There is no explicit right to privacy in the United States Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on several provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a "reasonable expectation of privacy"[2809] and also in matters relating to marriage, procreation, contraception, family relationships, child rearing and education.[2810] Some states within the country have incorporated explicit privacy protections into their state constitutions.[2811]
However, the United States has taken a sectoral approach to privacy regulation so that records held by third parties, such as consumer marketing profiles or telephone calling records, are generally not protected unless a legislature has enacted a specific law.[2812] The Court has also recognized a right of anonymity[2813] and the right of political groups to prevent disclosure of their members' names to government agencies.[2814]
The United States Supreme Court has considered several important privacy cases over the last few years. In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the Drivers Privacy Protection Act (DPPA), a 1994 law that protects drivers' records held by state motor vehicle agencies. In a unanimous decision, the Court found that the information was "an article of commerce" and can be regulated by the federal government.[2815] In June 2001, the Supreme Court ruled in the case of Kyllo v. United States that the use of a thermal imaging device, without a warrant, to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment. The Fourth Amendment protects individuals from intrusions into areas where there is a "reasonable expectation of privacy."[2816] In November 2000, the Supreme Court ruled held that suspicionless vehicle checkpoints, used to discover and interdict illegal narcotics, violate the Fourth Amendment.[2817] Also, in March 2001, the Supreme Court held that a state hospital cannot perform diagnostic tests to obtain evidence of criminal conduct without the patient's consent; such a test is unreasonable and violates the Fourth Amendment.[2818]
In the 2001 term, the Supreme Court addressed anonymity, searches on buses, and student privacy. In Watchtower Bible, the Court invalidated a law that required registration with the government before individuals could engage in door-to-door solicitation. The Court held that a pre-registration requirement violated the First Amendment, which guarantees freedom from government restrictions on free expression, and individuals' right to anonymity.[2819] In United States v. Drayton, the Court held that the Fourth Amendment does not require police officers to advise bus passengers of their right not to cooperate and to refuse consent to searches.[2820] Student privacy was diminished in a series of cases involving drug testing, "peer grading," the practice of allowing a fellow student to score a test, and the right to sue under a federal student privacy law. In Earls, the Court held that random, suspicionless drug testing of students involved in non-athletic extracurricular activities was justified under the "special needs" exception to the Fourth Amendment.[2821] In Falvo, the Court held that both peer grading and the reporting aloud of peer grades did not violate the Family Educational Rights and Privacy Act of 1974 (FERPA).[2822] In Gonzaga, the Court held that the FERPA does not give individuals a right to sue for violations of privacy.[2823]
In the 2002 term, the Supreme Court ruled that a "Megan's Law statute," which requires sex offenders to have their pictures and addresses put on the Internet, does not violate the Ex Post Facto clause of the Constitution.[2824] In a related case, Connecticut Dept. of Public Safety v. Doe, the Court unanimously held that inclusion in a public sex offender registry, without a separate hearing on the offender's risk to the community, does not violate the Due Process Clause of the Constitution.[2825] In a far-reaching opinion, the Supreme Court ruled in Lawrence v. Texas that a state law that prohibited homosexual sodomy violated the due process rights of the Constitution.[2826] The Court reversed an earlier opinion in which it had upheld sodomy statutes.[2827] Justice Kennedy writing for the Court, said that "The petitioners are entitled to respect for their private lives. The state cannot demean their existence or control their destiny by making their private sexual conduct a crime." Significantly, Justice Kennedy also cited with approval the Europeam Court of Human Rights and other foreign courts that have affirmed the "rights of homosexual adults to engage in intimate, consensual conduct." The decisions were brought to the attention of the high court in an amicus brief filed by the former UN High Commissiomer for Human Rights.[2828]
The Privacy Act of 1974 protects records held by United States Government agencies and requires agencies to apply basic fair information practices.[2829] Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a "routine use" compatible with the purpose for which the information was originally collected. Limits on the use of the Social Security Number have also been undercut in recent years because Congress has approved new purposes for the identifier[2830] and because the private sector employs the identifier for many purposes with virtually no safeguards for the individual.[2831] The Act also allows certain agency systems of records to be exempt from accuracy and other requirements. In March 2003, the Department of Justice announced that it would exempt the National Crime Information Center (NCIC) from data quality standards in the Privacy Act.[2832] The NCIC contains 39 million criminal records, and is used by over 80,000 law enforcement agencies. The change was strongly opposed by a broad coalition of organizations and individuals across the United States.[2833] A report from the General Accounting Office, released in July 2003, found uneven compliance with Privacy Act requirements.[2834] The GAO report stated that agency officials:
[I]dentified barriers to improved compliance that include a need for more OMB leadership and guidance on the Act, low agency priority given to implementing the Act, and insufficient training on the Act. In the absence of consistent compliance with the Privacy Act, the government cannot adequately assure the public that all legislated individual privacy rights are being protected.
There is no independent privacy oversight agency in the United States. The Office of Management and Budget plays a limited role in setting policy for federal agencies under the Privacy Act, but it has not been particularly active or effective. In 1999 a Chief Counselor for Privacy was appointed within the Office of Management and Budget to coordinate federal stances towards privacy. The Counselor had only a limited advisory capacity. The new Bush Administration has eliminated this position.
The Federal Trade Commission (FTC) has oversight and enforcement powers for the laws protecting children's online privacy, consumer credit information and fair trading practices but has no general authority to enforce privacy rights.[2835] The FTC has received thousands of complaints but has issued opinions in only a few cases. It has also organized a series of workshops[2836] and surveys, which have found that industry protection of privacy on the Internet is poor, but the FTC had long said that the industry should have more time to make self-regulation work. In a shift from this position, in June 2000, the FTC recommended in a report to the United States Congress that legislation is necessary to protect consumer privacy on the Internet due to the dismal findings in a survey of online privacy policies.[2837] Since issuing that report, the new Chairman of the Commission appointed by President Bush has recommended that more study is necessary before legislation is passed to protect Internet Privacy.[2838] However, the agency has sought additional powers to pursue cross-border fraud, much of which involves privacy-invasive telemarketing or spam.[2839]
In recent years, the FTC has focused on enforcing existing law in the areas of telemarketing, spam, pretexting, and children's privacy.[2840] In January 2002, the FTC proposed changed to the Telemarketing Sales Rule to tighten use of individuals' account numbers, and to create a national do-not-call list for individuals who wish to opt-out of telemarketing.[2841] Enrollment began in June 2003. At the time of publication, more than twenty-three million individuals have registered for the FTC Do Not Call list.
The FTC's actions under federal "unfair and deceptive" practices law essentially have created a "common law" of privacy in the country. Thus, when the agency brings suit against a company for certain privacy-invasive practices, it can have industry-wide effect. Recent cases against pharmaceutical giant Eli Lily,[2842] Microsoft Passport,[2843] and American Student List[2844] have improved privacy protections nationwide. The American Student List case, in particular, is likely to change many common industry practices.[2845] That case stands for the proposition that federal law is violated where companies conceal or omit material secondary uses of personal information, a common practice of many private-sector profilers.
The United States has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information.[2846] These include financial records,[2847] health information,[2848] credit reports,[2849] video rentals,[2850] cable television,[2851] children's (under age thirteen) online activities,[2852] educational records,[2853] motor vehicle registrations,[2854] and telemarketing.[2855] The end of 1999 brought increased scrutiny on financial privacy. In 1999, the Michigan Attorney General sued several banks for revealing that they were selling information about their customers to marketers. Other banks across the country subsequently admitted that they were also selling customer records. The Gramm-Leach-Bliley Act, which eliminated traditional ownership barriers between different financial institutions such as banks, securities firms and insurance companies, set weak protections on financial information that is likely to be shared among merged institutions. In spite of the low level of protections conferred, the effective date of the privacy provisions were pushed back from November 2000 until July 2001. The law allows information sharing amongst affiliates, but offers individuals a limited opt-out for information sharing among non-affiliates. Consumer privacy was improved under the law when the FTC determined that the Social Security Number qualified as non-public personal information, thus subject to the notice and opt-out requirements in certain contexts. The data industry has been unsuccessful in challenging this determination.[2856]
The year 2000 also saw the sole federal law governing information use online go into effect. The Children's Online Privacy Protection Act (COPPA), passed by Congress in 1998 and requiring parental consent before information is collected from children under the age of thirteen, went into effect in April 2000.[2857] Protections for medical records were finally introduced in the United States in 2001. In October 1999, the Department of Health and Human Services issued draft regulations protecting medical privacy. The final rules were issued on December 20, 2000 and went into effect in April 2001. The large number of exemptions provided limits the protection offered by the new rules. Doctors, hospitals, and health services companies will be able to send targeted health information and product promotions to individual patients and there is no opt-out right to limit this marketing use of medical data.[2858] There is also a variety of sectoral legislation on the state level that may give additional protections to citizens of individual states.[2859] The tort of privacy was first adopted in 1905 and all but two of the 50 states recognize a civil right of action for invasion of privacy in their laws.[2860]
In April 2003, the first federal regulation protecting individually identifiable health information became effective for enforcement. The Standards for Privacy of Individually Identifiable Health Information, commonly known as the "HIPAA Privacy Rule," provide basic protections for individually identifiable health information and give individuals rights with respect to the information about them. The Privacy Rule is permissive in nature because it permits several types of disclosures but requires only disclosures to the individual or his personal representative and to the Secretary of Health and Human Services for the purpose of enforcement. The Privacy Rule allows state laws to remain in place where state law provisions provide greater protection. State laws deal with health information in areas such as access to medical records, regulation of licenses for medical professionals and organizations, regulations for entitlement programs, mental health records, records related to conditions such as HIV/AIDS, and reproductive rights.[2861] The federal Privacy Rule contains civil penalties for non-compliance and will be enforced by the Office for Civil Rights within the Department of Health and Human Services. The Rule also contains criminal penalties for malicious misappropriation and misuse of health information, which will be enforced by the Department of Justice.
As the mapping of the human genome has been completed, the use of genetic testing information became an area of particular concern. In response to this concern, the Senate is considering the Genetics Nondiscrimination Act of 2003[2862] in May 2003. The bill would prohibit health insurance plans from denying enrollment or charging premiums on the basis of an individual's or family members' genetic information. It also prohibits health insurers from basing premiums of a group health plan on the basis of genetic information of plan members or their families. The bill prohibits disclosures or collection (requesting, requiring or purchasing) of genetic information for underwriting purposes. In addition, it prohibits the use of genetic information in employment decisions and applies the same procedures and remedies as apply to other forms of employment discrimination.[2863] Following the model of the HIPAA Privacy Rule, the Genetic Nondiscrimination Act provides basic protections for genetic information while permitting greater protection under other federal and state measures.[2864]
There has been significant debate in the United States in recent years about the development of privacy laws covering the private sector. The White House and the private sector maintain that self-regulation is sufficient and that no new laws should be enacted except for a limited measure on medical and genetic information. There have been many efforts in Congress to improve privacy. Since January 2001, there have been well over 200 bills introduced in the House and Senate.[2865]
There is also substantial activity in the states. In recent years, Massachusetts and Hawaii have considered comprehensive privacy bills for the private sector. California passed a Social Security Number bill that will prevent the printing of the identifier on forms, invoices, and identification badges. The bill also gives individuals greater power to control their credit report once fraud is suspected.[2866] California also passed a Database Protection Law[2867] that requires notice to individuals when their personal information was accessed as a result of a security breach or accident.[2868] Minnesota enacted a bill that requires Internet Service Providers to give notice and obtain user authorization before using personal information for secondary purposes.[2869] In a statewide referendum, North Dakota residents established opt-in protections for financial information.[2870] Additionally, Georgia enacted a privacy law that prohibits private businesses from discarding documents or computer components that contain personal information.[2871]
Internet privacy has remained the hottest issue of the past few years. Several profitable companies, including eBay.com, Amazon.com, drkoop.com, and Yahoo.com have either changed users' privacy settings or have changed privacy policies to the detriment of users.[2872] A series of companies, including Intel and Microsoft, were discovered to have released products that secretly track the activities of Internet users.[2873] Users have filed several lawsuits under the wiretap and computer crime laws. In several cases, TRUSTe, an industry-sponsored self-regulation watchdog group ruled that the practices did not violate its privacy seal program. Significant controversy arose around online profiling, the practice of advertising companies to track Internet users and compile dossiers on them in order to target banner advertisements. The largest of these advertisers, DoubleClick, ignited widespread public outrage when it began attaching personal information from a marketing firm it purchased to the estimated 100 million previously anonymous profiles it had collected.[2874] The company backed down due to public opposition, a dramatic fall in its stock price and investigations from the FTC and several state attorneys general. In July 2000 the Federal Trade Commission reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only the opt-out consent.[2875] In January 2001, the FTC dropped its investigation of DoubleClick. However, several private lawsuits were filed against DoubleClick. In January 2001, DoubleClick closed its online profiling division, and in May 2002, privacy class actions suits against the company were settled that resulted in little or no benefit to Internet users.[2876] Intel announced in May 2000 that it was dropping the incorporation of unique identifiers in its next-generation computer processors following a consumer boycott.[2877]
Several industry spokespeople, including Intel's Chairman Andrew Grove, have been supportive of federal Internet privacy legislation in order to stave off the states' recent efforts to enact such protections on their own.[2878]
The United States Department of Commerce and the European Commission in June 2000 announced that they had reached an agreement on the Safe Harbor negotiations that would allow United States companies to continue to receive personal data from Europe. The European Parliament adopted a resolution in early July seeking greater privacy protections from the arrangement.[2879] The Commission announced that it was going to continue with the agreement without changes. Over three hundred and fifty companies have joined the Safe Harbor.[2880]
Surveillance of wire, oral and electronic communications for criminal investigations is governed by the Omnibus Safe Streets and Crime Control Act of 1968 and the Electronic Communications Privacy Act of 1986 ("Title III").[2881] Police are required to obtain a court order based on several legal requirements before capturing the content of a communication. Surveillance for national security purposes is governed by the Foreign Intelligence Surveillance Act (FISA) that has less rigorous requirements.[2882] The number of FISA orders reached an all-time high in 2002, with 1,228 applications presented to, and approved by, the secret FISA Court.[2883]
The use of electronic surveillance under Title III has more than tripled in the last ten years. In 2002, a total of 1,358 federal and state wiretaps were completed. The vast majority of the wiretaps were authorized for narcotics investigations. Seventy-seven percent of wiretaps were directed at portable devices such as cellular phones and pagers. Law enforcement encountered encryption in 18 of the wiretaps, however, police were able to access the plaintext of the communications in all cases.[2884] The question of police decryption methods has recently been raised in the case of United States v Nicodemo Scarfo. In this case, the FBI surreptitiously installed a key logger device on the defendant's computer in order to capture his Pretty Good Privacy encryption passphrase. The defense successfully argued before a federal court in New Jersey that it should be granted access to the details of the key logger technique, in order to determine the legality of the search. The judge directed the government to produce a report "detailing how the key logger device functions" by August 31, 2001.[2885] In December 2001, the judge upheld the legality of the key logger device, and ruled that further exposure of its workings "would cause identifiable damage to the national security of the United States."[2886]
In December 2001, the FBI confirmed the existence of a technique called "Magic Lantern."[2887] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet; rather than require physical access to the computer as is now the case. Controversy arose surrounding this announcement, as anti-virus companies argued that they could not leave a hole in their protection software to allow for Magic Lantern's surreptitious placement on computers. Doing so, they argued, would create a conflict of interests. Moreover if each country's law enforcement agency developed a similar form of virus, each virus would have to be excluded from anti-virus companies' products: translating the purpose of the software, and affecting consumer trust.
The federal wiretap laws were amended by the Communications Assistance to Law Enforcement Act in 1994 that required telephone companies to redesign their equipment to facilitate electronic surveillance.[2888] The Federal Communications Commission issued regulations in November 1998 implementing the law.[2889] The regulations include several additional provisions including requiring that all mobile phone companies facilitate location tracking of users. Privacy groups challenged the implementation of the law in federal court and telecommunications companies, who argued that the regulations give the government more power than authorized under the law and the Constitution.[2890] In August 2000, the United States Court of Appeals for the District of Columbia Circuit ruled that law enforcement agencies must meet the highest legal standard before using these new surveillance capabilities.
The intelligence agencies have also pushed for more authority and funding to conduct surveillance of Internet communications, arguing that this is necessary to protect the nation's infrastructure from "information warfare." In July 2000, it was revealed that the FBI had developed a system called "Carnivore" that is placed at an ISP's offices and can monitor all traffic about a user including e-mail and browsing.[2891] Earthlink, a major ISP, announced that it refused to install the system in its network.[2892] After the system was discovered, Attorney General Reno promised to conduct a review of its privacy protections.[2893] In the fall of 2000, the Justice Department commissioned a team of experts at the Illinois Institute of Technology Research Institute (IITRI) and the Illinois Institute of Technology Chicago-Kent College of Law to undertake an independent review of the carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system.[2894] These recommendations have not yet been implemented by the Justice Department and the system remains in use today. In May 2002, EPIC obtained Freedom of Information Act (FOIA) documents on Carnivore that indicated that the program may have hindered the government's anti-terrorism investigation by overcollecting data in violation of wiretapping laws.[2895]
The USA PATRIOT Act, which passed in the wake of the September 11, 2001 attacks, significantly weakened privacy protections in federal wiretapping statutes.[2896] The Act extended the "pen register" portions of federal wiretapping law, allowing Carnivore to be used to collect traffic data based on a mere certification of a prosecutor that it would collect information relevant to an ongoing investigation.[2897] The bill made computer crimes and terrorism predicate offenses for initiation of a federal wiretap.[2898] The bill authorizes national application of a wiretap order, that is, a court in one jurisdiction can issue a warrant that could apply anywhere in the country.[2899] Courts can issue roving wiretaps, giving law enforcement the ability to monitor many different devices that a suspect may use.[2900] Although supporters of the USA PATRIOT Act claimed that a sunset provision in the bill would limit police power, only some of the new surveillance authority will expire. Also, several states followed suit by passing state legislation that loosens protections against wiretaps.[2901]
Following the USA PATRIOT Act, Congress further weakened privacy protections against wiretapping in passing the Cyber Security Enhancement Act (CSEA).[2902] The CSEA allows communications providers to voluntarily provide government agents with access to the contents of customer communications without consent based on a "good faith" belief that an emergency justifies the release. The same section grants law enforcement the power to install pen register and trap and trace devices without a court order where there is an ongoing attack on a "protected computer." Any computer involved in interstate commerce or communications qualifies as a "protected computer." Further, the law introduces fines and twenty-year prison terms for offenders who recklessly cause or attempt to cause serious bodily injury.
The government established an official Department of Homeland Security (DHS) in 2002, combining twenty-two agencies and an estimated USD38 billion budget.[2903] This cabinet level agency will have increased law enforcement and information sharing powers but more limited open government responsibilities. For instance, the legislation allows the department to share intelligence and grand jury information with state and local authorities, but broadly exempts "critical infrastructure information" submitted to the agency from the open government laws.
Limited privacy protections were included in the legislation creating the DHS. The legislation created a civil rights officer and a separate privacy officer charged with the responsibility of compliance with the Privacy Act, with formulating privacy impact assessments for rules proposed by the Department, and with preparing an annual report to Congress. Other portions of the bill prohibit the government from creating a citizen snitch program called the "Terrorism Information Prevention System." The department is statutorily barred from developing a national identification system or card.
The past year has seen a new trend towards the increased use of video surveillance cameras linked with facial recognition software in public places.[2904] This kind of technology was first used at the 2001 Super Bowl in Tampa, Florida to compare the faces of attendees to faces in a database of mug shots. Public usage of the technology then spread to the Ybor City district of Tampa, where the technology encountered much public opposition. In August 2001, the Tampa City Council held a vote on whether they should terminate their contract with Visionics, but they narrowly decided to keep using the software. Virginia Beach, Virginia, received funding in 2001 from the Virginia Department of Criminal Justice Services to install a system that can scan and process the facial images of tourists visiting the town. Face recognition technology is still not reliable and remains unregulated by US laws. Studies sponsored by the Defense Department have also shown the system is right only 54 percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors.[2905] Tests on the face recognition systems in operation at Palm Beach Airport in Florida, and Boston Logan Airport have also shown the technology to be ineffective and error-ridden.[2906]
There have been several proposals to create a National ID in the wake of the September terrorist attacks.[2907] Most of these efforts have sought the creation of a national identification system through the standardization of state driver's licenses.[2908] There are also more limited attempts to create national identification systems through "enhanced visa" documents and "trusted traveler" programs.
In 2002, the government initiated several privacy-invasive programs as a result of the September 11, 2001 attacks. Among these are the United States Visitor and Immigrant Status Indicator Technology program (US VISIT)[2909] system, which requires visitors to the country to submit a biometric identifier to the government. Certain countries will be exempt from the requirement, if their citizens already possess a government-issued identification card with biometric identifiers. Additionally, immigration authorities, in conjunction with several other federal agencies, are currently in the initial stages of implementing the Student and Exchange Visitor Information System (SEVIS). SEVIS is an Internet-based system that allows schools to transmit student information to the government for purposes of tracking and monitoring non-immigrant and exchange students. Accessible information includes a student's personally identifiable information, admission at port of entry, academic information, such as changes in program of study, and disciplinary information. Schools will be required to transmit such information to the Bureau of Citizenship and Immigration Services (BCIS, formerly the Immigration and Naturalization Service) for the duration of a student's stay in the United States. The USA PATRIOT Act required that SEVIS be fully implemented by January 1, 2003.
Total Information Awareness (TIA) and the Enhanced Computer-Assisted Passenger Profiling System (CAPPS-II) represent some of the greatest post-September 11, 2001 risks to civil liberties and privacy. TIA is a program of the Defense Advanced Research Projects Agency (DARPA) that intends to scan ultra-large databases of personal information to detect the "information signature" of terrorists. The program is headed by Admiral John Poindexter, and has been renamed "Terrorism Information Awareness" to pacify critics.[2910] Congress acted to limit the project in February 2003 by requiring DARPA to submit a detailed report on TIA. At the time of publication, the Congress is considering more substantial limitations on TIA. The House of Representatives has specified that TIA cannot be deployed against US Citizens without prior Congressional approval.[2911] The Senate has suspended all funding for the program. Recent news reports indicate that John Poindexter will soon resign.[2912]
CAPPS-II aims to conduct background risk assessments on all air travelers before they fly on commercial airliners. The profiling system will rely on experimental data-mining technology to sift through data from various commercial and government databases, assigning different "risk scores" to passengers. Based on these scores, passengers will either be denied boarding, subjected to a more intrusive physical search, or passed through normal screening. Civil libertarians have noted that CAPPS-II may be scaled to other settings in the future, such as train stations, bus stations, or even the entrances of public buildings.[2913] In July 2003, the Department of Homeland Security indicated that there would be further revisions to the CAPPS program.[2914]
The Foreign Intelligence Surveillance Court of Review (FISCR) convened for its first controversy in 2002, and broadly expanded the Department of Justice (DOJ)'s surveillance authority under FISA. The Court held that the Department of Justice could use looser foreign intelligence standards to conduct criminal investigations in the United States. In doing so, the Court of Review reversed a unanimous lower opinion that revealed a pattern of FBI misrepresentations and cast serious doubt on the veracity and accuracy of claims made by the DOJ and the FBI in support of requests for approval of national security and anti-terrorism surveillance. The lower court found that DOJ and FBI officials had submitted erroneous information in more than seventy-five applications for search warrants and wiretaps and had improperly shared intelligence information with agents and prosecutors handling criminal cases on at least four occasions.[2915]
As a result of these problems, the court refused to give DOJ the broad new surveillance powers it sought to employ after the September 11 terrorist attacks. Nevertheless, the Court of Review reversed the earlier decision, and permitted the government to remove the separation that has long existed between officials conducting surveillance on suspected foreign agents and criminal prosecutors investigating crimes.[2916]
In July 2003, the Department of Housing and Urban Development announced guidelines for "Homeless Management Information Systems" (HMIS).[2917] HMIS was created in order to track homeless populations in order to deliver more efficient services. However, the system as proposed by HUD is unnecessarily privacy invasive, and requires the homeless to give their name, SSN, date of birth, medical information, benefits information, and a history of services rendered to them. HMIS, if adopted as proposed, will enable law enforcement and national security interests to obtained detailed information on the homeless with ease.
The Freedom of Information Act (FOIA) was enacted in 1966 and has been amended several times.[2918] It allows for access to federal government records by any requestor, except those held by the courts or the White House. However, there are numerous exceptions, long delays at many agencies, and little oversight unless a requestor files a lawsuit to enforce its rights. It was amended in 1996 by the Electronic Freedom of Information Act to specifically provide access to records in electronic form.[2919] Most recently, the Congress enacted a "critical infrastructure information" (CII) exemption to the FOIA for the newly-formed DHS. This exemption would shield information voluntarily provided to the government by private entities on security information from the FOIA.[2920] Once disclosed to the government, CII could not be used against the company in civil litigation, and government agents who disclose the information would be subject to criminal penalties and fines. Since the creation of this loophole for the DHS, other agencies have sought similar exemptions from the FOIA. There are also laws in all states on providing access to government records.[2921]