of personal information already has had a substantial impact on individuals. In 2002, the Wall Street Journal reported that drug maker Eli Lilly had terminated employees for decade-old convictions discovered in dossiers aggregated from public records.[550]
Unrestricted commercial harvesting of public records has enabled the American government to obtain detailed dossiers on citizens with ease.[551] Through private-public partnerships, several profiling companies make consumer dossiers available to the government. One company in particular, ChoicePoint,[552] has emerged as the leading provider for law enforcement and other government agencies.[553] ChoicePoint maintains web pages customized for individual federal agencies to facilitate the sale of public record information to police.[554] As a result of FOIA requests initiated by EPIC, it was discovered that ChoicePoint was selling the national ID databases of several Latin American countries to the American immigration law enforcement agency.[555] Since that revelation, several Central and South American countries have initiated investigations into the legality of the information transfer.
The counting of citizens can be traced back to the Biblical recordings of Moses. In the Book of Numbers, Moses counted people in areas surrounding his kingdom in order to strengthen the count of the population under his control. Scholars discuss that the list of names was used as an original census, creating a legal identity of, and control over, a group of people.[556]
The US Census has been administered every 10 years since the Revolutionary War, and it was intended to be used primarily for the apportionment of Representatives for the nation's Congress. The complexity of the census has grown with the expansion of the United States; the country's government has found extensive uses for census related statistics. The census has also been crucial in tracking the population needs of various regions and understanding the structural composition of the nation's population.
The census raises important privacy issues. The risks that accompany the electronic compilation of personal information include re-identification,[557] which is the practice of linking individuals' identities to anonymous census records; the use of personal information for marketing solicitations; and even more serious consequences of political abuse.
In the United States, census data is protected statutorily.[558] The US Code requires that information gathered by authorities be kept confidential and be used exclusively for statistical purposes. The statute provides penalties for employees who willfully disclose such information illegally. Authorities are restricted from using the information for any purpose other than statistics, making any publication allowing any individual to be identified, or permitting any unauthorized person to examine the census reports.
Internationally, data protection norms apply to census data. Article 6(1)(b) of the European Union Data Protection Directive provides that "appropriate safeguards" must be established for "processing of data for historical, statistical or scientific purposes."
A specific example of the privacy risks of the US census can also be found in the 1940s. It has been recorded that even before the Japanese attack on Pearl Harbor, President Franklin Delano Roosevelt ordered the Census Bureau to collect information on "American-born and foreign-born Japanese" from the Census data lists. Information was gathered from the 1930 and 1940 censuses on all Japanese-Americans and then given to the Federal Bureau of Investigation (FBI) and top military officials. These sources point directly to the census information as one of the reasons that led to the internment of almost 110,000 Japanese-Americans on the West Coast, two-thirds of whom were US citizens.
In July 2004, a Freedom of Information Act request pursued by the Electronic Privacy Information Center revealed that the Census Bureau provided specially tabulated population statistics on Arab Americans to the Department of Homeland Security, including detailed information on how many people of Arab backgrounds live in certain ZIP codes. The tabulations were produced in August 2002 and December 2003 in response to requests from what is now the Customs and Border Protection division of the Department of Homeland Security. One set listed cities with more than 1,000 Arab Americans. The second, far more detailed, provided ZIP-code-level breakdowns of Arab American populations, sorted by country of origin. The categories provided were Egyptian, Iraqi, Jordanian, Lebanese, Moroccan, Palestinian, Syrian and two general categories, "Arab/Arabic" and "Other Arab."[559] Following the efforts of a coalition of ethnic advocacy groups, privacy watchdogs and civil rights and civil liberties organizations.[560] the Census Bureau subsequently announced that it would no longer assist law enforcement or intelligence agencies with special tabulations on ethnic groups and other ''sensitive populations'' without the approval of senior bureau officials.[561]
In the United Kingdom, it was determined that compulsory transfers were considered in Northern Ireland in 1972.[562] A UK government top-secret memo has surfaced describing a plan to relocate Irish Catholics; the plan was written with census data. Although never implemented, the use of census data for non-statistical purposes has caused great concern in Europe.
The Census continues to be controversial in Germany.[563] Since the Census was instrumental in identifying individuals persecuted by the Nazi regime, Germans have been sensitive to the administration and planned expansions of the Census.[564] In the 1980s, the German Government instituted a law requiring more information to be provided on the national census. After a public outcry, the law was challenged in court. The issue was brought before the German Federal Constitutional Court by representatives who had been instrumental in the passage of the first German Data Protection Act during the 1970s. The court found the census law unconstitutional based upon what the court termed a fundamental right to informational self-determination implicit in the German Constitution.
Several companies have developed Digital Rights Management (DRM) systems to prevent the unauthorized use of digital files.[565] DRM technologies can control file access (number of views, length of views), altering, sharing, copying, printing, and saving. These technologies may be contained within the operating system, program software, or in the actual hardware of a device. Some DRM technology can disable users' machines for unauthorized access to files. InTether Point-to-Point, for instance, imposes "penalties" for those who attempt an "illegal use" of a digital file.[566] Penalties include automatic rebooting of the users' machine, or destruction of the file the user is attempting to access.
DRM systems take two approaches to securing content. The first is "containment," an approach where the content is encrypted in a shell so that it can only be accessed by authorized users.[567] The second is "marking," the practice of placing a watermark, flag, or a XrML tag on content as a signal to a device that the media is copy protected. Some systems combine the two approaches. Nevertheless, according to an authority in the field,[568] DRMs are vulnerable to cracking by individuals with moderate programming skills.[569]
These technologies have been developed with little regard for privacy protection. DRM technology usually requires the user to reveal his or her identity and rights to access the file. Upon authentication of identity and rights to the file, the user can access the content. Under the Digital Millennium Copyright Act, tampering with or producing "circumvention" tools for copyright control technologies is illegal.
These systems can prevent anonymous consumption of content, and could be employed to profile users' preferences or to limit access to digital books, music, or programs. DRM technologies may "…enable an unprecedented degree of intrusion into and oversight of individual decisions about what to read, hear and view."[570] For instance, a DRM technology called Copyright Agent quietly scans peer-to-peer networks to discover whether users possess illegal content. If a copyright violation is found, the program automatically informs the users' Internet Service Provider that his or her service should be severed.[571]
In February 2002, the European Commission Information Society Directorate held a workshop on DRM technologies to examine, among other issues, their effects on privacy.[572] Similar workshops have also been held at the US Department of Commerce Technology Administration[573] and the Berkeley Center for Law and Technology.[574]
In February 2002, Sunncomm, Inc., a DRM systems developer, and Music City Records settled a lawsuit brought by a California woman who objected to their practice of tracking and disclosing personal information to third-parties with no opt-out scheme.[575] The settlement agreement required the companies to provide notice to consumers of their information collection practices and to refrain from requiring consumers to disclose their personal information as a condition of downloading, playing, or listening to a CD.[576]
In June 2002, Microsoft released information regarding its new "Palladium" initiative, which was renamed in 2003 to "Next-Generation Secure Computing Base."[577] Through software and hardware controls, Palladium could place Microsoft as the architect of computer identification and authentication. Additionally, systems embedded in both software and hardware would control access to content, thereby creating ubiquitous DRM schemes that can track users and control their use of media and even access to websites. Microsoft has experienced a delay in its implementation of Palladium, and now expects to have elements of the system in by 2006.
In November 2003, the US Federal Communications Commission voted unanimously to create a requirement that consumer products be able to recognize a Digital Broadcast Flag by July 2005. Such a flag will mark digital content as "protected" and direct devices to limit individuals' use of the content. EPIC recommended against the adoption of a Digital Television Broadcast Flag mandate unless it incorporates privacy protections for viewer data.[578]
In April 2004, the European Commission (the Commission) advocated passing legislation to unify content licensing, arguing that the market for digital content will be ineffective without a single standard for Europe.[579] Specifically, the Commission called for Community-level regulation of collecting societies, the companies that administer royalties and license fees for content owners. DRM systems, too, would have to be interoperable under the plan. The balance struck among rights holders, media players owners, and users will have great effect on users' ability to access digital content and to shield themselves from monitoring.
Authentication is the process of verifying a claim that is being made regarding an identity, an attribute pertaining to an identity (e.g., "this person is a citizen of the United States"), or a set of attributes. Traditionally, the greatest demand for secure authentication solutions has come from enterprises looking to meet their own intra-organizational security needs, as well as from government organizations in contexts where national security interests are believed to be at stake. In recent years, the demand for (and the adoption of) secure authentication solutions has been sharply on the rise in all kinds of other contexts that directly affect the privacy of individuals on a scale unimaginable two decades ago. Much of this is driven by the growing popularity of the Internet and mobile communication networks, as well as by the rapid increase in PCs and information appliances such as Web-enabled mobile phones and handheld computers.
As new authentication architectures are being developed (through de jure, de facto, and technical standards) and adopted for an ever-growing number of applications, the privacy of individuals is being eroded at an unprecedented pace, often with little or no justification at all. New electronic communication and transaction mechanisms automatically capture and record identities in central computer systems without individuals even being aware of it. As more and more personal information is collected and recorded on central systems, policies and traditional security safeguards to prevent against leakage and abuse are rapidly becoming ineffective.
Much of this explosive tension between the (perceived or real) need for authentication on the one hand and privacy demands on the other can be attributed to a widespread misbelief: namely, that identification is the same as authentication, and that privacy and authentication are opposite goals. This misbelief is perpetuated by all kinds of influential standards organizations. The International Standard Organization[580] (ISO), for example, defines authentication as "the provision of assurance of the claimed identity of an entity," and the Internet Engineering Task Force[581] (IETF) defines authentication as "[t]he process of verifying an identity claimed by or for a system entity." Likewise, at the political level, authentication and identity are often mistakenly equated.
The actual fact of the matter is that authentication is a much broader notion than identification. In many contexts, authentication does not require identification. Indeed, organizations are often not interested in the identity per se of the person they are dealing with, but only in the confirmation of previous contacts of that person, the affiliation of the person to a group, the authenticity of personal data of the person, the entitlements or privileges of the person, and so on. For example, to authenticate whether a user is permitted to purchase alcohol, all that needs to be authenticated is that the user is at least 21 years of age. In this example, identification of the person would only serve as an indirect means to accomplish the authentication that is of actual interest ("over 21 years of age").
In the "old" world, individuals could easily gain access to services without disclosing their identity, either by showing the right privileges or entitlements or by providing service providers with "context-specific" identifiers, such as employee numbers or a health insurance number. While such identifiers serve to identify users, they only do so within specific spheres of activity; organizations cannot use them to cross-profile users across spheres of activity.
Unfortunately, today's most widespread authentication technologies (such as passwords, biometrics, Kerberos, and PKI) all fundamentally cause inescapable identification through identifiers that are globally unique. These identity-based authentication technologies were invented many decades ago, when open networks were hardly existent, let alone organizations seeking to securely share personal information over such networks. Consequently, the only privacy protection that the designers of traditional authentication techniques had in mind was protection against wire-tappers and other unauthorized outsiders. Traditional authentication technologies are not appropriate to address the growing authentication needs in today's day and age, however, since they enable organizations to track and cross-profile users on the basis of globally unique identifiers (such as cryptographic keys) that are inescapably assigned to them.
An equally worrisome trend is the centralization of authentication powers from different organizations into a single trusted organization that acts on behalf of all its constituent organizations. In its original Passport architecture[582] for example, Microsoft relied on the centralization of all data collected from Web site visitors in order to provide authentication services on behalf of a rapidly increasing number of Web sites. Microsoft abandoned this architecture following privacy complaints from consumer groups and EU officials,[583]] as well as a lack of adoption from service providers who were highly reluctant to entrust Microsoft with their customer data.
The "federated" authentication architecture promoted by the Liberty Alliance[584] (an industry alliance of some 160 key industry players in a wide range of sectors, led by a number of major companies who were unwilling to delegate their autonomy to Microsoft in the original Passport initiative) leaves personal data at the organizations that collect it, and allows for multiple "circles of trust" to co-exist. However, even this architecture does nothing to improve the privacy of users: the authentication power (and therefore the access control power) remains centralized. Specifically, whenever a service provider deals with a user, it queries in real time the central "identity provider" in its circle of trust; the identity provider simply returns an authentication assertion as to the validity of the identity claim of the access requestor, which the service provider then uses in its own authorization process. Even though users may be "pseudonymous" towards service providers (in Liberty Alliance the identity provider assigns different user names to the same user, one per service provider), they are certainly not vis-à-vis the most powerful parties in this architecture: the identity providers. Within each circle of trust, the identity provider can track, trace and link in real time all interactions between users and organizations. The identity provider can even impersonate users and falsely deny them access everywhere.
While such centralized authentication approaches may meet the needs of large enterprises that want to do employee-related and supplier-related identity management across their own internal branches, beyond this restricted context the approach rapidly becomes highly problematic with regard to privacy. It may even be in conflict with privacy legislation. If adopted on a government-wide scale, the implications of these privacy-invasive architectures would certainly be unprecedented.
In an electronic world, if at the technical level (by analyzing the electronic data flow) everything is inescapably identifiable through globally unique identifiers, privacy legislation becomes virtually meaningless; how can one force organizations not to collect identifiable information when they cannot prevent it from being delivered to them? The only way out of the seeming conflict between authentication and privacy is to resort to authentication technologies that technically separate the notion of authentication from that of identification. Two decades of research in cryptography have demonstrated that secure authentication and privacy are not trade-offs, but that they are in fact mutually reinforcing when implemented properly. Using techniques that are rooted in modern cryptography, such as Digital Credentials,[585] it is entirely feasible to do secure authentication without necessarily requiring identification. For instance, role-based authentication can be implemented in such a manner that the access requestor cannot be identified.
More generally, privacy-preserving authentication techniques allow each party involved in the electronic processing and forwarding of privacy-sensitive information to securely retain fine-grained control over the information, even as the information is electronically transmitted beyond corporate firewalls and across arbitrary organizational domains. At no point in the chain of electronic information transfer from one party to the next will any party be able to learn more than precisely that which its sender expressly allows.
Each time when implementing a new authentication measure for an existing or new transaction mechanism, it is imperative that designers and adopters analyze how much personally identifiable information really needs to be disclosed for the purposes of authentication. Assuming the information disclosure is found to be necessary and proportionate with respect to the nature of the transaction, they should then seek to implement security needs using authentication technologies that protect privacy, instead of resorting to approaches based on inescapable identification.
In the first quarter of 2004, more than 4.7 million new domain names were registered. This brings the total number of registrations to an all time high of 63 million domain names.[586] Registrants include large and small businesses, individuals, media organizations, non-profit groups, public interest organizations, political, and religious organizations, and support groups. These domain name registrants share their services, ideas, views, activities, and more by way of websites, e-mail, newsgroups, and other Internet media. Registrants are required to provide information in the registration process, which is then made publicly available.
The Internet Corporation for Assigned Names and Numbers (ICANN), a private-sector corporation that coordinates policy for the Internet,[587] has established contractual arrangements with the registries that manage the top-level domains and the registrars that sell the domain names to the registrants. ICANN requires public disclosure on the Internet of domain name registrants' contact information (such as mailing address, phone number and e-mail address), administrative contact information, technical contact information, domain name and servers, and other information.[588] This information is referred to as "WHOIS" data. Its public availability has generated concerns over privacy protection.
Under ICANN's WHOIS policy, Internet users are unable to register for a domain anonymously. The WHOIS database broadly exposes domain name registrants' personal information to a global audience, including criminals and spammers.[589] Anyone with Internet access has access to WHOIS data, including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual property lawyers, and police agents without legal authority.[590] Even those speaking out for human rights cannot conceal their identity. While it is true that some registrants use the Internet to conduct fraud, most domain name registrants do not, and many have legitimate reasons to conceal their identities and to register domain names anonymously. For example, political, artistic and religious groups around the world rely on the Internet to provide information and express views while avoiding persecution. Concealing actual identity may be critical for political, artistic, and religious expression.[591]
WHOIS data lends itself to both good faith and bad faith uses, and investigating fraud is only one of many uses of WHOIS data.[592] There now exist various automated data mining procedures that provide bad-faith users with access to large amounts of personal data at a time, rather than just individual queries. Web-based WHOIS services now have to complicate their access procedures, for example, requiring users to enter number codes before they can retrieve information. The WHOIS database was not originally intended to allow access for such a variety of purposes. The original purpose of WHOIS was instead to allow network administrators to find and fix technical problems with minimal hassle in order to maintain the stability of the Internet.
ICANN's WHOIS policy requires that registrants provide accurate WHOIS information, or otherwise forgo a domain name.[593] If a domain registration is assumed to have inaccurate information, registrants are contacted and given a very limited amount of time to address the problem. Data entered at registration may change in the real world and registrant may forget to update it. They may lose their domain if they are unable to respond quickly to any attempts to contact them. Privacy experts have noted that a policy requiring accurate WHOIS data and then publicly disclosing the data creates serious implications for free speech.[594]
The ICANN WHOIS policies conflict with national privacy laws, including the EU Data Protection Directive, which require the establishment of a legal framework to ensure that when personal information is collected, it is used only for its intended purpose. At a recent ICANN meeting, George Papapavlou, a representative from the European Commission stated that if the original purpose of the WHOIS database is purely technical, the rights of access to and collection of that information pertain solely to that original purpose.[595] Speaking at the "Freedom 2.0" conference held by EPIC in May 2004, Vinton G. Cerf, the President of ICANN, confirmed directly that the original purpose of WHOIS was indeed purely technical.[596] As personal information in the directory is used for other purposes and ICANN's policy keeps the information public and anonymously accessible, the database could be found illegal according to many data protection laws including the European Data Protection Directive.[597]
Under European law, technical users would be the only ones with a legitimate claim to the information. While intellectual property lawyers and law enforcement officials claim the WHOIS database must retain all its current data in its public form as a resource for investigations, the fact that the WHOIS database was originally created for technical purposes makes it clear that such claims to the database would be inconsistent with its original purpose.
In 2003, ICANN's Generic Names Supporting Organization (GNSO) began a policy development process identifying three issues, access, data and accuracy, and creating task forces to study and make recommendations on each. EPIC is serving on one of the WHOIS task forces. The outcome of the WHOIS Policy Development Process will have a significant impact on privacy, civil liberties, and freedom of expression for Internet users.[598] Civil liberties groups and the Non-Commercial Users Constituency[599] of ICANN have urged ICANN to limit the use and scope of the WHOIS database to its original purpose, which is the resolution of technical network issues, and to establish strong privacy protections based on internationally accepted privacy standards. This limitation would entail restricting access to the data, minimizing data required to only that needed for technical matters, and not penalizing registrants for protecting their personal information by entering inaccurate personal data elements.
The task forces have drafted reports[600] on WHOIS policy in these three areas, yet it is unclear whether the recommendations will improve privacy protections. Some of the recommendations entail more privacy risks than safeguards. At the same time, some of the better recommendations, including some restrictions on access and data required, may not be accepted by the GNSO Council and the ICANN Board should they decide to rule on the policy development. After three years, this policy development process, including the establishement of previous task forces, has not made any strides in the protection of privacy and the current problematic policy remains.
While ICANN has considerable authority over the development of WHOIS policies for the generic top-level domains (gTLDs), such as .com, .org, and .net, it is unclear whether ICANN will be able to exercise similar control over the country-code top-level domains (ccTLDs), such as .uk and .de, which may choose to follow national policies. Significantly, country code Top Level Domains are moving to provide more privacy protection in accordance with national law. For example, regarding Australia's TLD, .au, the WHOIS policy of the .au Domain Administration Ltd (AUDA) states in section 4.2, "In order to comply with Australian privacy legislation, registrant telephone and facsimile numbers will not be disclosed. In the case of id.au domain names (for individual registrants, rather than corporate registrants), the registrant contact name and address details also will not be disclosed." In addition, auDA does not allow bulk access to WHOIS data, which ICANN's gTLDs do.[601] It is unclear what, if any, indirect effect the GNSO WHOIS policy development will have on the policies of ccTLDs.
The ICANN WHOIS policy process has continued for several years, yet has failed to resolve the privacy risks faced by Internet users that result directly from ICANN's own data practices.
The World Summit on the Information Society (WSIS) is the first in the series of United Nations (UN) summits that deals with issues of the information society.[602] The Summit was split into two phases, the first which concluded in Geneva in December 2003, and the second in Tunis in November 2005. The Summit process was first initiated by the UN General Assembly in 2001. The task of the Summit is not a small one: to develop a "common vision of the information society." Because of the general feeling that this could not be done by governments alone, the summit process allowed limited participation of observers in a multi-stakeholder process.
At the Geneva summit meeting governments adopted a Declaration[603] and Plan of Action,[604] and established a UN Working Group on Internet Governance. How big the Summit's impact will be in the end will depend more on the momentum and networks created by the summit process, not by the two texts it adopted. In the end this is actually beneficial in the interest of privacy and human rights development, as the texts themselves fell short in these areas. Civil society worked to improve these documents, to center them around human rights, but was forced to issue separate documents: "Shaping Information Societies for Human Needs: Civil Society Declaration to the World Summit on the Information Society,"[605] and "Civil Society Essential Benchmarks for WSIS."[606]
As the idea for the summit had developed first in the International Telecommunications Union (ITU), the telecommunications body of the UN, the initial focus was very technology-centered. Mainly because of the efforts of a global coalition of activists and academics from civil society groups, the general discussion moved from "information" to "society" over the course of the summit preparations. One outcome was that human rights gained a prominent place in the Geneva Summit Declaration and Plan of Action.[607] The Universal Declaration of Human Rights is underlined in the first paragraph of the Summit Declaration, and its Article 19 on freedom of speech is quoted as "central to the Information Society."
Because the summit preparations took place in the context of the global "war on terrorism," one of the most discussed topics was security.[608] The United States and the Russian Federation placed particular emphasis on this matter. This was enforced by developments in other international organizations, like the Council of Europe,[609] the OECD[610] or even the UN General Assembly,[611] where cyber-security or similar topics have moved up the agenda in recent years. The respective paragraph of the WSIS summit declaration ends with an explicit reference to the war on terrorism: "It is necessary to prevent the use of information resources and technologies for criminal and terrorist purposes, while respecting human rights."
In this context, the protection of privacy was not a popular goal. The first drafts of the summit declaration made no reference to privacy at all. Civil society groups were concerned about the strong focus on security in the whole text. In their view, security is a vague political goal that can be higher or lower on the agenda depending on day-to-day politics. Privacy and other human rights and civil liberties, on the other hand, are constitutional fundamentals of every democracy that must not be violated for the sake – or, as often is the case, under the guise – of security.
The international NGO network active in the WSIS-process, mainly the Privacy and Security Working Group and the Human Rights Caucus, advocated for the insertion of a new paragraph specifically on privacy and for placing it at the beginning of the "Security" section of the Summit Declaration.[612] However, the whole debate in the Intergovernmental Drafting Group on Security was overly centered around the security language, so that no delegation wanted to insist strongly on privacy. Privacy was only later mentioned in the Summit Declaration due to the efforts of a few countries and political entities, including the European Union, Switzerland, Brazil, and Australia. It now calls for a "global culture of cyber-security," in particular for strengthening a "trust framework, including information security and network security, authentication, privacy and consumer protection." Here, privacy and security as well as authentication and consumer protection are seen as parts of a holistic strategy. Only "within this global culture of cyber-security, is [it] important to enhance security and to ensure the protection of data and privacy, while enhancing access and trade," the summit declaration continues. Privacy did not gain nearly such a prominent role as freedom of speech or other human rights.
Even the private sector itself had suggested more specific privacy language in the summit declaration. For example, the Coordinating Committee of Business Interlocutors, a committee that had been set up for the WSIS by the International Chamber of Commerce, had asked for "effective privacy protection of personal data."[613]
The Plan of Action that was also adopted by the Summit is generally vague. It was intended to facilitate the implementation of the principles espoused in the Declaration and provides concrete measurements of progression in the vision of the Information Society. Besides some initiatives like linking every school and library in the world to the Internet by 2015, there are no clearly defined benchmarks or schedules for implementation. The second phase of the Summit that ends in Tunis in November 2005 has not brought substantial progress here.
The paragraph of the Action Plan that deals with security and privacy does not mention the "war on terrorism," but is still mainly focused on security and makes an implicit reference to the Council of Europe's Cybercrime Convention. Of the 10 initiatives suggested by the action plan in the context of security and privacy, only one specifically mentions privacy, but only calls for "user education and awareness," specifically about "online privacy and the means of protecting privacy."[614] There is no reference to specific measures or initiatives governments or private corporations should take as the major users of personal information.
The second Summit phase mainly involves discussions on implementation and follow-up, financing, and Internet governance. The Working Group on Internet Governance (WGIG),[615] an independent body set up by the UN Secretary-General in November 2004 with a mandate from the Geneva WSIS Summit, was tasked with developing a report that defines "Internet governance," identifies related public policy issues, and develops a common understanding of the respective roles and responsibilities of the different stakeholders. The WGIG had a balanced membership from governments, the private sector, civil society, and international organizations. The group conducted regular open online and offline consultations and produced a number of draft "issue papers." One of these dealt with "consumer protection and privacy."[616] Its content included language like "while privacy is recognized as a human right, it is a right that balances the competing and legitimate interests of government and business to intrude upon privacy under law."[617]
The WSIS NGO coalition suggested including privacy as a key element of the WGIG's deliberations, because "in an 'Information Society,' where almost all attributes of an individual can be known, interactions mapped, and intentions assumed based on records, the need for protection of privacy is more crucial than ever."[618] Like many other stakeholders, the International Working Group on Data Protection in Telecommunications (IWGDPT)[619] also submitted input to the WGIG and referred to its "Ten Commandments to protect Privacy in the Internet World."[620]
The report of the WGIG was published on July 15, 2005.[621] While the centre of discussions had been around the unilateral control of core Internet resources by the US government, the report also deals with other Internet governance issues like interconnection costs, multilingual domain names, spam, and intellectual property rights. It contains a paragraph on data protection and privacy rights. The WGIG states that there is "a lack of national legislation and enforceable global standards for privacy and data-protection rights over the Internet," and recommends to the Summit to "encourage countries that lack privacy and/or personal data-protection legislation to develop clear rules and legal frameworks, with the participation of all stakeholders, to protect citizens against the misuse of personal data, particularly countries with no legal tradition in these fields." It also suggests a revision of the privacy policies for the WHOIS databases according to privacy legislation in the country of the registrar and the registrant, and the development of open technical proposals for privacy requirements for global electronic authentication systems. The WGIG recommends that "arrangements and procedures between national law enforcement agencies" should be "consistent with the appropriate protection of privacy, personal data and other human rights," and to "ensure that all measures taken in relation to the Internet, in particular those on grounds of security or to fight crime, do not lead to violations of human rights principles." The WGIG background report includes a lengthy paragraph on privacy that begins by stating that privacy "becomes even more important over the Internet, where the intrinsic nature of the Internet makes it possible to effectively track an individual in cyberspace and use information about him/her illegally or without authorization. Threats to personal privacy increase the mistrust towards the Internet."[622]
The outcomes of the WGIG will provide the basis for negotiations and decisions among governments for the second WSIS Summit meeting in Tunis in November 2005. The strong emphasis on privacy protection in the Working Group's report is an improvement compared to the Geneva Summit documents from 2003. However, the WGIG was not a negotiating body, and its report only makes recommendations to governments. The privacy and other human rights emphasis from this report might easily get lost before the Summit concludes, as the main focus, and the reason the Workjng Group was set up in the first place, is the international struggle around unilateral US government control over the Internet names and numbers authorities.
The convergence of communications networks, computers and mass media into an interactive network combining television and the Internet is the next progression of the technology currently being developed. New boxes are replacing the traditional cable TV set-top box with an interactive device that also includes the functions of a limited personal computer and video recorder. At the same time, personal computers are regularly equipped with TV tuner cards to handle advanced video operations.
The designers of these new appliances paint a pleasant picture of the conveniences that will be available with these new systems. They anticipate that viewers will be able to make spur of the moment purchases through their boxes, based on what their favorite star is wearing or on an individually tailored ad that appears between shows. Communities will be formed as people chat live about the plots of their favorite shows or sporting events. Vast libraries of movies and shows will be available for renting on demand by simply pressing a button on the remote control. The industry calls this "T-Commerce" for Television Commerce.
Interactivity has been the dream of the television industry since the invention of the TV. For several decades, there have been a series of expensive tests that have failed because the technology has been crude and expensive.[623] The change that now makes Interactive Television (ITV) possible is the evolution of the Internet and the advancement of digital television. The protocols underlying the Internet are now being used to allow for interactive high-speed access over existing cable lines. More and more, intelligent cable TV boxes, which connect to broadband and interactive cable systems, are being deployed. Although efforts to attract sizable numbers of subscribers to ITV services have yet to yield outstanding results, experts expect the industry to boom in the near future. Recently, the major cable operators have shifted focus from advanced interactive services, such as access to stock quotes or viewer control of camera angles, to providing video-on-demand and digital video recording (DVR) services.[624]
Popular use of enhanced digital television services is currently limited to the United States and the United Kingdom, but experts expect other countries to join the growing tide in coming years.[625] Researchers predict that 20 percent of US households will own a DVR by 2006.[626] DVR devices allow users to peruse and rewind live television shows, while they automatically record television shows for viewers and make recommendations for new shows based on viewers' previous behavior. The new systems are being designed, like their Internet predecessors, to track every activity of users as they surf the net through the boxes. They also are being designed to track the shows and commercials users watch and to use that information to tailor advertising for the greatest effect.[627] CEO Rupert Murdoch said in the NewsCorp annual report, "It will tell us not only who our customers are, but what they buy, what they watch, what they read and what they want."[628] George Orwell's vision of the television that watches you will soon be a standard consumer appliance.
Microsoft inched one step closer to this vision in 2001 when it teamed with Predictive Networks to bring Microsoft TV to the mainstream. Microsoft TV is a software platform that can be used to run devices such as DVRs, set-top boxes, and gaming consoles, providing various interactive TV services. Predictive Networks specializes in personalization software – the collection of user behavior and viewing habits to create what they call "digital silhouettes" of users.[629] The combination of these technologies raises questions about the implications for privacy. Although Predictive Networks attempted to assuage these fears by insisting that the information gathered indicates little about a given user and that anonymous IDs can be kept separate from personal data by not retaining demographic information on the devices, the potential for invasions remains significant.[630]
Digital video recording company TiVo encountered a wave of criticism over its data-gathering practices after reporting that a certain Super Bowl clip was the most-watched moment since the inception of the service. Even though this particular report was based on aggregate information gathered according to postal zip codes, consumers voiced concern that personal information may be linked to the viewing habits of particular boxes or somehow leaked during transmission.[631] TiVo boxes collect information about user viewing habits, which is then transmitted to TiVo headquarters via phone lines. Although the data collected and transmitted by TiVo is stripped of any identifying information, the company could conceivably track individual habits if it chose to do so.
Even where systems are designed to not report this kind of information, there is increasing pressure from the content industries to build systems this way so that they can monitor viewer's habits and protect against copyright infringement. In 2001, SONICBlue Inc., the maker of Replay TV, a personal video recorder, was sued by the entertainment studios who argued that features allowing users to pause, fast forward, and skip commercials violated their copyrights. As part of the lawsuit, the studios requested all data that the company had on its customers viewing habits, including what shows were recorded, watched, and forwarded to friends. Because the ReplayTV 4000 product did not transmit this type of data back to the company, SONICBlue had no data to provide to the studios. It was, therefore, ordered by a court to re-engineer its product and install software to record TV usage data and transmit that data back to SONICBlue so that it could then be turned over to the studios. This order was overturned in May 2002, but the issue is likely to resurface.[632]
Unlike personal computers that give users control over their actions and choices, the new ITV systems are generally based on a sealed "black box" controlled by the company that gives the user little or no control. In the MSNTV (formerly WebTV) box, users are not able to refuse cookies and must request a special tool to view and delete cookies. The systems are closed and it is difficult for even advanced users to identify what the system is doing. It will also prevent users from being able to use their own software.
There are other significant differences in that the media is more top-down, and corporatized than the Internet, which is decentralized and allows nearly any user to set up his own Web site and become a content producer. In the past, many ITV providers described their systems as "closed gardens" that will only show content in which the providers have a financial interest. Moving away from this concept, UK satellite broadcaster Sky recently announced plans to introduce a new interactive TV portal that will allow greater access to interactive TV. The new portal lowers the barriers to entry by allowing publishers of sites to register and launch a site for no charge, opening up the possibilities for a wide range of online providers. For a fee, publishers will be able to promote their site on the portal and register a code to allow easy access to their site.[633]
Some video game consoles provide an Internet access functionality[634] that requires subscribers to register much of their personal information (name, address, telephone number, e-mail address, credit card number, etc.). The game console's hard disk also records all the games played and their patterns, names of all the players involved in a game, scores obtained, and other similar information, and transmits the data to the console manufacturer the next time the player connects. The next generation consoles (Xbox 360, PlayStation 3 and Nintendo Revolution) threaten to oust interactive TV set-top boxes from the center of home entertainment by offering, in addition to games, the same services as set-top boxes: personal video recorders (such as Tivo and ReplayTV), e-commerce, e-mail, web access, photo albums, DVDs, home movies and music.
In response to the growing popularity of digital television, the US Federal Communications Commission (FCC) attempted to regulate the use of digital content by adopting a broadcast flag mandate. The flag works by sending a set of status bits, or "flags," in a data stream of digital programming to compatible digital receivers that define the uses of the content. The flag may indicate that certain programming is not recordable, prevent skipping of commercials, or prohibit the program from being saved on digital video recorders.[635] The broadcast flag was set to go into effect by July 2005 but the District of Columbia Circuit Court struck it down, stating that the FCC exceeded its authority by creating this rule.[636]
Civil liberties advocates are critical of the broadcast flag because it creates strong incentives to use privacy-invasive copy protection to enforce the interests of the content industry. By tracking the viewing habits of a consumer, content providers may overstep the boundaries established by the Cable Communications Policy Act and the Video Privacy Protection Act. To address these concerns, advocates called for incorporation of privacy requirements into the mandate.[637] Because the FCC's rule was ultimately struck down, the repercussions on personal privacy have yet to surface. However, most digital receivers are currently outfitted with this technology and the possibility remains that Congress will grant the FCC the authority to create this regulation or that a higher court will overturn the ruling.
Genetic data poses unique privacy issues because it can serve as an identifier and can also convey sensitive personal information. Not only does genetic information provide something like a fingerprint through variations in genetic sequences; it also provides a growing amount of information about genetic diseases and predispositions.
Errors in the genetic code are responsible for an estimated 3,000 to 4,000 hereditary diseases, including Huntington's disease, cystic fibrosis, neurofibromatosis, and Duchenne muscular dystrophy. Furthermore, altered genes are now known to play a role in cancer, heart disease, diabetes, and many other common diseases. In these more common and complex disorders, genetic alterations increase a person's risk of developing that disorder. The disease itself results from the interaction of such genetic predispositions and environmental factors, including diet and lifestyle.[638]
In addition to indicating predisposition to disease, "genes do appear to influence behavior."[639] Although the findings are controversial and far from conclusive, genes have been found to influence homosexuality, thrill-seeking and tendencies towards violent criminal behavior.[640] Twin and adoption studies have shown that "nearly all behaviors that have been studied show moderate to high inheritability – usually to a somewhat greater degree than do many common physical diseases."[641]
The prevailing scientific opinion is that most behavior and human diseases are not the result of a single mutation or gene. Rather, most facets of human development "represent the culmination of lifelong interactions between our genome and the environment."[642] Currently, available scientific knowledge does not seem to provide a strong link between an individual's genetic sequence and that person's eventual development of disease or personality traits; such conclusions are matters of probability and must be interpreted accordingly.
However, it is an area of scientific development that is undergoing rapid change and the body of knowledge about the human genome is increasing rapidly. The human genome sequence was published in February 2001, immediately kicking off a debate of the future of genetic technology and its impact on society – including privacy.[643] For example, United States Senators James M. Jeffords and Tom Daschle have commented, "[o]ne of the most difficult issues is determining the proper balance between privacy concerns and fair use of genetic information."[644]
Both the general public and scientific researchers have recognized that safeguards for genetic information are needed. For example, polls have found that 86 percent of adults believe that doctors should ask permission before conducting any genetic testing and 93 percent believe that researchers should do the same before any analysis.[645] Dr. Francis S. Collins, Director of the National Human Genome Research Institute, has observed that "in genetics research studies, we are seeing individuals who opt not to participate in research because of their fear that this information could fall into the wrong hands and be used to deny them a job or a promotion."[646] Privacy concerns about genetic testing are heightened by the potential that test results may be inaccurate because of quality control problems in testing laboratories. A 1999 survey of genetic testing facilities found that of the 245 laboratories examined, 36 failed to meet high quality assurance standards.[647]
Each person's DNA, with the exception of identical twins, is different from that of every other human being.[648] DNA identification, therefore, works by comparing particular regions of two sequences and looking for differences rather than similarities. Identification is actually a process of combining several such comparisons and calculating the probability that the two sequences are a false match.
Reliable identification requires that samples be handled carefully to prevent contamination, that a sufficient number of segments be compared, and that laboratory technicians meet an appropriately high threshold for acceptable probability of a chance match."Provided that tests are actually looking at different regions of the genome, and provided that the genetic patterns aren't 'structured' within a community by inbreeding, using multiple tests can reduce the chance of a false match from one in a hundred to one in a million or even one in 500 million. But they can't entirely eliminate the chance of a false match."[649] In the United States, the standard for forensic identification requires a comparison of 13 DNA segments.[650] According to an FBI spokesman, "[t]here's a greater chance that you'll find a close match as the databases get bigger."[651] Besides false matches, some criminals have reportedly become savvier at manipulating results of DNA identification by wearing gloves, masks, and condoms in an attempt to avoid leaving behind any bodily fluids or other evidence at crime scenes.[652] In England, a police union has stopped officers from giving voluntary DNA samples in a sweep to catch a rapist, although policemen's fingerprints are routinely included in forensic fingerprint databases.[653]
Law enforcement agencies worldwide are increasingly relying upon DNA evidence. According to the 2002 global survey by Interpol, 77 of its 179 member countries perform DNA analysis and 41 member countries have forensic DNA databanks, which include both physical samples and databases of DNA profiles.[654] As of 2003, 36 of 46 European Interpol members perform forensic DNA testing, and 26 of them allow international exchange of information.[655] The percentage of members having DNA databanks is predicted to double in the next few years.
To facilitate the exchange of DNA information between member states, Interpol set up a DNA database pilot project in July 2003. Profiles are sent to Interpol in standardized numeric format and additional information such as name of the individual or the crime to which the individual is connected, is not required. If a match is found when searches are performed, police forces of the two countries communicate directly. The first "hit" on the Interpol database was recorded in 2004 when one of the DNA profiles submitted by the Slovenian authorities was matched against a profile sent to Interpol by the Croatian police.[656]
The United Kingdom has the largest forensic DNA databank in the world, which has expanded from 750,000 records in 2000 to more than 2.9 million records in 2005.[657] Since April 4, 2004, those who have been arrested but not charged are also included in the databank, as are those arrested for drunk driving, even if not convicted.[658] In fact, a 13-year old schoolgirl was arrested in early 2005 for throwing a snowball at a police car, and as part of the arrest the girl's DNA profile was recorded, and it will remain in the National DNA Database for the rest of her life.[659] In a recent decision, the House of Lords ruled that the law permitting retention of DNA samples taken from individuals, who are later acquitted or against whom charges are dropped, does not violate the European Convention on Human Rights.[660] A pilot project is also underway in the British city of Bristol to collect DNA samples from 25,000 babies and their parents as part of a national DNA database that could be used for law enforcement.[661] Several Australian states have been considering laws that would permit the creation of a national DNA database.[662] Israel has also been considering such a database.[663]
The rules for inclusion in forensic DNA databanks and the rules that govern access to data, physical specimen retention, and privacy protections differ from country to country. In countries that operate under federal systems, such as the United States and Australia, rules for forensic DNA databanks can vary from jurisdiction to jurisdiction. Several European nations have expanded their databanks by including new categories of offenses (e.g., burglaries) or classes of offenders (e.g., violent offenders). Additionally, some nations include profiles of suspects or arrestees, either based on the crime for which they are arrested or based on the length of expected sentence if convicted. Some nations, however, remove or expunge these profiles or underlying samples, but there are nations that do not. For example, UK maintains all samples and profiles indefinitely.[664] In contrast to UK, some European countries have taken steps to further protect and limit the use of any genetic data they collect. In Sweden, the state only maintains genetic data for criminals who have spent more than two years in prison, while Norway only maintains data on serious offenders and requires a court order for such retention.[665] Germany also requires that the government obtain a court order and limits their genetic data to individuals convicted of certain specific offenses and are deemed likely to re-offend.[666]
In 2005, the Japanese National Police Agency also began using DNA data obtained from blood samples and bodily fluids collected at crime scenes to help in the identification of criminal suspects.[667] Prior to the system's implementation, DNA taken from suspects was considered to be personal information and all samples were destroyed at the completion of criminal investigations. With this new database, however, the government has stated the importance of this new technology as a possible replacement to fingerprints in identifying criminal suspects.[668]
In the United States, trends are also toward the expansion of forensic DNA databases. As of January 2005, each of the 50 states has a DNA database of some kind, and each collects and enters information regarding all persons convicted of sex crimes, and 38 states also collect the genetic profiles of all felons.[669] In the US, judges and courts have issued warrants,[670] indictments[671] and even convictions[672] based solely on DNA identification. In the UK, a man was found and charged on the basis of a family member's DNA found in the country's DNA databank.[673]
Along with the expanded use of DNA evidence around the world, there has also been an expanded amount of criticism for some of the methods used to collect samples. The University of Nebraska, in September 2004, released a report examining the use and effectiveness of DNA "dragnets" or "sweeps" in the US.[674] The report focused on 18 instances where police asked individuals to give voluntary DNA samples in order to identify the perpetrator of a crime or series of crimes. The report found that of the 18 instances where “sweeps” were employed, in only one case was the DNA evidence used to identify the perpetrator of the crime. Therefore, the report concluded that DNA "sweeps," although becoming increasingly common, are extremely unproductive in identifying criminal suspects.[675]
DNA identification is also used in order to exonerate persons where post-conviction DNA testing of evidence can yield conclusive proof of innocence. One of the best-known efforts in this field is the Innocence Project. This clinical law program provides legal assistance to persons who are challenging their convictions based on DNA evidence. As of June 2005, 159 individuals have been exonerated as a result of the work by the Innocence Project.[676] Based on the proportion of cases that have been overturned and related FBI data, the Innocence Project estimates that thousands of individuals who have been wrongly convicted could be freed if provided with easier access to DNA testing.[677] Due to the success of the Innocence Project, similar programs have now been established in 43 states.[678]
Despite the recognition of limitations in DNA-based identification, there is a push for more and larger DNA databases. Forensic DNA databases, originally created for tracking violent sex offenders, have expanded in purpose and scope. "In less than a decade, we have gone from collecting DNA from convicted sex offenders – on the theory that they are likely to be recidivists and that they frequently leave biological evidence – to data banks of all violent offenders; to juvenile offenders in 29 states; to testing of persons who have been arrested, but not convicted of a crime," according to Barry Steinhardt, Associate Director of the American Civil Liberties Union.[679] In the United States, local, state and federal law enforcement agencies contribute DNA profiles from crime scenes and from those convicted of violent crimes into a national database in order to look for potential matches.[680] In April 2003, the Bush Administration also proposed adding DNA profiles from juvenile offenders and from adults who had been arrested but not convicted to the FBI's national DNA database.[681] The White House also indicated it would spend about USD 1 billion over five years to promote the use of DNA for law enforcement purposes.[682]
Other, non-law enforcement related DNA databases have also emerged for use in identification. Since the early 1990s, all personnel serving in the United States Armed Forces have been required to submit DNA samples to possibly be used for later identification. As of May 2003, the United States military's DNA depository contained 3.8 million samples, including samples from active duty and reserve personnel and some military contractors.[683] Pursuant to a 1996 Department of Defense Directive,[684] individuals also have the right to request their samples be destroyed at the end of their term of service.[685] However, the overall program has faced resistance within the military's own ranks. In 1996, two United States Marines faced court-martials when they refused to provide DNA samples for the identification program.[686]
In addition to government-related DNA identification, a new industry – paternity testing – has emerged, and is placing large amounts of genetic data wholly under private sector control. Despite the controversy surrounding law enforcement collection of DNA, a larger proportion of genetic identification is performed to establish paternity. In the United States, part of the reason for the rise in paternity DNA testing has been the introduction of federal laws requiring the identification of fathers in order to receive child support.[687] Additionally, although paternity testing previously required blood samples and was difficult to perform, tests currently in use require only a few strands of hair.[688]
Advances in technology have also made genetic testing easier and faster. According to genetic testing companies, kits costing USD 100 to USD 2,000 are available for more than 400 diseases with hundreds more on the way.[689] The easy availability of these tests vastly increases the amount of information at an individual's disposal. However, it is important to remember that for disorders that involve the interaction between multiple genes and various environmental and lifestyle factors, the links between genes and their corresponding disease are not well understood. Genetic information may provide some indication of vulnerability, but it is not possible to say whether a specific individual will develop the disease, when the disease might develop, or how severe it may become. For example, the Washington Post reported in 2003 that researchers identified a gene responsible for the development of depression after exposure to extreme stress. People with a variation in the identified gene are more than twice as likely as people with the normal version of the gene to react to a traumatic event by becoming depressed. Nevertheless, 57 percent of people with the mutated gene never became depressed and 17 percent of people without the mutation developed depression in response to similar events.[690]
Several countries, such as Iceland and Estonia are building nationwide DNA databases for medical research. Many of these undertakings are encouraged by pharmaceutical companies and other business enterprises hoping to profit from new medical procedures and services. Some efforts have been made to establish legal frameworks for these databanks.[691] Nevertheless, Iceland's Supreme Court ruled in the spring of 2004 that the Health Database Act of 1998, which created the national DNA databank, does not comply with the country's constitutional privacy protections.[692]
In March 2005, the UK Human Genetics Commission released its report on profiling of newborns, after receiving a reference from the UK government to look into including every newborn's genome in a national health database.[693] The commission found that although genetic profiling is feasible and likely to become available commercially in less than 20 years, some steps must be taken in order to prevent any possible misuse of the information derived from it.[694] Additionally, although the commission also expressed the need to develop a program of research to identify the full costs and potential benefits of genetic profiling, they also indicated that the program was not ready to be implemented as part of a national health screening program.[695]
While genetic screening has become easier and cheaper, treatment of genetic disease lags behind. Thus, while someone may have the ability to determine if they are at high-risk of disease, many people may choose not to find out due to the inability to take any precautionary measures. The concept of a "right not to know" would apply in these situations, allowing a person to control the knowledge about whether she has a certain genetic predisposition.
For example, Huntington's disease is an inherited neurological disease that results in death by a person's in their late 30s or early 40s after a period of extended deterioration of both mental and physical control. Although there is no treatment for the condition, a reliable test for Huntington's does exist. The inheritability of the disease is straightforward, as demonstrated by the fact that children of a person with Huntington's will have a 50 percent chance of also being affected. The resistance to knowing one's propensity for Huntington's is evident in surveys finding that only 66 percent of those at risk of developing the disease would test themselves, with 15 percent of that group indicating they would contemplate suicide if they tested positive. Of those indicating that they would not want to test themselves, 30 percent indicated they would consider suicide if they did find out that they would manifest the disease.[696] Due to the emotional and psychological impact that such information would have, many people in these situations exercise their "right not to know" by refusing to test themselves.
In practice, maintaining a "right not to know" can be difficult. Due to the simple inheritability of Huntington's, one family member's decision to test herself for the disease will reveal information about other family members. For example, if a daughter decides to test herself for Huntington's due to a history of the disease through her mother's side of the family, the test results would indicate whether or not her mother also has the disease – thus compromising the mother's desire not to know.[697]
More problematic than the inability to properly interpret genetic test results is the possibility that individuals will not be able to control when genetic testing is conducted or how the results are used. The two most controversial areas of genetic testing are in the workplace and in the provision of medical and life insurance.
As genetic databases become more common worldwide, there has been a concurrent rise in the use of testing by employers. Although there are legitimate uses of genetic testing, such as the prevention of occupational diseases, there is also concern that employers will use these tests to discriminate against current or potential employees. Without legal intervention, information indicating, for example, whether someone is prone to a debilitating illness or even an "undesirable" condition (such as laziness or depression) may be used by employers to discriminate against employees.
Genetic screening in the workplace has been conducted for decades but, based on limited polling of employers, still seems relatively rare when compared to general medical information accessed by employers. Some of the earliest genetic screening took place as early as the 1960s. Dow Chemical conducted genetic monitoring (genetic tests conducted over time to detect possible mutagenic effects of the workplace environment) from 1964-1977.[698] In 1982, a United States federal government survey found that 1.6 percent of companies were using genetic testing for employment purposes.[699]
Despite the uncertainty about how commonly workplace genetic testing takes place, it has happened. In 1994, employees at the Lawrence Berkeley National Laboratory at the University of California at Berkeley discovered the laboratory's surreptitious practice of testing its employee blood and urine samples for syphilis, sickle cell anemia and pregnancy.[700] The laboratory, funded by the United States Department of Energy, conducted non-classified research and had been testing its employees for decades.[701] In subsequent litigation, the government argued that since its employees had agreed to a general medical examination, they had no reason to expect that genetic testing would not be conducted. The government also argued that notice was provided via a list of tests to be conducted that was posted on an examining room wall. Although the government won in the federal district court, the US Court of Appeals for the Ninth Circuit reversed and concluded the conditions being tested for raised "the highest expectations of privacy."[702] In 2000, the laboratory settled with employees for USD 2.2 million, ceased conducting the tests and allowed earlier test results to be reviewed and deleted.
More recently, in February 2001, an employee of the Burlington Northern Santa Fe Railroad in the United States sued the company for conducting tests for a genetic predisposition associated with carpal tunnel syndrome. The company had allegedly collected blood samples from 125 employees and tested 18 of those samples without employee consent. The employee filing the suit had refused to contribute a blood sample and was told he would be investigated. The lawsuit alleged violation of disability law and existing legal prohibitions on genetic testing by employers.[703]
The European Group on Ethics in Science and New Technologies (EGE) published an opinion in 2003, detailing the ethical aspects of workplace genetic testing.[704] As a general rule, the report recommends that employers consider a potential employee's current health situation and not on attempts to predict future health. Additionally, the report does recognize certain "exceptional cases" where the health and safety of third parties must be protected, and prescribes a set of "stringent conditions" for such screening. Among the conditions set forth in the report is the need for documented validity of the test used, informed consent of the individual, and protection of the confidentiality of the genetic information itself, which should be provided only to an independent health professional and not to the employer.[705]
While often tied to workplace genetic testing in the US, where employers often provide and pay for health insurance, genetic testing has also been directly used in the underwriting of life and medical insurance. In February 2001, Norwich Union Life, one of Britain's largest insurers, admitted using genetic tests for breast and ovarian cancer and Alzheimer's disease to evaluate applicants. Moreover, Norwich Union Life was violating the industry's code of conduct since the genetic tests had not been approved by the government's Human Genetics Commission.[706] The controversial practice resulted in some individuals paying higher insurance premiums based on genetic predispositions, creating political pressure to outlaw the use of genetic data by insurers in the United Kingdom altogether.[707]
While representatives of Norwich Union Life claimed that the genetic tests were not compulsory, simply providing lower premiums for people that do not test positive for genetic tests can lead to rampant genetic testing. An "assessment spiral" will result when one company offers discounts for those with a particular genetic profile, creating pressure on competitors to offer similar discounts in order to keep "low-risk" policy holders and resulting in higher premiums for those that are not tested or do not possess the correct genetic make-up.[708] Thus, non-compulsory genetic testing can easily lead to genetic discrimination.
Some insurance companies, however, have taken steps to embrace the science of genetic testing while ensuring a patient's privacy. Aetna, one of the largest insurance companies in the US, recommended in 2002 that the health care industry "support legislation and consider adopting guidelines for access to genetic counseling, genetic testing and the appropriate use of test results."[709] As part of his recommendations, Dr. Rowe, Chairman and CEO of Aetna, encouraged health plans to support legislation that would prohibit the establishment of rules for health coverage eligibility based on genetic testing, prohibit requesting genetic testing results as a condition to providing health insurance coverage, prohibit the use of genetic testing for risk selection or risk classification purposes in providing health coverage, and prohibit the disclosure of genetic testing results that may come into an insurance company's possession without member authorization.[710]
In Canada, however, recent articles have brought to light the issue that privacy and human rights legislations offer only limited protection to insurance applicants.[711] Many insurance companies have begun to request that individuals consent to having their health information verified and possibly even shared with other insurers through the Medical Information Bureau (MIB). The Canadian Genetics and Life Insurance Task Force recently convened, however, in an attempt to create a voluntary moratorium or voluntary agreement on the use of genetic information by insurers.[712]
Recognizing the issues implicated in widespread genetic testing, several international bodies have recommended that genetic testing be carefully circumscribed by law. In 1989, the European Parliament issued a resolution recommending legislation to prohibit genetic testing for the purposes of selecting workers or examining employees without their consent. It advised that employees must be informed of any analysis and implications of genetic data before tests are carried out and allowed to withdraw from testing at any time.[713] The Council of Europe has also recommended that "the admission to, or the continued exercise of . . . employment, should not be made dependent on the undergoing of tests or screening."[714] Similarly, the World Medical Association (WMA) has issued statements to this effect. In 1992, issuing a Declaration on the Human Genome Project, it recommended the adoption of laws similar to those that prohibit "the use of race discrimination in employment or insurance."[715] In October 2002, it announced that it had adopted guidelines on the development of centralized health storage databases that addressed "the issues of privacy, consent, individual access and accountability."[716] In 1997, the United Nations Educational, Scientific and Cultural Organization (UNESCO) adopted a Universal Declaration on the Human Genome and Human Rights, outlining the rights of individuals to control the collection and use of genetic information.[717] More recently, the Article 29 Data Protection Working Party of the European Commission has further defined the appropriate safeguards that should be implemented with regard to the processing of genetic data.[718] The European Commission recognized the importance of genetic data in safeguarding a person's health and in pursuing scientific research, but also stressed the need for the creation of national rules in accordance with data protection principles established by the EU Data Protection Directive. These principles should "render the blanket implementation of mass genetic screening unlawful," and would attach special importance to the management, destruction, and anonymization of a person's sample after the information is obtained.[719]
In many cases, existing labor codes may indirectly prohibit genetic testing.[720] It is also possible that the use of genetic data by employers to discriminate against workers may violate equal opportunity or anti-discrimination laws. In the United States, for example, genetic testing may violate the 1964 Civil Rights Act that prohibits discrimination in employment on the basis of "race, sex, national origin, and religion," or the Americans with Disabilities Act of 1990, which prohibits discrimination in employment against a "qualified individual with a disability."[721]
Local and national governments are also beginning to address genetic privacy issues directly. In the United States, most laws applying to genetic discrimination, testing or identification have been passed by states rather than the federal government. Some states have passed laws that prohibit employment discrimination on the basis of genetic information.[722] In 2000, President Bill Clinton issued an executive order prohibiting the use of genetic information in federal agency hiring and promotion decisions.[723]
In contrast to the US, most European countries have had broad data protection statutes in effect for many years. In February 1997, the Council of Europe's Committee of Ministers adopted the Recommendation on the Protection of Medical Data. This document, which applies to genetic data, protects personally identifiable information, limits the circle allowed to process health data, and sets standards for the use of medical data in scientific research.[724] In Australia, the application of the country's Privacy Act to genetic samples collected by authorities remains unclear. The law, however, has been determined to protect genetic data collected as part of a newborns screening card.[725]
Workers around the world are frequently subject to some kind of monitoring by their employers.[726] Employers supervise work processes for quality control and performance purposes. They collect personal information from employees for a variety of reasons, such as health care, tax, and background checks.
Traditionally, this monitoring and information gathering in the workplace involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace, however, has led to more invasive and often covert monitoring practices which call into question employees' most basic right to privacy and dignity within the workplace. Progress in technology has facilitated an increasing level of automated surveillance. Now the supervision of employee performance, behavior, and communications can be carried out by technological means, with increased ease and efficiency. The technology currently being developed is extremely powerful and can extend to every aspect of a worker's life. Software programs can record keystrokes on computers and monitor exact screen images, telephone management systems can analyze the pattern of telephone use and the destination of calls, and miniature cameras and "Smart" ID badges can monitor an employee's behavior, movements, and even physical orientation.
Advances in science have also pushed the boundaries of what personal details and information an employer can acquire from an employee. Psychological tests, general intelligence tests, performance tests, personality tests, honesty and background checks, drug tests, and medical tests are routinely used in workplace recruitment and evaluation methods. Since the discovery of DNA, there has also been an increased use of genetic testing, allowing employers to access the most intimate details of a person's body in order to predict susceptibility to diseases, medical, or even behavioral conditions. The success of the Human Genome Project will likely make this kind of testing more prevalent. Currently, genetic testing is prohibitively expensive for many employers, and not used as frequently as other forms of medical or drug testing. Article 21 of the European Union Charter of Fundamental Rights provides explicitly that "any discrimination based on . . . genetic features . . . shall be prohibited."[727]
Employers' collection of personal information and use of surveillance technology is often justified on the grounds of health and safety, customer relations, or legal obligation. However, according to a recent study by the Privacy Foundation, it is actually the low cost of surveillance technologies more than anything else that contributes to the increased monitoring.[728] In many cases, workplace monitoring can seriously compromise the privacy and dignity of employees. Surveillance techniques can be used to harass, to discriminate, and to create unhealthy dynamics in the workplace.
Privacy advocates have long maintained that providing notice of a monitoring or surveillance policy should, at a bare minimum, be required before employers can engage in such invasive activities. Advocates support strong privacy principles in the workplace such as the International Labor Office's "Code of Practice on the Protection of Workers' Personal Data," which protects employees' personal data and fundamental right to privacy in the technological era.[729] These guidelines were issued by the International Labor Office in 1997, following three comprehensive studies on international workers' privacy laws.[730] The general principles of the code are:
personal data should be used lawfully and fairly; only for reasons directly relevant to the employment of the worker and only for the purposes for which they were originally collected;
employers should not collect sensitive personal data (e.g., concerning a worker's sex life; political, religious, or other beliefs; or trade union membership or criminal convictions) unless that information is directly relevant to an employment decision and is collected in conformity with national legislation;
polygraphs, truth-verification equipment or any other similar testing procedure should not be used;
medical data should only be collected in conformity with national legislation and principles of medical confidentiality; genetic screening should be prohibited or limited to cases explicitly authorized by national legislation; and drug testing should only be undertaken in conformity with national law and practice or international standards;
workers should be informed in advance of any monitoring, and any data collected by such monitoring should not be the only factors in evaluating performance;
employers should ensure the security of personal data against loss, unauthorized access, use, alteration or disclosure; and
employees should be informed regularly of any data held about them and be given access to that data.
The code does not form international law and is not of binding effect. It was intended to be used "in the development of legislation, regulations, collective agreements, work rules, policies and practical measures." Unfortunately, however, the laws differ greatly from country to country, and in some countries there are few legal constraints on workplace surveillance.
In the United States, for example, the courts have typically been slow to recognize employees' rights to privacy. There has not yet been any satisfactory and uniform determination of what level of privacy employees are entitled to and how that privacy should be protected. Many believe that since employers have ownership or "control" over the working premises, and its contents and facilities, that employees give up all rights and expectations to privacy and freedom from invasion. Others simply avoid the question by making employees consent to surveillance, monitoring, and testing as a condition of employment. Legislation has recently been introduced, however, which would prevent employers from secretly monitoring the communications and computer use of their employees.[731]
US public sector employees are protected by several laws. The Fourth Amendment applies not only to law enforcement officers, but to government officials and employers as well. A constitutional right to information privacy, recognized in Whalen v. Roe,[732] can protect against employer disclosures of employees' personal information. Other laws which may protect the privacy of public employees include relevant state constitutional provisions, federal and state wiretap laws, the Americans with Disabilities Act (ADA), the federal Privacy Act, and the common law privacy torts. In addition, depending on the type of employment contract governing the work agreement, public employees may have recourse under contractual remedies. However, most employment agreements are considered "at will," which means that employees may be dismissed for any or no reason, provided sufficient notice is given. One exception to this general rule is that employees may not be dismissed for a reason that violates public policy, such as for not complying with a privacy-invasive procedure. Should this occur, employees can sue for wrongful termination in violation of public policy.
US private sector employees have some, but not all, of the protections afforded public sector employees. The Fourth Amendment and many state constitutions do not apply to private employers. However, the federal wiretap law applies to both public and private sector employers. Private sector employees may also establish recourse for invasions of privacy under the ADA, breach of contract theories, and privacy torts.
Internationally, regulations governing the compilation and use of employees' personal data vary significantly. In European countries, the collection and processing of personal information is protected by the EU Data Protection and the Telecommunication Privacy Directives.[733] That last Directive, however, provides for the confidentiality of communications for "public" systems and therefore would not cover privately owned systems in the workplace.[734] However, the principles laid out in these directives are general in scope and their application to workplace privacy issues is not always clear.
Nonetheless, many European countries, such as Austria, Germany, Norway and Sweden, have strong labor codes and privacy laws that directly or indirectly prohibit or restrict this kind of surveillance. In Finland, a new law on Data Protection in Working Life entered into force in October 2001. In October 2000, the United Kingdom Privacy Commissioner issued "The Employment Practices Data Protection Code," a draft code of guidance for employer/employee relationships.[735] In March 2002, the first part of this code, regarding data protection in recruitment and selection of employees, was issued.[736] In October 2002, the Information Commission released part two of the code, which covers employment records. One significant provision requires that any sickness and accident records, detailing the medical cause of any absence be maintained separately from medical records that do not reveal medical conditions.[737] Two further parts on monitoring at work and medical information and testing will be issued over the next few months. In 1999, the Swedish government established a Committee to study workplace privacy issues. In March 2002, the Committee issued a proposal recommending specific legislation to protect the personal information of current employees, former employees and employment applicants in both the private and public sectors.[738] In May 2002, the European Union Article 29 Data Protection Working Party issued a working paper on monitoring and surveillance of electronic communications in the workplace. The document set out a list of questions to be asked before any monitoring measure is put in place. For example: Is the monitoring activity transparent to the workers? Is it necessary? Could not the employer obtain the same result with traditional methods of supervision? Is the processing of personal data proposed fair to the workers? Is it proportionate to the concerns that it tries to allay? The working paper also set out principles employers should bear in mind when processing workers' personal data. These principles include: finality (data must be collected for a specific and legitimate purpose); transparency (workers should know which data the employer is collecting about them); and security (the employer must implement security measures at the workplace to ensure the safety of the personal data of workers).[739]
In October 2002, the European Commissioner for Employment and Social Affairs launched a formal consultation initiative to improve the protection of workers' personal data throughout the EU.[740] The substance of the consultation addressed issues such as the effectiveness of employee consent in safeguarding personal data, access to, and the processing of medical data within the employment context, identifying the permissible scope of drug and genetic testing, and employer monitoring and surveillance of employees. Currently, both the International Labor Organization (ILO) and the Council of Europe have established specific guidelines establishing data protection in the employment relationship.[741]> In addition, Article 8 of the EU Charter of Fundamental Rights refers to the protection of personal data, and Articles 21, 26, and 31 contain provisions relevant to the protection of employees' private data.[742]
There have also been developments outside of Europe on this issue. In June 2002, the Hong Kong Data Protection Commission issued a draft code of practice on workplace for public consultation. The draft code covers telephone, closed-circuit television, e-mail and computer usage and possibly location monitoring.[743] In Australia, the Privacy Amendment (Private Sector) Act 2000 put in place limited restrictions on employers' monitoring of communications by requiring the establishment of formal e-mail use policies that must be made clear to all employees. It also requires employers to prove that the monitoring of e-mails is justifiable–for instance, on grounds of employees' excessive use of e-mail, distributing offensive material, suspected criminal activities, or passing on of sensitive information.[744] However, the legislation grants exemptions to small businesses and the media and also exempts all employee records in any industry sector.
Employer searches of an employee's workspace raises important privacy issues. In the public sector, the US Supreme Court has held that whether an employee has a reasonable expectation of privacy in a workspace is to be decided on a case-by-case basis because of the great variety of workplace settings.[745] The Court also held that a public employer's intrusions, even into constitutionally protected privacy interests of government employees for either non-investigatory, work-related purposes or for investigations of work-related misconduct, should be judged under a standard of reasonableness. The Court noted that requiring an employer to obtain a warrant whenever he or she wished to enter an employee's workspace for work-related purpose would seriously disrupt business routine and be unduly burdensome. In terms of workplace computer searches, a federal court has held that an employee has a reasonable expectation of privacy in the contents of an office computer, but an investigatory search for evidence of work-related employee misconduct is constitutionally reasonable if the search is justified at its inception and is of appropriate scope (i.e., reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct).[746] In addition, government employers cannot require employees to undergo unreasonable searches under the Fourth Amendment as a condition of employment, but the search is permissible if the employee consents to the search.
In the private sector, employees may have a reasonable expectation of privacy in certain areas and personal items. One court has held that an employee who is under no suspicion of wrongdoing and secures a locker with her own lock and with the employer's consent has a reasonable expectation of privacy in the locker and its contents.[747] In addition, employers may be liable if they reveal confidential information about their employees.[748] Public sector employees have an additional course of redress for the disclosure of personal information by an employer by means of a civil action under the constitutional right to information privacy.[749]
Employers are increasingly turning to video surveillance to monitor the activities of employees. In answering the question of whether an employer's use of video surveillance is permissible, US courts have examined an employee's expectation of privacy in the area being monitored, as well as considered any applicable laws or regulations governing such a search. Federal courts have held almost unanimously that silent video surveillance is not prohibited by Title I of the Electronic Communications Privacy Act (ECPA) of 1986.[750] But video surveillance that includes the ability to record conversations would violate Title I. Silent video surveillance is subject to the Fourth Amendment's protections against unreasonable searches, but at least one court has held that the Fourth Amendment is only implicated if an employee has a reasonable expectation of privacy in the area being surveilled.[751] If employees have no reasonable expectation of privacy in an area under observation–such as in a locker area that can be viewed by anyone who enters–the Fourth Amendment is not violated, regardless of the nature of the search.
Internationally, video surveillance is used extensively for many different reasons. Australia spent substantially more money per capita than any other industrialized nation on video surveillance equipment.[752] Video cameras are now one of the most commonly used surveillance devices in the Australian workplace, and their use is regulated by The Workplace Video Surveillance Act of 1998.[753] Video surveillance is justified as a security measure to deter theft, vandalism, or other unauthorized intrusions, and to monitor employee conformance with occupational health and safety procedures, as well as general performance.
Workplace surveillance in New Zealand is prevalent, and often occurs beyond the reach of the law given the deregulated labor market, according to a report issued by the Office of the Privacy Commissioner.[754] The current policy in New Zealand is to leave negations involving workplace surveillance to employment agreements between employers and employees rather than establishing legislation regulating such activities, although employment law and contractual implied terms of fair dealing offer employees some protections. New Zealand employers are entitled to take reasonable steps to monitor employee performance, to safeguard working conditions, and to secure the place of business. Employees, in turn, are generally granted protections to safeguard their person, property, and private conversations and beliefs, and are provided with avenues to amend irrelevant, inaccurate, or incomplete facts that are considered in employment decisions.
Automated workplace monitoring has become increasingly common in recent years. Even in workplaces staffed by highly skilled information technology specialists, employers demand the right to spy on every detail of a worker's performance. Modern networked systems can interrogate computers to determine which software is being run, how often, and in what manner. A comprehensive audit trail gives managers a profile of each user, and a panorama of how the workers are interacting with their machines. Software programs can also give managers total central control of individual PCs. A manager can now remotely modify or suspend programs on any machine, while at the same time reading and analyzing e-mail traffic and Internet activity. A recent report by the American Management Association found that nearly eighty percent of major US companies monitor employees at work by checking communications such as telephone conversations, computer files, e-mails and Internet connections or by using video surveillance for performance evaluation and security purposes.[755]
An employer can monitor the level of use of a computer by surveilling the number of keystrokes an employee enters into a word processing program in a specified period of time or the amount of time a computer is idle during the workday. Numerous technologies are available which monitor and analyze the performance of IT workers. Some allow network administrators to observe an employee's screen in real time, scan data files and e-mail, analyze keystroke performance, and even overwrite passwords. Once this information is collected, it can be analyzed by standard processing programs to determine a worker's performance profile. These monitoring products are sold at very low prices and have infiltrated the market. These snooping programs have also become popular not just among employers but also law enforcement agencies, private attorneys, investigators, and suspicious lovers.
The use of video cameras and closed circuit televisions (CCTV) is another common way of monitoring employees within the workplace. Even areas where employees would previously have enjoyed high expectations of privacy, such as bathrooms or locker rooms, have come under increasing surveillance. Postal workers in New York City found hidden cameras in restroom stalls and waiters in the Boston Sheraton were secretly videotaped in the hotel locker room.[756] Where staff are more mobile, companies are now using a range of technologies to track geographic movements.[757] Some hospitals now require nurses to wear badges on their uniforms so they can be located constantly.[758] Advances in this area now allow carrier companies to place an electronic mechanism (described as a geostationary satellite-based mobile communications system)[759] on trucks that then sends back to a main terminal the exact position of the vehicle at all times. In this way, carrier companies can ensure that no side trips nor other deviations are taken from the prescribed route.[760] Wide area systems such as Trackback are in use throughout the United Kingdom.
Telephone surveillance has become endemic throughout the private and public sector. In the United States, employers have broad discretion to monitor employees' calls for "business purposes." Companies are extensively using telephone analysis technology. Call center workers for British Telecom are regularly presented with a comprehensive analysis sheet, showing their performance relative to other workers. Airline reservations clerks in the United States and elsewhere wear telephonic headsets that monitor the length and content of all telephone calls, as well as the duration of their bathroom and lunch breaks.[761] In one instance, telephone calls received by airline reservation agents were electronically monitored on a second-by-second basis: agents were allowed only 11 seconds between each call and 12 minutes of break time each day.[762] Other airline agents have complained that they are evaluated based on how many times they use a customer's name during a call or how often they try to overcome a customer's initial objections to buying a ticket.
The level of sophistication of telephone surveillance systems can be astonishing. Some systems can record all transactional activity on a phone, together with destination numbers and times. Other technology can then process and analyze this data. A British program called "Watcall," produced by the Harlequin company, can analyze telephone calls and group them into "friendship networks" to determine patterns of use.[763] Voice mail systems are also subject to systematic or random monitoring by managers. Most new systems have default pass codes for administrators, and these can open all message boxes.
Computers and networks are particularly conducive to surveillance. The Privacy Foundation study[764] found that fourteen million employees in the United States are subject to this kind of surveillance on a continuous basis. This number obviously increases dramatically when random surveillance checks are included. Employers can monitor e-mail by randomly reviewing e-mail transmissions, by specifically reviewing transmissions of certain employees, or by selecting key terms to flag e-mail. In the latter case, software analyzes a company's entire e-mail traffic phrase by phrase, and draws conclusions about whether a message is legitimate company business. It can be instructed to search for specific keywords and "damaging" phrases. Some programs can even use algorithms to analyze communications patterns and turn them into images. Monitors can then look at these images to follow traffic patterns and detect whether sensitive data is at risk.
Many employers rely on software for remote monitoring of e-mail messages. With a few clicks they can see every e-mail message that employees send or receive and determine whether they are "legitimate" or not. Managers give a variety of reasons for installing such software. Some say it is to protect trade secrets or preventing sexual harassment incidents. Others want to prevent oversized-mails clogging networks and using too much bandwidth. Still others simply don't want employees "wasting" company time by using the systems for personal activities. In an ideal world, this monitoring should follow the conventional format, i.e., identical to the quality check that has applied to correspondence sent out on company letterhead. However, the speed and efficiency of e-mail means that digital communication involves a vast intersection with personal correspondence. It also has features more in common with an internal memo, for which there has always been less monitoring and management.
According to the American Management Study,[765] nearly two thirds of all companies discipline employees for abuse of e-mail or Internet connections and twenty-seven percent dismiss employees for those reasons. In 2000, Dow Chemical Company fired fifty US employees and threatened two hundred others with suspension after they found "offensive" material in their e-mail. The company opened the personal e-mail of more than 7,000 employees.[766] Similarly, the New York Times fired twenty-three employees in 1999 for sending "obscene" messages. Internationally, employer monitoring of e-mail and Internet usage varies from country to country. The Swiss Federal Data Protection Commissioner issued a statement in its annual report explaining the circumstances under which use of Internet and e-mail at the workplace may be monitored.[767] According to the report, surveillance activities by employers are primarily focused on preventing technical malfunctions. Records of an individual's e-mail and Internet use may be evaluated only once an abuse has been identified and the individual is notified of the evaluation.[768] In Hong Kong, the Office of the Privacy Commissioner for Personal Data in 2000 commissioned a survey to examine employer surveillance in the workplace.[769] According to the survey, sixty-four percent of employers had installed at least one type of employee monitoring equipment, but only eighteen percent of the employers had a written policy on employee monitoring. Further, thirty-five percent of respondents did not even know whether such a policy existed.[770] In contrast, France has established stringent policies that protect the privacy of employees' e-mail usage. The French Supreme Court held recently that employers do not have the right to open any of their employees' messages. The Court ruled in a case between Nikon and a former employee that the company had no automatic right to search through an e-mail inbox.[771]>
Courts in the United States have taken various positions in cases involving an employee's use of e-mail and the Internet at work. One court has found that an at-will employee has no reasonable expectation of privacy in the contents of an e-mail voluntarily sent on an employer's e-mail system, even though the employer had assured its employees that e-mail communications would remain confidential and privileged.[772] The court reasoned that once an employee communicated comments to a second person over an e-mail system utilized by the entire company, any reasonable expectation of privacy is lost. And even if an employee had a reasonable expectation of privacy in the contents of an e-mail, a reasonable person would not consider an employer's interception of such communications to be substantial or highly offensive. Another court has held that an employer that has a "business use only" policy for Internet usage may conduct audits of its computer network to identify, terminate, and prosecute unauthorized activity.[773] The court found that while employees may have a legitimate expectation of privacy in their computer equipment, some office practices, regulations, or procedures may reduce such an expectation.[774]>
These cases raise complex legal and ethical questions concerning an employee's fundamental right to privacy and due process, such as: what if an employee is sent an "offensive" e-mail, accidentally or maliciously? The e-mail cannot simply be deleted. It remains logged on the company server, threatening the relationship of trust between employee and management. Or what if an employee is dismissed on the grounds of sensitive personal information (for example, issues relating to sexual preferences, medical conditions, etc.) gathered through a system? This problem also arises when companies monitor all Internet activity looking for visits to "inappropriate" sites. Such surveillance has elements in common with traditional surveillance for hard copy pornography, but there are significant dangers to workers in the realm of electronic surveillance. An employee may accidentally visit a pornographic site upon opening a spam e-mail that links to such a site. Or websites may be accidentally visited when displayed as a "hit" in response to a perfectly innocent search query. The surveillance technology does not, however, distinguish between an innocent mistake and an intentional visit.
The monitoring of chat room visits has also created some distress in the workplace. There is an increasing trend among companies to dismiss or sue employees for divulging company "trade secrets" or defaming the company in chat rooms. These have become known as "John Doe" cases. Because most people log on to chat rooms anonymously or use an alias, once a company observes a certain party in a chat room engaging in "illegitimate" speech, they must subpoena the message-board services such as Yahoo! or America Online, it obtain the identity of the specific author. The service providers often turn over identifying information when presented with a subpoena without any notice to the individual. The number of these cases is rapidly increasing and threatens not only the privacy of employees but also their rights to anonymity and free speech.
There is also an increasing amount of drug testing in many countries. The number of companies using these tests has risen in proportion to the decreasing costs of the tests. For many employees, drug testing is now a standard part of working life. Companies routinely administer tests in the recruitment stage or at intermittent periods during employment, even where there is no evidence of misconduct, poor performance, or any other reason to suspect drug use. There are thousands of easy-to-use kits, which can detect traces of drugs within minutes and without the need for a laboratory, available on the market today. Most of these tests analyze hair or urine samples to detect traces of drugs such as amphetamines, marijuana, cocaine, opiates, and methamphetamines.
Internationally, the use of and justifications for workplace drug testing varies from country to country. In European countries, one of the most frequently used arguments for workplace drug testing and one of the least controversial is that the test is a means of ensuring the safety of employees. In France, Norway, and the Netherlands, only workers in traditional safety-sensitive positions, or those positions which include access to dangerous materials or classified information, are subjected to testing in any form.[775] Accordingly there is less testing and there are more legal restrictions in these countries. In the Netherlands, pre-employment testing is illegal, and in France only the occupational physician may decide to conduct drug tests, not the employer.[776] On the other hand, workplace drug testing is more commonplace in British and Swedish companies, where workers in all types of jobs are tested in order to ensure "business-safety."[777]
A major ethical issue implicated by drug testing is that the process amounts to an unwarranted invasion of privacy. Most guidelines for workplace drug testing, such as the ILO Guiding Principles on Drug and Alcohol Testing of 1996, require that informed consent be obtained before testing. Opponents of testing, such as the German Federal Data Protection Commission and the Swiss Data Protection Commissioner, argue that because workers are dependent on their employers, meaningful consent to workplace drug testing is not possible.[778] This policy is not followed in some countries. In the United Kingdom, failure to comply with a requirement for drug testing that is included in an employment agreement can be interpreted as a disciplinary offence.[779]
Some European constitutions, for example in Belgium and Finland, hold that fundamental rights such as the right to privacy are indivisible and that the individual cannot consent to waive these rights.[780] Privacy issues are often implicated in the realm of workplace drug testing within the larger concerns for data protection. The testing process involves collecting sensitive data both on use of drugs and on medication taken which might influence the test result. The collecting and storage of such information is therefore not only subject to strict controls in many European countries, but also the subject of European rules such as the EU Data Protection and Telecommunications Privacy Directives and the ILO Code of Practice on the Protection of Workers' Personal Data of 1996.[781] In some European countries, the tension between the need for workplace security and the protection of personal information is resolved by strengthening the role of the occupational physician. In Finland, France, Belgium, Germany, and Austria, the drug test results are communicated to the occupational doctor, not to the employer. The doctor is only allowed to inform the employer whether the person is fit for work or not; not what results were revealed from the drug test.
In the United States, courts have upheld the legality of workplace drug testing in many different circumstances. The US Supreme Court upheld regulations mandating blood and urine tests of railroad employees to ensure workplace safety.[782] Courts have also upheld drug testing by schools of all students involved in athletics and extracurricular activities.[783] However, the US Supreme Court recently struck down a policy of performing drug tests on pregnant women in a public hospital, finding that the employees of the hospital are government actors subject to Fourth Amendment limitations.[784]
US courts have also considered the issues of notice and consent in relation to workplace drug testing. Providing notice of future drug tests shields employers from liability for intrusion upon seclusion because the employee has provided explicit consent to take the test. In addition, employers may lawfully condition employment upon successfully passing a drug test. The issue of wide scale preventative drug testing raises a host of other questions concerning privacy, bodily integrity, individual freedom, and the presumption of innocence. The process of testing itself can be hugely invasive. Observers are often present to prevent employees from tampering with samples. In the case of urine testing, the monitor's observation of the drug testing process can be particularly offensive. Consider the case of one employee who felt humiliated while undergoing a urine drug test:
I waited for the attendant to turn her back before pulling down my pants, but she told me she had to watch everything I did. I am a 40-year-old mother of three: nothing I have ever done in my life equals or deserves the humiliation, degradation and mortification I felt.[785]
This type of test can quickly turn from a necessary evil needed to protect lives and reputations into a process of intimidation and harassment. It raises questions about whether the benefits to employers really outweigh the rights and dignity of workers. Companies which manufacture drug testing equipment extol the advantages of drug tests, claiming the tests can save employers thousands of dollars by reducing incidences of absenteeism, low productivity, accidents, injuries, compensation, and health care claims stemming from employees' drug usage. Governments generally have also encouraged testing as part of a larger war on drugs. What employers are not told, however, is that there are also numerous ethical and economic disadvantages to drug testing.
Drug testing fosters a climate of negativity based on suspicion and secrecy rather than trust, openness, and respect. Low morale or resentment among workers may consequently lead to low productivity or profits. In addition, even though individual tests may no longer be expensive because they are so sweepingly administered among employees, the negative costs may be costing employers far more than they are saving them. Catching one or two light drug users for every few thousand people tested is hardly an economical justification for the initial outlay. Even if tests do reveal traces of drugs there is no clear evidence to suggest that mild drug use has a greater effect on productivity than, for example, alcohol. Dismissing workers on grounds of policy and suspicion rather than performance and proof, may result in the loss of valuable employees to the employer. Evidence has not shown that drug testing can deter future use, and it is in no way a substitute for proper guidance, support and counseling. In fact, in an ironic twist, routine testing may even encourage more serious drug usage among employees. As one commentator says:
If one wants to get inebriated on a Friday night and still pass a urine test Monday, smoking a joint would be foolish. Cocaine and alcohol would represent the "safer" choices of intoxicants because alcohol is "legal" and cocaine cannot be detected in the body as long.[786]
Finally, drug testing is inaccurate and can often lead to false and misleading results. A report by the Ontario Information and Privacy Commissioners' Office says up to 40 percent of tests are inaccurate.[787] Highly sensitive tests can be positive even when the drug sought is not present. Some say positive reactions may result from a carry-over following a strong positive earlier or from human error, such as contamination due to failure to cleanse equipment.[788] Others note that certain legal substances can also result in positive tests for illegal drugs. For example, there have been reports of Vicks inhalers resulting in positive tests for amphetamines and methamphetamines, standard anti-inflammatory drugs like Ibuprofen showing up positive on marijuana tests, and even traces of morphine being detected from poppy seeds.[789]
Other issues that raise workplace privacy concerns are employer requirements that employees complete medical tests, questionnaires, and polygraph tests. In the United States, employer use of polygraph testing has been limited by federal statute. Congress passed the Employee Polygraph Protection Act (EPPA),[790] which makes it unlawful for private sector employers to require current or prospective employees to take a lie detector test. The statute exempts public employers at the federal, state, and local levels. However, there are a few exceptions to the EPPA. For example, employers may use polygraphs as part of an ongoing investigation involving economic loss or injury to the employer's business, and employers who provide security services are exempt. One court has held that an employer who performed unauthorized tests using blood and urine samples provided by a job applicant violated the individual's privacy.[791] The court looked to the constitutional right to information privacy recognized in Whalen, and held that unauthorized tests were unconstitutional searches under the Fourth Amendment. In another case, a court found that questionnaires that collected health information about employees were permissible.[792] The court reasoned that an individual's interest in protecting his or her privacy is not as great when the information is sought by the government, is not publicly disseminated, and when measures are in place to protect the privacy of information that is collected. Some states have statutes which restrict the degree to which employers may require potential employees to undergo testing or complete mandatory questionnaires.
Internationally, there are fewer workplace privacy laws that specifically address the use of polygraphs in the employment context. In Europe, honesty testing through mechanical devices, such as polygraphs or voice stress analyzers, or through questionnaires that strive to evaluate workers' attitudes to honesty, are not expressly regulated.[793] Elsewhere, mechanical honesty testing is prohibited by statute in the Canadian territories of New Brunswick and Ontario, and is also prohibited in the Australian State of New South Wales.[794]
Technology that facilitates the right of citizens to participate in the public discourse may threaten privacy, especially when it is associated with the administration of elections and, under certain conditions, the very act of voting.[795] The use of technology in the online[796] and offline[797] voting process is growing in popularity around the world[798]. The Charter of Fundamental Rights of the European Union[799] and the United Nations Universal Declaration of Human Rights'[800] support the right of citizens to both privacy and self-governance. Democracies are universally defined as the most efficient means of supporting self-governance through citizen participation in the form of voting. The secret ballot has long been considered an integral requirement of democractic governance, In 1983, the Strasbourg Conference on Parliamentary Democracy said that genuine democract is protected by "the citozen's right to choose and change government in elections conducted under universal suffrage and by secret ballot.[801]
E-voting technology allows for the first time independent voting in public elections for millions of disabled and language minority voters through the benefit of a secret ballot.[802] Efforts existed prior to the introduction of electronic voting to facilitate independent voting for the blind.[803]
Direct Recording Electronic (DRE) Voting Machines
DRE voting machines produce no tangible evidence of the ballot, but instead save the voters choice to a memory card or disk stored in the voting device.[804] However a hybrid DRE voting machine that uses the technology as a paper ballot-marking device is now available for use in public elections.[805] These DRE paper and paperless voting machines are applicable to online and offline voting systems. They each may use one of two dominant forms of voter interface: push buttons or a touch screen display.[806] DRE voting machines provide privacy to voters through the application of cryptography[807] and assistive technology.[808] The use of smart cards, tokens or the registration of the order in which voters use the machines could each compromise users' privacy.[809]
Automated Tabulation of Paper Ballots
Technology may be used to expedite the counting of paper punch card ballots or optical scan ballots used in public elections.[810] Ballots are collected at polling locations and in most cases transported to a central location for counting.[811] Ballot reading technology may be present in voting locations to allow voters to verify their ballots before leaving them and for counting purposes.[812] This may present privacy problems should the ballot choices be visible to others. Some voting administration procedures if not clear may be interpreted to allow voters to give their ballots to poll workers to place ballots through ballot readers, which threatens ballot secrecy.[813]
Internet Voting
In October 2000, the Internet Corporation held the first binding global Internet Election for Assigned Names and Numbers (ICANN), the technical coordinating entity for the Internet. The election selected Directors for the ICANN Board.[814]
Internet or online voting is still in its infancy with a small number of countries attempting public elections using this method.[815] Most of the public elections attempted involve low-level political contest or decisions. Internet voting may take one of two forms: a polling place Internet voting system and/or a remote Internet voting system. In 1999, an Internet voting project by the European Union (EU) was launched to conduct three years of remote election pilot projects.[816] The EU Commission's Information Society Technologies (IST) 1999 Program for Research, Technology Development and Demonstration[817] funded a three-year Internet voting project that began in 2000. The use of cryptography in three pilot voting projects to protect voter privacy was reported as successful.[818] Trial Internet elections were held in Kistaand, Stockholm, Sweden, Issy-les-Moulineaux, France, and Bremen, Germany.[819]
An Internet voting paradigm raises several privacy questions: are Internet votes cast in secret? Are Internet voters free of intimidation or undue influence by others? How can adequate private space around personal computers acting as voting machines be maintained, and how can data in transit be secure from disclosure or tampering? The answers to these questions will indicate how much Internet voting will help to ensure privacy and voting in the future.
Electronic Voter Registration and Centralized Registration Databases
Electronic voter registration and centralized registration databases present challenges to privacy.[820] To participate in most public elections some form of voter registration is required.[821] Electronic voter registration that establishes centralized databases of personally identifiable information on voters for a region or nation would be a target for identity thieves, manipulation, and tampering.[822] There is also a concern that national voter registration requirements could be used in ways that were not initially disclosed by governments.[823] Some proposals for centralized voter registration would allow governments to check voter registration information against other government-managed databases.[824] In the United States, the Help America Vote Act allows states to check voter registration list with other state databases like those kept for driver's licenses or public assistance, to verify the identity of potential voters.
Absentee Voting or Voting by Mail
Absentee voting or voting by mail exposes voters to the threat that their votes may not be kept secret. Absentee voting systems must ensure that only qualified voters and those who have not participated in the regular election are the only absented ballots counted. These conditions over time have lead to a system of absentee voting that associates each absentee ballot to the voter, which could threaten ballot secrecy.[825]
Nanotechnology is an emerging science in which developers create devices and systems that have novel properties and functions because of their small size.[826] This new technology is believed to have the potential to fundamentally transform the way in which common products are produced by manipulating their component parts on the atomic level.[827] This manipulation is hoped to result in the manufacturing of products that are smaller, stronger, and lighter than those available today.[828]
Nanotechnology will likely raise new challenges to the protection of individual privacy. As nanotechnology makes computing devices smaller and more efficient, collecting, storing, sharing and processing large amounts of information will become easier and cheaper.[829] Nanotechnology has the capability of dramatically expanding surveillance devices and producing new weapons.[830]
Nanotechnology is considered to be in its "pre-competitive" stage, which the federal government defines as having limited application for commercial use. However, the potential is great for both commercial and non-commercial applications. For this reason, US federal resources are being made available for work in several key areas of nanotechnology: biology, materials research, medical, and defense applications.
In 2005, funding for nanotechnology research is to begin under the 21st Century Nanotechnology Research and Development Act of 2003.[831] The National Nanotechnology Advisory Panel, created by the Act, issued a report on nanotechnology in May 2005.[832] According to the report, USD 82 million will be budgeted to examine, among other things, the impact of nanotechnology on personal privacy.[833] Legislation is being developed to spur innovation and place the United States in a leading position with this early stage technology.[834]
The European Union issued its strategy for nanotechnology in 2005 and called for a responsible approach that would examine the "implications for the protection of privacy and personal data."[835]
[164] BVerfG, 1 BvR 2378/98 vom 3.3.2004, Absatz-Nr. (1 - 373), available at http://www.bverfg.de/entscheidungen/rs20040303_1bvr237898.html (in German).
[165] "Grosser Laushcangriff: Definition, Bedeutung, Erklärung im Lexikon", Net Lexicon, available at http://www.lexikon-definition.de/Grosser-Lauschangriff.html (in German).
[166] Basic Law for the Federal Republic of Germany, I. Basic Rights, Articles 1, 13, available at http://www.bundesregierung.de/en/Federal-Government/Function-and-constitutional-ba-,10222/I.-Basic-rights.htm.
