Even with the adoption of legal and other protections,
violations of privacy remain a concern. In many countries, laws have not kept up
with the technology, leaving significant gaps in protections. In other
countries, law enforcement and intelligence agencies have been given significant
exemptions. Finally, without adequate oversight and enforcement, the mere
presence of a law may not provide adequate protection.
There are widespread violations of laws relating to
surveillance of communications, even in the most democratic of countries. The
U.S. State Department’s annual review of human rights violations finds
that over 90 countries illegally monitor the communications of political
opponents, human rights workers, journalists and labor organizers. In
1996, a French government commission estimated that there were over 100,000
illegal wiretaps conducted by private parties, many on behalf of government
agencies. There were protests in Ireland after it was revealed that the UK was
monitoring all UK/Ireland communications from a base in Northern England. In
Japan, police were fined 2.5 million yen for illegally wiretapping members of
the Communist Party. The Echelon system is used by the United States, UK,
Australia, Canada and New Zealand to monitor communications worldwide. (See
below)
Police services, even in countries with strong privacy laws,
still maintain extensive files, for political purposes, on citizens not accused or
even suspected of any crime. Recently, investigations were held in Denmark,
Sweden and Norway, countries with long histories of privacy protection, to
investigate illegal spying by intelligence and police officials. In Switzerland,
a scandal over secret police spying led to the enactment of a data protection
act. In many former Eastern Bloc countries, there are still controversies over
the disposition of the files of the secret police.
Companies regularly flout the laws, collecting and
disseminating personal information. In the United States, even with the
long-standing existence of a law on consumer credit information, companies still
make extensive use of such information for marketing purposes and banks sell
customer information to marketers. In many countries, inadequate security has
resulted in the accidental disclosure of thousands of customers’ records.
Trends
It is now common wisdom that the power, capacity and speed of
information technology is accelerating rapidly. The extent of privacy invasion
– or certainly the potential to invade privacy – increases
correspondingly.
The increasing sophistication of information technology with
its capacity to collect, analyze and disseminate information on individuals has
introduced a sense of urgency to the demand for privacy legislation.
Furthermore, new developments in medical research and care, telecommunications,
advanced transportation systems and financial transfers have dramatically
increased the level of information generated by each individual. Computers
linked together by high-speed networks with advanced processing systems can
create comprehensive dossiers on any person without the need for a single
central computer system. New technologies developed by the defense industry are
spreading into law enforcement, civilian agencies, and private companies.
Beyond these obvious aspects of capacity and cost, there are a
number of important trends that contribute to privacy invasion:
GLOBALISATION removes geographical limitations to the flow of
data. The development of the Internet is perhaps the best known example of a
global technology.
CONVERGENCE is leading to the elimination of technological
barriers between systems. Modern information systems are increasingly
inter-operable with other systems, and can mutually exchange and process
different forms of data.
MULTI-MEDIA fuses many forms of transmission and expression of
data and images so that information gathered in a certain form can be easily
translated into other forms.
Technology transfer and policy convergence
The macro-trends outlined above have had particular effect on
surveillance in developing nations. In the field of information and
communications technology, the speed of policy convergence is compressed. Across
the surveillance spectrum – wiretapping, personal ID systems, data mining,
censorship or encryption controls – it is the industrialized countries
that invariably set the rules for the rest of the
world. [1]
Human rights groups are concerned that much of this technology
is being exported to developing countries that lack adequate protections.
Currently, there are few barriers to the trade in surveillance technologies.
Governments of developing nations rely on First World countries to supply them
with technologies of surveillance such as digital wiretapping equipment,
deciphering equipment, scanners, bugs, tracking equipment and computer intercept
systems. The transfer of surveillance technology from first to third world is
now a lucrative sideline for the arms
industry. [2]
According to a 1997 report, Assessing the Technologies of
Political Control, commissioned by the European Parliament’s Civil
Liberties Committee and undertaken by the European Commission’s Science
and Technology Options Assessment Office
(STOA), [3] much of this technology is used to
track the activities of dissidents, human rights activists, journalists, student
leaders, minorities, trade union leaders, and political opponents. The report
concludes that such technology (which it describes as “new surveillance
technology”) can exert a powerful “chilling effect” on those
who “might wish to take a dissenting view and few will risk exercising
their right to democratic protest.” Large-scale ID systems are also useful
for monitoring larger sectors of the population. In the absence of meaningful
legal or constitutional protections, such technology is inimical to democratic
reform. It can certainly prove fatal to anyone “of interest” to a
regime.
Government and citizen alike may benefit from the plethora of
IT schemes being implemented by the private and public sectors. New “smart
card” projects in which client information is placed on a chip in a card
may streamline complex transactions. The Internet will revolutionize access to
basic information on government services. Encryption can provide security and
privacy for all parties.
However, these initiatives will require a bold, forward
looking legislative framework. Whether governments can deliver this framework
will depend on their willingness to listen to the pulse of the emerging global
digital economy and to recognize the need for strong protection of
privacy.
Identity systems
Identity (ID) cards are in use in one form or another in
virtually all countries of the world. The type of card, its function, and its
integrity vary enormously. While a majority of countries have official,
compulsory, national IDs that are used for a variety of purposes, many developed
countries do not. Amongst these are the United States, Canada, New Zealand,
Australia, the United Kingdom, Ireland, and the Nordic countries. Those that do
have such a card include Germany, France, Belgium, Greece, Luxembourg, Portugal
and Spain.
ID cards are established for a variety of reasons. Race,
politics and religion were often at the heart of older ID systems. The threat of
insurgence, religious discrimination, or political extremism have been all too
common motivators for the establishment of ID systems which would force enemies
of the State into registration, or make them vulnerable in the open without
proper documents.
In recent years, ID cards have been linked to national
registration systems, which in turn form the basis of government administration.
In such systems – for example Spain, Malaysia, Thailand and Singapore
– the ID card becomes merely one visible component of a much larger
system. With the advent of microprocessor technology, these cards can also
become an interface for receipt of government services. Thus the cards become a
fusion of a service technology and a means of identification. At the heart of
such plans is a parallel increase in police powers. Even in democratic nations,
police retain the right to demand ID on pain of detention.
In a number of countries, these systems have been successfully
challenged on constitutional privacy grounds. In 1998, the Philippine Supreme
Court ruled that a national ID system violated the constitutional right to
privacy. [4] In 1991, the Hungarian Constitutional
Court ruled that a law creating a multi-use personal identification number
violated the constitutional right of privacy. [5]
The 1997 Portuguese Constitution states “Citizens shall not be given an
all-purpose national identity number.”
In other countries, opposition to the cards combined with the
high economic cost of implementing the systems has led to their withdrawal.
Massive protests against the Australia Card in 1987 resulted in the near
collapse of the government. In the last year, card projects in South Korea and
Taiwan were stopped after protests. In the United States, government agencies
and members of Congress received thousands of letters of protest against a
regulation to make state drivers’ licenses into uniform ID cards
nationwide.
Biometrics is the process of collecting, processing and
storing details of a person’s physical characteristics for the purpose of
identification and authentication. The most popular forms of biometric ID are
retina scans, hand geometry, thumb scans, fingerprints, voice recognition, and
digitized (electronically stored) photographs. The technology has gained the
interest of governments and companies because, unlike other forms of ID such as
cards or papers, it has the capacity to accurately and intimately identify the
target subject.
Biometrics schemes are being implemented across the world. The
technology is being used in retail outlets, government agencies, childcare
centers, police forces and automated-teller machines. Spain has commenced a
national fingerprint system for unemployment benefits and healthcare
entitlements. Russia has announced plans for a national electronic fingerprint
system for banks. Jamaicans are required to scan their thumbs into a database
before qualifying to vote in elections. In France and Germany, tests are under
way with equipment that puts fingerprint information onto credit cards. In
Mexico, the Federal Election Institute funded a facial recognition system to use
in the 2000 elections. In the US and Germany, some air travelers are now subject
to scans of their iris before boarding
airplanes. [6] Many computer manufacturers are
proposing including biometric readers on their systems for security
purposes.
An automated immigration system developed by the U.S.
Immigration and Naturalization Service (INS) uses hand
geometry. [7] In this project, frequent travelers
have their hand geometry stored in a “smart” computer chip card. The
traveler places a hand onto a scanner, and places the card into a slot. The
system is open to all citizens in the visa waiver countries. The scheme may
ultimately result in a worldwide identification system for travelers. 80,000
travelers had signed up by December 1998.
The most controversial form of biometrics – DNA
identification – is benefiting from new scanning technology that can
automatically match DNA samples against a large database in minutes. Police
forces in several countries including the United States, Germany and Canada have
created national DNA databases. Samples are being routinely taken from larger
and larger groups of people. Initially, it was only individuals convicted of
sexual crimes. Then it was expanded to people convicted of other violent crimes
and then to arrests. Now, many jurisdictions are collecting samples from all
individuals arrested, even for the most minor offenses. New York City Mayor
Rudolph Giuliani even proposed that all children have a DNA sample collected at
birth. In the United Kingdom, Australia, and the U.S., police have been
demanding that all individuals in a particular area voluntarily provide samples
or face being considered a suspect.
Surveillance of Communications
Nearly every country in the world has established some form of
eavesdropping capability over telephone, fax and telex communications. In most
countries, these intercepts are initiated and authorized by law enforcement or
intelligence agencies. However, wiretapping abuses have been revealed in most
countries, sometimes occurring on a vast scale involving thousands of illegal
taps. The abuses invariably affect anyone “of interest” to a
government. Targets include political opponents, student leaders and human
rights workers. [8]
Law enforcement agencies have traditionally worked closely
with telecommunications companies – many until recently controlled by
government telecommunications agencies – to formulate arrangements that
would make phone systems “wiretap friendly.” These agreements range
from allowing police physical access to telephone exchanges, to installing
equipment to automate the interception.
The U.S. government has led a worldwide effort to limit
individual privacy and enhance the capability of its police and intelligence
services to eavesdrop on personal conversations. The campaign has had two
strategies. The first is to promote laws that make it mandatory for all
companies that develop digital telephone switches, cellular and satellite phones
and all developing communication technologies to build in surveillance
capabilities; the second is to seek limits on the development and dissemination
of products, both in hardware and software, that provide encryption, a technique
that allows people to scramble their communications and files to prevent others
from reading them. [9]
At the same time, the United States has been promoting greater
use of electronic surveillance. FBI Director Louis Freeh has traveled
extensively around the world, promoting the use of wiretapping in recently free
countries such as Hungary and the Czech Republic. The U.S. pressured countries
such as Japan into adopting their first-ever laws allowing for wiretapping. The
U.S. has also been working through international groups such as the OECD, G-8
and the Council of Europe to promote surveillance.
In the early 1990s, U.S. law enforcement agencies, led by the
Federal Bureau of Investigation, began demanding that all current and future
telecommunications systems be designed to ensure that they would be able to
conduct wiretaps. After several years of lobbying, the U.S. Congress approved
the Communications Assistance for Law Enforcement Act (CALEA) in
1994. [10] The act sets out legal requirements
for telecommunications providers and equipment manufacturers on the surveillance
capabilities that must be built into all telephone systems used in the United
States. However, due to lobbying by the computer industry, the Internet was
exempted from the requirements.
While the FBI was lobbying for CALEA in the United States, it
also began working with the Justice and Interior Ministers of the European Union
towards creating international technical standards for
wiretapping. [11] In 1993, the FBI began
hosting meetings at its research facility in Quantico, Virginia called the
“International Law Enforcement Telecommunications Seminar” (ILETS).
The meetings included representatives from Canada, Hong Kong, Australia and the
EU. At these meetings, an international technical standard for surveillance,
based on the FBI’s CALEA demands, was adopted as the “International
Requirements for Interception.”
In January 1995, the Council of the European Union approved a
secret resolution adopting the ILETS
standards. [12] The resolution was not formally
debated and was not made public until late 1996. Following this, many countries
adopted the resolution into their domestic laws without revealing the role of
the FBI in developing the standard. Following the adoption, the EU and the
U.S. offered a Memorandum of Understanding for other countries to sign to commit
to the standards. A number of countries including Canada and Australia
immediately signed the MOU. Others were encouraged to adopt the standards to
ensure trade. International standards organizations, including the International
Telecommunications Union and the European Telecommunication Standardisation
Institute (ETSI), were then successfully approached to adopt the
standards.
The ILETS group continued to meet. A number of committees were
formed and developed a more detailed standard extending the scope of the
interception standards. The new standards were designed to apply to a wide range
of communications technologies, including the Internet and satellite
communications. They also set more detailed criteria for surveillance across all
technologies. The result was a 42-page document called ENFOPOL 98 (the EU
designation for documents created by the EU Police Cooperation Working
Group). [13]
In 1998, the document became public and generated considerable
criticism. The committees responded by removing most of the controversial
details and putting them into a secret operations manual that has not been made
publicly available. The new document, now called ENFOPOL 19, expanded the types
of surveillance to include “IP address (electronic address assigned to
a party connected to the Internet), credit card number and E-mail
address.” [14] In April 1999, the Council
proposed the new draft council resolution to adopt the ENFOPOL 19 standards into
law in the EU.
In May 1999, the European Parliament approved the ENFOPOL 19
resolution. [15] However, the vote was
criticized for being taken late on a Friday with only 20 percent of the
delegates present, and was reversed by the Council of Ministers. The rejection
has not stopped the ETSI from continuing its work on developing wiretapping
standards. [16]
Internet Surveillance and Black Boxes
Following closely on the success of forcing telecommunications
equipment manufacturers and companies to build in surveillance capabilities,
intelligence and law enforcement agencies have turned their attention to forcing
Internet Service Providers to facilitate surveillance of their users. A number
of countries are demanding that ISPs install “black boxes” on their
systems that can monitor the traffic of their users.
The actual workings of these black boxes are unknown to the
public. What little information has been made public has revealed that many of
the systems are based on “packet sniffers” typically employed by
computer network operators for security and maintenance purposes. These are
specialized software programs running in a computer that is hooked into the
network at a location where it can monitor traffic flowing in and out of
systems. These sniffers can monitor the entire data stream searching for key
words, phrases or strings such as net addresses or e-mail accounts. They can then
record or retransmit for further review anything that fits its search criteria.
In many of the systems, the boxes are connected to government agencies by high
speed connections. The U.S. FBI has developed a system called
“Carnivore” that places a PC running Windows NT at an Internet
Service Provider’s offices and can monitor all traffic about a user
including e-mail and browsing. [17] According
to press reports, Carnivore “can scan millions of e-mails a second”
and “would give the government, at least theoretically, the ability to
eavesdrop on all customers’ digital communications, from e-mail to online
banking and Web surfing.” [18] In response
to the public uproar over Carnivore, Attorney General Janet Reno announced that
the technical specifications of the system would be disclosed to a “group
of experts” to allay public concerns. [19]
EPIC has filed suit demanding access to all relevant information, including the
source code for the system.
In some countries, there have been laws or decrees enacted to
require the systems to facilitate surveillance. Russia has been the leading
country in this effort, but according to Russian computer experts, the U.S.
government advised them on implementation. In 1998, the Russian Federal Security
Service (FSB) issued a decree on the System for Operational Research Actions on
the Documentary Telecommunication Networks (SORM-2) that would require Internet
Service Providers to install surveillance devices and high speed links to the
FSB which would allow the FSB direct access to the communications of Internet
users without a warrant. [20] ISPs are required
to pay for the costs of installing and maintaining the devices. When an ISP
based in Volgograd challenged FSB’s demand to install the system, the
local FSB and Ministry of Communication attempted to have its license revoked.
The agencies were forced to back off after the ISP challenged the decision in
court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was
not a valid ministerial act because it failed several procedural requirements.
Following the Russian lead, in September 1999, Ukrainian
President Leonid Kuchma proposed requiring that Internet Service Providers
install surveillance devices on their systems based on the Russian SORM system.
The rules and a subsequent bill were attacked by the Parliament and withdrawn.
However, in August 1999, the security service visited a number of the large ISPs,
which were reported to have installed the boxes.
In the Netherlands, a new Telecommunications Act was approved
in December 1998 which requires that Internet Service Providers have the
capability by August 2000 to intercept all traffic with a court order and
maintain user logs for three months. [21] The
bill was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap
of electronic communications of one of its subscribers. The Dutch Forensics
Institute [22] has developed a
“black-box” that is used to intercept Internet traffic at an ISP.
The black box is under control of the ISP and is turned on after receiving a
court order. The box is believed to look at authentication traffic of the person
to be wiretapped and divert the person’s traffic to law enforcement if the
person is online.
More recently, the UK Parliament approved the Regulation of
Investigatory Powers Act in July 2000. It requires that ISPs provide a
“reasonable interception capability” in their networks. The
intercepted traffic will be forwarded to a Government Technical Assistance
Centre based in the headquarters of a branch of British Intelligence. While the
legislation itself does not mention a black box, a government-sponsored report
raised the likelihood that they would be necessary.
Not satisfied with national efforts based on laws, governments
have begun demanding that computer and networking companies build in these
capabilities. In 1999, the FBI approached the Internet Engineering Task Force,
an Internet standards body, and asked that it facilitate net surveillance by
designing communications protocols to facilitate
surveillance. [23] The initiative was strongly
opposed. The group held a meeting in November 1999 and found that the consensus
was against the proposal. In April 2000, the group came out with an official
position opposing the
recommendation. [24]
Cyber-crime
A related effort for enhancing government control of the
Internet and promoting surveillance is also being conducted in the name of
preventing “cyber-crime,” “information warfare” or
“protecting critical infrastructures.” Under these efforts,
proposals to limit online privacy of net users are being introduced as a way to
prevent computer hackers from attacking systems.
The lead bodies internationally are the European Union, the
Council of Europe and the G-8, a high level organization made up of eight major
industrialized countries. [25] The United
States has been active behind the scenes in developing and promoting these
efforts. [26] After meeting secretly for years,
the organizations recently made public proposals that would place restrictions
on online privacy, anonymity and encryption in the name of preventing
cyber-crime.
Since 1997, the Council of Europe’s Committee of Experts
on Crime in Cyber-space (PC-CY) has been meeting and drafting an international
treaty. In April 2000, the Council of Europe released the “Draft
Convention on Cyber-crime.” [27] According
to the COE, the U.S. was “very active” in its development.
The draft treaty requires countries to pass laws on
cyber-crime and agree to promote mutual assistance in enforcing laws and
conducting investigations. Among the provisions, it requires that countries
enact laws guaranteeing that users provide access to all files on a system under
penalty of jail including their encryption keys. It bans security tools that
probe systems for known problems, and requires that ISPs keep detailed logs of
their users for an undefined period of time, said to be somewhere between 40
days and a year. To make it more difficult politically to oppose, copyright and
child porn provisions have also been included. After working on this for three
years, the COE left blank in the public document two sections on interception of
communications. It is expected that these sections will facilitate cross-border
wiretaps and are likely to include the ILETS/ENFOPOL requirements.
The draft is expected to be completed by December 2000 and
will be open for signature by the member countries by September 2001. The
Convention is open to the 52 members of the Council of Europe and to countries
that were involved in the development, which includes the United States, Canada,
Japan and South Africa. At the G-8 meeting in Paris in July 2000, the French
Government, which will hold the Presidency of the EU, recommended that the
convention be opened to all countries.
The proposal has already been criticized by privacy experts on
a number of grounds and by a group of prominent security experts for the
limitations on security software. [28] The
EU’s Data Protection Working Group has expressed concern about efforts to
require ISPs to preserve information for law enforcement
purposes. [29]
The G-8 has been meeting since 1996 on the issue. At the
Birmingham, England meeting on May 18, 1998, the G8 adopted a recommendation on
ten principles and a ten-point action plan on high-tech crime. The ministers
announced, “We call for close cooperation with industry to reach agreement
on a legal framework for obtaining, presenting and preserving electronic data as
evidence, while maintaining appropriate privacy protection, and agreements on
sharing evidence of those crimes with international partners. This will help us
combat a wide range of crime, including abuse of the Internet and other new
technologies.” In July 2000, the Group of 8 met in Paris to discuss
responses to cyber-crime.
The Council of Ministers of the European Union reached a
Common Position on the convention in May
1999. [30] In July 2000, the Commission
announced that it is planning a new directive for fighting
cyber-crime. [31]
National Security and the “Echelon system”
In the past several years, there has been considerable
attention given to mass surveillance by intelligence agencies of international
and national communications. Investigations have been opened and hearings held
in parliaments around the world about the “Echelon” system
coordinated by the United States.
Immediately following the Second World War, in 1947, the
governments of the United States, the United Kingdom, Canada, Australia and New
Zealand signed a National Security pact known as the
“Quadripartite,” or “United Kingdom - United States”
(UKUSA) agreement. Its intention was to seal an intelligence bond in which a
common national security objective was created. Under the terms of the
agreement, the five nations carved up the earth into five spheres of influence,
and each country was assigned particular signals intelligence (SIGINT)
targets.
The UKUSA Agreement standardized terminology, code words,
intercept handling procedures, arrangements for cooperation, sharing of
information, Sensitive Compartmented Information (SCI) clearances, and access to
facilities. One important component of the agreement was the exchange of data
and personnel.
The strongest alliance within the UKUSA relationship is the
one between the U.S. National Security Agency (NSA), and Britain’s
Government Communications Headquarters (GCHQ). The NSA operates under a 1952
presidential mandate, National Security Council Intelligence Directive (NSCID)
Number 6, to eavesdrop on the world’s communications networks for
intelligence and military purposes. In doing so, it has built a vast spying
operation that can reach into the telecommunications systems of every country on
earth. Its operations are so secret that this activity, outside the U.S., occurs
without any legislative or judicial oversight. The most important facility in
the alliance is Menwith Hill, an Air Force base in the north of England. With
over two dozen radomes and a vast computer operations facility, the base has the
capacity to eavesdrop on vast chunks of the communications spectrum. With the
creation of Intelsat and digital telecommunications, Menwith Hill and other
stations developed the capability to eavesdrop on an extensive scale on fax,
telex and voice messages.
The current debate over NSA activities has erupted because of
two recent European Parliament (EP) studies that confirm the existence in
Britain of a network of signals intelligence bases operated by the NSA. The
publication in 1997 of the first EP report, “An Appraisal of the
Technologies of Political
Control,” [32] stated
that the NSA had established an integrated communications surveillance
capability in Europe.
It also described a communications intelligence sharing
sub-system known as “Echelon,” which is said to be capable of
scanning particular communications to detect information of interest. The
Echelon sub-system also catalogues intelligence for sharing with various
consumers in the UKUSA countries based on clearance and need-to-know. According
to informed sources that served within the National Security Council, the
Echelon sub-system was greatly expanded in the 1980s to include new functions in
order to keep pace with technological advances in telecommunications and data
networking.
What is more important about Echelon is what the sub-system is
not. First, Echelon is not a worldwide communications surveillance system. The
system by which the United States conducts communications intelligence gathering
is known as the United States Signals Intelligence System (USSS). The collection
of intelligence that involves “U.S. persons” (U.S. citizens, legal
residents, and foreign residents visiting the United States) is governed by
United States Signals Intelligence Directive 18 (USSID 18), which is titled
“Limitations and Procedures in Signals Intelligence Operations of the
USSS.” The Australian Defense Signals Directorate operates under a similar
regulation known as “Rules on SIGINT and Australian Persons.” Other
directives cover other aspects of signals intelligence gathering by the five
SIGINT agencies individually and jointly.
In a 1999 report, the oversight Commissioner for the Canadian
Communications Security Establishment (CSE), Claude Bisson, stated that his
“review and analysis indicates that CSE is not using its technology to
target Canadian communications . . . in keeping with the policy of the
government, CSE goes to considerable effort to avoid collecting Canadian
communications.” Bisson cited regulations that govern the collection of
intelligence on Canadians, “CSE has policies and practices to address the
safeguarding and proper handling of inadvertently collected Canadian
communications in accordance with the laws of Canada, including the Privacy Act,
the Criminal Code, and the Canadian Charter of Rights and
Freedoms.” [33] Following New Zealand
parliamentary protests over the SIGINT base at Waihopai near Blenheim on the
South Island, Prime Minister Helen Clark also referred to the intelligence
relationship between New Zealand’s SIGINT agency, the Government
Communications Security Bureau (GCSB) and the NSA. She stated that the GCSB is
aware of all communications intelligence sent to NSA from the Waihopai satellite
communications intercept facility and that the station does not intercept
economic intelligence.
Second, contrary to media reports, no intelligence official
has ever confirmed that Echelon is the name of NSA’s worldwide SIGINT
system. For example, the Director of Australia’s Defense Signals
Directorate, Martin Brady, in a letter sent to Australia Nine Network’s
“Sunday” program, stated, “DSD does cooperate with counterpart
signals intelligence organizations overseas under the UKUSA relationship.”
This was widely reported as a confirmation of Echelon’s role as a
stand-alone international surveillance system. In fact, Echelon is one system of
hundreds of similarly named cover term systems that make up the USSS. In his
1999 Report, CSE Commissioner Bisson also referred to the UKUSA system. He
stated, “CSE is both a collector of foreign communications intercepts and
a recipient of communications intercepts collected by Second Parties,”
which he went on to identify by name: Australia, New Zealand, United Kingdom,
United States. [34]
In 1999, a second EP report, “Interception Capabilities
2000” [35] set out the technical
specifications of the interception system. The report describes the merger of
Echelon and the International Law Enforcement Telecommunications Seminar
(ILETS). In time, two vast systems - one designed for national security and one
for law enforcement - will merge, and in the process will compromise national
control over surveillance activities.
Of particular interest to the European Parliament were
allegations that the NSA was beefing up its commercial espionage activities.
Although the NSA and other U.S. intelligence officials deny that the U.S. SIGINT
System is used for commercial espionage, they do admit that intercepted
intelligence that indicates bribery and other unfair trade practices is brought
to the attention of senior U.S. policymakers, and, in some cases, is briefed in
a sanitized form to the U.S. companies threatened by the unfair trade
practices.
However, the U.S. SIGINT base at Bad Aibling in the Bavarian
Alps of Germany may have a more expanded mission than countering bribery and
unfair trade deals. According to intelligence expert Erich Schmidt-Eenboom, the
Bad Aibling base, while not actually committing economic espionage (confirmed by
a German parliamentary delegation that visited the base in June 2000), does
conduct financial intelligence gathering. Schmidt-Eenboom said, “the
antennae and satellites in Bad Aibling are now directed at Switzerland and
Liechtenstein where there is more to be uncovered about secret bank accounts and
money laundering.” [36] These reports of
financial network snooping by NSA and its allies, along with similar reports
that the NSA illegally penetrated bank computers and networks in Switzerland,
Liechtenstein, Cyprus, Russia, Greece, and South Africa looking
for accounts of Serb President Slobodan Milosevic and his family and associates
in order to loot them, indicate that NSA’s protestations that it does not
conduct economic espionage are both misleading and inaccurate.
Parliamentarians in Germany, Norway, France, Italy, Denmark,
Finland, the Netherlands, and Sweden subsequently raised concerns. A plenary
session of the European Parliament took the unprecedented step of openly
debating the activities of the NSA. In a Consensus Resolution of all major
parties, the Parliament signaled its concern by calling for more openness and
accountability of this once hidden activity. However, in April 2000, the
Parliament agreed to appoint a Temporary Committee to look into the so-called
Echelon system. The Greens and other small leftist and right-wing parties
claimed that instead of establishing a full Committee of Inquiry, the large
parties -- Conservatives, Socialists, and Liberals -- were attempting to weaken
the investigation of Echelon by only appointing a Temporary Committee which,
under EP rules, lacks the subpoena power of a Committee of Inquiry.
In June 1999, the U.S. House of Representatives Permanent
Select Committee on Intelligence ordered the NSA to hand over documents relating
to Echelon. The NSA, for the first time in the Committee’s history,
refused to do so, claiming attorney/client
privilege. [37] In May 1999,
Representative Bob Barr, worried by the potential breach of constitutional
privacy rights, introduced an amendment to the fiscal 2000 Intelligence
Authorization Act requiring the Director of Central Intelligence, the director
of NSA, and the Attorney General to submit a report outlining the legal
standards being employed within project Echelon to safeguard the privacy of
American citizens.
Reacting to pressure from House Permanent Select Committee on
Intelligence Chairman Porter Goss, the NSA turned over the documents Congress
previously requested. Following a lawsuit brought under the Freedom of
Information Act, NSA provided redacted copies of these documents to EPIC. Among
other things, they indicate that the level of authority for NSA to provide
SIGINT reports to other agencies of the federal government has been delegated to
lower levels within NSA. They also indicate special NSA rules for handling
intercepted communications of or about First Lady Hillary Rodham Clinton and
former President Jimmy Carter. [38]
These recent events have left observers contemplating two
profound conclusions. First, as long as the UKUSA SIGINT partners police and
govern their own operations outside of actual effective parliamentary and
judicial oversight, there is good reason to believe that SIGINT can be turned
against individuals and groups exercising civil and political rights. There is
ample evidence that the activities of Greenpeace, Christian Aid, Amnesty
International, the International Committee to Ban Landmines, the Tibetan
government-in-exile, and the International Committee of the Red Cross have been
targeted by UKUSA agencies. Second, there is an increasing blurring between the
activities of intelligence agencies and law enforcement. The creation of a
seamless international intelligence and law enforcement surveillance system has
resulted in the potential for a huge international network that may, in
practice, negate current rules and regulations prohibiting domestic
communications surveillance by national intelligence
agencies.
Tools for fighting surveillance
The law enforcement efforts to demand greater powers for
surveillance have also resulted in a greater interest in tools that prevent
eavesdropping. These tools are generally written by users concerned about their
privacy in the U.S. and Europe.
Encryption has become the most important tool for protection
against surveillance. A message is scrambled so that only the intended recipient
will be able to unscramble, and subsequently read, the contents. Pretty Good
Privacy (PGP) is the best-known encryption program and has hundreds of thousands
of users, including human rights groups. [39] An
open source program called GNU Privacy Guard is being developed as a free
replacement that will allow anyone to view the full source of the system to
ensure that it does not allow for secret
surveillance. [40]
“Anonymous remailers” strip identifying
information from e-mails and can stop traffic analysis. They have also generated
opposition from police and intelligence services. In Finland, a popular
anonymous remailer had to be shut down due to legal challenges that forced the
operator to reveal the name of one of the users.
More advanced tools that merge the functions of anonymous
remailers and encryption have also been developed. The Mixmaster anonymous
remailers use encrypted links between anonymous remailers to hide the identity
of the original sender by sending the message randomly through a series of
remailers before delivering it to the final destination. Freedom.net provides a
fully encrypted link between the user and secure servers run by the company to
prevent wiretapping and encrypted headers so that users can receive email
without even the company knowing who is using the system.
Users should be aware that not all tools are effective at
protecting privacy. Some are poorly designed while others may be designed to
facilitate law enforcement
access. [41]
Electronic Commerce
Surveillance by law enforcement is not the only concern users
should have about their online privacy. The growth of the Internet and
electronic commerce has dramatically increased the amount of personal
information that is collected about individuals by corporations. As consumers
surf the net and engage in routine online transactions, they leave behind a
trail of personal details, often without any idea that they are doing so. Much
of this information is routinely captured by the computers that log all
activities on their systems.
Most on-line companies keep track of users’ purchases.
This information ranges from the trivial to the most sensitive and, unless
adequately protected, can be used for purposes that seriously harm the interests
of the consumer. Other companies gather personal information from visitors by
offering personalized services such as news searches, free email and stock
portfolios. They then sell, trade or share that information among third party
companies without the consumer’s express knowledge or consent. The
perceived value of this kind of information is behind the stock-market
valuations of many dotcom companies.
Many on-line companies, for example, provide lists of their
customers’ e-mail addresses to companies that specialize in sending
unsolicited commercial e-mail (spam). Other companies mine e-mail addresses from
sources such as messages posted on mailing lists, from newsgroups, or from
domain name registration data. This results in consumers being barraged by
advertisements and “once-off” deals by companies or people they have
never even heard of. Studies show that consumers resent spam both for the time
it takes to process and for the loss of privacy resulting from their e-mail
address circulating freely on countless
directories. [42]
Probably even more worrying is the increasing practice of
“online profiling” of Internet users. Companies, including Internet
Service Providers, web site hosts and others, monitor users as they travel
across the Internet, collecting information on what sites they visit, the time
and length of these visits, search terms they enter, purchases they make or even
“click-through” responses to banner ads. In the off-line world this
would be comparable to, for example, having someone follow you through a
shopping mall, scanning each page of every magazine you browse through, every
pair of shoes that you looked at and every menu entry you read at the
restaurant. When collected and combined with other data such as demographic or
“psychographic” data, these diffuse pieces of information create
highly detailed profiles of net users. These profiles have become a major
currency in electronic commerce where they are used by advertisers and marketers
to predict a user’s preferences, interests, needs and possible future
purchases. Most of these profiles are currently stored in anonymous form.
However, there is a distinct likelihood that they will soon be linked with
information, such as names and addresses, gathered from other sources, making
them 100 percent personally identifiable.
The most pervasive tracking technology is the cookie. The
cookie is a small file containing an ID number that is placed on a user’s
hard drive by a website. Cookies were developed to improve websites’
ability to track users over a session. The cookie can also notify the site that
the user has returned and can allow the site to track the user’s
activities across many different visits. The use of cookies expanded greatly
when it was realized that a single cookie could be used across many different
sites. This led to the development of advertising network companies that can
track users across thousands of sites. The largest ad service is DoubleClick,
which has agreements with over 11,000 websites and maintains cookies on 100
million users, each linking to hundreds of pieces of information about the
user’s browsing habits. A more secretive manner of tracking Internet users
takes place through the use of web bugs, invisible images that also place
cookies on users’ computers. As of July 2000, DoubleClick had placed web
bugs on over 60,000 different web
pages. [43]
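The cross-site linkage described above, as an added example that is not part of the original report: a Python audit of a constructed browser request log that flags any third-party site receiving the same cookie identifier from pages on different sites, and lists small cookie-bearing responses that match the web-bug pattern. The host names, the log layout and the two thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

MIN_ID_LEN = 6       # assumption: shorter values (e.g. lang=en) are preferences, not IDs
WEB_BUG_BYTES = 100  # assumption: an invisible 1x1 image is only a few dozen bytes

# Constructed sample: (page the user is viewing, resource the browser fetched,
# Cookie header sent with that fetch, size of the response in bytes).
SAMPLE_LOG = [
    ("http://news.example/today", "http://news.example/style.css", "session=n-55120", 4200),
    ("http://news.example/today", "http://ads.adnet.example/banner.gif", "id=8f3a91c2; lang=en", 15000),
    ("http://shoes.example/boots", "http://ads.adnet.example/pixel.gif", "id=8f3a91c2; lang=en", 43),
    ("http://health.example/clinic", "http://ads.adnet.example/pixel.gif", "id=8f3a91c2; lang=en", 43),
    ("http://shoes.example/boots", "http://cdn.static.example/lib.js", "", 9000),
    ("http://health.example/clinic", "http://cdn.static.example/lib.js", "", 9000),
    ("http://news.example/today", "http://poll.widgets.example/w.js", "visit=aa11bb22", 800),
    ("http://shoes.example/boots", "http://poll.widgets.example/w.js", "visit=cc33dd44", 800),
]


def site_of(url):
    """Approximate the registrable domain as the last two host labels.

    Simplification: production code should consult the Public Suffix List.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def third_party_requests(log):
    """Yield (first_party, third_party, url, cookies, size) for every request
    that goes to a different site than the page being viewed."""
    for page, resource, cookie_header, size in log:
        first, third = site_of(page), site_of(resource)
        if first == third:
            continue  # first-party request: the site the user chose to visit
        jar = SimpleCookie()
        jar.load(cookie_header)
        cookies = {name: morsel.value for name, morsel in jar.items()}
        yield first, third, resource, cookies, size


def find_cross_site_trackers(log, min_sites=2):
    """Map each third-party site to the cookie IDs it received, unchanged,
    from pages on at least `min_sites` different first-party sites."""
    seen = defaultdict(set)
    for first, third, _url, cookies, _size in third_party_requests(log):
        for name, value in cookies.items():
            if len(value) >= MIN_ID_LEN:
                seen[(third, f"{name}={value}")].add(first)
    trackers = defaultdict(dict)
    for (third, ident), sites in seen.items():
        if len(sites) >= min_sites:
            trackers[third][ident] = sorted(sites)
    return dict(trackers)


def web_bug_candidates(log):
    """Third-party responses that are tiny yet carried a cookie: the shape of
    an invisible tracking image rather than visible content."""
    return [(first, url)
            for first, _third, url, cookies, size in third_party_requests(log)
            if cookies and size <= WEB_BUG_BYTES]


if __name__ == "__main__":
    for tracker, ids in find_cross_site_trackers(SAMPLE_LOG).items():
        for ident, sites in ids.items():
            print(f"{tracker} can link {ident} across: {', '.join(sites)}")
    for first, url in web_bug_candidates(SAMPLE_LOG):
        print(f"possible web bug on {first}: {url}")
```

The cookie-less CDN and the widget that sends a different value on each site are not flagged: what enables profiling is the stable identifier, not the mere presence of third-party content.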
The line between online tracking and offline databases has
also become blurred in the U.S. In 1999, DoubleClick announced that it was
buying Abacus, owner of the largest direct marketing lists in the country, with
information on the purchasing habits of 90 percent of all U.S. households, and
that DoubleClick was going to merge information from the purchasing databases
with information from online browsing. Following a public outcry, the company
suspended its plan to merge personal data with
profiles. [44] However, in July 2000 the Federal
Trade Commission reached an agreement with the Network Advertisers Initiative, a
group consisting of the largest online advertisers including DoubleClick, which
will allow for online profiling and any future merger of such databases to occur
with only “opt-out” consent. [45]
Not satisfied with cookies, which can be rejected or deleted
by a user, the industry is also now developing more permanent methods of
identifying users. In 1999, Intel announced that it was including a serial
number in each new Pentium III chip that could be accessed by websites and
internal corporate networks. [46] Most of the
manufacturers suppressed the number after a consumer boycott was announced, and
Intel announced in 2000 that it is dropping the serial number in future chips.
Meanwhile, a number of companies, including Microsoft and RealAudio, have been
discovered using the internal networking number found in most computers as
another identifier. [47] The Internet
Engineering Task Force has developed specifications for the next version of the
Internet’s underlying protocols called IPv6 that will assign a unique
permanent ID number to every device hooked into the net, which could one day
include refrigerators and VCRs. [48]
As noted above, there are tools available that can be used to
protect the privacy of users in many cases. These technologies are known as
“Privacy Enhancing Technologies” (PETs). Ones that can be useful
include anonymous web browsers, remailers and encryption. There are also many
that are offered by industry that are not privacy protective. Many of these
systems, such as Microsoft’s Passport and the World Wide Web
Consortium’s (W3C) Platform for Privacy Preferences (P3P), are designed
more to facilitate data sharing than to protect
users. [49] They are also frequently used by US
industry as justification for not passing laws. The European Commission in 1998
looked at some PETs and stated that the tools would not replace a legal
framework but could be used to complement existing
laws. [50]
Other companies are trying a different approach, offering to
become “information brokers.” Under many of these systems, users
provide information to the company, which then provides it to a third-party
website with the consent of the user. These sites raise a question of trust.
Given that many of them are run by the same Internet companies that are also
major privacy invaders, the user must wonder why they should volunteer providing
information to these companies. They are also frequently used by U.S. industry
as justification for not passing laws.
A common practice among online companies is to sign on to a
“seal” program in order to provide consumers with a sense of
security that their personal information is being protected. These programs
follow the traditional seal programs in laying down certain eligibility
standards which participant companies must respect in order to get a compliance
seal. The better seal programs conduct monitoring and compliance checks, provide
educational information, offer consumer dispute resolution, and enforce
sanctions against errant companies. There are many disadvantages of seal
programs operating within a self-regulatory system. All too often, seal program
operators have been shown to be ineffective and reluctant to take enforcement
measures against their members including companies such as Microsoft. A 1999
Forrester research report found that, “because independent privacy groups
like TRUSTe and BBBOnline earn their money from e-commerce organizations, they
become more of a privacy advocate for the industry -- rather than for
consumers.” [51]
Finally, Internet security also raises serious problems for
privacy. Many web sites are poorly secured against accidental releases or
deliberate attacks. [52] In March 2000, De Beers
lost 35,000 names, addresses, phone numbers and e-mail addresses of people
inquiring about buying diamonds following a security breach. In April 2000, it
was revealed that an unknown Microsoft engineer had included a backdoor into its
webserver software. If someone typed “Netscape engineers are
weenies!” backwards, they would have access to the websites and associated
data. In August 2000, Kaiser Permanente, a top U.S. health insurer, admitted
that it had compromised the confidentiality and privacy of its members when it
sent over 800 e-mail messages, many containing sensitive information, to the
wrong
members. [53]
Spy TV: Interactive Television & “T-Commerce”
The convergence of communications networks, computers and mass
media into an interactive network combining television and the Internet is the
next progression of the technology currently being developed. Already, the new
boxes are replacing the traditional cable TV set-top box with an interactive
device that also includes the functions of a limited personal computer and video
recorder. At the same time, personal computers are regularly equipped with TV
tuner cards to handle advanced video operations.
The designers of these new appliances paint a pleasant picture
of the conveniences that will be available with these new systems. They
anticipate that viewers will be able to make spur of the moment purchases over
their boxes, based on what their favorite star is wearing or on an individually
tailored ad that appears between shows. Communities will be formed as people
chat live about the plots of their favorite shows or sporting events. Vast
libraries of movies and shows will be available for renting on demand by just
pressing a button on the remote control. The industry calls this
“T-Commerce” for Television Commerce. Millions of users are
expected to be using these in just the next few years, and the ad revenue to
justify the new expensive boxes is expected to hit $5 billion by 2004.
Interactiveness has been the dream of the television industry
since the invention of the TV. For several decades, there have been a series of
expensive tests that have failed because the technology has been crude and
expensive. [54] The change that now makes ITV
possible is the evolution of the Internet and its underlying protocols and the
advancement of digital television. These protocols are now being used to allow
for interactive high-speed access to the Internet over existing cable lines.
Slowly, intelligent cable TV boxes which can use broadband and interactive cable
systems are being deployed in some places.
A number of companies have jumped into this new market in the
last few years. The largest players are America Online and Microsoft. Microsoft
purchased WebTV in 1998 and has also been including interactive television
abilities in their operating systems for several years. Thus far, because of
poor service, little interactive programming, and relatively high prices, the
number of users has not significantly grown. They also are hampered by needing
to use telephone lines to communicate with the service in most areas as cable
lines are slowly being converted to interactive communications. America
Online has announced that it will start deploying AOL TV in the United States in
2000. When its merger with media giant Time-Warner is complete, it will have
control over a significant portion of the cable television lines and television
shows in the U.S. It is expected that AOL will use that market power to force
the development of more interactive television and the deployment of interactive
boxes that will be capable of tracking users even if they do not wish to use the
functions.
Meanwhile, there are other companies that have developed
devices that will automatically record television shows for viewers and make
recommendations for new shows based on viewers’ previous behavior. These
systems also send some information on the viewers’ habits back to the
central offices. TiVO and ReplayTV are two of the major manufacturers of such
systems. Many of these features will be included in future WebTV and AOL TV
boxes.
Behind the hype, the technical details are more chilling.
The new systems are being designed, like their Internet predecessors, to track
every activity of users as they surf the net through the boxes. They also are
being designed to track the shows and commercials users watch and to use that
information to tailor advertising for the greatest
effect. [55] Rupert Murdoch said in the
NewsCorp annual report, “It will tell us not only who our customers are,
but what they buy, what they watch, what they read and what they
want.” [56] George Orwell’s vision
of the television that watches you will soon be a standard consumer appliance.
Unlike personal computers that give users control over their
actions and choices, the new ITV systems are generally based on a sealed
“black box” controlled by the company which gives the user little or
no control. In the WebTV box, users are not able to refuse cookies or delete
them afterwards. The systems are closed and it is difficult, if not impossible,
for even advanced users to identify what the system is doing. It will also
prevent users from being able to use their own software.
There are other significant differences in that the medium is
more top-down and corporatized than the Internet, which is decentralized and
allows nearly any user to set up his own web site and become a content producer.
Many of the ITV providers describe their systems as “closed gardens”
that will only show content that the providers have a financial interest in.
Other information will either be banned or be slower or more difficult to locate
and view.
Audio Bugging
Advances in technology are also making it easier and cheaper
to conduct covert audio surveillance. Bugs come in many shapes and sizes. They
range from micro-engineered transmitters the size of an office staple, to
devices no bigger than a cigarette packet that are capable of transmitting video
and sound signals for miles. Many of the bugs are cleverly camouflaged. They are
hidden in everything from umbrella stands to light shades. Sometimes, the
infiltrator will hide them in a business or sports trophy where they will stay
indefinitely. The latest bugs remain active with their own power supply for
around ten years.
Laws restricting the use of covert audio devices vary widely
across the world. Many countries have provisions in their general wiretap laws
that also cover the use of bugs. The European Court of Human Rights has ruled
several times that all signatories of the Convention must enact laws governing
their use. While it is illegal in most circumstances in the U.S. to use or sell
such devices, the British market had no restrictions whatever until recently. As
one private investigator told the London Daily Telegraph, “It’s a
game anyone can play.” Millions of bugs are sold every year in Asian
countries such as Hong Kong and Japan.
The devices are used for a variety of reasons. In many Asian
countries, use of the devices for industrial espionage is widespread. They are
also frequently used in the workplace or in homes. Law enforcement and
intelligence agencies also use the devices but according to government records
in the U.S., Canada and other countries, they are used much less frequently than
traditional wiretaps for law enforcement purposes.
Video Surveillance
In recent years, the use of video surveillance cameras (also
called Closed Circuit Television, or CCTV) to monitor public and private spaces
throughout the world has grown to unprecedented levels. The leader in this trend
is the United Kingdom, where it is estimated that between 150 and 300 million
pounds per year is now spent on a surveillance industry involving an estimated
200,000 cameras monitoring public spaces. [57]
Most towns and cities are moving to CCTV surveillance of public areas, housing
estates, car parks and public facilities. Growth in the market is estimated at
fifteen to twenty per cent annually. Many Central Business Districts in Britain
are now covered by surveillance camera systems involving a linked system of
cameras with full pan, tilt, zoom and infrared capacity. Their use on private
property is also becoming popular. [58]
The CCTV trend is not confined to Britain. CCTV activity in
Norway has prompted specific inclusion of such surveillance in the data
protection act. Meanwhile, CCTV activity has grown markedly in North America and
Australia to monitor public squares. In New York City, the NYCLU Surveillance
Camera Project identified 2,397 cameras in
Manhattan. [59] In Singapore, they are widely
employed for traffic enforcement and to prevent littering.
These systems involve increasingly sophisticated technology.
Features include night vision, computer-assisted operation, and motion detection
facilities that allow the operator to instruct the system to go on red alert
when anything moves in view of the cameras. Camera systems increasingly employ
bulletproof casing and automated self-defense mechanisms. The clarity of the
pictures is usually excellent, with many systems being able to read a cigarette
packet at a hundred meters. The systems can often work in pitch black, bringing
images up to daylight level. The technologies are converging with sophisticated
software programs that are capable of automated recognition of faces, crowd
behavior analysis, and in certain environments, intimate scanning of the area
between skin surface and clothes. In Newham, UK, a facial recognition system
that can scan faces against a database of millions of photographs in seconds is
already in place to identify people “of interest.” The U.S.
government is funding “passive millimeter wave technology” that
allows police to peer under clothing to see if a person is carrying contraband
or weapons. The power and capabilities of cameras will continually increase,
while the cost and size will decrease. It is reasonable to assume that covert
visual surveillance will in some environments be ubiquitous.
Some observers believe this phenomenon is dramatically
changing the nature of cities. The technology has been described as the
“fifth utility.” [60] CCTV is being
integrated into the urban environment in much the same way as the electricity
supply and the telephone network in the first half of the century. CCTV is
profoundly changing the nature of the urban environment, and is now an important
part of the core management of cities. Visual surveillance is becoming a fixed
component in the design of modern urban centers, new housing areas, public
buildings and even the road system. CCTV images may in the future be viewed as
just one more type of necessary data, and considered a “value added”
product.
Their use has come under greater criticism recently and recent
research by the Scottish Centre for Criminology found that the cameras did not
reduce crime, nor did they improve public perception of crime
problems. [61] Researchers at the University of
Hull, UK found that the cameras were frequently used for other
reasons:
- 40 percent of people were targeted for “no
obvious reason,” mainly “on the basis of belonging to a particular
or subcultural group.” “Black people were between one-and-a-half and
two-and-a-half times more likely to be surveilled than one would expect from
their presence in the population.”
- 30 percent of targeted surveillances
on black people were protracted, lasting nine minutes or more, compared with
just 10 percent on white people.
- People were
selected primarily on the basis of “the operators’ negative
attitudes towards male youth in general and black male youth in particular. ...
[I]f a youth was categorised as a ‘scrote’ they were subject to
prolonged and intensive
surveillance.”
- Those deemed to be
“out of time and out of place” with the commercial image of city
centre streets were subjected to prolonged surveillance. “Thus drunks,
beggars, the homeless, street traders were all subject to intense
surveillance.”
- “Finally, anyone who
directly challenged, by gesture or deed, the right of the cameras to monitor
them was especially subject to
targeting.” [62]
Campaigns have been started in several countries to stop their
spread. [63] In 1997 and 1999, the city of
Oakland, California voted to reject their
use. [64]
There has also been greater activity by data protection
commissioners as the technology merges with information systems and contains
information on identifiable individuals. In July 2000, the UK Data Protection
Commissioner issued a code of practice on the use of CCTV. The code sets out
guidelines for the operators of CCTV systems and makes clear their obligations
under the recently implemented Data Protection Act
1998. [65]
Satellite Surveillance
Developments in satellite surveillance (also called
“remote sensing”) are also occurring at a fast pace, and embrace
features similar to those of more conventional visual surveillance. Satellite
resolution has constantly improved over the past decade. Since the end of the
Cold War, companies such as EarthWatch, Motorola and Boeing have invested
billions of dollars to create satellites capable of mapping the most minute
detail on the face of the earth.
A commercial satellite capable of recognizing objects the size
of a student’s desk was launched from the U.S. in September 1999 and began
releasing images in October 2000. [66] The
Ikonos is the most powerful commercial imaging satellite ever built. Its parabolic
lens can recognize objects as small as one meter anywhere on earth and,
according to the company, viewers can see individual trees, automobiles, road
networks, and houses. The satellite, owned by Denver company Space Imaging, will
be the first of a new generation of high resolution satellites using technology
formerly restricted to government security agencies. Another ten companies have
received licenses to launch equally powerful satellites and several are expected
to launch shortly. [67]
The technology is already being used for a vast range of
purposes from media reporting of war and natural disasters, to detecting
unlicensed building work and even illegal swimming pools. Public interest groups
are using the information to show images of nuclear testing by countries and
even images of secret U.S. bases such as Area 51 in
Nevada. [68]
While industry looks for the opportunity to exploit current
spy satellite technology, a great deal of effort is being made to integrate the
existing images with ground-based Geographic Information System (GIS) databases
that can provide detailed data on human activity. Double clicking on a satellite
image of an urban area can reveal precise details of the occupants of a target
house. The “Open Skies” policy accepted worldwide means that there
are few restrictions on the use of the
technology. [69]
But the companies have a distance to go before they catch up
with governments. It is estimated that the current generation of secret spy
satellites such as the Ikon/Keyhole-12 can recognize objects as small as 10cm
across and some analysts say that it can image a license
plate. [70] Boeing recently landed a 10-year
contract from the U.S. Government for a Future Imagery Architecture (FIA) to
replace the KH satellites and the ground
infrastructure. [71] The FIA is based on a
constellation of new satellites that are smaller, less expensive, and placed in
orbit to allow for real-time surveillance of battlefields and other targets.
Workplace Privacy
Workers around the world are frequently subject to some kind
of monitoring by their employers. Employers supervise work processes for quality
control and performance purposes. They collect personal information from
employees for a variety of reasons, such as health care, tax, and background
checks.
Traditionally this monitoring and information gathering
involved some form of human intervention and either the consent, or at least the
knowledge, of employees. The changing structure and nature of the workplace,
however, has led to more invasive, and often covert, monitoring practices which
call into question employees’ most basic right to privacy and dignity
within the workplace. The progress in technology has facilitated an increasing
level of automated surveillance. Now the supervision of employees’
performance, behavior and communications can be carried out by technological
means, with increased ease and efficiency. The technology currently being
developed is extremely powerful and can extend to every aspect of a worker’s
life. Software programs can record keystrokes on computers and monitor exact
screen images, telephone management systems (TMS) can analyze the pattern of
telephone use and the destination of calls, and miniature cameras and
“Smart” ID badges can monitor an employee’s behavior and
movements.
Advances in science have also pushed the boundaries of what
personal details and information an employer can acquire from an employee.
Psychological tests, general intelligence tests, performance tests, personality
tests, honesty and background checks, drug tests, and medical tests are
routinely used in workplace recruitment and evaluation methods.
A recent report by the American Management Association found that 43
percent of companies carry out basic skills testing, 69 percent test for
specific skills and 46 percent used some kind of psychological
evaluation. [72] Since the discovery of DNA
there has also been an increased use of genetic testing, allowing employers to
access the most intimate details of a person’s body in order to predict
susceptibility to diseases, medical or even behavioral conditions. The success
of the Human Genome Project will likely make this kind of testing more
prevalent.
Employers’ collection of personal information and use of
surveillance technology is often justified on the grounds of health and safety,
customer relations or legal obligation. However, in many cases workplace
monitoring can seriously compromise the privacy and dignity of employees.
Surveillance techniques can be used to harass, discriminate and to create
unhealthy dynamics in the workplace.
Legal Background
Privacy advocates have long maintained that providing notice
of a monitoring or surveillance policy should, as a bare minimum, be required
before employers can engage in such invasive activities. They support strong
privacy principles in the workplace such as the International Labor
Office’s “Code of Practice on the Protection of Workers’
Personal Data,” which protect employees’ personal data and
fundamental right to privacy in the technological
era. [73] These guidelines were issued by the
ILO in 1997, following three comprehensive studies on international
workers’ privacy laws. [74] The general
principles of the code are:
- personal data should be used lawfully and
fairly; only for reasons directly relevant to the employment of the worker and
only for the purposes for which they were originally collected;
- employers should not collect sensitive personal
data (e.g., concerning a worker’s sex life, political, religious or other
beliefs, trade union membership or criminal convictions) unless that
information is directly relevant to an employment decision and in conformity
with national legislation;
- polygraphs,
truth-verification equipment or any other similar testing procedure should not
be used;
- medical data should only be collected in
conformity with national legislation and principles of medical confidentiality;
genetic screening should be prohibited or limited to cases explicitly authorized
by national legislation; and drug testing should only be undertaken in
conformity with national law and practice or international
standards;
- workers should be informed in advance
of any monitoring and any data collected by such monitoring should not
be the only factor in evaluating
performance;
- employers should ensure the security
of personal data against loss, unauthorized access, use, alteration or
disclosure; and
- employees should be informed
regularly of any data held about them and be given access to that data.
The code does not form international law and is not of binding
effect. It was intended to be used “in the development of legislation,
regulations, collective agreements, work rules, policies and practical
measures.” Unfortunately, however, the laws differ greatly from country to
country and in some there are few legal constraints on workplace surveillance.
In the U.S., for example, the courts have typically been slow to recognize
employees’ rights to privacy. There has not yet been any satisfactory and
uniform determination of what level of privacy employees are entitled to and how
that privacy should be protected. Many believe that since employers have
ownership or “control” over the working premises, its contents and
facilities, that employees give up all rights and expectations to privacy and
freedom from invasion. Others simply avoid the question by making employees
consent to surveillance, monitoring and testing as a condition of employment.
Legislation has recently been introduced, however, which would prevent employers
from secretly monitoring the communications and computer use of their
employees. [75]
In European countries, the collection and processing of
personal information is uniformly protected by the Data Protection Directive.
The 1997 Telecommunication directive, however, which provides for the
confidentiality of communications is aimed at “public” systems and
so would not cover privately owned systems in the
workplace. [76] Nonetheless, many European
countries, such as Austria, Germany, Norway and Sweden have strong labor codes
and privacy laws which directly or indirectly prohibit or restrict this kind of
surveillance. [77] In July 2000, the UK Data
Protection Commissioner also issued a new draft code of guidance for
employer/employee relationships. [78] The code
states the obligations of employers under the Data Protection Act, and also
takes into account the presumed requirements of the soon to be implemented Human
Rights Act 1998. It lays down strong principles of data protection, prohibits
the making of decisions solely on the basis of automated data, requires employers to
notify employees of surveillance policies and places limits on the extent of
monitoring which can take place. It requires the explicit consent of employees
before sensitive data such as medical or information can be collected and places
strict limitations on drug, alcohol, genetic, aptitude and psychometric testing
within the workplace.
Performance Monitoring
Automated workplace monitoring has become increasingly common
in recent years. Even in workplaces staffed by highly skilled information
technology specialists, bosses demand the right to spy on every detail of a
worker’s performance. Modern networked systems can interrogate computers to
determine which software is being run, how often, and in what manner. A
comprehensive audit trail gives managers a profile of each user, and a panorama
of how the workers are interacting with their machines. Software programs can
also give managers total central control of individual PCs. A manager can now
remotely modify or suspend programs on any machine, while at the same time
reading and analyzing email traffic and Internet activity.
An employer can monitor the level of use of a computer through
monitoring the number of keystrokes a word processing employee enters in a
specified period of time or the amount of time a computer is idle during the
workday. Numerous technologies are available which monitor and analyze the
performance of IT workers. Some allow network administrators to observe an
employee’s screen in real time, scan data files and e-mail, analyze
keystroke performance, and even overwrite passwords. Once this information is
collected, it can be analyzed by standard processing programs to determine a
worker’s performance profile. These monitoring products are sold at very
low prices and have infiltrated the market. A recent American
Management Association report found that forty-five percent of major U.S.
firms record and review employee communications and activities on the job and
that one of four companies said they had fired employees for misuse of
telecommunication equipment. [79] These snooping
programs have also become popular not just among employers but also law
enforcement agencies, private attorneys and investigators and suspicious lovers.
In the workplace, the use of CCTV is usually limited to
environments where the workers are confined to an office. Where staff are more
mobile, companies are now using a range of technologies to track geographic
movements. [80] Advances in this area now allow
carrier companies to place an electronic mechanism (described as a geostationary
satellite-based mobile communications
system) [81] on trucks that then sends back to a
main terminal the exact position of the vehicle at all times. In this way,
carrier companies can ensure that no side trips or other deviations are taken
from the prescribed route. [82] Wide area
systems such as Trackback are in use throughout the UK.
Telephone Monitoring
Telephone surveillance has become endemic throughout the
private and public sector. In the U.S., employers have broad discretion to
monitor employees’ calls for “business purposes.” Companies
are extensively using telephone analysis technology. Call center workers for
British Telecom are regularly presented with a comprehensive analysis sheet,
showing their performance relative to other workers. Airline reservations clerks
in the U.S. and elsewhere wear telephonic headsets that monitor the length and
content of all telephone calls, as well as the duration of their bathroom and
lunch breaks. [83] In one
instance, telephone calls received by airline reservation agents were
electronically monitored on a second-by-second basis: agents were allowed only
11 seconds between each call and 12 minutes of break time each
day. [84] Other airline reservationists have
complained that they are evaluated based on how many times they use a
customer’s name during a call or how often they try to overcome a
customer’s initial objections to buying a ticket.
The level of sophistication of telephone surveillance systems
can be astonishing. Some systems can record all transactional activity on a
phone, together with destination numbers and times. Other technology can then
process and analyze this data. A British program called “Watcall,”
produced by the Harlequin company, can analyze telephone calls and group them
into “friendship networks” to determine patterns of
use. [85] Voice mail
systems are also subject to systematic or random monitoring by managers. Most
new systems have default pass codes for administrators, and these can open all
message boxes.
E-mail and Internet Use Monitoring
Computers and networks are particularly conducive to
surveillance. Employers can monitor e-mail by randomly reviewing e-mail
transmissions, by specifically reviewing transmissions of certain employees, or
by selecting key terms to flag e-mail. In the latter case software analyses a
company’s entire e-mail traffic phrase by phrase, and draws conclusions
about whether a message is legitimate company business. It can be instructed to
search for specific keywords and “damaging” phrases. Some programs
can even use algorithms to analyze communications patterns and turn them into
images. Monitors can then look at these images to follow traffic patterns and
detect whether sensitive data is at risk. Many employers rely on software for
remote monitoring of e-mail messages. With a few clicks they can see every
e-mail message that employees send or receive and determine whether they are
“legitimate” or not. Managers give a variety of reasons for
installing such software. Some say it is to protect trade secrets or prevent
sexual harassment incidents. Others want to prevent oversized e-mails clogging
networks and using too much bandwidth. Others simply don’t want employees
“wasting” company time by using the systems for personal activities.
In an ideal world, this monitoring should follow the conventional format, i.e.,
identical to the quality check that has applied to correspondence sent out on
company letterhead. However, the speed and efficiency of e-mail means that
digital communication involves a vast intersection with personal correspondence.
It also has features more in common with an internal memo, for which there has
always been less monitoring and management.
In July of this year, Dow Chemical Company in the U.S. fired
50 employees and threatened 200 others with suspension after they found
“offensive” material in their e-mail. The company opened the
personal e-mail of more than 7,000
employees. [86] Similarly, the New York Times
fired 23 employees last year for sending “obscene” messages. These
cases raise complex legal and ethical questions concerning an employee’s
fundamental right to privacy and due process. What if employees are sent
“offensive” e-mails by accident or maliciously? The e-mail cannot
simply be deleted. It remains logged on the company server, threatening the
relationship of trust between employee and management. Or what if an employee is
dismissed on the grounds of sensitive personal information (for example relating
to sexual preferences, a medical condition, etc.) gathered through a system? This
problem also arises when companies monitor all Internet activity looking for
visits to “inappropriate” sites. At first sight, such surveillance
has elements in common with traditional surveillance for hard copy pornography,
but there are significant dangers to workers in the realm of electronic
surveillance. The use of spam e-mail to advertise X rated sites results in
workers entering sites that appear to be quite benign. Or websites may be
accidentally visited when displayed as a “hit” in response to a
perfectly innocent search query. The surveillance technology does not, however,
distinguish between an innocent mistake and an intentional visit.
The monitoring of chat room visits has also created some
distress in the workplace. There is an increasing trend among companies to
dismiss and/or sue employees for divulging company “trade secrets”
or defaming the company in chat rooms. These have become known as “John
Doe” cases. As most people log on to chat rooms anonymously or using an
alias, once a company observes a certain party in a chat room engaging in
“illegitimate” speech, they must subpoena the message-board services
such as Yahoo or America Online, to obtain the identity of the specific author. The
service providers often turn over identifying information when presented with a
subpoena without any notice to the individual. The number of these cases is
rapidly increasing and threatens not only the privacy of employees but also
their rights to anonymity and free speech.
Drug Testing
There is also an increasing amount of drug testing in many
countries. The number of companies using these tests has risen proportionately
with the decreasing costs of the tests. For many employees, drug testing is now
a standard part of working life. Companies routinely administer tests in the
recruitment stage or at intermittent periods during employment even where there
is no evidence of misconduct, poor performance or any other reason to suspect
drug use. There are thousands of easy to use kits, which can detect traces of
drugs within minutes and without the need for a laboratory, available on the
market today. Most of these tests analyze hair or urine samples to detect traces
of drugs such as amphetamines, marijuana, cocaine, opiates and methamphetamines.
The issue of widescale “preventative” drug testing
raises a whole host of questions concerning privacy, bodily integrity, freedom
and the presumption of innocence. The process of testing itself can be hugely
invasive. Observers are often present to prevent employees tampering with
samples. In the case of urine testing this can be particularly offensive.
Consider the case of one employee who wrote:
I waited for the attendant to turn her back before pulling
down my pants, but she told me she had to watch everything I did. I am a
40-year-old mother of three: nothing I have ever done in my life equals or
deserves the humiliation, degradation and mortification I
felt. [87]
This type of test can quickly turn from a necessary evil
needed to protect lives and reputations to intimidation and harassment. It
raises questions about whether the benefits to employers really outweigh the
rights and dignity of workers. Manufacturing companies wishing to sell their
products obviously claim they can. They extol the advantages of drug tests,
claiming they can save employers thousands by reducing incidences of
absenteeism, low productivity, accidents, injuries, compensation and health care
claims. Governments generally have also encouraged testing as part of a larger
war on drugs. What employers are not told, however, is that there are also
numerous ethical and economic disadvantages to drug testing.
Drug testing fosters a climate of negativity based on
suspicion and secrecy rather than trust, openness and respect. Low morale or
resentment among workers may consequently lead to low productivity or profits.
In addition, even though individual tests may no longer be expensive, because
they are so sweepingly administered among employees, they may be costing
employers far more than they are saving them. Catching one or two light drug
users for every few thousand people tested is hardly an economical justification
for the initial outlay. Even if tests do reveal traces of drugs there is no
clear evidence to suggest that mild drug use has a greater effect on
productivity than, for example, alcohol. Dismissing workers on grounds of policy
and suspicion rather than performance and proof, may result in the loss of
valuable employees to the employer. Testing does not involve good management
policy. Evidence has not shown that drug testing can deter future use, and it is
in no way a substitute for proper guidance, support and counseling. In fact, in
an ironic twist, routine testing may even encourage more serious drug usage
among employees. As one commentator says: If one wants to get inebriated on a
Friday night and still pass a urine test Monday, smoking a joint would be
foolish. Cocaine and alcohol would represent the “safer” choices of
intoxicants because alcohol is “legal” and cocaine cannot be
detected in the body as long. [88]
Finally, drug testing is inaccurate and can often lead to
false and misleading results. A report by the Ontario Information and Privacy
Commissioners’ Office says up to 40 per cent of tests are
inaccurate. [89]
Highly sensitive tests can be positive even when the drug sought is not present.
Some say positive reactions may result from a carry-over following a strongly
positive earlier or from human error, such as contamination due to failure to
cleanse equipment. [90] Others note that certain
legal substances can also result in positive tests for illegal drugs. For
example, there have been reports of Vicks inhalers resulting in positive tests
for amphetamines and methamphetamines, standard anti-inflammatory drugs like
Ibuprofen showing up positive on marijuana tests, and even traces of morphine
being detected from poppy seeds. [91]
Genetic Testing
As DNA and genetic databases become more common world-wide,
there has been a concurrent rise in the use of testing by employers. Although
there are legitimate uses of genetic testing, such as the prevention of
occupational diseases, there is also a serious danger that employers will use
these tests to discriminate against current or potential employees. Without
legal intervention, information indicating, for example, whether someone is
prone to a debilitating illness or even an “undesirable” condition
(such as laziness or depression) may be used by employers to discriminate
against employees.
Genetic testing is a particularly intrusive invasion of
privacy involving as it does the very “core” or
“make-up” of an individual. Moreover, this testing may have
implications not only for the individual but also one’s family, gender,
community or race. The ACLU notes that “some genetic conditions are
associated (sometimes inappropriately) with certain racial or ethnic groups.
For example, sickle cell anemia is associated with African-Americans, and
predisposition for breast cancer ... with Ashkenazi
Jews.” [92]
Although genetic testing is still not as common as, for
example, drug testing within the workplace, there are strong indications that it
is becoming an increasing practice for employers. In 1982, a U.S. federal
government survey found that 1.6 percent of companies were using genetic testing
for employment purposes. [93] A follow up survey
in 1989 found that number increased to 5 percent. A recent American Management
Association study now finds that 15 percent of major U.S. firms are conducting
some kind of genetic testing or “testing for susceptibility to workplace
hazards.” [94]
Recognizing this danger, a number of international bodies have
recommended that the use of genetic testing within the workplace should be
carefully circumscribed by law. In 1989, the European Parliament issued a
resolution recommending legislation to prohibit genetic testing for the purposes
of selecting workers or examining employees without their consent. It advised
that employees must be informed of any analysis and implications of genetic data
before tests are carried out and allowed to withdraw from testing at any
time. [95] The Council of Europe has also
recommended that “the admission to, or the continued exercise of . . .
employment, should not be made dependent on the undergoing of tests or
screening.” [96] Similarly, the World
Medical Association (WMA) has issued statements to this effect. In 1992, issuing
a Declaration on the Human Genome Project, it recommended the adoption of laws
similar to those which prohibit “the use of race discrimination in
employment or insurance.” [97] In May
2000, it announced that it will draw up guidelines on the development of
centralized health storage databases which will address “the issues of
privacy, consent, individual access and
accountability.” [98]
Perhaps because it is still a relatively new phenomenon, few
countries around the world have yet adopted specific laws on genetic testing.
In many cases this kind of testing may be indirectly prohibited by existing
labor codes. [99] It is also possible that the
use of genetic data by employers to discriminate against workers may violate
equal-opportunity or anti-discrimination laws. In the U.S., for example, it has
been suggested that genetic testing could violate the 1964 Civil Rights Act
which prohibits discrimination in employment on the basis of “race, sex,
national origin, and religion,” or the Americans with Disabilities Act of
1990, which prohibits discrimination in employment against a “qualified
individual with a disability.” [100]
However, these protections are no substitute for clear and meaningful guidelines
and there is ample evidence to suggest that discrimination in the workplace is
already occurring. [101]
[1] Simon Davies
and Ian Hosein, “Liberty on the Line” in Liberating Cyberspace
(Pluto Press, London, 1998)
[2] Big Brother
Incorporated, Privacy International site:
<http://www.privacy.org/pi/reports/>.
[3] Science and
Technology Options Assessment (STOA). Ref : project no.
IV/STOA/RSCH/LP/politicon.1
<http://cryptome.org/stoa-atpc.htm>.
[4] Philippine
Supreme Court Decision of the National ID System, July 23, 1998, G.R. 127685.
<http://bknet.org/laws/nationalid.html>.
[5] Constitutional
Court Decision No. 15-AB of 13 April 1991,
<http://www.privacy.org/pi/countries/hungary/hungarian_id_decision_1991.html>.
[6] Iris scans
take off at airports, ComputerWorld, July 17, 2000.
[7] See INS
INSPASS Pages
<http://www.ins.usdoj.gov/graphics/Howdoi/INSpass.htm>.
[8] U.S.
Department of State Country Report on Human Rights Practices for 1997, January
30, 1998.
[9] See David
Banisar and Simon Davies, “The Code War,” Index on Censorship,
January 1998.
[10] See EPIC
Wiretap Pages: http://www.epic.org/privacy/wiretap/
[11] See ENFOPOL
Timeline 1991-1999,
<http://www.telepolis.de/tp/english/special/enfo/6382/1.html>.
[12] Council
Resolution of 17 January 1995 on the lawful interception of telecommunications,
Official Journal of the European Communities November 4, 1996
<http://europa.eu.int/eur-lex/en/lif/dat/1996/en_496Y1104_01.html>.
[13] ENFOPOL 98.
<http://www.telepolis.de/tp/deutsch/special/enfo/6326/1.html>.
[14] Draft
COUNCIL RESOLUTION of on the lawful interception of telecommunications in
relation to new technologies ENFOLPOL 19, 15 March 1999 (22.03
<http://www.fipr.org/polarch/enfopol19.html>.
[15] See
http://futurezone.orf.at/futurezone.orf?read=detail&id=994
[16] See e.g.
ETSI, Security Techniques Advisory Group (STAG), Definition of user requirements
for lawful interception of telecommunications; Requirements of the law
enforcement agencies, ETR 331, December 1996. ETSI, Telecommunications and
Internet Protocol Harmonization Over Networks (TIPHON); Security; Studies into
the Impact of lawful interception, ETSI TR 101 750 V1.1.1 (1999-11), November
1999; Intelligent Networks (IN); Lawful interception, ETSI EG 201 781
V1.1.1 (2000-07).
[17]
Testimony of Robert Corn-Revere, before the Subcommittee on the
Constitution of the Committee on the Judiciary, United States House of
Representatives, The Fourth Amendment and the Internet, April 6, 2000.
<http://www.house.gov/judiciary/corn0406.htm>.
[18]
“FBI's System to Covertly Search E-Mail Raises Privacy,” Legal
Issues, Wall Street Journal, July 11, 2000.
[19] “Reno
to double-check Carnivore's bite,” Reuters, July 13,
2000.
[20] Russia
Prepares To Police Internet, The Moscow Times, July 29, 1998. More information
in English and Russian is available from the Moscow Libertarium Forum
<http://www.libertarium.ru/libertarium/sorm/>.
[23] “Net
Wiretapping: Yes or No?” Wired News, October 13, 1999.
[24] See RFC
2804, IETF Policy on Wiretapping
<http://www.faqs.org/rfcs/rfc2804.html>.
[25] Dr Paul
Norman, “Policing 'high tech crime' in the global context: the role of
transnational policy networks,”
<http://www.bileta.ac.uk/99papers/norman.htm>.
[26] See
http://www.privacyinternational.org/issues/cybercrime/ for
details.
[27] COE, Draft
Treaty on Cybercrime
<http://conventions.coe.int/treaty/en/projets/cybercrime.htm>.
[28] Statement
of Concerns, July 20, 2000.
<http://www.cerias.purdue.edu/homes/spaf/coe/index.html>.
[29] European
Commission Data Protection Working Group, Recommendation 3/99 on the
preservation of traffic data by Internet Service Providers for law enforcement
purposes, Adopted on 7 September 1999.
<http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp25en.htm>.
[30] Common
position 99/364/JAI, of 27 May 1999, of the Council on negotiations relating to
the Draft Convention on Cyber Crime held in the Council of Europe.
<http://europa.eu.int/scadplus/leg/en/lvb/l33084.htm>.
[31]
“European Union Ministers Vow Cyber Crime Crackdown,” Reuters, July
29, 2000.
[32] Published
by STOA (Science and Technology Options Assessment). Ref : project no.
IV/STOA/RSCH/LP/politicon.1
[33] Annual
Report of the CSE Commissioner 1998-1999,
<http://www.dnd.ca/menu/press/Reports/A_Report/CDS_Annual_Report_e.htm>.
[35] Report to
the Director General for Research of the European Parliament (Scientific and
Technical Options Assessment programme office) on the development of
surveillance technology and risk of abuse of economic information. This study
considers the state of the art in Communications intelligence (Comint) of
automated processing for intelligence purposes of intercepted broadband
multi-language leased or common carrier systems, and its applicability to Comint
targeting and selection, including speech recognition.
<http://cryptome.org/dst-1.htm>.
[36]
“Germany voices concerns over Echelon and wonders who is listening.”
ZDNet Germany, June 30, 2000.
[37]
“Congress, NSA butt heads over Echelon”, Federal Computer Week, June
3, 1999.
[38] Documents
available at: http://www.epic.org/privacy/nsa/documents.html
[39] PGP
International Page: http://www.pgpi.com/
[40] Homepage:
http://www.gnupg.org/
[41] EPIC
maintains a list of tools at http://www.epic.org/privacy/
[42] For more
information on SPAM generally and how to reduce it see,
http://www.junkbusters.com, http://www.cauce.org/
[46] See
http://www.bigbrotherinside.org/
[47] See Richard
Smith, Internet Privacy Issues.
<http://www.tiac.net/users/smiths/privacy/index.htm>.
[48] See
http://www.junkbusters.com/ht/en/new.html#IPv6
[49] EPIC and
Junkbusters, ‘Pretty Poor Privacy: An Assessment of P3P and Internet
Privacy’, June 2000,
<http://www.epic.org/reports/prettypoorprivacy.html>.
[50] Opinion
1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard
(OPS),
<http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp11en.htm>.
[51] Forrester
Research Inc, “Privacy Wake-Up Call,” September 1,
1999.
[53] See, “Sensitive Kaiser E-Mails Go
Astray,” Washington Post, August 10, 2000.
[54] See L. J.
Davis, The Billionaire Shell Game: How Cable Baron John Malone and Assorted
Corporate Titans Invented a Future Nobody Wanted (1998) for a review of the
early failures of the industry.
[55] See David
Burke, Spy TV (Slab-O-Concrete Press, 1999).
<http://www.spyinteractive.com/spyinteractive/>.
[56] Cited in
Privacy Journal, October 1999.
[57] House of
Lords, Science and Technology Committee, Fifth report, “Digital images as
evidence”, 3 February 1998, London.
[58] Stephen
Graham, John Brooks, and Dan Heery “Towns on the Television : Closed
Circuit TV in British Towns and Cities”; Centre for Urban Technology,
University of Newcastle upon Tyne.
[59] NYCLU
Surveillance Camera Project
<http://www.nyclu.org/surveillance.html>.
[60] Stephen
Graham, The Fifty Utility, Index on Censorship, issue 3, 2000.
<http://www.indexoncensorship.org/300/gra.htm>.
[61] Home Page:
<http://www.scotcrim.u-net.com/researchc.htm>.
[62] Dr Clive
Norris and Gary Armstrong, “The unforgiving Eye: CCTV surveillance in
public space,” Centre for Criminology and Criminal Justice at Hull
University.
<http://merlin.legend.org.uk/~brs/archive/stories97/Suspects.html>.
[64] ACLU,
Second Attempt Fails to Install Spy Cams on Oakland Streets,
<http://www.aclunc.org/aclunews/news499/oakland-cams.html?video#first_hit>.
[65] See
http://wood.ccta.gov.uk/dpr/dpdoc.nsf
[66] See
http://www.spaceimaging.com/
[67] CBS,
“Satellites Change How We See the Earth,”
<http://cbsnews.cbs.com/now/story/0,1597,34059-412,00.shtml>.
[68] See eg,
Federation of American Scientists, Dimona Photographic Interpretation Report
<http://www.fas.org/nuke/guide/israel/facility/dimona_pir.html>.
[70] “Spy
Satellites: the Next Leap Forward,” International Defense Review, January
1, 1997.
[71]
“Boeing to build new US satellites,” Jane's Defence Weekly,
September 15, 1999.
[72] AMA,
‘Workplace Testing: Basic Skills, Job Skills, Psychological
Measurement’, 2000.
<http://www.amanet.org/research/stats.htm>.
[73]
‘Protection of workers' personal data’, An ILO Code of Practice,
Geneva, International Labour Office, 1997.
[74]
International Labour Office, Conditions of Work Digest: Worker’s Privacy
Part I: Protection of Personal Data, (1991) 10(2); Worker’s Privacy Part
II: Monitoring and Surveillance in the Workplace, (1993) 12(1); and
Worker’s Privacy Part III: Testing in the Workplace, (1993)
12(2).
[75] The "Notice
of Electronic Monitoring Act" (S.2898 and H.R.4908), introduced July 20, 2000.
[76] Directive
Concerning the Processing of Personal Data and the Protection of Privacy in the
Telecommunications Sector (Directive 97/66/EC of the European Parliament and of
the Council of 15 December 1997),
<http://www2.echo.lu/legal/en/dataprot/protection.html>.
[77] For a review
of these laws see International Labour Office, Conditions of Work Digest, Op
Cit.
[81] “Bulkmatic Equips Fleet with
OmniTRACS System,” Qualcomm Press release, December 19, 1996.
<http://www.qualcomm.com/Press/pr961219c.html>.
[83] Laura Pincus Hartman, “The Economic and Ethical
Implications of New Technology on Privacy in the Workplace,” Business and
Society Review, March 22, 1999.
[84] Charles Pillar, “Bosses with X-Ray Eyes,”
MacWorld, July 1993.
[85] Simon Davies, “Watch out for the Old Bill”,
Daily Telegraph, April 29, 1997.
[86] ‘Dow Chemical Fires Employees Over
Inappropriate E-mails’, ABCNEWS.com, July 27, 2000.
[87] From a
letter to the American Civil Liberties Union describing a workplace drug test.
See, ACLU, Drug Testing: A Bad Investment, September 1999.
<http://www.aclu.org/issues/worker/drugtesting1999.pdf>.
[88] Ethan A.
Nadelmann. "Drawing the Line on Drug Testing". IntellectualCapital.Com. October
14, 1999.
<http://www.lindesmith.org/library/ethan_drugtesting2.html>.
[89] Information
and Privacy Commissioner/Ontario, Workplace Privacy: The Need for a Safety-Net,
November 1993.
<http://www.ipc.on.ca/english/pubpres/sum_pap/papers/safnet-e.htm>.
[90] Morgan,
John P. "Problems of Mass Urine Screening for Misused Drugs." Journal of
Psychoactive Drugs. Vol. 16(4) (1984): 305-317. Available at The Lindesmith
Center - Drug Policy Foundation
<http://www.lindesmith.org/library/grmorg2.html>.
[91] National
Academy of Sciences, "Under the Influence? Drugs and the American Work Force",
1994. Also, ACLU, Drug Testing: A Bad Investment, September 1999.
<http://www.aclu.org/issues/worker/drugtesting1999.pdf>.