Privacy and Human Rights 2003: Threats to Privacy

Beyond September 11, 2001

It may take some years to fully evaluate the effects of September 11, 2001 on privacy and civil liberties. Shortly after the events of that day, previous proposals were re-introduced, and new policies with similar objectives were drafted to extend police surveillance authority. Two years on, the political landscape has shifted significantly in many, if not most, countries.

The policy changes were not limited to the United States, as a large number of countries responded to the threat of terrorism. With terrorist actions around the world, including in Bali, Russia, Morocco, and Saudi Arabia, governments have seized on these events as opportunities to create and enhance their powers. The country reports in this survey outline, in more detail, the many legislative shifts that took place around the world. Terrorism politics is truly global.

The changes in anti-terrorism laws are not the only policy transformations in response to terrorism. The mere threat of terrorism has changed political discourse. In some cases, the war on terrorism has given new life to previously failed proposals such as ID cards in the United Kingdom; only recently has the UK government returned to the rhetoric of terrorism to shore up support for the cards, while previously fraud and asylum seekers were used.[63] When terrorism was not part of the government's official rhetoric, supporting members of parliament and the media continued to associate ID cards with strategies to combat terrorism.

In some cases, policies have been adopted from other countries with little consideration to the variances in political dynamics. Hong Kong attempted to harmonize its laws on sedition with mainland China, requiring a standardization of criminalised groups. Malaysia decided against repealing its Internal Security Act 1960 involving detention.[64]

In other cases, the mere increase of state power is immediately associated with the war on terrorism, whether by requiring the removal of veils for driver's license photos,[65] secret seizure of packages from the media,[66] clamping down on train-spotters and -photographers,[67] chasing down opposition parties,[68] the equation of terrorism to separatism[69] and its implications,[70] or suppressing dissent,[71] amongst others. Canada is attempting to create a travelers' database for anti-terrorism purposes, and other crimes; the United Kingdom managed to pass data retention laws in the legislative environment of the aftermath of September 2001; while retained data could be accessed, under another law, for practically any crime. In the US, concerns have arisen regarding the use of counter-terrorism powers to seize funds from foreign banks that do business in the US for investigations that are unrelated to terrorism.[72]

In other situations, these laws may be passed and used to suppress dissent. In Italy, the Interior Minister warned of a growing climate of 'widespread political illegality' and mixed together Islamic terrorist groups, endogenous leftwing armed groups, anarchist insurrectionaries, and right wing groups as a common threat.[73] Moldova's bill to fight extremism coincides with the government's intention to minimize dissent as it allows the banning of political parties, public and religious associations, and media outlets if they promote violent overthrow of the country's territorial integrity, undermining state power, or setting up illegal armed organizations.[74] Georgia's bill, drafted in consultation with European colleagues according to a state security ministry official,[75] provides for restricting or suspending the activities of organizations that receive foreign funding and whose activities "threaten Georgia's national interests," but fails to define those interests.[76]

While the legal landscape is shifting and affecting many components of human rights, and not only privacy, in many cases these policies are founded upon its curtailment.

In the Immediate Aftermath

The immediate period after September 2001 was a time of fear, flux and uncertainty. The United Nations responded with Resolution 1368 calling on increased cooperation between countries to prevent and suppress terrorism.[77] NATO invoked Article 5, claiming an attack on any NATO member country is an attack on all of NATO; legislatures responded accordingly. The Council of Europe condemned the attacks, called for solidarity, and also called for increased cooperation in criminal matters.[78] Later the Council of Europe Parliamentary Assembly called on countries to ratify conventions combating terrorism, lift any reservations in these agreements, and extend the mandate of police working groups to include "terrorist messages and the decoding thereof."[79] The European Union responded similarly, pushing for a European arrest warrant, common legislative frameworks for terrorism, increasing intelligence and police cooperation, freezing assets and ensuring passage of the Money Laundering Directive.[80] The OECD furthered its support for the Financial Action Task Force on Money Laundering and, along with the G-7[81] and the European Commission, called for the extension of its mandate to combat terrorist financing.[82] These calls for international cooperation were perceived by many as impetus to create new laws.

The European Commission considered requiring every member state of the European Union to make cyber-attacks punishable as a terrorist offence. New Zealand minimized public consultation on a proposed law to freeze the financial assets of suspected terrorists because the government felt it was bound by United Nations Security Council resolutions. France expanded police powers to search private property without warrants. Germany reduced authorization restraints on interception of communications, and increased data sharing between law enforcement and national security agencies.

Australia and Canada both introduced laws to redefine terrorist activity and to grant powers of surveillance to national security agencies (ASIO and CSIS respectively) for domestic purposes if terrorist activity or a terrorist affiliation is suspected. India passed a law to allow authorities to detain suspects without trial, conduct increased wiretapping, and seize funds and property. The United Kingdom passed a law permitting the retention of data for law enforcement purposes in contravention of existing data protection rules. The United States passed several laws, including the USA-PATRIOT Act, which increases surveillance powers and minimizes oversight and due process requirements.

Within this deluge of new policy proposals in the immediate period after September 2001, several trends may be identified.

Increased Communications Surveillance and Search and Seizure Powers

Almost every country that changed its laws to reflect the environment following September 2001 increased the ability of law enforcement and national security agencies to perform interception of communications, transformed the powers of search and seizure, and increased the types of data that can be accessed.

The novelty in these initiatives tends to arise in the reduced authorization requirements and oversight. This included initiatives to weaken due process requirements; as occurred in Canada where the first anti-terrorism bill proposed that law enforcement agencies would no longer be required to justify the need for the wiretap. That is, in existing law, the judge authorizing the interception would need to be satisfied that "other investigative procedures have been tried and have failed, other investigative procedures are unlikely to succeed or the urgency of the matter is such that it would be impractical to carry out the investigation of the offence using only other investigative procedures."[83] In the law, an exception is established for all offences that fall under the broad category of "terrorist activity." Other parts of the law allow for interception authorization by the Minister of Defense instead of requiring judicial authorization.

There is also a general increase in the breadth of application of these powers, by incorporating and including new technologies and communications infrastructures, permitting additional government agencies to use these powers, and formalizing roving powers. The USA-PATRIOT Act codified the use of Carnivore-style Internet surveillance technology, granting access to sensitive traffic data with only a court order rather than a judicial warrant. Moreover, the reporting regime in the United States was weakened with amendments to the Foreign Intelligence Surveillance Act so that fewer warrants would have to be requested and reported because the expiration time period was increased, and 'generic' orders could be requested allowing one warrant to be served on multiple service providers.

Attempts to differentiate the authorization and oversight requirements based on the communications technology also occurred. The Australian government proposed in its Telecommunications Interception Legislation Amendment Bill 2002 to grant powers to intercept and read e-mail, SMS and voice mail messages without a warrant because these communications were considered access to 'stored' data rather than 'intercepted' in real-time. This proposed act was rejected in the Senate in June 2002;[84] however, the Government claims that it "remains of the view that the approach adopted in the bill with respect to stored information is appropriate. However, to avoid holding up this important package of legislation, the government has agreed to remove these provisions from the bill and to deal with the issue at a later date."[85] This did not stop a significant increase in interceptions in Australia, however. According to parliamentary findings, in the past year there were 17,000 mail investigations, 2514 wiretaps, and access to 733,000 telephone bills; a remarkable increase from previous years.[86]

Weakening of Data Protection Regimes

In 2000, the United Kingdom proposed a policy to require the retention of communications traffic data for up to 7 years by a central government authority.[87] While the proposal faced significant resistance in the public discourse at that time, in December 2001 a similar policy was introduced and passed under the United Kingdom's anti-terrorism law in response to the events of September 2001. The new European Union directive on data protection in electronic services also supports the creation of such data retention laws within the European community and is consistent with international pressure to weaken data protection. In October 2001, President Bush sent a letter to the President of the European Commission requesting that the European Union "[c]onsider data protection issues in the context of law enforcement and counterterrorism imperatives," and as a result to "[r]evise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period."[88] Building from previously articulated concerns that "[d]ata protection procedures in the sharing of law enforcement information must be formulated in ways that do not undercut international cooperation,"[89] the United States Department of Justice submitted several recommendations to the European Commission working group on cybercrime, including the recommendation that

Any data protection regime should strike an appropriate balance between the protection of personal privacy, the legitimate needs of service providers to secure their networks and prevent fraud, and the promotion of public safety.[90]

This perspective was reiterated in May 2002, this time by the Group of 8 Justice and Interior Ministers, requesting that countries

Ensure data protection legislation, as implemented, takes into account public safety and other social values, in particular by allowing retention and preservation of data important for network security requirements or law enforcement investigations or prosecutions, and particularly with respect to the Internet and other emerging technologies.[91]

Individuals and citizens are at the same time losing subject access rights under data protection and freedom of information regimes. In the interests of critical infrastructure protection, access to information is being reduced, limiting government accountability. Meanwhile, in order to protect sensitive investigative and intelligence data, subject access requests are restricted as some data banks are being exempted from both data protection and freedom of information laws.

Increased Data Sharing

Several policies were introduced to enable and promote increased data sharing, both within and across government agencies, and with the private sector. The sharing of data between agencies introduces purpose-creep, where data collected for one purpose is used for another, but also introduces highly sensitive data to arms of government that cannot be expected to protect the data adequately.

There are significant shifts in the policies and practices in the United States with changes to the Attorney General Guidelines regulating the actions and capabilities of the Department of Justice and FBI, increased sharing of information between the FBI and CIA supported by the USA-PATRIOT Act, and proposed policies to increase sharing with local law enforcement agencies. The United States is not alone in introducing such policies. The United Kingdom is proposing "joined-up government" within its consultation paper on modernizing government and public services[92] to create "data-sharing gateways" and provide "seamless" services. It also tried unsuccessfully to allow practically any government agency to gain access to the traffic data of individuals under the Regulation of Investigatory Powers Act, including local councils and parishes.[93]

The increased flow of data is also coming from the private sector. The United Kingdom and Canada proposed laws to grant law enforcement agencies access to travelers' information. The United Kingdom Home Office has recommended that it gain access to information from every passenger before international flights.[94] The Canadian policy proposed to grant both the federal law enforcement and the intelligence agencies access to air passenger information, regardless of domestic or international travel, and to match this data with other personal information[95] for a wide number of purposes and investigations, not limited only to terrorism.[96]

Similarly, the European Union considered granting Europol access to the Schengen Information System, including privileges to change the information held on travelers.[97] Data sharing between financial institutions and with government agencies also increased. New money laundering agreements and regulations have been introduced to increase surveillance of transactions, and even expanded to include hedge funds and money transfer firms.[98] Donations to charities are receiving further scrutiny as both the charities and the donors are monitored to investigate links with terrorist groups.[99] Some financial institutions are also sharing personal information between themselves in order to minimize risk of clients being terrorists, or "undesirables."[100]

Increased Profiling and Identification

Following from data sharing, there are several proposals to create profiles or increase the existing profiles of individuals. This occurs in several stages; the most immediate appears to be the profile of travelers. There are proposals for a next generation computer-assisted passenger prescreening system that will bring in data from credit-reporting agencies and other companies,[101] and even previous flights and registries, set for data mining.[102] Other proposals include trusted-traveler programs involving biometrics in both the United States and Germany,[103] similar to schemes used at Ben Gurion Airport in Tel Aviv.[104] Some airports have also installed face-recognition technologies, while similar technologies are being implemented at national monuments, and even beaches.

In the longer term there are several proposals to increase profiling of citizens and non-citizens. These proposals are typically enhanced and complemented by national identification schemes, enhanced with biometrics. There was considerable discussion in the United States about introducing such a national ID card scheme but no formal policy was introduced. Meanwhile non-citizens may already be tracked at border entry points and as they move within the country. A system called the Student and Exchange Visitor Information System keeps track of foreign students to ensure that they are still registered and maintains a log of their addresses.

The United Kingdom proposed the adoption of entitlement cards in an effort to deal with immigration and illegal work and identity theft, but also supported by the fight against terrorism. Similarly, Hong Kong planned to introduce a biometric chip identity card to verify fingerprints to authenticate travelers into China.

None of the above trends were necessarily new; the novelty is the speed with which these policies gained acceptance and, in many cases, became law in the period following September 2001.

The Current Landscape in the United States

New policies to combat terrorism continue to emerge. The United States continues to lead with new policies, technologies, and practices. The importance of the US policies is that they tend to influence policies and citizens of other countries. By September 2002, the Office of Management and Budget counted fifty-eight new regulations responding to terrorism;[105] by March 2003 the General Accounting Office counted nine new National Strategies;[106] there have been innumerable laws passed at the federal and state levels;[107] countless changes in administrative measures, including the Attorney General Investigative Guidelines; and some attention has been given to policies and projects from various departments, not limited to the Terrorism Information Awareness Program (TIA) and Computer Assisted Passenger Prescreening (commonly referred to as CAPPS II). Some of these are covered in more detail below.

The management of US borders continues to receive policy attention. There are increased interviews of visa applicants, requirements for machine-readable passports from other countries, and plans to track foreign visitors by collecting information such as fingerprints and photos. The Transportation Security Administration's CAPPS II system, which would profile travelers, is still being developed to use "dynamic intelligence information to select passengers for enhanced screening" authenticated from "publicly and commercially available databases" to "run against terrorist or other appropriate federal government systems, an aggregate numerical threat score will be generated," in less than five seconds.[108] In March 2003 a Committee amendment was passed requiring a report within 90 days on the potential impact of CAPPS II on privacy and civil liberties.

Meanwhile, US Customs officials have been meeting with EU officials regarding the transfer of and access to passenger personal data, as required under the Aviation and Transportation Security Act 2001. The EU's Article 29 working group on data protection noted several problems with the proposed data sharing, including the retention time (the proposed period of 7-8 years was considered unjustified) and an excessive amount of data being requested.[109]

Several other programs for data sharing and data mining exist, including the Terrorism Information Awareness Program, renamed in May 2003 from Total Information Awareness. This program is developed within the Pentagon Information Awareness Office, to "imagine, develop, apply, integrate, demonstrate and transition information technologies, components, and prototype closed-loop information systems that will counter asymmetric threats by achieving total information awareness useful for preemption, national security warning, and national security decision making."[110]

Further data collection measures that were controversial in 2003 included the registration of immigrants and fingerprinting. The National Security Entry-Exit Registration System (NSEERS) involved the registration of nearly 82,000 male immigrants and visitors from predominantly Muslim countries, leading to possibly 13,000 deportations.[111] The information will be stored in a secure government database along with travel data and photos, and will be matched against other data held on potential terrorists.[112] Officials have admitted, according to the New York Times, that only eleven individuals have been identified to have links to terrorism.[113] Another system, the Student and Exchange Visitor Information System (SEVIS), to track the nearly one million foreign students in the US, has also been problematic due to poor technology and limited resources.[114]

There have also been several developments in surveillance law. The use of the USA-PATRIOT Act has been questioned and reported upon in the past year. There have been attempts at extending its contentious measures that are supposed to sunset at the end of 2005.[115] Finally, in February 2003 a draft bill was uncovered, entitled the Domestic Security Enhancement Act of 2003, that contains several new powers including the ability to strip citizenship, wiretaps without court orders, secret detentions, limits on the challenging of secret evidence, increased use of DNA without court orders and consent, increased data sharing, and increased international cooperation in search and seizure and extradition.

The Extenuating Developments in the International Landscape

Other countries have found novel means of implementing invasive policies and practices. The global legal landscape is fragmented. In some countries there are no specific terrorism laws as yet, such as in Belgium. Other countries have been very active in implementing laws.

The remarkable legal developments include laws increasing the powers of law enforcement and national security agencies to arrest and detain individuals. Australia has been the leader, outside of the US. In 2002, the Australian Parliament considered at least eight bills on terrorism. The most controversial has been the Australian Security Intelligence Organisation Legislation Amendment (Terrorism) Bill 2002. An earlier version of the bill gave rise to a 27-hour debate that had to be shut down by the Prime Minister in the fall of 2002.[116] Reintroduced in late 2002 and debated intensely in 2003, it was passed in June 2003. The law allows for warrants to detain citizens eighteen years of age and older for seven days if it is believed that the citizen has information that may be useful to combat terrorism; while citizens from age sixteen may be detained if they are suspected of terrorist activity. Interrogation may occur for three eight-hour periods. The warrants may be applied successively, with no limit.

Earlier drafts of the bill gave rise to significant concern from the opposition and civil society; many of these concerns continue unabated. The Australian law society has articulated concerns regarding limitations on the right against self-incrimination.[117] The opposition parties prevented the application of the law to citizens aged fourteen to sixteen. Meanwhile amendments to limit the successive application for warrants were voted down. The law does include a three-year sunset provision.

Similar laws on detention have arisen elsewhere. Colombia is proposing to amend its constitution to give police forces the power to make arrests, conduct searches without warrants, and detain individuals for 36 hours without judicial authorization. The Senate has already approved this proposal, while the House of Representatives is expected to do so at the end of July.[118] Canada's antiterrorism law, enacted in December 2001, allowed for preventative arrests without warrant and investigative hearings. Since then, the Solicitor General of Canada has released a report noting that the detention power has not been used,[119] nor have investigative hearings been convened.[120]

Egypt extended its emergency laws for another three years allowing for similar powers of detention. Egypt has been applying the extension continuously since 1981.[121] The US Department of State has expressed concerns regarding these powers, as the Egyptian government applies emergency courts for cases not linked to national security, while also referring civilians to military tribunals for non-violent offences.[122]

In the period following the bombings in Bali, the Indonesian government decreed to the law enforcement agencies the power to detain individuals without evidence.[123] This power evolved into law in March 2003 where individuals could be detained for six months based on prima facie evidence, while also allowing intelligence to be used as evidence, and increased abilities to conduct interception of communications, among other powers.[124] Similar to the Egyptian situation, the US Department of State has also made public its concerns regarding the application of state powers, particularly in the conviction of a political activist in June 2003.[125]

Kenya has also received some terrorist attention. Following alerts from the United Kingdom and the United States, the Kenyan government published a Suppression of Terrorism Bill in June 2003; subsequently published in full by the Daily Nation newspaper.[126] The bill provides for the power to detain any person in a place which is the subject of an urgent search permit; any police officer above the rank of inspector may detain a suspect incommunicado for up to thirty-six hours without access to a lawyer; while also granting immunity to the police for application of "reasonable force."[127] In broadening those who can be identified as terrorist, the bill includes any given individual who "(a) wears an item of clothing; or (b) wears, carries or displays an article, in such a way or in such circumstances as to arouse reasonable suspicion that he is a member or supporter of a declared terrorist organization shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding six months, or both."[128]

South Africa's draft bill contains similar provisions, covering the provision of food, drink and clothing to a member of a terrorist organization;[129] its definition of terrorism is broad enough to include an act "likely to intimidate the public or a segment of the public;" and the media also oppose the bill because it could compel the public and journalists to become snoops.[130]

The Philippines has also been actively confronting terrorism and devising new policies. A proposed law provides for longer periods of detention without a warrant, and the Anti-Terrorism Action Council (including eight cabinet members and the governor of the Central Bank) may authorize the interception of communications and freezing of bank accounts.[131]

There are alternative wordings for legalizing detention and other coercive powers, however. South Africa's proposed bill also proposes detention powers in its bail procedures,[132] despite promises from the government otherwise.[133] The Tanzanian bill requires "cooperation with the authorities" on the basis of perceived international commitments.[134] Sudan is applying its powers, given to a special branch to prosecute terrorism suspects, and particularly "religious extremists and armed bandits."[135]

In early 2002 some progress had been made on legal appeals regarding detention. In the United Kingdom, a Special Immigration Appeals Tribunal decided against the government's policy on detention because it was specifically targeting non-British citizens, and thus in contravention of the European Convention of Human Rights equal protection clauses. The government quickly appealed, however, and the Court of Appeals decided in October 2002 that detention is in fact lawful, provided that the detainees are a threat to national security.

More initiatives have been introduced to increase and enhance identification and enable profiling. The Philippines[136] and the United Kingdom[137] are considering ID cards in order to combat terrorism.

Canada has also been actively considering the adoption of ID cards. The reasoning behind their introduction, according to the Minister of Citizenship and Immigration, is that the US will soon require the fingerprinting of Canadians as they pass through the US-Canada border. "If you have that entry-and-exit program when you will have to be fingerprinted, you will say, 'I'm a Canadian citizen, why do you need my fingerprints and what are you going to do with it?' Well, wouldn't you like to have a debate among ourselves and say, as Canadians, we will build that the Canadian way? If we can have the technology with our own scanners, we can say we will take care of our own people with our own scanners."[138] The House of Commons select committee on Citizenship and Immigration is convening on the issue at the time of this report's publication. Meanwhile, the Canadian government has also been pursuing, under its Public Safety Bill, giving law enforcement authorities access to travel information, even within Canada. This is a separate initiative from the Canadian Customs and Revenue Agency's proposal to retain travel information for six years. Recently that proposal has been altered to purge non-customs related data after it is no longer used, and to implement access controls on the database of travel.

Australia has been actively pursuing the concept of a smart passport that includes digital photos. The government has run a trial of the SmartGate application at Sydney Airport that was heavily criticized as involving ineffective and flawed technology.[139] At the same time, the Australian government has also been pushing for an advanced passenger processing system at the Asian-Pacific Economic Cooperation forum (APEC).[140]

The New Zealand Customs Service began receiving advance passenger lists in 2003 from airlines under its Customs and Excise Act. The airlines would "feed data directly to the CS's computer system" before landing; and this information is checked for "people of interest." This system is seen as a first step to setting up an Advance Passenger Processing system that will identify problematic passengers prior to boarding flights.[141]

In the European Union, the Spanish government put forward a proposal for a Directive requiring carriers to collect and send data on all passengers at the time of boarding to law enforcement agencies in destination countries or face fines.[142]

Some legal developments pertain directly to information technology use. Cuba's law on combating terrorism includes hacking.[143] New Zealand's counter-terrorism bill could force individuals to disclose their passwords, even in non-terrorism related investigations, or face three months in jail or a fine of NZD$2000.[144] Kenya's bill includes an offence for "collection of information for terrorist purposes," i.e., a person who "collects, makes or transmits a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism; or possesses a document or record containing information of that kind shall be guilty of an offence," with a term not exceeding ten years; "transmit" includes transmission by telephone, e-mail, voicemail, or other telecommunications method, and making available on the Internet. "It is a defense for a person charged with an offence under this section to satisfy the court that he had a reasonable excuse for his action or possession."

Democratic Challenges and International Policy Making

It is increasingly difficult to identify the sources of laws, however. Several countries have introduced new laws because of a felt imperative to model changes in other countries. For example, Kenyan opposition party members accuse the United Kingdom and the United States of pressuring Kenya; and they note that the definition of terrorism in the Kenyan bill is taken from section 802 of the PATRIOT Act. This was denied by the Justice and Constitutional Affairs assistant minister Robinson Njeru Githae, as reported by the Nairobi-based newspaper, The Nation: "We have not reinvented the wheel. What we have done is to pick the best of Suppression of Terrorism Act in the Commonwealth countries and given it a Kenyan outlook."[145]

Another source of law includes international treaties. Romania's recently passed law on corruption includes components of the Council of Europe Convention on Cybercrime. Many countries are trying to ratify and implement into law the approximately twelve United Nations conventions on anti-terrorism. Governments report regularly to the United Nations Security Council committee on Resolution 1373 on their progress in adopting these conventions.[146] However, they are also adding to and interpreting these conventions. For example, New Zealand Justice Minister Phil Goff stated in April 2003 that the new Counter Terrorism Bill "was the final step in adopting the last of twelve United Nations conventions aimed at fighting terrorism... It will give police and customs officers more powers to fight terrorism, including enabling police to use tracking devices, and will allow evidence found in the investigation of one crime to be used in the prosecution of another."[147] These additional powers are not included within the standard conventions.

It is therefore important to note not only the laws in other countries, but also the activities of international governmental organizations. These organizations have been very active in developing counter-terrorism policy tools and mechanisms.

The African Union, formerly the Organization of African Unity, released a convention in August 2002 in order to promote the criminalization of terrorist acts, and extradition and mutual legal assistance regimes.[148] While this convention contains controversial concepts with respect to civil liberties, it is far from being unique considering the developments in recent years in such conventions as the Council of Europe Convention on Cybercrime.

The Asia-Pacific Economic Cooperation forum (APEC) held a summit in October 2002 in order to promote growth and fight against terrorism. An agreement emerged from the Mexico summit that aims to halt terrorist financing, and to promote cybersecurity.

More recently, the Association of Southeast Asian Nations held a summit in late June and early July of 2003. Outcomes included an agreement to obtain and share evidence amongst member countries, share bank records, cooperate in the freezing of foreign assets, and conduct searches and seizures upon request from fellow members, all with the aim of combating terrorism and cross-border crime.[149] An uncommon development, however, is the lack of agreement on extradition. Discussions have also occurred on the issue of secure identity documents.

The Group of 8 industrialized countries (G8) is the primary source of discussion on secure passports. At the May 2003 summit of Justice and Home Affairs ministers in Paris, the United Kingdom reportedly promoted computerized passports.[150] The ministers unanimously stressed the importance of developing biometric technologies with the goal of developing a common framework for biometric passports, as is being discussed by the International Civil Aviation Organization. According to reports, there was some disagreement: the French and the US differed on which form of biometrics should be promoted (the US was pushing for iris scans or 'other innovative technologies', the French were for fingerprints).[151] In the end, according to the ICAO, facial recognition was adopted at the end of May 2003.[152] Other issues addressed by ministers included critical infrastructure protection, child pornography, and enhancing financial investigations. On this last issue, the G8 ministers promoted the work of experts who "identified 29 best practice principles on tracing, freezing, seizing and confiscating crime-related assets," while admitting that "these principles and good practices are ambitious."[153]

The G8 Evian summit of heads of government met in June 2003. At this summit the G8 created the Counter-Terrorism Action Group (CTAG), which would support the UN Counter-Terrorism Committee for 'capacity building'.[154] The proposal was led by the US, with the goal to create a group that would deal with "terrorist financing, customs and immigration controls, illegal arms trafficking, police and law enforcement"; "will identify relevant international best practices, codes, and standards in combating terrorism"; "target counterterrorism assistance to priority countries"; and "work with International Financial institutions to strengthen counterterrorism financing measures."[155]

The Commonwealth Secretariat also engaged in work to promote capacity building. In 2002 the secretariat developed "Implementation Kits for International Counter-Terrorism Conventions," a form of 'do-it-yourself' manual for governments, covering all twelve multilateral treaties drawn up between 1963 and 1999 by the UN and other inter-governmental fora.[156] In September 2002, the secretariat also released "Model Legislative Provisions on Measures to Combat Terrorism" that provides for defining 'specified entities', a variety of offenses and their investigation, interception of communications and admissibility as evidence. The model provisions also establish procedures for trials, promote information sharing, ensure extradition and mutual legal assistance, empower governments to seize evidence, manage charities, outline refugee application refusals, and allow for the removal of persons.[157]

The intergovernmental policy area of financial regulations is dominated by the output of the Financial Action Task Force (FATF). In the early 1990s the FATF developed its forty recommendations on combating money laundering. In April 2002, the FATF released guidance for financial institutions for detecting terrorist financing; and conducted consultation on forty recommendations for terrorist financing, thus extending its remit beyond money laundering. In June 2003 the new recommendations were adopted. According to the FATF:

The FATF recognises that countries have diverse legal and financial systems and so all cannot take identical measures to achieve the common objective, especially over matters of detail. The Recommendations therefore set minimum standards for action for countries to implement the detail according to their particular circumstances and constitutional frameworks. The Recommendations cover all the measures that national systems should have in place within their criminal justice and regulatory systems; the preventive measures to be taken by financial institutions and certain other businesses and professions; and international co-operation.[158]

According to reports, the acknowledgement of flexibility is due to disagreement on regulatory procedures between American and German delegations.[159] The recommendations include the requirement that institutional secrecy laws are not used to inhibit implementation, and recommend against the keeping of anonymous accounts, with some recommendations on identification as 'due diligence'. Co-operation between countries is also recommended, as is the removal of unduly restrictive conditions for this cooperation to take place. The scope of application also increases to cover non-financial businesses, including lawyers and notaries, except when under privilege.

Inter-governmental organizations in Europe have been very active as well. The Southeastern Europe Cooperation Initiative (SECI) Regional Center for Fight Against Cross-Border Crimes had its first meeting of 'Mission Force for Fight Against terrorism' (sic), in June 2003. Held in Turkey, eighty-five representatives attended from Albania, Bulgaria, Bosnia-Herzegovina, Croatia, Hungary, Macedonia, Moldova, Romania, Greece, Slovenia and Serbia-Montenegro. According to Turkish Security Director General Gokhan Aydiner, "Turkey has been trying for years to bring the issue of terrorism onto agenda of the world. In some countries, terrorist organizations and their members are considered fighters of freedom. Those who staged gory actions in which thousands of people lost their lives, continue their terrorism activities without any punishment."[160] According to media reports, the task force aimed to cover organized crimes and terrorism, development of common operational plans, and financial sources of terrorist organizations.

The Organization for Security and Cooperation in Europe (OSCE) began a new initiative with its first annual security review conference in June 2003. A speech by US Ambassador Cofer Black, Coordinator for Counterterrorism, called on the OSCE to continue fighting terrorism, to encourage FATF adherence, to implement UN conventions (noting that only 38% of OSCE states have become parties to all 12), and to do the utmost to prevent spread of small arms and light weapons. He also called for closer cooperation with the UN, G8, ICAO to develop international standards and in turn to encourage regional implementation. Particularly, he called for cooperation on the issue of travel document security with G8 and ICAO.[161] This was supported by 'several delegations', as it was felt that "this work could make a significant, real contribution not only to the war on terrorism, but also to the fight against organized crime and illegal immigration, all issues that many delegations had identified as threats to their security and stability."[162]

The vast majority of these meetings of inter-governmental organizations outlined above were closed. In the coming months and years, however, their work, findings, conclusions, and conventions will be affecting national policy discourse.

This will be particularly the case in the European Union and primarily the output of the Council, where there is more of a binding requirement to enact policies at the national level. As accession countries to the EU begin their process of legal harmonization, interpretation and guidance on EU policies will require scrutiny. The EU has been active in all of the issues covered above. In 2001 and 2002 the Council Framework Decision on a European arrest warrant was developed and is currently being implemented into national law. A Working Party on Terrorism has been convening to develop measures to exchange information between member states, and the creation of computer-aided preventative searches on the basis of offender profiles (particularly the compiling of travel patterns).[163] These profiles may include method and means of travel, 'physical distinguishing features (e.g. battle scars)', education, places of stay, methods of communication, psycho-sociological features, family situation, and expertise in advanced technologies, with the aim of identifying terrorists before an act is carried out. A proposed innovation includes searching through "relevant national databases (e.g. registers of residents, registers of foreigners, universities etc.) subject to the provisions of national law, for persons who need to be vetted more closely by the security authorities."[164]

The EU has also developed a "roadmap" regarding the implementation of an "EU Action Plan in the fight against terrorism." This roadmap includes the discussion of counter-terrorism in political dialogues with third countries and other multilateral fora. The EU has been particularly active in meetings with Asian countries, and in meetings with the US on mutual legal assistance.[165] The roadmap also consists of enhancing the prevention of crime involving the use of electronic communications systems, measures to counter insider dealing, transparency criteria for legal entities, initiatives to draw up a common list of terrorist organizations, and the 'systematic transmission to Europol of any piece of data relevant to terrorism', while complying with international obligations regarding protection of fundamental rights and ensuring 'a balance between data protection and police efficiency', among other initiatives.

Notable Developments and Opportunities for Civil Liberties

While the anti-terrorism policy developments outlined above and later in this report have shifted the legal and technological landscape for privacy, there have been some developments in the area of civil liberties and terrorism.

In the US, opposition to the USA-PATRIOT Act has grown. In response to the law, some librarians have begun to tape warnings to computer screens that usage could be subject to scrutiny by law enforcement agencies; in some cases they are destroying records of reading habits and sign-up logs of computer use.[166] There have been successful amendments on TIA and CAPPS II related policies to call for studies of the privacy and civil liberties implications of these programs. Finally, in many districts and cities, there is opposition to the PATRIOT Act. More than one hundred local governments have passed laws against the Act.[167]

Changes in proposed and existing laws are occurring for several reasons elsewhere in the world. In Hong Kong, after protests including one involving over 400,000 demonstrators, the government appears to have backed down on changes to the Basic Law to deal with sedition.[168] Jordan rescinded Article 150 of its penal code, which was introduced in response to the events of September 11. The Article had allowed for "permanent or temporary closure" of publications that "carry false or libellous information that can undermine national unity or the country's reputation", and publications carrying articles that incite "crimes, strikes, illegal public assemblies or undermining public order."[169]

In the most severe case, Peru has been forced to review sentences given out to 1,800 people when the high court handed down a decision rejecting the anti-terrorism decrees established under the Fujimori government as unconstitutional.[170] These decrees included trials for treason before hooded military judges and life sentences without review,[171] including on free expression related offences.[172]

Opposition may take some time to have its full effect. After India's antiterrorism bill became law, it has been reported that the entire opposition to the government walked out on parliament.[173] Since its enactment, however, and after its use to detain some politicians, the parliament has constituted a Review Committee to ensure that the powers are not misused for non-terrorism purposes.[174]

For the few laws enacted after September 2001 that already contained sunset provisions and parliamentary reviews, many of these reviews are upcoming. Many powers are also being questioned in the courts, questioned in the marketplace, and by civil society. The track records and experiences of similar powers across countries may be useful in calling these powers into question; at least as a counter to the call of governments to harmonize more intrusive powers.

Identity systems

Identity (ID) cards

Identity (ID) cards are in use in one form or another in virtually all countries of the world. The type of card, its functions, and integrity vary enormously. While several countries have official, compulsory, national ID cards that are used for a variety of purposes, many countries do not. These include Australia, Canada, India, Ireland, New Zealand, the United States and the Nordic countries. Those that do have such a card include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia, and South Africa.

Nationwide ID systems are established for a variety of reasons. Race, politics and religion often drive the deployment of ID cards.[175] The fear of insurgence, religious differences, immigration, or political extremism has been an all too common motivator for the establishment of ID systems that aim to force undesirables in a State to register with the government, or make them vulnerable in the open without proper documents.

In recent years technology has rapidly evolved to enable electronic record creation and the construction of large commercial and state databases. A national identifier contained in an ID card enables disparate information about a person that is stored in different databases to be easily linked and analyzed through data mining techniques. ID cards are also becoming "smarter" - the technology to build microprocessors the size of postage stamps and put them on wallet-sized cards has become more affordable. This technology enables multiple applications such as a credit card, library card, health care card, driver's license and government benefit program information to be all stored on the same national ID along with a password or a biometric identifier. Governments in Finland, Malaysia, and Singapore have experimented with such "Smart" ID cards. In July 2002, the Labour government in the United Kingdom launched a six-month public consultation process on whether the United Kingdom should adopt an "entitlement card" with similar features.[176] Critics contend that such cards, especially when combined with information contained in databases, enable intrusive profiling of individuals and create a misplaced reliance on a single document, which enables precisely the type of fraud the cards are meant to eliminate.[177]

In several countries, these systems have been successfully challenged on constitutional privacy grounds. In 1998, the Philippine Supreme Court ruled that a national ID system violated the constitutional right to privacy.[178] In 1991, the Hungarian Constitutional Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[179] The 1997 Portuguese Constitution states "Citizens shall not be given an all-purpose national identity number."[180]

In other countries, opposition to the cards combined with the high economic cost and other logistical difficulties of implementing the systems has led to their withdrawal. Massive protests against the Australia Card in 1987 resulted in the near collapse of the government. Card projects in South Korea and Taiwan were also stopped after widespread protests. In the United States plans to convert the state driver's license into a nationwide system of identification have stalled because of the stiff resistance from a broad coalition of civil society groups.[181]

Biometrics

Biometrics is the identification or verification of someone's identity on the basis of physiological or behavioral characteristics. Biometrics involves comparing a previously captured unique characteristic of a person to a new sample provided by the person. This information is used to authenticate or verify that a person is who they said they were (a one-to-one match) by comparing the previously stored characteristic to the fresh characteristic provided. It can also be used for identification purposes where the fresh characteristic is compared against all the stored characteristics (a one-to-many match). New biometric technology attempts to automate the identification or verification process by converting the provided biometric into an algorithm, which is then used for matching purposes. The computer matching technique necessarily produces either false positives, where a person is incorrectly identified as someone else, or false negatives, where a person who is meant to be identified by the system is not correctly identified. The two error rates are dependent, so for example reducing the number of false positives increases the number of false negatives. The tolerance level is adjusted depending on the need for security in the application.
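The dependence between the two error rates, and the difference between one-to-one and one-to-many matching, can be made concrete with a small calculation. The following is an added example, not part of the original report: the similarity scores are constructed for illustration, the function names are hypothetical, and the one-to-many estimate assumes each comparison is independent, which is a simplification.

```python
"""Added illustration: threshold trade-off in biometric matching (constructed data)."""

# Constructed similarity scores in [0, 1]; higher means "more alike".
# GENUINE: a fresh sample compared with the same person's stored characteristic.
# IMPOSTOR: a fresh sample compared with a different person's stored characteristic.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.63, 0.58, 0.52]
IMPOSTOR = [0.61, 0.55, 0.49, 0.47, 0.44, 0.42, 0.38, 0.35, 0.33, 0.31,
            0.29, 0.27, 0.25, 0.22, 0.20, 0.18, 0.15, 0.12, 0.09, 0.05]


def error_rates(genuine, impostor, threshold):
    """Return (false_positive_rate, false_negative_rate) for one-to-one matching.

    A comparison is accepted as a match when its score is >= threshold.
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_pos = sum(1 for s in impostor if s >= threshold)  # wrong person accepted
    false_neg = sum(1 for s in genuine if s < threshold)    # right person rejected
    return false_pos / len(impostor), false_neg / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Return [(threshold, fpr, fnr), ...] so the trade-off can be read off."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def pick_threshold(genuine, impostor, thresholds, max_fpr):
    """Lowest threshold whose false-positive rate is within max_fpr.

    Choosing the lowest qualifying threshold keeps false negatives as low as
    the security requirement allows. Returns None if no threshold qualifies.
    """
    for t, fpr, _fnr in sweep(genuine, impostor, sorted(thresholds)):
        if fpr <= max_fpr:
            return t
    return None


def one_to_many_false_positive(fpr, database_size):
    """Chance that a person NOT in the database matches at least one record.

    Assumption: the database_size comparisons are independent, each with the
    same one-to-one false-positive rate.
    """
    if not 0.0 <= fpr <= 1.0 or database_size < 0:
        raise ValueError("fpr must be in [0, 1] and database_size >= 0")
    return 1.0 - (1.0 - fpr) ** database_size


if __name__ == "__main__":
    print("threshold  false-pos  false-neg")
    for t, fpr, fnr in sweep(GENUINE, IMPOSTOR, [0.40, 0.50, 0.60, 0.70]):
        print(f"{t:9.2f}  {fpr:9.2f}  {fnr:9.2f}")
    print("one-to-many false match chance at a one-to-one rate of 0.001:")
    for n in (1, 1_000, 100_000):
        print(f"  database of {n:>7}: {one_to_many_false_positive(0.001, n):.3f}")
```

Raising the threshold drives false positives down and false negatives up on the same data, and an error rate that looks negligible for a single comparison becomes a near-certain false match once the sample is searched against a large database.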

The most popular forms of biometric ID are fingerprints, retina/iris scans, hand geometry, voice recognition, and digitized (electronically stored) images. The technology is gaining interest from governments and companies because, unlike other forms of ID such as cards or papers, it can be more difficult to alter or tamper with one's own physical or behavioral characteristics. Important questions remain, however, about the effectiveness of the automated biometric matching techniques, particularly for large-scale applications.[182] Critics also argue that widespread deployment of biometric identification technology could remove the veil of anonymity or pseudo-anonymity in most daily transactions through the creation of an electronic trail of people's movements and habits.[183]

Biometrics schemes are being implemented across the world. The technology is widely used in small settings for access control to secure locations such as a nuclear facility or bank vault. It is increasingly being used for broader applications such as retail outlets, government agencies, childcare centers, police forces and automated-teller machines. Spain has commenced a national fingerprint system for unemployment benefits and healthcare entitlements. Russia has announced plans for a national electronic fingerprint system for banks. Jamaicans are required to scan their thumbs into a database before qualifying to vote in elections. In France and Germany, tests are under way with equipment that puts fingerprint information onto credit cards. Many computer manufacturers are considering including biometric readers on their systems for security purposes.

The most controversial form of biometrics - DNA identification - is benefiting from new scanning technology that can automatically match DNA samples against a large database in minutes. Police forces in several countries including Canada, Germany, and the United States have created national DNA databases. Samples are being routinely taken from a larger group of people. Initially, it was only individuals convicted of sexual crimes. Then it was expanded to people convicted of other violent crimes and then to arrests. Now, many jurisdictions are collecting samples from all individuals arrested, even for the most minor offenses. Former New York City Mayor Rudolph Giuliani even proposed that all children have a DNA sample collected at birth. In Australia, the United Kingdom, and the United States, police have been demanding that all individuals in a particular area voluntarily provide samples or face being considered a suspect. United States Attorney General Ashcroft has testified that he has asked the FBI to increase the capacity of its database from 1.5 million to 50 million profiles.[184]

At the same time, DNA data has been used as exculpatory evidence in many criminal trials.

Surveillance of Communications

Most countries around the world regulate the interception of communications by governments and private individuals and organizations. These controls typically take the form of constitutional provisions protecting the privacy of communications and laws and regulations that implement those requirements.

There has been great pressure on countries to adopt wiretapping laws to address new technologies. These laws are also a response to pressure from law enforcement and intelligence agencies to increase surveillance capabilities. In Japan, wiretapping was only approved as a legal method of investigation in 1999. Other countries such as Australia, Belgium, Germany, New Zealand, South Africa and the United Kingdom have all updated their laws to facilitate surveillance of new technologies.

The United States government has been at the forefront of promoting greater use of electronic surveillance. Former FBI Director Louis Freeh traveled extensively around the world, promoting the use of wiretapping in newly democratic countries such as Hungary and the Czech Republic. At the same time, the United States has led world efforts to ensure that all communications technologies have built-in surveillance capabilities and to prohibit the manufacture and use of equipment that cannot be eavesdropped upon. The United States has also been working through international organizations such as the OECD, G-8 and the Council of Europe to promote surveillance.

Legal Protections and Human Rights

It is recognized worldwide that wiretapping and electronic surveillance are a highly intrusive form of investigation that should only be used in limited and unusual circumstances. Nearly all major international agreements on human rights protect the right of individuals from unwarranted invasive surveillance.

Nearly every country in the world has enacted laws on the interception of oral, telephone, fax and telex communications. In most democratic countries, intercepts are initiated by law enforcement or intelligence agencies only after they have been approved by a judge or some other kind of independent magistrate or high level official, and generally only for serious crimes. Frequently, it must be shown that other types of investigation were attempted and were not successful. There is some divergence on what constitutes a 'serious crime', and appropriate approval.

Several countries including France and the United Kingdom have created special commissions that review wiretap usage and monitor for abuses. These bodies have developed an expertise in the area that most judges who authorize surveillance do not have, while they also have the ability to conduct follow up investigations once a case is complete. In other countries, the privacy commissioner or data protection authority has some ability to conduct oversight of electronic surveillance.

An important oversight measure that many countries employ is the requiring of annual public reporting of information about the use of electronic surveillance by government departments. These reports typically provide summary details about the number of uses of electronic surveillance, the types of crimes that they are authorized for, their duration and other information. This is a common feature of wiretap laws in English-speaking countries and many others in Europe. Countries that issue annual reports on the use of surveillance include Australia, Canada, France, New Zealand, Sweden, the United Kingdom, and the United States. Meanwhile in the Netherlands, the Minister of Justice in April 2003 announced that he saw no additional value in maintaining a log of the frequency of wiretaps, or installing a special functionary to oversee the warranty process.[185]

These countries recognize that people outside government need to know how surveillance is used in order to limit abuses. The reports are widely used in many countries by the Parliaments for oversight and also by journalists, NGOs and others to examine the activities of law enforcement. The reports have shown an increase in the use of surveillance in many countries including Australia,[186] the United States, and the United Kingdom while others such as Canada have remained steady. Most recently, however, Canada has reduced the amount of reporting; despite statutory requirements, annual reports from the Solicitor General on surveillance activities have not been released since 1999.[187]

These laws are designed to ensure that legitimate and normal activities in a democracy such as journalism, civic protests, trade union organizing or political opposition are free from being subjected to unwarranted surveillance because they have different interests and goals than those in power. They also ensure that relatively minor crimes, especially those that would not generally involve telecommunications for facilitation, are not used as a pretext to conduct intrusive surveillance for political or other reasons.

However, wiretapping abuses have been revealed in most countries, sometimes occurring on a vast scale involving thousands of illegal taps. The abuses invariably affect anyone "of interest" to a government. Targets include political opponents, student leaders and human rights workers.[188] This can occur even in the most democratic of countries such as Denmark and Sweden, where it was recently disclosed that intelligence agencies were conducting surveillance of thousands of left-leaning activists for nearly forty years.

The United Nations Commissioner on Human Rights in 1988 made clear that human rights protections on the secrecy of communications broadly cover all forms of communications:

Compliance with Article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.[189]

The need for greater protection is recognized by many democratic countries around the world. Most recently, the German Federal Constitutional Court is considering whether the interception laws passed in 1998 are constitutional; the results of this case are expected in the fall of 2003.[190]

Increasingly new standards, technologies and new policies are complicating the situation.

Legal and Technical Standards for Surveillance: Building in Big Brother

In the past fifteen years, the United States government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. This campaign has had two strategies. The first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.[191]

Law enforcement agencies have traditionally worked closely with telecommunications companies to formulate arrangements that would make phone systems "wiretap friendly." These agreements range from allowing police physical access to telephone exchanges, to installing equipment to automate the interception. Because most telecommunications operators were either monopolies or operated by government telecommunications agencies, this process was generally hidden from public view.

Following deregulation and new entries into telecommunications in the United States in the early 1990s, law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the United States Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994.[192] The act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States. In 1999, at the request of the Federal Bureau of Investigation, an order was issued under CALEA requiring carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call.[193]

Due to heavy lobbying, the Internet Service Providers in the United States have so far been exempted from implementing these technical requirements. In other countries the computer industries have not been so fortunate. In Australia the Telecommunications Act 1997 places obligations on telecommunications operators to positively assist law enforcement in the performance of their duties and to provide an interception capability. The costs of these obligations are borne by the operators themselves.[194] Furthermore, the 2001 Cybercrime Act allows executing officers to require a "specified person" with "knowledge of a computer or a computer system" to provide assistance in accessing, copying or converting data held on or accessible from that computer. Failing to provide this assistance is an offence punishable by six months imprisonment. [195]

In the United Kingdom the Regulation of Investigatory Powers Act 2000 requires that telecommunications operators maintain a "reasonable interception capability" in their systems and be able to provide on notice certain "traffic data."[196] It also imposes on obligation on third parties to hand over encryption keys. These requirements were recently clarified in the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002.

In the Netherlands, a new Telecommunications Act was approved in December 1998 that required that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain user logs for three months.[197] The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. In New Zealand, the Telecommunications (Residual Powers) Act 1987 requires network operators to assist in the operation of a call data warrant (equivalent to the United States trap and trace or pen register warrant).[198] An obligation to assist in the operation of a full interception warrant is now also being considered in New Zealand. The Telecommunications (Interception Capabilities) Bill currently being drafted by the Government would require all Internet Service Providers and telephone companies to upgrade their systems so that they are able to assist the police and intelligence agencies in intercepting communications. It would also require a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.[199]

In January 2002, a new Law on the surveillance of mail and telecommunications entered into force in Switzerland, requiring ISPs to take all necessary measures to allow for interception.[200] In contrast, the Austrian Federal Constitutional Court held, in a decision[201] in February 2003, that the law compelling telecommunications service providers to implement wiretapping measures at their own expense is unconstitutional.[202] Most recently, Poland and New Zealand have been reported as proposing and adopting new laws requiring ISPs to monitor and record communications transactions.

International cooperation played a significant role in the development of these standards. In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia called the "International Law Enforcement Telecommunications Seminar" (ILETS). The meetings included representatives from Canada, Hong Kong, Australia and the European Union. At these meetings, an international technical standard for surveillance, based on the FBI's CALEA demands, was adopted as the "International Requirements for Interception." In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards.[203] Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the European Union and the United States offered a Memorandum of Understanding (MOU) for other countries to sign to commit to the standards. Several countries including Canada and Australia immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organizations, including the International Telecommunications Union (ITU) and the European Telecommunication Standardisation Institute (ETSI), were then successfully approached to adopt the standards.

The ILETS group continued to meet. Several committees were formed and developed a more detailed standard extending the scope of the interception standards. The new standards were designed to apply to a wide range of communications technologies, including the Internet and satellite communications. They also set more detailed criteria for surveillance across all technologies. The result was a 42-page document called ENFOPOL 98 (the European Union designation for documents created by the European Union Police Cooperation Working Group).[204]

In 1998, the document became public and generated considerable criticism. The committees responded by removing most of the controversial details and putting them into a secret operations manual that has not been made publicly available. The new document, now called ENFOPOL 19, expanded the type of surveillance to include "IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address."[205] In April 1999, the Council proposed the new draft council resolution to adopt the ENFOPOL 19 standards into law in the European Union. The Council of Ministers revised the document and, in June 2000, approved a resolution calling for countries:

to ensure that, in the development and implementation - in cooperation with communication service providers - of any measures which may have a bearing on the carrying out of legally authorised forms of interception of telecommunications, the law enforcement operational needs...are duly taken into account.[206]

The annex for the document sets out detailed guidelines for interception requirements for "all telecommunications services, circuit and packet-switched, fixed and mobile networks and services." It expands the coverage of the original International User Requirements (IURs) to include networking technologies, without acknowledging that technologies such as computer networking generate more information in greater detail, including web browsing and mobile location information, and that applying traditional surveillance analogies to them therefore results in more intrusive surveillance.

Internet Surveillance: Black Boxes and Key Loggers

A related development has been the use of "black boxes" on ISP networks to monitor user traffic. The actual workings of these black boxes are unknown to the public. What little information has been made public reveals that many of the systems are based on "packet sniffers" typically employed by computer network operators for security and maintenance purposes. These are specialized software programs running on a computer that is hooked into the network at a location where it can monitor traffic flowing in and out of systems. These sniffers can monitor the entire data stream, searching for key words, phrases or strings such as net addresses or e-mail accounts. They can then record, or retransmit for further review, anything that fits their search criteria. In many of the systems, the boxes are connected to government agencies by high-speed connections.

In April 2000, it was publicly revealed that the FBI had developed and was using an Internet monitoring system called "Carnivore" (now called DCS 1000).[207] The system places a PC running Windows NT at an ISP's offices and can monitor all traffic about a user including e-mail and browsing. Carnivore "can scan millions of e-mails a second" and "would give the government, at least theoretically, the ability to eavesdrop on all customers' digital communications, from e-mail to online banking and Web surfing."[208] In response to the public uproar over Carnivore, Attorney General Janet Reno announced that the technical specifications of the system would be disclosed to a "group of experts" to allay public concerns.[209] In the fall of 2000, the Justice Department commissioned a team of experts at the IIT Research Institute and the Illinois Institute of Technology Chicago-Kent College of Law (IITRI) to undertake an independent review of the Carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system.[210]

In some countries, there have been laws or decrees enacted to require the systems to build in these boxes. Russia was the first country where this requirement was made public, and according to Russian computer experts, the United States government advised them on implementation. In 1998, the Russian Federal Security Service (FSB) issued a decree on the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require ISPs to install surveillance devices and high-speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant.[211] ISPs are required to pay for the costs of installing and maintaining the devices. When an ISP based in Volgograd challenged FSB's demand to install the system, the local FSB and Ministry of Communication attempted to have its license revoked. The agencies were forced to back off after the ISP challenged the decision in court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was not a valid ministerial act because it failed several procedural requirements.

Following the Russian lead, in September 1999, Ukrainian President Leonid Kuchma proposed requiring that ISPs install surveillance devices on their systems based on the Russian SORM system. The rules and a subsequent bill were attacked by the Parliament and withdrawn. However, in August 1999, the security service visited several of the large ISPs, which were reported to have installed the boxes.

In the Netherlands, following the passage of the 1998 Telecommunications Act (see above), the Dutch Forensics Institute[212] developed a "black-box" for ISPs to install on their networks. The black box would be under control of the ISP and turned on after receiving a court order. The box would look at authentication traffic of the person to wiretap and divert the person's traffic to law enforcement if the person is online. Due to the inability of ISPs to adopt the requirements of the law, however, its implementation has been delayed.

In China, a system known as the "Great Firewall" routes all international connections through proxy servers at official gateways, where Ministry for Public Security (MPS) officials identify individual users and content, define rights, and carefully monitor network traffic into and out of the country. At a 2001 security industry conference, the government announced an ambitious successor project known as "Golden Shield." Rather than relying solely on a national intranet, separated from the global Internet by a massive firewall, China will now build surveillance intelligence into the network, allowing it to "see," "hear" and "think."[213] Content-filtration will shift from the national level to millions of digital information and communications devices in public places and people's homes.[214] The technology behind Golden Shield is incredibly complex and is based on research developed largely by Western technology firms, including Nortel Networks, Sun Microsystems and others. The Golden Shield efforts do not signal an abandonment of other avenues of access and content control. For example, details are only beginning to emerge about a new "black box" device, derived from technology previously used in airline cockpit data recorders, and broadly similar to the Carnivore system. Chinese Internet police would use the black box technology to monitor dissidents and collect evidence on illegal activities.[215]

New methods of surveillance, and in particular those capable of circumventing encryption, are also being developed. One such technological device is a "key logger" system. A key logger system records the keystrokes an individual enters on a computer's keyboard. Keystroke loggers can be employed to capture every key pressed on a computer keyboard, including information that is typed and then deleted. Such devices can be manually placed by law enforcement agents on a suspect's computer, or installed "remotely" by placing a virus on the suspect's computer that will disclose private encryption keys.

The question of such surreptitious police decryption methods arose in the case of United States v Scarfo.[216] There, the FBI manually installed a key logger device on the defendant's computer in order to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the United States FBI confirmed the existence of a similar technique called "Magic Lantern."[217] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet, rather than require physical access to the computer as is now the case. The new Danish Anti-Terrorism law, enacted in June 2002, appears to give law enforcement the power to secretly install this kind of snooping software on the computers of criminal suspects.[218]

Transactional and Location Data: Surveillance and New Communications Technologies

As new telecommunications technologies emerge, many countries are adapting existing surveillance laws to address the interception of networked and mobile communications. These updated laws pose new threats to privacy in many countries because the governments often simply apply old standards to new technologies without analyzing how the technology has changed the nature and sensitivity of the information. It is crucial for the protection of privacy and human rights that transactional data created by new technologies is given greater protection under law than traditional telephone calling records and other transactional information found in older systems.

In the traditional telephone system, transactional data usually takes the form of telephone numbers or telephone identifiers, the call metrics (e.g., length of call, time and date), countries involved, and types of services used. This data is usually collected and processed by telephone companies for billing and network efficiency (e.g., fault correction) purposes. While this data is stored by telephone companies, it is available to law enforcement authorities. Communications content, i.e. conversations, are not stored routinely. As a result, the obstacles to law enforcement access to this data were minimal: traffic data was available, legally less sensitive, and so accessible with lower authorization and oversight requirements. The content of communications was treated as more sensitive, and more invasive, and more difficult to collect, thus typically requiring greater authorization and oversight mechanisms.

Different communications infrastructures give rise to different forms of transactional data, however. When surfing the net, a user can visit dozens of sites in just a few minutes and reveal a great deal about their personal situation and interests. This can include medical, financial, social interests and other highly sensitive personal information. As the Council of Europe acknowledges in the Explanatory Report of the Convention on Cybercrime:

The collection of this data may, in some situations, permit the compilation of a profile of a person's interests, associates and social context. Accordingly Parties should bear such considerations in mind when establishing the appropriate safeguards and legal prerequisites for undertaking such measures.[219]

The detailed and potentially sensitive nature of the data makes it more similar to content of communications than telephone records.

Similarly, location information generated by mobile communications infrastructure, such as mobile phones and mobile IP, is more sensitive than the mere location of a fixed telephony communication. The location information of mobile communications can provide details of an individual's movements and activities and whom they have met with. This location information may be combined with other transactional information such as websites visited using the mobile device, individuals called, search engine requests; all used to create a considerable profile. This affects a wide variety of human rights beyond the right of privacy including the rights of free speech and assembly.

Moreover, newer mobile communications protocols are becoming increasingly specific about location data, and the availability of this information is becoming part of the actual communications protocol. That is, the means of identifying the location of a device is becoming more precision-based, and this location information is communicated to several parties, not necessarily only between the device and the mobile communications operator. As a result, the location of the device can be more easily discerned, not necessarily requiring access to the data held by the operator.

In addition to this data that naturally arises from the functioning of a wireless network, there are other initiatives driving the development of technologies that build in location-tracking capabilities. For example, in the United States, the Federal Communications Commission (FCC) directed wireless telephone service providers to begin implementing Automatic Location Identification (ALI) for emergency (911) calls by October 1, 2001. The ALI "accuracy standards" require providers to develop capabilities that will permit the location of users with the following degrees of precision: for handset-based solutions - 50 meters for 67 percent of calls, 150 meters for 95 percent of calls; for network-based solutions - 100 meters for 67 percent of calls, 300 meters for 95 percent of calls.[220] Other wireless devices and services increasingly are coming into use, including wireless personal digital assistants (PDAs), wireless Internet access, and automotive navigation and assistance services (telematics), which when combined with Global Positioning Satellite capabilities, can determine the physical locations of users very precisely.

While there is likely to be strong commercial and law enforcement demand for the collection and use of the location data generated by these services, a legal framework to protect privacy specifically with respect to location information has not yet been implemented. In the absence of legal clarity, some operators have been keeping this kind of data indefinitely. In October 2001, British mobile operator Virgin Mobile revealed that it had retained all call records since it was created in 1999. Similarly, in November 2001, it was reported that Irish operators, Eircell and Digifone, were holding customer records for more than six years. In both cases, the operators stated that they believed they were required to keep these records under the law.[221]

The level of legal protection afforded to other traffic data is similarly unclear. Policies generally treat all of this transactional data as 'traffic data'; this data then bears the protections afforded under the traditional telephone system. The United Kingdom in its Regulation of Investigatory Powers Act 2000 accepted, after an extensive debate, that there are varying levels of sensitivity to this data, and separates 'traffic data' (source and destination of a transaction used for routing within a network) from the more sensitive 'communications data' that includes URLs, domain names, etc. The latter requires greater authorization and oversight procedures. Not all countries have pursued this line of reasoning.
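The difference in sensitivity between routing-level data and URL-level data described in this section can be seen by splitting a web access record into the two and comparing what each reveals about one subscriber. The following is an added example, not part of the original report; the log format, field names and sample records are constructed for illustration.

```python
"""Added example: routing-level versus URL-level data in a web access record."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real traffic):
# timestamp, subscriber IP, server IP, requested URL.
SAMPLE_LOG = """\
2003-03-01T09:00:12 192.0.2.10 198.51.100.7 http://health.example/conditions/diabetes?stage=2
2003-03-01T09:01:40 192.0.2.10 198.51.100.7 http://health.example/clinics/search?q=insulin+pump
2003-03-01T09:03:05 192.0.2.10 203.0.113.20 http://bank.example/loans/apply?amount=15000
2003-03-01T09:04:51 192.0.2.10 203.0.113.99 http://search.example/find?q=union+meeting+saturday
"""


def parse_record(line):
    """Split one log line into routing-level and URL-level fields."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d: %r" % (len(fields), line))
    timestamp, src, dst, url = fields
    parts = urlsplit(url)
    return {
        # Source and destination used to route the transaction.
        "routing": {"time": timestamp, "src": src, "dst": dst},
        # Host name, page requested and form/search input.
        "url_level": {
            "host": parts.hostname or "",
            "path": parts.path,
            "query": parse_qs(parts.query),
        },
    }


def load_records(text):
    """Parse every non-blank line of a log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def minimise(record):
    """Reduce a record to routing-level fields only, discarding URL-level data."""
    return dict(record["routing"])


def observer_view(records, level):
    """List, per subscriber, what a holder of `level` data can read off the log."""
    if level not in ("routing", "url_level"):
        raise ValueError("unknown level: %r" % level)
    view = defaultdict(set)
    for record in records:
        src = record["routing"]["src"]
        if level == "routing":
            view[src].add(record["routing"]["dst"])
        else:
            detail = record["url_level"]
            view[src].add(detail["host"] + detail["path"])
            for values in detail["query"].values():
                view[src].update(values)
    return {src: sorted(items) for src, items in view.items()}


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for level in ("routing", "url_level"):
        print(level)
        for src, items in observer_view(records, level).items():
            for item in items:
                print("  %s -> %s" % (src, item))
```

With routing-level fields only, the four constructed requests reduce to three server addresses; with URL-level fields, the same requests expose a medical condition, a loan amount and a search about a meeting.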

Previous United States policy differentiated between traffic data on cable and telephone communications. The Cable Act traditionally protected traffic data to a greater degree than telephone traffic data. Now that cable infrastructure is used for internet communications (which were previously used over telephone lines, and thus traditional laws applied), successive White House administrations worked to erase this distinction, finally succeeding with the USA-PATRIOT Act. Rather than deal with the specifics of digital communications media and services, the changes in United States law reduce the protections of traffic data for all communications to what had previously existed for telephone communications data. This was clearly intended, under the guise of technological neutrality. According to Attorney General Ashcroft:

Agents will be directed to take advantage of new, technologically neutral standards for intelligence gathering... Investigators will be directed to pursue aggressively terrorists on the internet. New authority in the legislation permits the use of devices that capture senders and receivers addresses associated with communications on the Internet.[222]

Retention of Traffic and Location Data[223]

On May 30, 2002, the European Parliament voted on the new European Union Electronic Communications and Privacy Directive.[224] In a remarkable reversal of their original opposition to data retention, the members voted to allow each European Union government to enact laws to retain the traffic and location data of all people using mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication devices, to communicate. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing European Union countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers' communications data.[225] The data that can be retained includes all data generated by the conveyance of communications on an electronic communications network ("traffic data") as well as the data indicating the geographic position of a mobile phone user ("location data").[226] The contents of communications are not covered by the data retention measures. These requirements can be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.

Although this data retention provision is supposed to constitute an exception to the general regime of data protection established by the directive, the ability of governments to compel Internet service providers and telecommunications companies to store all data about all of their subscribers can hardly be construed as an exception to be narrowly interpreted. The practical result is that all users of new communications technologies are now considered worthy of scrutiny and surveillance in a generalized and preventive fashion for periods of time that States' legislatures or governments have the discretion to determine. Furthermore, because of the cross-border nature of Internet communications, this Directive is likely to have negative repercussions for citizens of other countries. There is a significant risk that non-European Union law enforcement agencies will seek data held in Europe that they cannot obtain at home, either because it was not retained or because their national law would not permit this kind of access.

During the debates on the Directive, many members of the European Parliament and the European Union privacy commissioners consistently opposed data retention, arguing that these policies are in contravention of data protection practices of deletion of data once it is no longer required for the purpose for which it was collected, and also in contravention of proportionality principles in accordance with constitutional laws and jurisprudence. Similarly, the Global Internet Liberty Campaign, a coalition of 60 civil liberties groups, organized a campaign and drafted an open letter to oppose data retention. The letter was sent to all European Parliament members and heads of European Union institutions after more than 16,000 individuals from 73 countries endorsed it in less than a week.[227] The letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law.

While a few other countries have already established data retention schemes (Belgium, Denmark, France, Spain, Switzerland and the United Kingdom) the implementation phase of the Directive's data retention provision may be bumpy in other Member States. Already in the United Kingdom, after a review by a parliamentary committee, significant questions have been raised regarding the legality, invasiveness, and the financial burdens involved in data retention.[228] The Directive may be seen as being in conflict with the constitutions of some European Union countries, with respect to fundamental rights such as the presumption of innocence, the right to privacy, the secrecy of communications, or freedom of expression.[229] In Finland, because of concerns regarding freedom of speech and privacy, content retention requirements have been reduced to three weeks at most, and for Internet traffic data no retention is required.[230]

Meanwhile, the situation is uncertain in Austria, Germany, Greece, Italy, Luxembourg, Portugal, and Sweden as they consider or question the means through which they can establish retention policies.[231] In Ireland, proposals from the Department of Justice have been poorly received from the industry, the Data Protection Commissioner, the Department of Communications, and the Marine and Natural Resources.[232] Industry associations in several countries[233] and the International Chamber of Commerce have all announced their concerns with general retention laws.[234] In all, nine states have established laws so far; while ten out of fifteen EU governments favor a "harmonizing" EU measure.[235]

Cybercrime: International Initiatives in Harmonizing Surveillance

A related effort for enhancing government control of the Internet and promoting surveillance is also being conducted in the name of preventing "cyber-crime," "information warfare" or protecting "critical infrastructures." Under these efforts, proposals to increase surveillance of the communications and activities of Internet users are being introduced as a way to prevent computer intruders from attacking systems and to stop other crimes such as intellectual property violations.

The lead bodies internationally are the Council of Europe and the G-8, while there has also been some activity within the European Union.[236] The United States has been active behind the scenes in developing and promoting these efforts.[237] After meeting behind closed doors for years, these organizations finally, in 2000, made public proposals that would place restrictions on online privacy and anonymity in the name of preventing cyber-crime.

Council of Europe

The Council of Europe is an intergovernmental organization formed in 1949 by West European countries. There are now 43 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."

On September 8, 1995, the Council of Europe approved a recommendation to enhance law enforcement access to computers in member states. The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states:

Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein.

Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities.

Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary.

In 1997, the Council of Europe formed a Committee of Experts on Crime in Cyber-space (PC-CY). The group met in secret for several years drafting an international treaty and in April 2000, released the "Draft Convention on Cyber-crime, version 19." Several subsequent versions were released until version 27 was released in June 2001.

The convention has three parts. Part I proposes the criminalization of on-line activities such as data and system interference, the circumvention of copyright, the distribution of child pornography, and computer fraud. Part II requires ratifying states to pass laws to increase their domestic surveillance capabilities to cater for new technologies. This includes the power to intercept internet communications, gain access to traffic data in real-time or through preservation orders to ISPs, and access to secured or "protected" data. The final part of the treaty requires all states to cooperate in criminal investigations. So, for example, country A can request country B to utilize any of the aforementioned investigative powers within country B for a crime that is being investigated in country A. There is no requirement for the crime in country A to actually qualify as a crime in country B, i.e. no requirement for dual-criminality. In this sense, the convention is the largest mutual legal assistance regime in criminal matters ever created.

The draft convention text was strongly criticized by a wide variety of interested parties including privacy and civil liberties groups for its promotion of surveillance and lack of controls such as authorization requirements and dual criminality;[238] prominent security experts for previously articulated limitations on security software;[239] and industry for the costs of implementing the requirements, and the challenges involved in responding to requests from 43 different countries. The European Union's Data Protection Working Group has expressed concern regarding the convention's implications upon privacy and human rights, concluding that:

The Working Party therefore sees a need for clarification of the text of the articles of the draft convention because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms.[240]

The convention text was finalized in September 2001. After the terrorist attacks on the United States, the convention was positioned as a means of combating terrorism. A signing ceremony took place in November 2001 where it was signed by thirty countries, and later signed by another four. The Convention is open to the members of the Council of Europe and to countries that were involved in the development, which includes the United States, Canada, Japan and South Africa.

The convention will come into force once ratified by five signatory states, of which three must be members of the Council of Europe. Once it is in force, other non-COE countries like China and Singapore can also ask to join. The Australian government announced in July 2001 that its bill on computer crime, which requires users to provide encryption keys, is based on the Convention.[241] So far only Albania, Croatia, and Estonia have ratified the convention. Romania has incorporated some of the language of the convention into its law on transparency and corruption.[242]

A protocol on Racism and Xenophobia was released in November 2002. This protocol will require the criminalization of certain forms of Internet speech that some might find offensive.[243] The Bush Administration has already stated that it will not support the protocol.[244] There was some discussion of a second protocol on "terrorist messages and the decoding thereof," however discussion on this matter has not advanced publicly.[245]

G-8

The G-8 is made up of the heads of state of eight industrialized countries in the world (Canada, France, Germany, Italy, Japan, Russia, the United Kingdom, and the United States); the European Commission participates as an observer. The leaders have been meeting annually since 1975 to discuss issues of importance, including economics and finance, transnational organized crime, terrorism, and the information society.

Since 1995, the G-8 has become increasingly involved in the issue of high-tech crime, and has created working groups and issued a series of communiqués from the leaders and action plans from justice ministers. Much of this work has been coordinated by the Lyon Group, established formally in 1997.

At the Birmingham, England summit in May 1998, the G-8 adopted a recommendation on ten principles and a ten-point action plan on high-tech crime. The ministers announced:

We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies.

The G-8 has met several times with industry and is actively promoting requirements that Internet Service Providers maintain records of all of their users' activities in case there is a future need to investigate a crime that might have occurred. These requirements were strongly criticized at a meeting held by the G-8 in Japan in 2001, to which industry and a civil liberties group were invited; a draft press release and guidelines that promoted data retention had to be withdrawn after they had already been made public.

The G-8 has continued its activity in the area of law enforcement and combating terrorism, however. Throughout 2002 several summits involving Finance Ministers, Justice and Interior Ministers, and heads of state have released several statements regarding increased surveillance, traceability of communications,[246] and data retention.[247] Increased cooperation across borders was discussed at length; and as with the Council of Europe convention, no requirements of dual-criminality or double-criminality are necessary.

The European Union

In July 2000, the Commission announced plans for a new directive for fighting cyber-crime.[248] A communication was released in January 2001.[249] While similar to the Council of Europe convention in many ways, the Commission's proposal also included proposals regarding data retention and the reduction of anonymity. These policies were sought within "public forums" (only with limited invited speaking slots) in the fall of 2001, with unclear and unpublished results.

The retention proposal was sought in the alternative forum of the Directive on Privacy and Electronic Commerce in the European Parliament. The substantive law measures of criminalizing data and systems interference and defining other such offences are being pursued as a Council Framework Decision, currently in draft mode.[250] This initiative is designed to be consistent with the CoE and G-8 activities.

The Organization for Economic Co-Operation and Development

In contrast to many of these law enforcement-driven initiatives, the Organisation for Economic Cooperation and Development (OECD) has tended to take a broader view of security issues. In 1992, the OECD issued Guidelines for the Security of Information Systems.[251] Containing nine principles, the Guidelines stress the importance of ensuring transparency, proportionality and other democratic values when establishing measures, practices and procedures for the security of information systems. In the fall of 2001, the OECD Working Party on Information Security and Privacy (WPISP) established a group of experts to conduct a review of these guidelines (such a review must take place every five years). The group of experts met four times between December 2001 and June 2002 and recommended several changes. OECD released the revised guidelines in the fall of 2002. Although the guidelines have been substantially revised, the need to ensure key democratic values, such as openness, transparency and the protection of personal information, is nonetheless reiterated in the principles.

National Security, Intelligence Agencies and the "Echelon system"

In the past several years, there has been considerable attention given to mass surveillance by intelligence agencies of international and national communications. Investigations have been opened and hearings held in parliaments around the world about the "Echelon" system coordinated by the United States.

Immediately following the Second World War, in 1947, the governments of the United States, the United Kingdom, Canada, Australia and New Zealand signed a National Security pact known as the "Quadripartite," or "United Kingdom - United States" (UKUSA) agreement. Its intention was to seal an intelligence bond in which a common national security objective was created. Under the terms of the agreement, the five nations carved up the earth into five spheres of influence, and each country was assigned particular signals intelligence (SIGINT) targets.

The UKUSA Agreement standardized terminology, code words, intercept handling procedures, arrangements for cooperation, sharing of information, Sensitive Compartmented Information (SCI) clearances, and access to facilities. One important component of the agreement was the exchange of data and personnel.

The strongest alliance within the UKUSA relationship is the one between the United States National Security Agency (NSA), and Britain's Government Communications Headquarters (GCHQ). The NSA operates under a 1952 presidential mandate, National Security Council Intelligence Directive (NSCID) Number 6, to eavesdrop on the world's communications networks for intelligence and military purposes. In doing so, it has built a vast spying operation that can reach into the telecommunications systems of every country on earth. Its operations are so secret that this activity, outside the United States, occurs with little or no legislative or judicial oversight. The most important facility in the alliance is Menwith Hill, a Royal Air Force base in the north of England. With over two dozen domes and a vast computer operations facility, the base has the capacity to eavesdrop on vast chunks of the communications spectrum. With the creation of Intelsat and digital telecommunications, Menwith Hill and other stations developed the capability to eavesdrop on an extensive scale on satellite-borne fax, telex and voice messages.

The current debate over NSA activities has focused on the existence of a signals intelligence system known as "Echelon." United States officials have refused to confirm the existence of this or any other surveillance systems. In May 2001, the European Parliament's Temporary Committee on the Echelon Interception System (established in July 2000) issued a report concluding that "the existence of a global system for intercepting communications... is no longer in doubt."[252] According to the committee, the Echelon system (reportedly run by the United States in cooperation with Britain, Canada, Australia and New Zealand) was set up at the beginning of the Cold War for intelligence gathering and has developed into a network of intercept stations around the world. Its primary purpose, according to the report, is to intercept private and commercial communications, not military intelligence.

The report recommended "self-protection" by EU citizens and companies, and encouraged further development and use of encryption technology within Europe to protect communications against surveillance. The report also recommended actions to be taken by the European Parliament during its September 2001 session in Strasbourg. These included provisions for the United States to (1) negotiate and sign an agreement with the European Union requiring both parties to "observe, vis-à-vis the other, the provisions governing the protection of the privacy of citizens and the confidentiality of business communications applicable to its own citizens and firms;" (2) sign the International Covenant on Civil and Political Rights so complaints by individuals could be submitted to the Human Rights Committee created by the covenant; (3) negotiate with Member States a code of conduct akin to that of the European Union; and (4) begin a dialog with the European Union on economic intelligence gathering. (On this point the Committee did not find widespread evidence of Echelon being used primarily for economic intelligence gathering.) The Committee also recommended that Germany and the United Kingdom condition further authorization of United States communications interception operations within their territories on United States compliance with the European Convention on Human Rights. No further action on these recommendations has been taken.

Prior to issuing its report, the Temporary Committee traveled to Washington, DC to meet with senior Bush administration government and intelligence officials to discuss Echelon. When they arrived, however, their meetings with these officials at the Departments of State, Commerce and Defense, the CIA and the NSA were cancelled at the last minute. The European Parliament subsequently issued a Resolution protesting this move.[253]

The work of the recent Temporary Committee was based on two earlier reports of the European Parliament. The first, "An Appraisal of the Technologies of Political Control,"[254] was published in 1997 and stated that the NSA had established an integrated communications surveillance capability in Europe. It described Echelon as a communications intelligence sharing sub-system capable of scanning particular communications to detect information of interest. In 1999, the second European Parliament report, "Interception Capabilities 2000," set out the technical specifications of the interception system.[255] The report described the merger of Echelon and the International Law Enforcement Telecommunications Seminar (ILETS), stating that in time the two vast systems - one designed for national security and one for law enforcement - would merge and, in the process, compromise national control over surveillance activities.

These recent events have left observers contemplating two profound conclusions. First, as long as the UK-USA SIGINT partners police and govern their own operations outside of actual effective parliamentary and judicial oversight, there is good reason to believe that SIGINT can be turned against individuals and groups exercising civil and political rights. There is ample evidence that the activities of Greenpeace, Christian Aid, Amnesty International, the International Committee to Ban Landmines, the Tibetan government-in-exile, various anti-globalization movements like the Independent Media Center, and the International Committee of the Red Cross have been targeted by UKUSA agencies. Second, there is an increasing blurring between the activities of intelligence agencies and law enforcement. The creation of a seamless international intelligence and law enforcement surveillance system has resulted in the potential for a huge international network that may, in practice, negate current rules and regulations prohibiting domestic communications surveillance by national intelligence agencies.

Audio Bugging

Advances in technology are also making it easier and cheaper to conduct covert audio surveillance. Bugs come in many shapes and sizes. They range from micro-engineered transmitters the size of an office staple, to devices no bigger than a cigarette packet that are capable of transmitting video and sound signals for miles. Many of the bugs are cleverly camouflaged. They are hidden in everything from umbrella stands to light shades. Sometimes, the infiltrator will hide them in a business or sports trophy where they will stay indefinitely. The latest bugs remain active with their own power supply for around ten years.

Laws restricting the use of covert audio devices vary widely across the world. Many countries have provisions in their general wiretap laws that also cover the use of bugs. The European Court of Human Rights has ruled several times that all signatories of the Convention must enact laws governing their use. While it is illegal in most circumstances in the United States to use or sell such devices, the British market had no restrictions whatever until recently. As one private investigator told the London Daily Telegraph, "It's a game anyone can play." Millions of bugs are sold every year in Asian countries such as Hong Kong and Japan.

The devices are used for a variety of reasons. In many Asian countries, use of the devices for industrial espionage is widespread. They are also frequently used in the workplace or in homes. Law enforcement and intelligence agencies also use the devices but according to government records in the United States, Canada and other countries, they are used much less frequently than traditional wiretaps for law enforcement purposes.

Video Surveillance

Surveillance cameras (also called Closed-Circuit Television or CCTV[256]) are increasingly being used to monitor public and private spaces throughout the world. The leader is the United Kingdom, where between 150 and 300 million pounds per year is spent on expanding a surveillance industry that has an estimated 1.5 million cameras watching public spaces.[257] Many central business districts in Britain are now covered by surveillance camera systems involving a linked system of cameras with full pan, tilt, zoom and night vision or infrared capability. CCTV systems are also in wide use in several other European countries where they are closely regulated. Surveillance of public spaces has grown markedly in the United States and Australia. In New York City, the NYCLU Surveillance Camera Project identified 2,397 cameras in Manhattan.[258] The Mayor of Washington, DC has proposed a "London style" blanket surveillance of public areas to cover the several public protests that take place in the capital.[259] In Singapore, cameras are widely deployed for traffic enforcement and to prevent littering. Several governments are now considering using surveillance systems as an anti-terrorism tool. Some observers believe the surveillance camera phenomenon is dramatically changing the nature of cities. The technology has been described as the "fifth utility," where CCTV is being integrated into the urban environment in much the same way as the electricity supply and the telephone network in the first half of the century.[260]

Governments and law enforcement authorities have used video surveillance in various circumstances ranging from the prevention of crimes, the safety of urban environments and government buildings, traffic control,[261] the monitoring of demonstrators,[262] and in the context of criminal investigations. In the United States, several cities have started implementing sophisticated systems of surveillance. In Washington, DC, surveillance cameras have been placed on national monuments, such as the Lincoln Memorial. New York, Tampa, Virginia Beach,[263] and Chicago have also started installing cameras. In the United Kingdom, the government and police authorities have covered the country with more than 1.5 million cameras, some of them being used to check the license plates of cars entering cities, and even the faces of drivers,[264] making CCTV the single most heavily funded non-criminal justice crime prevention measure.[265]

In Europe, because the very encompassing data protection legal framework of the European Union Data Protection Directive applies to video surveillance records, privacy authorities have started drawing up guidelines aimed at applying the Directive's data protection principles to the field of video surveillance. The European Commission, in a recent consultation aimed at evaluating how the Directive had been implemented in practice as regards the processing of sound and image data, concluded that no change was required to the current rules for it to be applicable to the processing of personal data in the context of video surveillance, although more practical guidance was definitely needed.[266] In July 2000, the United Kingdom Data Protection Commissioner issued a code of practice on the use of CCTV. The code sets out guidelines for the operators of CCTV systems and makes clear their obligations under the recently implemented Data Protection Act 1998.[267] Also in 2000, the Greek Data Protection Commissioner issued a directive prohibiting the use of CCTV, except in certain circumstances.[268] In Sweden, the 1998 Law on Secret Camera Surveillance restricts the use of video surveillance. Norway's Personal Data Registers Act of 2000 also provides specific rules for video surveillance. In Canada, various provinces' privacy commissioners have established video surveillance guidelines, while Canada's Privacy Commissioner was very active in limiting surveillance cameras[269] by, e.g., launching a lawsuit against the Royal Canadian Mounted Police, calling their use of the system an unconstitutional breach of privacy.[270] The District of Columbia City Council and the United States Congress, after conducting several hearings,[271] urged the Metropolitan Police Department to draw up detailed guidelines governing the use of its video surveillance system.
The District of Columbia City Council is currently considering regulations that will subject video surveillance to the same restrictions that are imposed on electronic surveillance, including requiring judicial and public oversight over the system's operation.[272] In the United States, video surveillance is not regulated by federal legislation although some States have adopted statutes prohibiting the use of video surveillance for peeping purposes, while a few police departments have established video surveillance guidelines.[273]

As surveillance systems appear poised to become a part of the urban landscape, scholars, data protection commissioners, legislators, and the public are beginning to grapple with the implications and purposes of this new technology, and to ask questions about its assumed effectiveness.[274]

The camera system is allegedly designed to serve as a deterrent to crime and for evidence gathering purposes. Generally these systems have been rolled out with little prior research into the effectiveness or appropriateness of the technology, as in most cases the deployment is driven by a public relations need to create the impression of heightened security.[275] The evidence supporting the effectiveness of the camera system has been inconclusive. The most important and comprehensive research to date is the United Kingdom Home Office meta-study that has systematically reviewed the best studies done in the past that have analyzed the effectiveness of CCTV systems.[276] Other studies, released earlier, found that in many areas with CCTV crime increased and that street lighting was a more effective deterrent.[277] In March 2002, a report issued by researchers at the University of Hull in the United Kingdom found that cameras do not have a major impact on most criminal activity, and even where they appear to have an effect it is because that crime is often just displaced elsewhere.[278] Recent studies conducted by the Scottish Center for Criminology have yielded similar results.[279] Questions are now surfacing about the use of cameras in Australia.[280] The United States General Accounting Office recently released a report on the use of CCTV by law enforcement in Washington, DC, evaluating how law enforcement agencies[281] have responded to civil liberties risks flowing from CCTV surveillance systems.[282]

Campaigns have begun in several countries to stop the spread of surveillance camera systems,[283] and to monitor the deployment of cameras in several cities.[284] In Washington, DC, EPIC has launched Observing Surveillance[285] to document the presence of surveillance cameras in the nation's capital. For the past four years, an international coalition composed of artists, scientists, engineers, scholars, and others has declared December 24 to be "World Sousveillance" day, and has staged several public protests to draw attention to the use of surveillance cameras.[286]

The debate over the appropriateness of surveillance technology is likely to become sharper as the technology becomes increasingly sophisticated. New systems can digitally record images, which facilitate easy archiving, recovery, and sharing of information. Features include night vision, computer-assisted operation, and motion detection facilities that help improve the operator's attentiveness by sounding an alert if suspicious activity is taking place.[287] The clarity of the pictures is usually excellent, with many systems being able to read a newspaper at a hundred meters. Technology is also being developed to spot patterns in the surveillance data such as recognizing faces, analyzing crowd behavior, and scanning the intimate area between skin surface and clothes using "passive millimeter wave technology" to search for contraband or weapons.[288] Research into these technologies is receiving significant government funding for crime fighting and anti-terrorism purposes.[289]

Tremendous progress in video surveillance technologies has led to the miniaturization of cameras and enabled wireless connectivity and access through the Internet. These developments, together with the fact that more and more people use them in a private setting and for private purposes, either to protect their property (security cameras), look after their children and nannies ("nanny cams"),[290] or send pictures to each other by mobile phone,[291] raise several questions as to the extent to which people are ready to be observed everywhere they go in public places, or even in private areas.

Video surveillance is also being increasingly used by private actors for law enforcement type purposes: to monitor their properties, business and commercial areas;[292] to watch for thieves and pickpockets in shopping malls[293] and casinos;[294] to keep an eye on private gated communities and passengers in aircraft;[295] or to detect drug dealing activities at schools.[296] In countries where there are no rules regulating video surveillance, it is relevant to question whether those private actors' monitoring activities should be limited, or at least be subject to the same constraints as government agents are.

Face Recognition

Face recognition technology utilizes computerized pattern matching technology to automatically identify people's faces. While it is still very much in its infancy, it raises significant public policy questions because it enables the covert identification and classification of people in public. The borough of Newham in the United Kingdom first deployed a face recognition system to scan faces against a database to identify people "of interest." The Reykjavik airport in Iceland was among the first airports to use the technology. In the United States, this same kind of face recognition technology was used at the 2001 Super Bowl in Tampa, Florida to compare the faces of attendees to faces in a database of mug shots. There was widespread public outcry, prompting some to call the event the "Snooper Bowl."[297]

Face recognition technology is still not reliable. For instance, it was not accurate enough for use in the Salt Lake Winter Olympic games where the security chief said that "it's just not proven technology yet."[298] Studies sponsored by the United States Defense Department have also shown the system is right only fifty-four percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors.[299] Tests on the face recognition systems in operation at Palm Beach Airport in Florida,[300] and Boston Logan Airport have also shown the technology to be ineffective and error-ridden.[301]

As the power and capabilities of surveillance technology increase while the cost and size of systems decrease, there will be further incentives to use the technology. Critics see this trend as a reason to develop appropriate regulations to safeguard privacy and to prevent the misuse of the technology.[302]

Satellite Surveillance

Developments in satellite surveillance (also called "remote sensing") are also occurring at a fast pace, and embrace features similar to those of more conventional visual surveillance. Satellite resolution has constantly improved over the past decade. Since the end of the Cold War, companies such as EarthWatch, Motorola and Boeing have invested billions of dollars to create satellites capable of mapping the most minute detail on the face of the earth.

A commercial satellite capable of recognizing objects the size of a student's desk was launched from the United States in September 1999 and began releasing images in October 2000.[303] The Ikonos is the most powerful commercial imaging satellite ever built. Its parabolic lens can recognize objects as small as one meter anywhere on earth and, according to the company, viewers can see individual trees, automobiles, road networks, and houses. The satellite, owned by Denver company Space Imaging, will be the first of a new generation of high resolution satellites using technology formerly restricted to government security agencies. Another ten companies have received licenses to launch equally powerful satellites and several are expected to launch shortly.

The technology is already being used for a vast range of purposes from media reporting of war and natural disasters, to detecting unlicensed building work and even illegal swimming pools. Public interest groups are using the information to show images of nuclear testing by countries and even images of secret United States bases such as Area 51 in Nevada.[304]

While industry looks for the opportunity to exploit current spy satellite technology, a great deal of effort is being made to integrate the existing images with ground-based Geographic Information System (GIS) databases that can provide detailed data on human activity. Double clicking on a satellite image of an urban area can reveal precise details of the occupants of a target house. The "Open Skies" policy accepted worldwide means that there are few restrictions on the use of the technology.[305]

But the companies have a distance to go before they catch up with governments. It is estimated that the current generation of secret spy satellites such as the Ikon/Keyhole-12 can recognize objects as small as 10cm across and some analysts say that it can image a license plate.[306] Boeing recently landed a 10-year contract from the United States Government for a Future Imagery Architecture (FIA) to replace the KH satellites and the ground infrastructure.[307] The FIA is based on a constellation of new satellites that are smaller, less expensive, and placed in orbit to allow for real-time surveillance of battlefields and other targets.

Electronic Commerce

Surveillance by law enforcement is not the only online privacy risk. The growth of the Internet and electronic commerce has dramatically increased the amount of personal information that is collected about individuals by corporations. As consumers engage in routine online transactions, they leave behind a trail of personal details, often without any idea that they are doing so. Much of this information is routinely captured in computer logs.

Most on-line companies keep track of users' purchases. This information ranges from the trivial to the most sensitive and, unless adequately protected, can be used for purposes that seriously harm the interests of the consumer. Other companies gather personal information from visitors by offering personalized services such as news searches, free e-mail and stock portfolios. They then sell, trade, or share that information among third party companies without the consumer's expressed knowledge or consent. The perceived value of this kind of information is behind the stock-market valuations of many dotcom companies.

Spam

Many on-line companies, for example, provide lists of their customers' e-mail addresses to companies that specialize in sending unsolicited commercial e-mail (spam). Other companies mine e-mail addresses from sources such as messages posted on mailing lists, newsgroups, or domain name registration data. In one test by the US Federal Trade Commission, an e-mail address posted in a chat room began receiving spam within eight minutes of submitting a post.[308] Mining or harvesting e-mail addresses produces a barrage of online advertisements. Studies show that consumers resent spam both for the time it takes to process and for the loss of privacy resulting from their e-mail address circulating freely on countless directories.[309] Furthermore, spam can result in significant economic loss to the consumer. A 2001 report by the European Commission found that "Internet subscribers worldwide are paying an estimated EUR10 billion (~USD9 billion) a year in connection costs to receive junk e-mails."[310] The European Union's Privacy and Electronic Communications Directive prohibits unsolicited commercial marketing by e-mail without "opt-in" consent.[311] In Japan two new anti-spam laws were passed in 2002. The laws allow users of the Internet and text-enabled mobile phones to opt-out of spammers' contact lists, and require that all unsolicited commercial e-mail be clearly identified.[312]

Profiling

Many companies, including Internet Service Providers, search engine firms, and web-based businesses, monitor users as they travel across the Internet, collecting information on what sites they visit, the time and length of these visits, search terms they enter, purchases they make, or even "click-through" responses to banner ads. In the off-line world this would be comparable to, for example, having someone follow you through a shopping mall, scanning each page of every magazine you browse through, every pair of shoes that you looked at and every menu entry you read at the restaurant. When collected and combined with other data such as demographic or "psychographic" data, these diffuse pieces of information create highly detailed profiles of net users. These profiles have become a major currency in electronic commerce where they are used by advertisers and marketers to predict a user's preferences, interests, needs and possible future purchases. Most of these profiles are currently stored in anonymous form. However, there is a distinct likelihood that they will soon be linked with information, such as names and addresses, gathered from other sources, making them personally identifiable.

The most pervasive tracking technology is the cookie. The cookie is a small file containing an ID number that is placed on a user's hard drive by a website. Cookies were developed to improve websites' ability to track users over a session. The cookie can also notify the site that the user has returned and can allow the site to track the user's activities across many different visits. The use of cookies expanded greatly when it was realized that a single cookie could be used across many different sites. This led to the development of advertising network companies that can track users across thousands of sites. The largest ad service, DoubleClick, has agreements with over 11,000 websites and maintains cookies on 100 million users; each linking to hundreds of pieces of information about the user's browsing habits. It is possible to configure the common browsers to reject or send a warning notice before cookies are set. This does not provide much protection, however, as websites will often refuse access to users who do not accept cookies or send out so many repeated attempts that the user accepts the cookie in order to get uninterrupted access.

A more secretive manner of monitoring online users takes place through the use of web bugs. Web bugs are invisible graphics that are placed on Web sites or in e-mails in order to track visitors to that Web site or the recipients of e-mails (often spam). A Web bug on a Web site collects information such as the IP address of the visiting computer, the browser being used, the time of the 'hit', and also a previously set cookie value. In an e-mail a Web bug is used to discover if and when the e-mail message was read, how many times it was forwarded, and the IP address of the recipient. A marketing e-mail directing users to Web sites can also be used to link the e-mail addresses of those that later visit the site to their cookie data. Web bugs can also be used in newsgroup messages to track readers.[313]
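As an added illustration that is not part of the original report, the Python sketch below shows how a mail client or privacy filter could flag likely web bugs in an HTML message before any image is fetched. The `find_web_bugs` helper, the sample message and its host names are constructed for this example, and treating a remote image that is 1x1 or hidden as a web bug is an assumed heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl


def _pixels(value):
    """Parse an HTML width/height attribute such as '1' or '1px'."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _style_pixels(style, prop):
    """Read a pixel size from a whitespace-free, lowercased style string."""
    m = re.search(r"(?:^|;)" + prop + r":(\d+)(?:px)?(?=;|$|!)", style)
    return int(m.group(1)) if m else None


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def find_web_bugs(html, first_party_host):
    """Return remote images that are invisible to the reader (assumed heuristic).

    first_party_host is the site or sender the reader knowingly deals with;
    anything served from elsewhere is reported as third party.
    """
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    first_party = first_party_host.lower()
    findings = []
    for img in collector.images:
        url = urlsplit(img.get("src", "").strip())
        # Only remote fetches reveal the reader's IP address and read time;
        # embedded parts (cid:) and data: URIs never leave the machine.
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        style = re.sub(r"\s+", "", img.get("style", "")).lower()
        width = _pixels(img.get("width"))
        height = _pixels(img.get("height"))
        if width is None:
            width = _style_pixels(style, "width")
        if height is None:
            height = _style_pixels(style, "height")
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if not reasons:
            continue  # a visible image, not a web bug under this heuristic
        host = url.hostname
        findings.append({
            "host": host,
            "reasons": reasons,
            "third_party": not (host == first_party
                                or host.endswith("." + first_party)),
            # Query parameters are where per-recipient identifiers travel.
            "query_keys": [k for k, _ in parse_qsl(url.query,
                                                   keep_blank_values=True)],
        })
    return findings


# Constructed sample message: one visible banner, two web bugs, one inline part.
SAMPLE_HTML = """
<html><body>
<p>Spring sale!</p>
<img src="https://shop.example/img/banner.png" width="600" height="120">
<img src="https://track.adnet.example/o.gif?uid=8f3a&amp;msg=42" width="1" height="1">
<img src="https://stats.adnet.example/p?e=reader%40mail.example" style="display: none">
<img src="cid:logo123" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, "shop.example"):
        print(hit)
```

A client that blocks remote images by default defeats all of these at once; the scan is useful for reporting which senders embed them.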

In the offline world, profiling has been thriving for decades.[314] Profiling companies build personally identifiable databases based on a plethora of sources including supermarket purchases, product warranty cards, public records, census records, magazine and catalog subscriptions, and surveys. This is done in the absence of legislation that would prevent dossier building. Companies also "enhance" dossiers that they already own by combining or "overlaying" information from other databases. For instance, a business may request a name and phone number directly from the customer, and then use this information to purchase other personal details. These dossiers may link individuals' identities to any number of facts deemed private by advanced societies including medical conditions, physical characteristics, and lifestyle preferences.

The line between online and offline profiling has become more and more blurred. In 1999, DoubleClick announced that it was buying Abacus, owner of the largest direct marketing lists in the country, with information on the purchasing habits of 90 percent of all United States households, and that DoubleClick was going to merge information from the purchasing databases with information from online browsing. Following a public outcry, the company suspended its plan to merge personal data with profiles. However, in July 2000 the Federal Trade Commission reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only "opt-out" consent.[315]

Another important player in this move towards complete identification of Internet users is the Microsoft Corporation. In 2001 Microsoft began aggressively promoting the Passport and Hailstorm services in preparation for the launch of Microsoft XP, the newest version of the Windows operating system. Passport is an online identification and authentication system, which employs a single sign-on system to facilitate e-commerce and browsing among different web sites that require users to identify themselves. Once a user signs on to Passport, other affiliated sites visited by the user receive information about the user. Passport stores user information in a central database. The Passport service is intended to give Microsoft and Passport affiliates the ability to send unsolicited commercial e-mail to Internet users and to profile their activities. To register for Passport, a user must submit an e-mail address. Users can also submit their real name, city/locale, gender, age, occupation, marital status, personal statement, hobbies and interests, favorite quote, favorite things, a personal photo, and a home page. Hailstorm was a group of services[316] that Microsoft intended to provide from central servers. In theory it would have collected an extraordinary range of consumer information. Privacy and consumer groups in the United States filed a series of complaints against Passport and Hailstorm with the Federal Trade Commission in 2001, detailing the risks to privacy and security in these systems. In July 2002, European Union (EU) officials confirmed publicly that they were pursuing an investigation into Passport for breach of European privacy laws.[317] In January 2003, the EU Working Party on Data Protection - Article 29 issued an opinion requiring substantial changes to Microsoft Passport.[318] Among other things, the opinion requires Microsoft to allow users to restrict the use and sharing of information for commercial and marketing purposes.

A competitor to Microsoft's Passport, Project Liberty, is being developed by a coalition of companies.[319] This identification system is similar to Microsoft's single sign-on; however, it allows users to choose which companies will receive personal information.[320]

Attempts at developing more permanent methods of identifying users have been underway for years. In 1999, Intel announced that it was including a serial number in each new Pentium III chip that could be accessed by websites and internal corporate networks. Most of the manufacturers suppressed the number after a consumer boycott was announced, and Intel announced in 2000 that it was dropping the serial number in future chips. Microsoft and RealAudio were discovered using the internal networking number found in most computers as another identifier for online users. Microsoft's Windows Media Player contains a globally-unique identifier (GUID) that can be tracked by website operators. The Internet Engineering Task Force has developed specifications for the next version of the Internet's underlying protocols called IPv6 that will assign a unique permanent identification number to every device hooked into the net, which could one day include refrigerators and Video Cassette Recorders. Finally, the Media Access Control addresses embedded in many network cards are unique and can be used to identify many computers.
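The IPv6 and Media Access Control identifiers meet in one concrete place: when an IPv6 address is autoconfigured in the modified EUI-64 form, its low 64 bits are derived from the network card's MAC address. The following audit is an added example, not part of the report; the addresses, the MAC and the function names are constructed. It recovers the MAC from such an address and shows that it stays the same as the device moves between networks.

```python
import ipaddress

# Constructed sample: the same laptop seen on two networks with autoconfigured
# addresses, plus one address whose interface identifier is random.
# 2001:db8::/32 is the IPv6 documentation prefix.
SAMPLE_ADDRESSES = [
    "2001:db8:a::200:5eff:fe00:53a1",
    "2001:db8:b::200:5eff:fe00:53a1",
    "2001:db8:c::5c1d:9e0a:77b2:4f10",
]


def embedded_mac(address):
    """Return the MAC address recoverable from an IPv6 address, or None.

    In the modified EUI-64 form the low 64 bits are the 48-bit MAC with
    ff:fe inserted in the middle and the universal/local bit inverted.
    A random identifier matches this pattern by chance about once in 65,536.
    """
    ip = ipaddress.IPv6Address(address.split("%")[0])  # drop any zone id
    iid = ip.packed[8:]                                # interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def track_across_networks(addresses):
    """Group /64 networks by the hardware identifier their addresses expose."""
    sightings = {}
    for address in addresses:
        mac = embedded_mac(address)
        if mac is None:
            continue  # nothing stable to correlate on
        network = ipaddress.IPv6Interface(address.split("%")[0] + "/64").network
        sightings.setdefault(mac, []).append(str(network))
    return sightings


if __name__ == "__main__":
    for mac, networks in track_across_networks(SAMPLE_ADDRESSES).items():
        print(mac, "seen on", networks)
```

Addresses for which `embedded_mac` returns None carry an interface identifier that is not derived from the MAC, as with the randomised temporary addresses of RFC 3041.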

Security Breaches

The privacy of online consumers can also be seriously compromised by security breaches. Many web sites are poorly secured against both physical and electronic attacks.[321] In December 2002, thieves stole hard drives containing the unencrypted personal information of over 500,000 United States servicemen from the Triwest Corporation.[322] In March 2000, following a security breach, De Beers lost 35,000 names, addresses, phone numbers and e-mail addresses of people inquiring about buying diamonds. In April 2000, it was revealed that an unknown Microsoft engineer had included a backdoor into its web server software. If someone typed, "Netscape engineers are weenies!" backwards, they would have access to the websites and associated data. In August 2000, Kaiser Permanente, a top United States health insurer, admitted that it had compromised the confidentiality and privacy of its members when it sent over 800 e-mail messages, many containing sensitive information, to the wrong members.[323] Similarly in July 2001, Eli Lilly, the makers of the anti-depressant drug Prozac, revealed the names and e-mail addresses of over 700 patients that subscribed to the company's e-mail service for information on the drug and other issues.[324]

Information Brokers and Seal Programs

Many companies offer what are known as "information brokering" services, whereby users provide information to the company, which then provides it to a third-party website with the consent of the user. These sites raise a question of trust. Given that many of them are run by the same Internet companies that are also major privacy invaders, the user must wonder why they should volunteer information to these companies.

A common practice among online companies is to sign on to a "seal" program in order to provide consumers with a sense of security that their personal information is being protected. These programs follow the traditional seal programs in laying down certain eligibility standards which participant companies must respect in order to get a compliance seal. The better seal programs conduct monitoring and compliance checks, provide educational information, offer consumer dispute resolution, and enforce sanctions against errant companies. There are many disadvantages of seal programs operating within a self-regulatory system. All too often, seal program operators have been shown to be ineffective and reluctant to take enforcement measures against their members including companies such as Microsoft.[325] A 1999 Forrester research report found that, "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry - rather than for consumers."[326]

Enhancing Technologies

There are tools available that can be used to protect the privacy of users in many cases. These technologies are known as "Privacy Enhancing Technologies" (PET) and are aimed at eliminating or minimizing the collection of personally identifiable information. Encryption is an important tool for protection against certain forms of communications surveillance. When properly implemented, a message is scrambled (i.e., encrypted) so that only the intended recipient will be able to unscramble (i.e., decrypt), and subsequently read, the contents. Pretty Good Privacy (PGP) is the best-known encryption program and has hundreds of thousands of users. An alternative is the open source program called GNU Privacy Guard (GPG) that allows anyone to view the full source of the system to ensure that it does not allow for secret surveillance.[327] Cryptographic modules are also implemented in applications; for example web browsers, in order to maintain some confidentiality in electronic commerce transactions, include Secure Sockets Layer (SSL) to encrypt sessions between users and servers.

It is important to note that encryption of content alone does not prevent the disclosure of traffic data; that is, it is still clear that person A is e-mailing person B, or that person A is visiting web site W. Other applications are available to maintain the privacy of these transactions. "Anonymous remailers" strip identifying information from e-mails and can deter traffic analysis.[328] Services such as Anonymizer provide anonymous websurfing, anonymous e-mail messaging, banner ad and pop-up blocking, and automated deletion of cookies and web bugs after Internet sessions.[329]

There have been significant setbacks in the effort to develop commercially viable privacy enhancing techniques. In October 2001, Zero Knowledge Systems ceased to operate the Freedom Network, which used to provide a fully encrypted and pseudonymous link between the user and secure servers, and replaced it with a simpler proxy-based service. In February 2002, several flaws were discovered in SafeWeb, an anonymous-surfing technology originally funded by the Central Intelligence Agency. [330] In March 2002, Network Associates, the company that provided the commercial version of PGP, discontinued support for the application. [331] The international (free) version continues to be available from PGP International.[332]

At the same time, human rights groups and even large corporations explored new techniques to protect online privacy. The Canadian-based Privaterra worked with NGOs to encourage the use of strong encryption techniques and other methods for online privacy.[333] Hacktivism efforts continued with new efforts to empower dissident political organizations operating over the Internet. In July 2002, the international hacker group, Hacktivismo,[334] announced a new free service called "Camera Shy" to allow users to conceal messages in ordinary image files on the Internet. The browser-based steganography[335] application automatically scans and decrypts content straight from the Internet and leaves no traces on the user's system.[336] The same group released a developer version of a free secure and anonymous web tool called "Six/Four" in February 2003. The global giant American Express is offering a system known as "Private Payments" to enable more private online commerce.[337] Under this system a limited life transaction number, instead of the cardholder's credit card number, is used to make online purchases. [338]

It is important to distinguish between genuine privacy enhancing techniques and data security technologies that seek to render processing safe but not to reduce the disclosure and processing of identifiable data.[339] Moreover, there are many products offered by industry that are not privacy protective. Many of these systems, such as Microsoft's Passport and the World Wide Web Consortium's Platform for Privacy Preferences (P3P), are designed to facilitate data sharing rather than to limit disclosure of personal information.[340]

Electronic Numbering

Electronic Numbering (ENUM) is an Internet infrastructure that will allow a single number to reference contact or other information in a public database.[341] Individuals or businesses holding an ENUM account will be able to store information, including phone numbers, e-mail addresses, voicemail numbers, fax numbers, or any other type of data in the ENUM database. Persons wishing to contact the entity would use the ENUM to query a public database for the stored information.

ENUM raises a host of privacy issues that are yet to be resolved. Most importantly, because of the different ways in which ENUM can provide means to contact a person, ENUM has the potential to become a Globally Unique Identifier (GUID). At a more fundamental level, issues of notice and individual participation have yet to be resolved. Since the ENUM database is public, one can assume that it will be mined for commercial and government surveillance purposes. This may lead to an unprecedented amount of spam, as a single ENUM can reveal multiple methods of contacting a person.

Radio-Frequency Identification (RFID)

Radio Frequency Identification (RFID) is a type of automatic identification system which enables data to be transmitted by portable tags to readers that process the data according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, or date of purchase. RFID may also be used to identify documents and currency. RFID may even be deployed to identify individuals.

While barcodes have historically been the primary means of tracking products, RFID systems are rapidly becoming the preferred technology for keeping tabs on people, pets, products, and even vehicles. One reason for this is that the read/write capability of an active RFID system enables the use of interactive applications. Also, the tags can be read from a distance and through a variety of substances such as snow, fog, ice, or paint, where barcodes have proved useless.[342] RFID systems enable tagged objects to speak to electronic readers over the course of a product's lifetime, from production to disposal, providing retailers with an unblinking, voyeuristic view of consumer attitudes and purchase behavior.[343]

The debate over RFID technology touches upon many controversial policy issues. At its most fundamental, widespread use of RFID tags could enable corporations to track every move consumers make. Corporations which compile the data transmitted by the tags could determine which products a consumer purchases, how often products are used, and even where the product - and by extension the consumer - travels. By aggregating data to form consumer profiles, corporations could make inferential assumptions about a consumer's income, health, lifestyle, buying habits, and travels. This information could be sold to governments to create dossiers of individual citizens, or simply sold to other corporations for marketing purposes. While the ability of RFID readers to collect data from tags once a consumer has left a store or moved beyond the readers' range is currently limited, many consumer groups and privacy advocates note that RFID technology is quickly advancing, while measures to protect individual privacy by limiting the amount and type of information corporations can collect about consumers are lacking.

Opponents of RFID tags have proposed measures to side-step the chips' relentless information-gathering, ranging from disabling the tags by crushing or puncturing them, to boycotting the products of companies which use or plan to implement RFID technology, to carrying blocker tags that impair readers by simulating the signals of many different RFID tags.

Currently, RFID tags are not widely used in consumer products because the tags are still prohibitively expensive.[344] However, developments in RFID technology are yielding systems with larger memory capacities, wider reading ranges, and faster processing.[345] Over the next few years, industry experts expect to see a broad range of RFID pilots, and even several fully integrated systems, launched. Recently, Microsoft Corporation announced that it would develop software that will enable retailers, manufacturers, and distributors to use RFID tags to track goods within stores and factories, as well as programs specifically designed to use the new retail tagging technology.[346]

Many organizations have considered implementing RFID technology. Gillette and Wal-Mart had teamed up to test specially designed shelves that would allow for real-time tracking of inventory levels.[347] The "smart shelves" would read radio frequency waves emitted by microchips embedded in millions of shavers and other products.[348] But, perhaps in a nod to public opposition to the devices, Wal-Mart recently announced that it would limit the use of RFID tags to warehouses and distribution centers.[349] In a similar fashion, Italian clothier Benetton announced that it would implant RFID tags in the apparel products it retails, only to cancel its plans in the wake of public opposition to the move.[350] However, New Hanover County Public Library in North Carolina recently installed a self-checkout workstation and a self-return book drop powered by VTLS, Inc., the international market leader in technology for library automation.[351] Three more libraries have made commitments with that same company for installing RFID technology.

Tire manufacturer Michelin recently began fleet testing of a radio frequency tire identification system for passenger and light truck tires.[352] In addition, the European Central Bank is moving forward with plans to embed RFID tags as thin as a human hair into the fibers of Euro bank notes by 2005, in spite of consumer protests.[353] The tags would allow currency to record information about each transaction in which it is passed.[354] Governments and law enforcement agencies hail the technology as a means of preventing money-laundering, black-market transactions, and even bribery demands for unmarked bills.[355] However, consumers fear that the technology will eliminate the anonymity that cash affords.

While RFID technology has not become widespread in the U.S., corporations in Europe and Asia have moved forward with plans to tag consumer products. The German conglomerate Metro is developing "stores of the future," in which groceries and household items sold in its Extra stores will be equipped with RFID tags.[356] Marks & Spencer, one of the largest retailers in the United Kingdom, is developing a massive project to tag clothing.[357] The project is a follow-up to the company's implementation of RFID tags into 3.5 million produce delivery trays in 2002.[358] In addition, an RFID system was recently unveiled at the Tokyo International Book Fair 2003 that would allow booksellers to track consumers' in-store reading preferences.[359]

Also, Alexandra Hospital in Singapore recently began a new tracking system in its accident and emergency department in the wake of the Severe Acute Respiratory Syndrome (SARS) scare.[360] Under this system, all patients, visitors, and staff entering the hospital are issued a card embedded with an RFID chip, so that if anyone is later diagnosed with SARS, a record of all other individuals with whom that person has been in contact can be immediately determined.[361] Other hospitals in Singapore are expected to adopt similar technology.[362]

Many individuals and non-government organizations have voiced strong opposition to widespread implementation of RFID tags.[363] One organization opposing the use of RFID tags is Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). CASPIAN located a number of internal public relations documents that discuss how RFID developers plan to "neutralize opposition" to the technology.[364] The documents, prepared by the public relations firm Fleishman-Hillard, suggest that: "Political climate and shifting public perception require a proactive plan that...mitigates possible public backlash" to RFID adoption.[365] CASPIAN has proposed federal legislation known as "RFID Right to Know Act of 2003," which calls for mandatory labels on RFID-equipped products so that consumers can identify and make informed choices about purchasing products installed with tracking chips.[366] CASPIAN issued a press release outlining the proposed legislation in June 2003.[367]

Public Records and Privacy, Public-Private Ventures

Increasingly, information is being harvested from public records to create detailed profiles on individuals. Public records may contain many types of personal information that are commercially valuable. These include: Social Security numbers, birth records, arrest information, civil case history, criminal case history, addresses, drivers license information, land sales transactions, records of asset holdings, ownership of corporations, marital status, presence of children, employment status, and health information.

Maintaining accessible public records is important for scholarship, research, journalism, and governmental accountability. However, allowing unrestricted use of public records enables private, commercial, and governmental interests to invade individuals' privacy.[368]

The advent of remote electronic access to public records systems has raised the specter of vastly increased data mining and profiling. Mining a public records database soon will no longer require the time and expense involved in traveling to the physical location of the records. Data miners will be able to remotely access public records systems and use widely available software to harvest personal information. This harvesting of personal information already has had a substantial impact on individuals. In 2002, the Wall Street Journal reported that drug maker Eli Lilly had terminated employees for decade-old convictions discovered in dossiers aggregated from public records.[369]

Unrestricted commercial harvesting of public records has enabled the American government to obtain detailed dossiers on citizens with ease. Through private-public partnerships, several profiling companies make consumer dossiers available to the government. One company in particular, ChoicePoint, has emerged as the leading provider for law enforcement and other government agencies.[370] ChoicePoint maintains web pages customized for individual federal agencies to facilitate the sale of public record information to police.[371] As a result of FOIA requests initiated by EPIC, it was discovered that ChoicePoint was selling the national ID databases of several Latin American countries to the American immigration law enforcement agency.[372] Since that revelation, several Central and South American countries have initiated investigations into the legality of the information transfer.

Digital Rights Management

Several companies have developed Digital Rights Management (DRM) systems to prevent the unauthorized use of digital files.[373] DRM technologies can control file access (number of views, length of views), altering, sharing, copying, printing, and saving. These technologies may be contained within the operating system, program software, or in the actual hardware of a device. Some DRM technology can disable users' machines for unauthorized access to files. InTether Point-to-Point, for instance, imposes "penalties" for those who attempt an "illegal use" of a digital file.[374] Penalties include automatic rebooting of the users' machine, or destruction of the file the user is attempting to access.

These technologies have been developed with little regard for privacy protection. DRM technology usually requires the user to reveal his or her identity and rights to access the file. Upon authentication of identity and rights to the file, the user can access the content.

These systems can prevent anonymous consumption of content, and could be employed to profile users' preferences or to limit access to digital books, music, or programs. DRM technologies may "...enable an unprecedented degree of intrusion into and oversight of individual decisions about what to read, hear and view."[375] For instance, a DRM technology called Copyright Agent quietly scans peer to peer networks to discover whether users possess illegal content. If a copyright violation is found, the program automatically informs the users' Internet Service Provider that his or her service should be severed.[376]

In February 2002, the European Commission Information Society Directorate held a workshop on DRM technologies to examine, among other issues, their effects on privacy.[377] Similar workshops have also been held at the US Department of Commerce Technology Administration[378] and the Berkeley Center for Law and Technology.[379]

In June 2002, Microsoft released information regarding its new "Palladium" initiative, which was renamed in 2003 to "Next-Generation Secure Computing Base."[380] Through software and hardware controls, Palladium would place Microsoft as the gatekeeper of identification and authentication. Additionally, systems embedded in both software and hardware would control access to content, thereby creating ubiquitous DRM schemes that can track users and control use of media. Microsoft expects to have elements of the system in place by 2004.

In August 2002, the US Federal Communications Commission issued a notice of proposed rulemaking to consider whether digital television signals should incorporate a Digital Broadcast Flag. Such a flag would mark digital content as "protected" and direct devices to limit individuals' use of the content. EPIC recommended against the adoption of a Digital Television Broadcast Flag mandate unless it incorporates privacy protections for viewer data. The Broadcast Flag could erode anonymity in consumption of media and circumvent well-established public policy that protects viewer data.[381]

In June 2003, Microsoft and America Online agreed to cooperate in the development of digital rights management systems.[382]

Authentication and Identity Disclosure

As the architecture of authentication is developed and established through de jure, de facto, and technical standards, there are significant privacy implications especially where authentication is confused with identification. Authentication is considered essential for security, and it has a role to play in safeguarding privacy. It involves the verification of some claim, where the claim could be an attribute (e.g., "I am over the age of twenty-one years"), a set of attributes, or identity. That is, identification is not necessary for authentication; the latter is a much broader notion than the former. Hence, the most important points to understand are that authentication is not equivalent to identification nor does authentication require identification in most cases.

In the best-case scenario, authentication is anonymous. For example, authenticating a transaction by the use of cash does not disclose the user's personally identifiable information.

For cases where anonymity is not possible, individuals could choose to authenticate some attribute or some fact in order to receive a given service. Here, authentication would involve the selective disclosure of some information that allows for the verification of the integrity of a transaction without the disclosure of the user's identity. For example, to authenticate whether a user is permitted to purchase alcohol, it should be sufficient for the user to authenticate that he or she is at least 21 years of age without disclosing his or her identity.

In the worst-case scenario, authentication requires the disclosure of the user's actual identity and is implemented in such a way that every transaction an individual enters, whether surfing the web, sending e-mail, accessing government services, and purchasing on-line, can be traced, tracked, audited, and compiled to an unprecedented degree.

Consequently, the key issues are what exactly is disclosed when authentication occurs, whether this involves the disclosure of personally identifiable information, and whether this is necessary and proportionate with respect to the nature of the transaction.

Defining Identity Disclosure

Policy processes often predetermine the form of authentication being considered in the very definition of the terms. Many of these processes, however, began in the midst of the cryptography policy debate in the 1990s, and carry much of the baggage from that era, such as the reliance on Trusted Third Parties[383] and X.509 identity certificates with limited signing capabilities.[384]

In the past, authentication has been inappropriately and incorrectly equated with identity. For example, the International Standard Organization (ISO)[385] defines authentication as "the provision of assurance of the claimed identity of an entity." Industry Canada's definition, found in a 2000 consultation document on an authentication framework, is "proof that users are who they claim to be (or that computer devices, software, etc. are what they purport to be)."[386] Digital signature statutes around the world have been developed to allow for digital signatures to be used to sign legal documents (and extended logically to sales transactions, or signing documents and messages); embedded within these statutes again is identity-centrism, which is not necessarily a requirement of analogue-world signatures.

Likewise, at the commercial level, identity disclosure is supported by the terminology. Consider the following statement from a senior vice president of the Information Technology Association of America:[387]

When people are online, they want to know with whom they are dealing. They want to know that people are who they say they are, and are going to follow through with commitments made over the Internet and thus supporting identity-disclosure for electronic transactions. Public Key Infrastructure ("PKI") vendors are supporting this view with the use of the X.509 standard of certificates that are bound to an identity by a Certificate Authority.

Even the Internet Engineering Task Force (IETF) defines authentication as being identity-centric; that is, "[t]he process of verifying an identity claimed by or for a system entity."[388] Additionally, the IETF has also been working on PKI standards that bind identities to public keys. Whenever these narrow articulations of digital signatures and certificates are used in access control contexts or for other purposes beyond signing legal documents, the interpretive application of authentication becomes suspect. This poses a serious conflict with privacy principles, most notably informational self-determination, as every time authentication occurs, assured identity is disclosed, either through direct identification or through personally identifiable information.

Inscribing Identity into Policy

At the political level, authentication and identity are mistakenly considered synonymous. The Group of Eight industrialized countries (G8) has been working on the issue of authentication on two fronts. Under the auspices of the Lyon Subgroup on high-technology crime, the G8 has been proposing repeatedly[389] the use of user authentication when on-line, and the use of machine authentication to create traceability in electronic transactions for investigative purposes and to gather evidence. In a separate forum, the G8 developed the Okinawa Charter on Global Information Society[390] where the requirement for authentication was bound with initiatives to resolve the digital divide. As a result, the two forums and the two sets of interests converge around authentication: the ability to support verification of the validity of transactions for the purpose of security, and the ability to identify individuals for surveillance.

Inscribing Identity into Security Infrastructure

A public key infrastructure (PKI) has been heralded as the solution to many security problems. The infrastructure involves individuals with public and private keys which are semantically altered into certificates and signature keys respectively. Trust is developed through this transformation of the public key into a certificate: the owner of the public key registers the key with a central authority (CA) who binds the identity of the individual with the key, creating the certificate. This certificate is then used to verify transactions signed with the private/signature key, and parties in a transaction can therefore ascertain the identity of the individual. The issue then becomes one of scale: if one certificate is issued by government for the use of gaining access to government services (as is often the proposed scheme under the auspices of Information Society projects, including the G8 Charter for example), then this very same certificate, or at least the infrastructure of CAs, may be used for purchases on-line with several service providers, or merely gaining access to information.[391] The fundamental problem is that these certificates unavoidably travel along with each and every action taken, and so transactions relying on the public key bind a trail of information to the identity of the user. These unique identifiers are passed on not only to the intended access provider but (inherently to the PKI mechanism) also to third parties who have no business in knowing the details of the transaction (such as the providers of authorization databases and online certificate status verifiers).
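The contrast between the age-verification case under "Authentication and Identity Disclosure" and the certificate trail described here can be made concrete. The sketch below is an added example, not code from the report or from any PKI product: a toy RSA signature stands in for certificate signing, and the issuer key, service names, subject and claim fields are all constructed. It shows what three services log when shown one identity certificate, versus single-use tokens that assert only the attribute.

```python
import hashlib
import json
import secrets

# Toy RSA issuer key built from two known Mersenne primes. Assumption for this
# example only: unpadded and far too small for real use.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))
YEAR = 2003  # constructed "current year" for the age check


def _digest(claims):
    blob = json.dumps(claims, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def issue(claims):
    """Issuer (the CA in the passage) binds a set of claims to its signature."""
    return {"claims": claims, "sig": pow(_digest(claims), _D, N)}


def verify(credential):
    """Anyone holding the issuer's public key (N, E) can check a credential."""
    return pow(credential["sig"], E, N) == _digest(credential["claims"])


def over_21(claims):
    """The relying party's policy: accept either form of proof of age."""
    if claims.get("age_over_21") is True:
        return True
    return "birth_year" in claims and YEAR - claims["birth_year"] >= 21


class RelyingParty:
    """A service that checks age and logs whatever it was shown."""

    def __init__(self, name):
        self.name = name
        self.log = []

    def admit(self, credential):
        if not (verify(credential) and over_21(credential["claims"])):
            return False
        self.log.append(credential["claims"])
        return True


def linkable_trail(parties):
    """Claim sets presented at more than one party: the joinable trail."""
    seen = {}
    for party in parties:
        for claims in party.log:
            key = json.dumps(claims, sort_keys=True)
            seen.setdefault(key, set()).add(party.name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def demo():
    names = ["wine-shop", "cinema", "pharmacy"]
    # Identity-centric: one certificate naming its subject, shown everywhere.
    cert = issue({"subject": "Alice Example", "birth_year": 1975, "serial": "0001"})
    id_parties = [RelyingParty(n) for n in names]
    id_ok = all([p.admit(cert) for p in id_parties])
    # Attribute-only: a fresh single-use token per transaction, no subject.
    # Assumption: the issuer keeps no record of which nonce went to whom.
    attr_parties = [RelyingParty(n) for n in names]
    attr_ok = all([
        p.admit(issue({"age_over_21": True, "nonce": secrets.token_hex(8)}))
        for p in attr_parties
    ])
    forged = issue({"age_over_21": False, "nonce": "n/a"})
    forged["claims"]["age_over_21"] = True  # altered after signing
    return {
        "id_ok": id_ok,
        "attr_ok": attr_ok,
        "id_trail": linkable_trail(id_parties),
        "attr_trail": linkable_trail(attr_parties),
        "forged_admitted": RelyingParty("bar").admit(forged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Both credentials pass the same age policy, but only the identity certificate leaves a record that the three services can join on the subject's name.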

Inscribing Identity into Technology

Authentication mechanisms are used within multiple applications varying from toll-machines through to copyright protection mechanisms. The inscription of identity within these technologies is occurring already. Mobile phones have authentication techniques that assure that a specific card is registered to a specific phone which is then registered to a specific individual; with next generation mobile phone applications, these devices will be used for electronic transactions, and geographic-based transactions, which will all be based upon the identity of the individual. There have been proposals to also implement national ID cards into these mobile telephones.

Smartcards are the preferred technology for enabling digital signatures. These cards will be used for credit card transactions, and gaining access to other services such as prescription medicine, tolls for transportation, telephone calling cards, and even age-verification. The privacy risks from smartcards come from their use as secure forms of pointers to database records containing identifiable information about their holder. Smartcards are thus built upon an identity-centric authentication infrastructure. In the future this trend of privacy-invasion may continue on to biometrics, and the prevention of piracy; but so long as identification details are kept on the card, the cards will remain not only a privacy threat, but a security risk as well.[392]

Authentication without Identification

Identification is not authentication, and in most cases authentication does not require identification. However, as a result of political, infrastructural, and technological initiatives on identity-centric authentication, we are faced not only with vastly reduced privacy at all levels of life, but we also face challenges of functionality. The sources of these challenges range from data protection regimes, efficiency of data communications and storage, and resources and costs to issues surrounding revocation and non-repudiation.

From the privacy perspective, the worst-case scenario is that every transaction from purchasing transportation tickets through to accessing information on web sites will be identity-centric. The Microsoft Corporation is attempting to create such an identity-centric system through the promotion of the Microsoft Passport and Hailstorm services platform.[393] Passport is an online identification and authentication system that requires the submission of personal information. Increasingly, Passport membership is becoming a requirement for access to services on the Internet. Microsoft has stated that its "dream" is for every Internet user to have a Passport.[394]

Shifting to a world of perfect-identity may meet the interests of industry and government in ascertaining the identity of whom they are transacting with; however there are rising functionality challenges. These challenges may provide sufficient incentives for government and industry to begin looking for alternative regimes of authentication that are not necessarily identity-centric.

Although the political and commercial emphasis has often been placed upon identity-centric infrastructure where identity disclosure is required, alternative solutions do exist that allow for informational self-determination. That is, a user may select which attribute or claim is to be disclosed in the authentication process while still maintaining the security benefits. Such solutions promote the notion of users having greater control over their own personal data, and minimize the risks to all of the interested actors arising from the above-mentioned functional challenges.[395] Without these alternatives, and without resistance to inescapable identity disclosure, we will be forced to endure the political, commercial, and technical settlement of identity-disclosure for all transactions, resulting in an infrastructure of surveillance that will transform how we view traditional controls such as checkpoints, identity cards, and passport controls.
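The trail that a single certificate leaves across services and status verifiers, described under "Inscribing Identity into Security Infrastructure", can be set beside an authentication scheme that discloses no common identifier. The following Python code is an added example, not part of the original report: the service names, serial numbers and log fields are constructed, and the per-service pseudonym scheme (HMAC challenge-response with a key derived per service) is an assumption chosen for illustration that goes beyond the text, not one of the schemes the report cites.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample logs: three unrelated services that accept the same
# certificate, and the status responder they all query. Values are made up.
CERT_SERIAL = "4F:2A:91:07"
SERVICE_LOGS = {
    "tax-office.example": [{"user_id": CERT_SERIAL, "action": "file tax return"}],
    "pharmacy.example": [{"user_id": CERT_SERIAL, "action": "order prescription"}],
    "bookshop.example": [{"user_id": CERT_SERIAL, "action": "buy book"},
                         {"user_id": "77:00:3C:1D", "action": "buy map"}],
}
STATUS_RESPONDER_LOG = [
    {"serial": CERT_SERIAL, "asked_by": "tax-office.example"},
    {"serial": CERT_SERIAL, "asked_by": "pharmacy.example"},
    {"serial": CERT_SERIAL, "asked_by": "bookshop.example"},
    {"serial": "77:00:3C:1D", "asked_by": "bookshop.example"},
]


def link_profiles(service_logs):
    """Join every service's log on the identifier that service recorded."""
    profiles = defaultdict(list)
    for service, entries in service_logs.items():
        for entry in entries:
            profiles[entry["user_id"]].append((service, entry["action"]))
    return dict(profiles)


def responder_view(responder_log, serial):
    """Services at which a status responder can place one certificate holder."""
    return {row["asked_by"] for row in responder_log if row["serial"] == serial}


def max_services_per_identifier(profiles):
    """Largest number of distinct services tied together by one identifier."""
    return max(len({svc for svc, _ in visits}) for visits in profiles.values())


def site_key(master_secret, service):
    """Per-service key derived on the user's device from one master secret."""
    return hmac.new(master_secret, service.encode(), hashlib.sha256).digest()


def pseudonym(key):
    """Account handle stored by one service; unrelated to handles elsewhere."""
    return hashlib.sha256(b"handle:" + key).hexdigest()[:16]


def answer_challenge(key, challenge):
    """User side: prove possession of the per-service key for a fresh nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Service:
    """Relying party that authenticates a returning account, not a person."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # pseudonym -> key shared at registration
        self.log = []

    def register(self, handle, key):
        self.accounts[handle] = key

    def authenticate(self, handle, challenge, response, action):
        key = self.accounts.get(handle)
        if key is None:
            return False
        if not hmac.compare_digest(answer_challenge(key, challenge), response):
            return False
        self.log.append({"user_id": handle, "action": action})
        return True


def run_pseudonymous_session(master_secret, actions):
    """Repeat the same actions with per-service pseudonyms; return the logs."""
    logs = {}
    for name, action in actions.items():
        service = Service(name)
        key = site_key(master_secret, name)
        service.register(pseudonym(key), key)
        challenge = secrets.token_bytes(16)  # fresh nonce chosen by the service
        response = answer_challenge(key, challenge)
        if not service.authenticate(pseudonym(key), challenge, response, action):
            raise RuntimeError("authentication unexpectedly failed")
        logs[name] = service.log
    return logs


if __name__ == "__main__":
    print("certificate trail:", link_profiles(SERVICE_LOGS)[CERT_SERIAL])
    print("responder learns:", responder_view(STATUS_RESPONDER_LOG, CERT_SERIAL))
    logs = run_pseudonymous_session(secrets.token_bytes(32), {
        "tax-office.example": "file tax return",
        "pharmacy.example": "order prescription",
        "bookshop.example": "buy book"})
    print("pseudonymous trail:", link_profiles(logs))
```

With the shared certificate, one join over the logs reconstructs the holder's activity at all three services, and the status responder sees the same set without being party to any transaction; with per-service pseudonyms each service still recognizes its returning account, but no identifier spans more than one log.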

WHOIS

In March 2003, there were over twenty-eight million domain registrations in the .com, .net, and .org domains, the three largest generic top-level domains for the Internet.[396] These include businesses, individuals, media organizations, non-profit groups, public interest organizations, political, and religious organizations, and support groups. These domain name registrants share their services, ideas, views, activities, and more by way of websites, e-mail, newsgroups, and other Internet media. While some use the Internet to conduct fraud, other domain name registrants have legitimate reasons to conceal their identities and to register domain names anonymously. For example, political, artistic and religious groups around the world rely on the Internet to provide information and express views while avoiding persecution. Concealing actual identity may be critical for political, artistic, and religious expression.[397]

The Internet Corporation for Assigned Names and Numbers (ICANN), a private-sector corporation that coordinates policy for the Internet,[398] has established contractual arrangements with the registries that manage the top-level domains and the registrars that sell the domain names to the registrants. ICANN requires the public disclosure on the Internet of domain name registrants' contact information (such as mailing address), administrative contact information, technical contact information, domain name and servers, and other information.[399] This information is referred to as "WHOIS" data. Its public availability has raised new privacy issues.

The WHOIS database was originally intended to allow network administrators to find and fix problems with minimal hassle to maintain the stability of the Internet. It now exposes domain name registrants' personally identifiable information to many other users for many other purposes.[400] For example, anyone with Internet access, including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual property lawyers, and police agents without legal authority, has access to WHOIS data.[401] WHOIS data lends itself to both good faith and bad faith uses, and investigating fraud is only one of many uses of WHOIS data.[402]

The recently revised ICANN policy for WHOIS requires registrants to provide accurate WHOIS information, or otherwise forgo a domain name.[403] Privacy experts have noted that requiring accurate WHOIS data and then publicly disclosing the data has serious implications for free speech.[404]

The ICANN WHOIS policies conflict with international privacy laws, including the EU Data Protection Directive, which require the establishment of a legal framework to ensure that when personal information is collected it is used only for its intended purpose.[405] Experts have also commented that data protection guidelines are needed for WHOIS.[406]

The President of ICANN has recommended that ICANN develop a program for future work on WHOIS.[407] The newly created WHOIS Steering Committee will study WHOIS issues, and develop recommendations to form Task Forces to carry out the policy development process on the major issues identified.[408] EPIC is serving on the WHOIS Privacy Steering Committee that will work to devise such a program.[409]

While ICANN has considerable authority over the development of WHOIS policies for the general top-level domains, such as .com, .org, and .net, it is unclear whether ICANN will be able to exercise similar control over the country-code top-level domains, such as .uk and .de, which may choose to follow national policies. For example, it appears that country code top-level domains, such as .ca, may adopt policies for WHOIS data that provide more protection than is available under the current ICANN policies.[410]

Spy TV: Interactive Television & "T-Commerce"

The convergence of communications networks, computers and mass media into an interactive network combining television and the Internet is the next progression of the technology currently being developed. Already, the new boxes are replacing the traditional cable TV set-top box with an interactive device that also includes the functions of a limited personal computer and video recorder. At the same time, personal computers are regularly equipped with TV tuner cards to handle advanced video operations.

The designers of these new appliances paint a pleasant picture of the conveniences that will be available with these new systems. They anticipate that viewers will be able to make spur of the moment purchases over their boxes, based on what their favorite star is wearing or on an individually tailored ad that appears between shows. Communities will be formed as people chat live about the plots of their favorite shows or sporting events. Vast libraries of movies and shows will be available for renting on demand by just pressing a button on the remote control. The industry calls this "T-Commerce" for Television Commerce. Millions of users are expected to be using these in just the next few years, and the ad revenue to justify the new expensive boxes is expected to hit USD 5 billion by 2004.

Interactivity has been the dream of the television industry since the invention of the TV. For several decades, there has been a series of expensive tests that have failed because the technology has been crude and expensive.[411] The change that now makes ITV possible is the evolution of the Internet and its underlying protocols and the advancement of digital television. These protocols are now being used to allow for interactive high-speed access to the Internet over existing cable lines. Slowly, intelligent cable TV boxes, which connect to broadband and interactive cable systems, are being deployed.

Several companies have jumped into this new market in the last few years. The largest players are America Online and Microsoft. Microsoft purchased WebTV in 1998 and has also been including interactive television abilities in their operating systems for several years. Thus far, because of poor service, little interactive programming, and relatively high prices, the number of users has not significantly grown. They also are hampered by the need to use telephone lines to communicate with the service in most areas as cable lines are slowly becoming converted to interactive communications. America Online has announced that it will start deploying AOL TV in the United States in 2000. When its merger with media giant Time-Warner is complete, it will have control over a significant portion of the cable television lines and television shows in the United States. It is expected that AOL will use that market power to force the development of more interactive television and the deployment of interactive boxes that will be capable of tracking users even if they do not wish to use the functions.

Meanwhile, there are other companies that have developed devices that will automatically record television shows for viewers and make recommendations for new shows based on viewers' previous behavior. The new systems are being designed, like their Internet predecessors, to track every activity of users as they surf the net through the boxes. They also are being designed to track the shows and commercials users watch and to use that information to tailor advertising for the greatest effect.[412] Rupert Murdoch said in the NewsCorp annual report, "It will tell us not only who our customers are, but what they buy, what they watch, what they read and what they want."[413] George Orwell's vision of the television that watches you will soon be a standard consumer appliance.

Even where systems are designed not to report back this kind of information, there is increasing pressure from the content industries to build systems this way so that they can monitor viewers' habits and protect against copyright infringement. This year, SONICblue Inc., the maker of ReplayTV, a personal video recorder, was sued by the entertainment studios who argued that features allowing users to pause, fast forward, and skip commercials violated their copyrights. As part of the lawsuit, the studios requested all data that the company had on its customers' viewing habits, including what shows were recorded, watched, and forwarded to friends. Because the ReplayTV 4000 product did not transmit this sort of data back to the company, SONICblue had no data to provide to the studios. It was, therefore, ordered by a court to re-engineer its product and install software to record TV usage data and transmit that data back to SONICblue so that it could then be turned over to the studios. This order was overturned in May 2002 but the issue is likely to resurface.[414]

Unlike personal computers that give users control over their actions and choices, the new ITV systems are generally based on a sealed "black box" controlled by the company that gives the user little or no control. In the WebTV box, users are not able to refuse cookies or delete them afterwards. The systems are closed and it is difficult, if not impossible, for even advanced users to identify what the system is doing. It will also prevent users from being able to use their own software.

There are other significant differences in that the media is more top-down, and corporatized than the Internet, which is decentralized and allows nearly any user to set up his own web site and become a content producer. Many of the ITV providers describe their systems as "closed gardens" that will only show content that the providers have a financial interest in. Other information will either be banned or be slower or more difficult to locate and view.

Some video game consoles provide an Internet access functionality[415] that requires subscribers to register much of their personal information (name, address, telephone number, e-mail address, credit card number, etc.). The game console's hard disk also records all the games played and their patterns, names of all the players involved in a game, scores obtained, and other similar information, and transmits the data to the console manufacturer the next time the player connects.[416] The next generation consoles (Xbox 2, PlayStation 3 and PSX) that will be launched in 2005 clearly aim at ousting interactive TV set-top boxes from the center of home entertainment by offering, in addition to games, the same services as set-top boxes: personal video recorder (such as Tivo and ReplayTV), e-commerce, e-mail, web access, photo albums, DVDs, home movie and music.

Genetic Privacy

Genetic data poses unique privacy issues since it can serve as an identifier and can also convey sensitive personal information. Not only does genetic information provide a fingerprint through variations in genetic sequences; it also provides a growing amount of information about genetic diseases and predispositions.

Errors in the genetic code are responsible for an estimated 3,000 to 4,000 hereditary diseases, including Huntington's disease, cystic fibrosis, neurofibromatosis, Duchenne muscular dystrophy, and many others. Furthermore, altered genes are now known to play a part in cancer, heart disease, diabetes, and many other common diseases. In these more common and complex disorders, genetic alterations increase a person's risk of developing that disorder. The disease itself results from the interaction of such genetic predispositions and environmental factors, including diet and lifestyle.[417]

Even more controversial than genetic predisposition to disease is the fact that "genes do appear to influence behavior."[418] Genes have been found to influence homosexuality, thrill seeking and tendencies towards violent criminal behavior.[419] Twin and adoption studies have shown that "nearly all behaviors that have been studied show moderate to high inheritability - usually to a somewhat greater degree than do many common physical diseases."[420]

The prevailing scientific opinion is that most behavior and human diseases are not the result of a single mutation or gene. Rather, most facets of human development "represent the culmination of lifelong interactions between our genome and the environment."[421] Currently available scientific knowledge thus does not seem to provide a strong link between an individual's genetic sequence and that person's eventual development of disease or personality traits; such conclusions are often speculative or, at best, matters of probability.

However, it is an area of scientific development that is undergoing rapid change and the body of knowledge about the human genome is increasing rapidly. The human genome sequence was published in February 2001, immediately kicking off a debate on the future of genetic technology and its impact on society - including privacy.[422] For example, United States Senators James M. Jeffords and Tom Daschle have commented, "[o]ne of the most difficult issues is determining the proper balance between privacy concerns and fair use of genetic information."[423]

Both the general public and scientific researchers have recognized that safeguards for genetic information are needed. For example, polls have found that 86% of adults believe that doctors should ask permission before conducting any genetic testing and 93% believe that researchers should do the same before any analysis.[424] Dr. Francis S. Collins, Director of the National Human Genome Research Institute, has observed that "in genetics research studies, we are seeing individuals who opt not to participate in research because of their fear that this information could fall into the wrong hands and be used to deny them a job or a promotion."[425]

Genetic Identification

Unlike fingerprints, DNA sequences are not unique (identical twins have different fingerprints but the same DNA profiles). DNA identification works by comparing particular regions of two samples and looking for differences rather than comparing entire DNA sequences. Identification is actually a process of combining several such comparisons and calculating the probability that the two samples are a false match. "Provided that tests are actually looking at different regions of the genome, and provided that the genetic patterns aren't 'structured' within a community by inbreeding, using multiple tests can reduce the chance of a false match from one in a hundred to one in a million or even one in 500 million. But they can't entirely eliminate the chance of a false match."[426] That has proven to be true in at least one instance. In Britain, a DNA match between evidence left at the scene of a robbery and an individual who had already been entered into that country's DNA database turned out to be false despite calculated odds of 37 million to one that a false match would occur. According to an FBI spokesman, "[t]here's a greater chance that you'll find a close match as the databases get bigger."[427] Besides false matches, some criminals have reportedly become more savvy at manipulating results of DNA identification.[428]

Law enforcement agencies are increasingly relying upon DNA evidence, thus making it important that any genetic data collected is uncontaminated and accurately processed. Judges and courts have issued warrants,[429] indictments[430] and even convictions[431] based solely on DNA identification.

DNA identification is also heavily relied upon in order to exonerate previously convicted criminals. One of the best-known efforts is the Innocence Project at the Cardozo School of Law, Yeshiva University. Founded in 1992 by Professor Barry Scheck, the clinical law program provides legal assistance to persons challenging their convictions based on DNA evidence. The clinic has participated in thirty-six of the sixty-three convictions that have been overturned on the basis of DNA evidence since the 1980s. On the basis of the proportion of cases that have been overturned and related FBI data, the Innocence Project estimates that thousands of individuals wrongly convicted could be freed if provided with easier access to DNA testing.[432] Similar Innocence Project programs have also started at the University of Wisconsin Law School, the University of Washington School of Law and the Santa Clara University of Law.[433]

Despite the recognition of such limitations, there is a push for more and larger DNA databases. DNA databases are often created for a strictly law enforcement purpose, usually related to violent offenders, but have expanded in purpose and scope. "In less than a decade, we have gone from collecting DNA from convicted sex offenders - on the theory that they are likely to be recidivists and that they frequently leave biological evidence - to data banks of all violent offenders; to juvenile offenders in 29 states; to testing of persons who have been arrested, but not convicted of a crime."[434] In the United States, local, state and federal law enforcement agencies contribute samples from crime scenes and those convicted of violent crimes into a national database to look for potential matches.[435] In April 2003, the Bush Administration proposed that DNA profiles from juvenile offenders and from adults who have been arrested but not convicted would be added to the FBI's national DNA database.[436] The White House also indicated it would spend about USD 1 billion over five years to promote the use of DNA for law enforcement purposes.[437]

Other countries such as Great Britain are similarly considering proposals to expand their own national DNA databases.[438] Several Australian states have been considering laws that would permit the creation of a national DNA database.[439] One Australian legislator has even called for collecting DNA samples from babies at birth.[440]

Other, non-law enforcement related DNA databases have also emerged. Since the early 1990s, all personnel serving in the United States Armed Forces have been required to submit DNA samples to ensure later identification. The United States military's DNA depository "contains 2.1 million index card-sized files with the name, Social Security number, fingerprint and blood sample of every active duty military person."[441] However, the program has faced resistance within the military's own ranks. In 1996, two United States Marines faced court-martials when they refused to provide DNA samples for the identification program.[442]

In addition to government-related DNA identification, a new industry - paternity testing - has emerged, placing large amounts of genetic data wholly under private sector control. Despite the controversy surrounding law enforcement collection of DNA, a larger proportion of genetic identification is done to establish paternity. In the United States, part of the reason for the rise in paternity DNA testing is federal requirements for identifying fathers in order to receive child support.[443] Paternity testing previously required blood samples and was more difficult to perform than currently used DNA tests - which may only require a few strands of hair.[444]

Genetic Testing

Advances in technology have made genetic testing easier and faster. According to genetic testing companies, kits costing USD 100 to USD 2,000 are available for over 400 diseases with hundreds more on the way.[445] The easy availability of tests vastly increases the amount of information at an individual's disposal. More problematic is the possibility that individuals will not be able to control when such testing is conducted or how the results may be used. The two most controversial areas of genetic testing are in the workplace and the provision of medical and life insurance. Also, as in genetic identification, genetic testing is prone to quality control issues. A 1999 survey of genetic testing facilities found that of the 245 laboratories examined, 36 failed to meet high quality assurance standards.[446]

Several countries, such as Iceland and Estonia, are building nationwide DNA databases for medical research. Many of these undertakings are encouraged by pharmaceutical companies and other business enterprises looking to make profits from new medical procedures and services. Some efforts have been made to establish legal frameworks for these databanks.[447]

Right Not to Know

While genetic screening has become easier and cheaper, treatment of genetic disease lags behind. Thus, while someone may have the ability to determine if they are at high risk of disease, many people may choose not to find out because they cannot take any precautionary measures. The concept of a "right not to know" would apply in these situations, allowing a person to control whether she learns that she has a certain genetic make-up.

For example, Huntington's disease is an inherited neurological disease that results in death by a person's late 30s or early 40s after extended deterioration of both mental and physical control. There is no treatment for the condition yet a reliable test for Huntington's does exist. The inheritability of the disease is straightforward; the children of a person with Huntington's will have a fifty-percent chance of also being affected. The resistance to knowing one's propensity for Huntington's is borne out in surveys finding that only 66 percent of those at risk of developing Huntington's would test themselves with 15 percent of that group indicating they would contemplate suicide if they tested positive. Of those indicating that they would not want to test themselves, 30 percent indicated they would consider suicide if they did find out that they would manifest the disease.[448] Due to the emotional and psychological impact that such information would have, many people in these situations exercise their "right not to know" by refusing to test themselves.

In practice, maintaining a "right not to know" can be difficult. Due to the simple inheritability of Huntington's, one family member's decision to test herself for Huntington's will reveal information about other family members. For example, if a daughter decides to test herself for Huntington's due to a history of the disease through her mother's side of the family, the test results would indicate whether or not her mother also has the disease - thus compromising the mother's desire not to know.[449]

In the Workplace

As DNA and genetic databases become more common world-wide, there has been a concurrent rise in the use of testing by employers. Although there are legitimate uses of genetic testing, such as the prevention of occupational diseases, there is also a serious danger that employers will use these tests to discriminate against current or potential employees. Without legal intervention, information indicating, for example, whether someone is prone to a debilitating illness or even an "undesirable" condition (such as laziness or depression) may be used by employers to discriminate against employees.

Genetic screening in the workplace has been conducted for decades but, based on limited polling of employers, still seems relatively rare when compared to general medical information accessed by employers. Some of the earliest genetic screening took place as early as the 1960s. Dow Chemical conducted genetic monitoring (genetic tests conducted over time to detect possible mutagenic effects of the workplace environment) from 1964-1977.[450] In 1982, a United States federal government survey found that 1.6 percent of companies were using genetic testing for employment purposes.[451]

Despite the uncertainty about how commonly workplace genetic testing takes place, it has happened. In 1994, employees at the Lawrence Berkeley National Laboratory at the University of California - Berkeley discovered the laboratory's surreptitious practice of testing its employees' blood and urine samples for syphilis, sickle cell anemia and pregnancy.[452] The laboratory, funded by the United States Department of Energy, conducts non-classified research and had been testing its employees for decades.[453] In subsequent litigation, the government argued that since its employees had agreed to a general medical examination, they had no reason to expect that genetic testing would not also be conducted. The government also argued notice was provided via a list of tests to be conducted posted on an examining room wall. The government prevailed in the federal district court, but the United States Court of Appeals for the Ninth Circuit reversed and concluded the conditions being tested for raised "the highest expectations of privacy."[454] In 2000, the laboratory settled with employees for USD 2.2 million, ceased conducting the tests and allowed earlier test results to be reviewed and deleted.

More recently, in February 2001, an employee of the Burlington Northern Santa Fe Railroad in the United States sued the company for conducting tests for a genetic predisposition associated with carpal tunnel syndrome. The company had allegedly collected blood samples from 125 employees and tested 18 of those samples without employee consent. The employee filing the suit had refused to contribute a blood sample and was told he would be investigated. The lawsuit alleges violation of disability law and existing legal prohibitions on genetic testing by employers.[455]

Insurance

While closely tied to workplace genetic testing (as employers may avoid hiring certain individuals due to a perceived increase in the amount needed for insurance coverage), genetic testing has also begun to be used in the provision of life and medical insurance directly. In February 2001, Norwich Union Life, one of Britain's largest insurers, admitted using genetic tests for breast and ovarian cancer and Alzheimer's disease to evaluate applicants. Moreover, Norwich Union Life was violating the industry's code of conduct since the genetic tests had not been approved by the government's Human Genetics Commission.[456] The controversial practice resulted in some individuals paying higher insurance premiums based on genetic predispositions, creating political pressure to outlaw the use of genetic data by insurers in the United Kingdom altogether.[457]

While representatives of Norwich Union Life claimed that the genetic tests were not compulsory, simply providing lower premiums for people that do not test positive for genetic tests can lead to rampant genetic testing. An "assessment spiral" will result when one company offers discounts for those with a particular genetic profile, creating pressure on competitors to offer similar discounts in order to keep "low-risk" policy holders and resulting in higher premiums for those that are not tested or do not possess the correct genetic make-up.[458] Thus, non-compulsory genetic testing can easily lead to genetic discrimination.

Legal Safeguards

Recognizing the issues implicated in widespread genetic testing, several international bodies have recommended that genetic testing should be carefully circumscribed by law. In 1989, the European Parliament issued a resolution recommending legislation to prohibit genetic testing for the purposes of selecting workers or examining employees without their consent. It advised that employees must be informed of any analysis and implications of genetic data before tests are carried out and allowed to withdraw from testing at any time.[459] The Council of Europe has also recommended that "the admission to, or the continued exercise of...employment, should not be made dependent on the undergoing of tests or screening."[460] Similarly, the World Medical Association (WMA) has issued statements to this effect. In 1992, issuing a Declaration on the Human Genome Project, it recommended the adoption of laws similar to those that prohibit "the use of race discrimination in employment or insurance."[461] In May 2000, it announced that it would draw up guidelines on the development of centralized health storage databases that will address "the issues of privacy, consent, individual access and accountability."[462] In 1997, the United Nations Educational, Scientific and Cultural Organization (UNESCO) adopted a Universal Declaration on the Human Genome and Human Rights, outlining the rights of individuals to control the collection and use of genetic information.[463]

In many cases, genetic testing may be indirectly prohibited by existing labor codes.[464] It is also possible that the use of genetic data by employers to discriminate against workers may violate equal opportunity or anti-discrimination laws. In the United States, for example, genetic testing may violate the 1964 Civil Rights Act that prohibits discrimination in employment on the basis of "race, sex, national origin, and religion," or the Americans with Disabilities Act of 1990, which prohibits discrimination in employment against a "qualified individual with a disability."[465]

Governments are also beginning to address the privacy issues directly. In the United States, most laws applying to genetic discrimination, testing or identification have been passed by states rather than the federal government. As of 1997, twelve states prohibit genetic discrimination in employment, 16 states prohibit genetic discrimination in insurance and more than 40 states have established DNA databases for law enforcement purposes.[466] In 2000, President Clinton issued an executive order prohibiting the use of genetic information in federal agency hiring and promotion decisions.[467]

Workplace Privacy

Workers around the world are frequently subject to some kind of monitoring by their employers.[468] Employers supervise work processes for quality control and performance purposes. They collect personal information from employees for a variety of reasons, such as health care, tax, and background checks.

Traditionally, this monitoring and information gathering in the workplace involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace, however, has led to more invasive, and often covert, monitoring practices which call into question employees' most basic right to privacy and dignity within the workplace. Progress in technology has facilitated an increasing level of automated surveillance. Now, the supervision of employee performance, behavior, and communications can be carried out by technological means, with increased ease and efficiency. The technology currently being developed is extremely powerful and can extend to every aspect of a worker's life. Software programs can record keystrokes on computers and monitor exact screen images, telephone management systems can analyze the pattern of telephone use and the destination of calls, and miniature cameras and "Smart" ID badges can monitor an employee's behavior, movements, and even physical orientation.

Advances in science have also pushed the boundaries of what personal details and information an employer can acquire from an employee. Psychological tests, general intelligence tests, performance tests, personality tests, honesty and background checks, drug tests, and medical tests are routinely used in workplace recruitment and evaluation methods. Since the discovery of DNA, there has also been an increased use of genetic testing, allowing employers to access the most intimate details of a person's body in order to predict susceptibility to diseases, medical, or even behavioral conditions. The success of the Human Genome Project will likely make this kind of testing more prevalent. Currently, genetic testing is prohibitively expensive for many employers, and not used as frequently as other forms of medical or drug testing. Article 21 of the European Union Charter of Fundamental Rights provides explicitly that "any discrimination based on...genetic features...shall be prohibited."[469]

Employers' collection of personal information and use of surveillance technology is often justified on the grounds of health and safety, customer relations, or legal obligation. However, according to a recent study by the Privacy Foundation, it is actually the low cost of surveillance technologies more than anything else that contributes to the increased monitoring.[470] In many cases, workplace monitoring can seriously compromise the privacy and dignity of employees. Surveillance techniques can be used to harass, to discriminate, and to create unhealthy dynamics in the workplace.

Legal Background

Privacy advocates have long maintained that providing notice of a monitoring or surveillance policy should, at a bare minimum, be required before employers can engage in such invasive activities. Advocates support strong privacy principles in the workplace such as the International Labor Office's "Code of Practice on the Protection of Workers' Personal Data," which protects employees' personal data and fundamental right to privacy in the technological era.[471] These guidelines were issued by the International Labor Office in 1997, following three comprehensive studies on international workers' privacy laws.[472] The general principles of the code are:

The code does not form international law and is not of binding effect. It was intended to be used "in the development of legislation, regulations, collective agreements, work rules, policies and practical measures." Unfortunately, however, the laws differ greatly from country to country, and in some countries there are few legal constraints on workplace surveillance.

In the United States, for example, the courts have typically been slow to recognize employees' rights to privacy. There has not yet been any satisfactory and uniform determination of what level of privacy employees are entitled to and how that privacy should be protected. Many believe that since employers have ownership or "control" over the working premises, and its contents and facilities, that employees give up all rights and expectations to privacy and freedom from invasion. Others simply avoid the question by making employees consent to surveillance, monitoring, and testing as a condition of employment. Legislation has recently been introduced, however, which would prevent employers from secretly monitoring the communications and computer use of their employees.[473]

US public sector employees are protected by several laws. The Fourth Amendment applies not only to law enforcement officers, but to government officials and employers as well. A constitutional right to information privacy, recognized in Whalen v. Roe,[474] can protect against employer disclosures of employees' personal information. Other laws which may protect the privacy of public employees include relevant state constitutional provisions, federal and state wiretap laws, the Americans with Disabilities Act (ADA), the federal Privacy Act, and the common law privacy torts. In addition, depending on the type of employment contract governing the work agreement, public employees may have recourse under contractual remedies. However, most employment agreements are considered "at will," which means that employees may be dismissed for any or no reason, provided sufficient notice is given. One exception to this general rule is that employees may not be dismissed for a reason that violates public policy, such as for not complying with a privacy-invasive procedure. Should this occur, employees can sue for wrongful termination in violation of public policy.

US private sector employees have some, but not all, of the protections afforded public sector employees. The Fourth Amendment and many state constitutions do not apply to private employers. However, the federal wiretap law applies to both public and private sector employers. Private sector employees may also establish recourse for invasions of privacy under the ADA, breach of contract theories, and privacy torts.

Internationally, regulations governing the compilation and use of employees' personal data vary significantly. In European countries, the collection and processing of personal information is protected by the EU Data Protection and the Telecommunication Privacy Directives.[475] That last Directive, however, provides for the confidentiality of communications for "public" systems and therefore would not cover privately owned systems in the workplace.[476] However, the principles laid out in these directives are general in scope and their application to workplace privacy issues is not always clear.

Nonetheless, many European countries, such as Austria, Germany, Norway and Sweden have strong labor codes and privacy laws that directly or indirectly prohibit or restrict this kind of surveillance. In Finland, a new law on Data Protection in Working Life entered into force in October 2001. In October 2000, the United Kingdom Privacy Commissioner issued "The Employment Practices Data Protection Code," a draft code of guidance for employer/employee relationships.[477] In March 2002, the first part of this code, regarding data protection in recruitment and selection of employees, was issued.[478] In October 2002, the Information Commission released part two of the code, which covers employment records. One significant provision requires that any sickness and accident records, detailing the medical cause of any absence, be maintained separately from medical records that do not reveal medical conditions.[479] Two further parts on monitoring at work and medical information and testing will be issued over the next few months. In 1999, the Swedish government established a Committee to study workplace privacy issues. In March 2002, the Committee issued a proposal recommending specific legislation to protect the personal information of current employees, former employees and employment applicants in both the private and public sectors.[480] In May 2002, the European Union Article 29 Data Protection Working Party issued a working paper on monitoring and surveillance of electronic communications in the workplace. The document set out a list of questions to be asked before any monitoring measure is put in place, for example: Is the monitoring activity transparent to the workers? Is it necessary? Could not the employer obtain the same result with traditional methods of supervision? Is the processing of personal data proposed fair to the workers? Is it proportionate to the concerns that it tries to allay?
The working paper also set out principles employers should bear in mind when processing workers' personal data. These principles include: finality (data must be collected for a specific and legitimate purpose); transparency (workers should know which data the employer is collecting about them); and security (the employer must implement security measures at the workplace to ensure the safety of the personal data of workers).[481]

In October 2002, the European Commissioner for Employment and Social Affairs launched a formal consultation initiative to improve the protection of workers' personal data throughout the EU.[482] The substance of the consultation addressed issues such as the effectiveness of employee consent in safeguarding personal data, access to, and the processing of medical data within the employment context, identifying the permissible scope of drug and genetic testing, and employer monitoring and surveillance of employees. Currently, both the International Labor Organization (ILO) and the Council of Europe have established specific guidelines establishing data protection in the employment relationship.[483] In addition, Article 8 of the EU Charter of Fundamental Rights refers to the protection of personal data, and Articles 21, 26, and 31 contain provisions relevant to the protection of employees' private data.[484]

There have also been developments outside of Europe on this issue. In June 2002, the Hong Kong Data Protection Commission issued a draft code of practice on workplace for public consultation. The draft code covers telephone, closed-circuit television, e-mail and computer usage and possibly location monitoring.[485] In Australia, the Privacy Amendment (Private Sector) Act 2000 put in place limited restrictions on employers' monitoring of communications by requiring the establishment of formal e-mail use policies that must be made clear to all employees. It also requires employers to prove that the monitoring of e-mails is justifiable, for instance on grounds of employees' excessive use of e-mail, distributing offensive material, suspected criminal activities, or passing on of sensitive information.[486] However, the legislation grants exemptions to small businesses and the media and also exempts all employee records in any industry sector.

Workplace searches

Employer searches of an employee's workspace raise important privacy issues. In the public sector, the US Supreme Court has held that whether an employee has a reasonable expectation of privacy in a workspace is to be decided on a case-by-case basis because of the great variety of workplace settings.[487] The Court also held that a public employer's intrusions, even into constitutionally protected privacy interests of government employees for either non-investigatory, work-related purposes or for investigations of work-related misconduct, should be judged under a standard of reasonableness. The Court noted that requiring an employer to obtain a warrant whenever he or she wished to enter an employee's workspace for a work-related purpose would seriously disrupt business routine and be unduly burdensome. In terms of workplace computer searches, a federal court has held that an employee has a reasonable expectation of privacy in the contents of an office computer, but an investigatory search for evidence of work-related employee misconduct is constitutionally reasonable if the search is justified at its inception and is of appropriate scope (i.e., reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct).[488] In addition, government employers cannot require employees to undergo unreasonable searches under the Fourth Amendment as a condition of employment, but the search is permissible if the employee consents to the search.

In the private sector, employees may have a reasonable expectation of privacy in certain areas and personal items. One court has held that an employee who is under no suspicion of wrongdoing and secures a locker with her own lock and with the employer's consent has a reasonable expectation of privacy in the locker and its contents.[489] In addition, employers may be liable if they reveal confidential information about their employees.[490] Public sector employees have an additional course of redress for the disclosure of personal information by an employer by means of a civil action under the constitutional right to information privacy.[491]

Workplace surveillance

Employers are increasingly turning to video surveillance to monitor the activities of employees. In answering the question of whether an employer's use of video surveillance is permissible, US courts have examined an employee's expectation of privacy in the area being monitored, as well as considered any applicable laws or regulations governing such a search. Federal courts have held almost unanimously that silent video surveillance is not prohibited by Title I of the Electronic Communications Privacy Act (ECPA) of 1986.[492] But video surveillance that includes the ability to record conversations would violate Title I. Silent video surveillance is subject to the Fourth Amendment's protections against unreasonable searches, but at least one court has held that the Fourth Amendment is only implicated if an employee has a reasonable expectation of privacy in the area being surveilled.[493] If employees have no reasonable expectation of privacy in an area under observation, such as in a locker area that can be viewed by anyone who enters, the Fourth Amendment is not violated, regardless of the nature of the search.

Internationally, video surveillance is used extensively for many different reasons. Australia spent substantially more money per capita than any other industrialized nation on video surveillance equipment.[494] Video cameras are now one of the most commonly used surveillance devices in the Australian workplace, and their use is regulated by The Workplace Video Surveillance Act of 1998.[495] Video surveillance is justified as a security measure to deter theft, vandalism, or other unauthorized intrusions, and to monitor employee conformance with occupational health and safety procedures, as well as general performance.

Workplace surveillance in New Zealand is prevalent, and often occurs beyond the reach of the law given the deregulated labor market, according to a report issued by the Office of the Privacy Commissioner.[496] The current policy in New Zealand is to leave negotiations involving workplace surveillance to employment agreements between employers and employees rather than establishing legislation regulating such activities, although employment law and contractual implied terms of fair dealing offer employees some protections. New Zealand employers are entitled to take reasonable steps to monitor employee performance, to safeguard working conditions, and to secure the place of business. Employees, in turn, are generally granted protections to safeguard their person, property, and private conversations and beliefs, and are provided with avenues to amend irrelevant, inaccurate, or incomplete facts that are considered in employment decisions.

Performance Monitoring

Automated workplace monitoring has become increasingly common in recent years. Even in workplaces staffed by highly skilled information technology specialists, employers demand the right to spy on every detail of a worker's performance. Modern networked systems can interrogate computers to determine which software is being run, how often, and in what manner. A comprehensive audit trail gives managers a profile of each user, and a panorama of how the workers are interacting with their machines. Software programs can also give managers total central control of individual PCs. A manager can now remotely modify or suspend programs on any machine, while at the same time reading and analyzing e-mail traffic and Internet activity. A recent report by the American Management Association found that nearly eighty percent of major US companies monitor employees at work by checking communications such as telephone conversations, computer files, e-mails and Internet connections or by using video surveillance for performance evaluation and security purposes.[497]

An employer can monitor the level of use of a computer by surveilling the number of keystrokes an employee enters into a word processing program in a specified period of time or the amount of time a computer is idle during the workday. Numerous technologies are available which monitor and analyze the performance of IT workers. Some allow network administrators to observe an employee's screen in real time, scan data files and e-mail, analyze keystroke performance, and even overwrite passwords. Once this information is collected, it can be analyzed by standard processing programs to determine a worker's performance profile. These monitoring products are sold at very low prices and have infiltrated the market. These snooping programs have also become popular not just among employers but also law enforcement agencies, private attorneys, investigators, and suspicious lovers.

The use of video cameras and closed circuit televisions (CCTV) is another common way of monitoring employees within the workplace. Even areas where employees would previously have enjoyed high expectations of privacy, such as bathrooms or locker rooms, have come under increasing surveillance. Postal workers in New York City found hidden cameras in restroom stalls and waiters in the Boston Sheraton were secretly videotaped in the hotel locker room.[498] Where staff are more mobile, companies are now using a range of technologies to track geographic movements.[499] Some hospitals now require nurses to wear badges on their uniforms so they can be located constantly.[500] Advances in this area now allow carrier companies to place an electronic mechanism (described as a geostationary satellite-based mobile communications system)[501] on trucks that then sends back to a main terminal the exact position of the vehicle at all times. In this way, carrier companies can ensure that no side trips nor other deviations are taken from the prescribed route.[502] Wide area systems such as Trackback are in use throughout the United Kingdom.

Telephone Monitoring

Telephone surveillance has become endemic throughout the private and public sector. In the United States, employers have broad discretion to monitor employees' calls for "business purposes." Companies are extensively using telephone analysis technology. Call center workers for British Telecom are regularly presented with a comprehensive analysis sheet, showing their performance relative to other workers. Airline reservations clerks in the United States and elsewhere wear telephonic headsets that monitor the length and content of all telephone calls, as well as the duration of their bathroom and lunch breaks.[503] In one instance, telephone calls received by airline reservation agents were electronically monitored on a second-by-second basis: agents were allowed only 11 seconds between each call and 12 minutes of break time each day.[504] Other airline agents have complained that they are evaluated based on how many times they use a customer's name during a call or how often they try to overcome a customer's initial objections to buying a ticket.

The level of sophistication of telephone surveillance systems can be astonishing. Some systems can record all transactional activity on a phone, together with destination numbers and times. Other technology can then process and analyze this data. A British program called "Watcall," produced by the Harlequin company, can analyze telephone calls and group them into "friendship networks" to determine patterns of use.[505] Voice mail systems are also subject to systematic or random monitoring by managers. Most new systems have default pass codes for administrators, and these can open all message boxes.

Email and Internet Use Monitoring

Computers and networks are particularly conducive to surveillance. The Privacy Foundation study[506] found that fourteen million employees in the United States are subject to this kind of surveillance on a continuous basis. This number obviously increases dramatically when random surveillance checks are included. Employers can monitor e-mail by randomly reviewing e-mail transmissions, by specifically reviewing transmissions of certain employees, or by selecting key terms to flag e-mail. In the latter case, software analyzes a company's entire e-mail traffic phrase by phrase, and draws conclusions about whether a message is legitimate company business. It can be instructed to search for specific keywords and "damaging" phrases. Some programs can even use algorithms to analyze communications patterns and turn them into images. Monitors can then look at these images to follow traffic patterns and detect whether sensitive data is at risk.

Many employers rely on software for remote monitoring of e-mail messages. With a few clicks they can see every e-mail message that employees send or receive and determine whether they are "legitimate" or not. Managers give a variety of reasons for installing such software. Some say it is to protect trade secrets or prevent sexual harassment incidents. Others want to prevent oversized e-mails clogging networks and using too much bandwidth. Still others simply don't want employees "wasting" company time by using the systems for personal activities. In an ideal world, this monitoring should follow the conventional format, i.e., identical to the quality check that has applied to correspondence sent out on company letterhead. However, the speed and efficiency of e-mail means that digital communication involves a vast intersection with personal correspondence. It also has features more in common with an internal memo, for which there has always been less monitoring and management.

According to the American Management Study,[507] nearly two thirds of all companies discipline employees for abuse of e-mail or Internet connections and twenty-seven percent dismiss employees for those reasons. In 2000, Dow Chemical Company fired fifty US employees and threatened two hundred others with suspension after they found "offensive" material in their e-mail. The company opened the personal e-mail of more than 7,000 employees.[508] Similarly, the New York Times fired twenty-three employees in 1999 for sending "obscene" messages.

Internationally, employer monitoring of e-mail and Internet usage varies from country to country. The Swiss Federal Data Protection Commissioner issued a statement in its annual report explaining the circumstances under which use of Internet and e-mail at the workplace may be monitored.[509] According to the report, surveillance activities by employers are primarily focused on preventing technical malfunctions. Records of an individual's e-mail and Internet use may be evaluated only once an abuse has been identified and the individual is notified of the evaluation.[510] In Hong Kong, the Office of the Privacy Commissioner for Personal Data in 2000 commissioned a survey to examine employer surveillance in the workplace.[511] According to the survey, sixty-four percent of employers had installed at least one type of employee monitoring equipment, but only eighteen percent of the employers had a written policy on employee monitoring. Further, thirty-five percent of respondents did not even know whether such a policy existed.[512] In contrast, France has established stringent policies that protect the privacy of employees' e-mail usage. The French Supreme Court held recently that employers do not have the right to open any of their employees' messages. The Court ruled in a case between Nikon and a former employee that the company had no automatic right to search through an e-mail inbox.[513]

Courts in the United States have taken various positions in cases involving an employee's use of e-mail and the Internet at work. One court has found that an at-will employee has no reasonable expectation of privacy in the contents of an e-mail voluntarily sent on an employer's e-mail system, even though the employer had assured its employees that e-mail communications would remain confidential and privileged.[514] The court reasoned that once an employee communicated comments to a second person over an e-mail system utilized by the entire company, any reasonable expectation of privacy is lost. And even if an employee had a reasonable expectation of privacy in the contents of an e-mail, a reasonable person would not consider an employer's interception of such communications to be substantial or highly offensive. Another court has held that an employer that has a "business use only" policy for Internet usage may conduct audits of its computer network to identify, terminate, and prosecute unauthorized activity.[515] The court found that while employees may have a legitimate expectation of privacy in their computer equipment, some office practices, regulations, or procedures may reduce such an expectation.[516]

These cases raise complex legal and ethical questions concerning an employee's fundamental right to privacy and due process, such as: what if an employee is sent an "offensive" e-mail, accidentally or maliciously? The e-mail cannot simply be deleted. It remains logged on the company server, threatening the relationship of trust between employee and management. Or what if an employee is dismissed on the grounds of sensitive personal information (for example issues relating to sexual preferences, medical conditions, etc.) gathered through a system? This problem also arises when companies monitor all Internet activity looking for visits to "inappropriate" sites. Such surveillance has elements in common with traditional surveillance for hard copy pornography, but there are significant dangers to workers in the realm of electronic surveillance. An employee may accidentally visit a pornographic site upon opening a spam e-mail that links to such a site. Or websites may be accidentally visited when displayed as a "hit" in response to a perfectly innocent search query. The surveillance technology does not, however, distinguish between an innocent mistake and an intentional visit.

The monitoring of chat room visits has also created some distress in the workplace. There is an increasing trend among companies to dismiss or sue employees for divulging company "trade secrets" or defaming the company in chat rooms. These have become known as "John Doe" cases. Because most people log on to chat rooms anonymously or use an alias, once a company observes a certain party in a chat room engaging in "illegitimate" speech, they must subpoena the message-board services such as Yahoo! or America Online, to obtain the identity of the specific author. The service providers often turn over identifying information when presented with a subpoena without any notice to the individual. The number of these cases is rapidly increasing and threatens not only the privacy of employees but also their rights to anonymity and free speech.

Drug Testing

There is also an increasing amount of drug testing in many countries. The number of companies using these tests has risen in proportion to the decreasing costs of the tests. For many employees, drug testing is now a standard part of working life. Companies routinely administer tests in the recruitment stage or at intermittent periods during employment, even where there is no evidence of misconduct, poor performance, or any other reason to suspect drug use. There are thousands of easy-to-use kits, which can detect traces of drugs within minutes and without the need for a laboratory, available on the market today. Most of these tests analyze hair or urine samples to detect traces of drugs such as amphetamines, marijuana, cocaine, opiates, and methamphetamines.

Internationally, the use of and justifications for workplace drug testing vary from country to country. In European countries, one of the most frequently used arguments for workplace drug testing and one of the least controversial is that the test is a means of ensuring the safety of employees. In France, Norway, and the Netherlands, only workers in traditional safety-sensitive positions, or those positions which include access to dangerous materials or classified information, are subjected to testing in any form.[517] Accordingly there is less testing and there are more legal restrictions in these countries. In the Netherlands, pre-employment testing is illegal, and in France only the occupational physician may decide to conduct drug tests, not the employer.[518] On the other hand, workplace drug testing is more commonplace in British and Swedish companies, where workers in all types of jobs are tested in order to ensure "business-safety."[519]

A major ethical issue implicated by drug testing is that the process amounts to an unwarranted invasion of privacy. Most guidelines for workplace drug testing, such as the ILO Guiding Principles on Drug and Alcohol Testing of 1996, require that informed consent be obtained before testing. Opponents of testing, such as the German Federal Data Protection Commission and the Swiss Data Protection Commissioner, argue that because workers are dependent on their employers, meaningful consent to workplace drug testing is not possible.[520] This policy is not followed in some countries. In the United Kingdom, failure to comply with a requirement for drug testing that is included in an employment agreement can be interpreted as a disciplinary offence.[521]

Some European constitutions, for example in Belgium and Finland, hold that fundamental rights such as the right to privacy are indivisible and that the individual cannot consent to waive these rights.[522] Privacy issues are often implicated in the realm of workplace drug testing within the larger concerns for data protection. The testing process involves collecting sensitive data both on use of drugs and on medication taken which might influence the test result. The collecting and storage of such information is therefore not only subject to strict controls in many European countries, but also the subject of European rules such as the EU Data Protection and Telecommunications Privacy Directives and the ILO Code of Practice on the Protection of Workers' Personal Data of 1996.[523] In some European countries, the tension between the need for workplace security and the protection of personal information is resolved by strengthening the role of the occupational physician. In Finland, France, Belgium, Germany, and Austria, the drug test results are communicated to the occupational doctor, not to the employer. The doctor is only allowed to inform the employer whether the person is fit for work or not; not what results were revealed from the drug test.

In the United States, courts have upheld the legality of workplace drug testing in many different circumstances. The US Supreme Court upheld regulations mandating blood and urine tests of railroad employees to ensure workplace safety.[524] Courts have also upheld drug testing by schools of all students involved in athletics and extracurricular activities.[525] However, the US Supreme Court recently struck down a policy of performing drug tests on pregnant women in a public hospital, finding that the employees of the hospital are government actors subject to Fourth Amendment limitations.[526]

US courts have also considered the issues of notice and consent in relation to workplace drug testing. Providing notice of future drug tests shields employers from liability for intrusion upon seclusion because the employee has provided explicit consent to take the test. In addition, employers may lawfully condition employment upon successfully passing a drug test. The issue of wide scale preventative drug testing raises a host of other questions concerning privacy, bodily integrity, individual freedom, and the presumption of innocence. The process of testing itself can be hugely invasive. Observers are often present to prevent employees from tampering with samples. In the case of urine testing, the monitor's observation of the drug testing process can be particularly offensive. Consider the case of one employee who felt humiliated while undergoing a urine drug test:

I waited for the attendant to turn her back before pulling down my pants, but she told me she had to watch everything I did. I am a 40-year-old mother of three: nothing I have ever done in my life equals or deserves the humiliation, degradation and mortification I felt.[527]

This type of test can quickly turn from a necessary evil needed to protect lives and reputations into a process of intimidation and harassment. It raises questions about whether the benefits to employers really outweigh the rights and dignity of workers. Companies which manufacture drug testing equipment extol the advantages of drug tests, claiming the tests can save employers thousands of dollars by reducing incidences of absenteeism, low productivity, accidents, injuries, compensation, and health care claims stemming from employees' drug usage. Governments generally have also encouraged testing as part of a larger war on drugs. What employers are not told, however, is that there are also numerous ethical and economic disadvantages to drug testing.

Drug testing fosters a climate of negativity based on suspicion and secrecy rather than trust, openness, and respect. Low morale or resentment among workers may consequently lead to low productivity or profits. In addition, even though individual tests may no longer be expensive because they are so sweepingly administered among employees, the negative effects may be costing employers far more than the tests save them. Catching one or two light drug users for every few thousand people tested is hardly an economic justification for the initial outlay. Even if tests do reveal traces of drugs, there is no clear evidence to suggest that mild drug use has a greater effect on productivity than, for example, alcohol. Dismissing workers on grounds of policy and suspicion rather than performance and proof may result in the loss of valuable employees to the employer. Evidence has not shown that drug testing can deter future use, and it is in no way a substitute for proper guidance, support and counseling. In fact, in an ironic twist, routine testing may even encourage more serious drug usage among employees. As one commentator says:

If one wants to get inebriated on a Friday night and still pass a urine test Monday, smoking a joint would be foolish. Cocaine and alcohol would represent the "safer" choices of intoxicants because alcohol is "legal" and cocaine cannot be detected in the body as long.[528]

Finally, drug testing is inaccurate and can often lead to false and misleading results. A report by the Ontario Information and Privacy Commissioners' Office says up to forty percent of tests are inaccurate.[529] Highly sensitive tests can be positive even when the drug sought is not present. Some say positive reactions may result from a carry-over following a strong positive earlier or from human error, such as contamination due to failure to cleanse equipment.[530] Others note that certain legal substances can also result in positive tests for illegal drugs. For example, there have been reports of Vicks inhalers resulting in positive tests for amphetamines and methamphetamines, standard anti-inflammatory drugs like Ibuprofen showing up positive on marijuana tests, and even traces of morphine being detected from poppy seeds.[531]

Other issues that raise workplace privacy concerns are employer requirements that employees complete medical tests, questionnaires, and polygraph tests. In the United States, employer use of polygraph testing has been limited by federal statute. Congress passed the Employee Polygraph Protection Act (EPPA)[532] which makes it unlawful for private sector employers to require current or prospective employees to take a lie detector test. The statute exempts public employers at the federal, state, and local levels. However, there are a few exceptions to the EPPA. For example, employers may use polygraphs as part of an ongoing investigation involving economic loss or injury to the employer's business, and employers who provide security services are exempt. One court has held that an employer who performed unauthorized tests using blood and urine samples provided by a job applicant violated the individual's privacy.[533] The court looked to the constitutional right to information privacy recognized in Whalen, and held that unauthorized tests were unconstitutional searches under the Fourth Amendment. In another case, a court found that questionnaires that collected health information about employees were permissible.[534] The court reasoned that an individual's interest in protecting his or her privacy is not as great when the information is sought by the government, is not publicly disseminated, and when measures are in place to protect the privacy of information that is collected. Some states have statutes which restrict the degree to which employers may require potential employees to undergo testing or complete mandatory questionnaires.

Internationally, there are fewer workplace privacy laws that specifically address the use of polygraphs in the employment context. In Europe, honesty testing through mechanical devices, such as polygraphs or voice stress analyzers, or through questionnaires which strive to evaluate workers' attitudes to honesty, is not expressly regulated.[535] Elsewhere, mechanical honesty testing is prohibited by statute in the Canadian territories of New Brunswick and Ontario, and is also prohibited in the Australian State of New South Wales.[536]