Privacy Today:
A Review of Current Issues

Privacy Rights Clearinghouse 1oct02

 

The purpose of this report is to highlight and summarize key technology-related privacy issues affecting consumers today. Readers who want to explore issues in depth should visit the web sites of government agencies, public interest groups, industry associations, and companies. A list of public interest groups that are working on these issues is provided at the end of the report.

BIOMETRICS TECHNOLOGIES

Description of issue. The secret video surveillance of the thousands of football fans who attended the 2001 Super Bowl in Tampa, Florida was the first time that many Americans learned of something called "facial recognition biometrics." The technology used was not the common form of video monitoring that we are familiar with in convenience stores, at shopping malls, and on city streets. Those conventional systems do not have the capability to identify individuals whose faces are captured on videotape.

In contrast, the system used at the Super Bowl and in the restaurant/bar district where many of the revelers gathered was able to identify known criminals and suspected terrorists from among the tens of thousands of faces scanned by the cameras, using facial recognition biometrics.

Privacy and civil liberties advocates were quick to decry the use of this technology by the Tampa Police Department. It is not difficult to envision how such systems could be used to identify, for example, individuals who participate in public demonstrations against unpopular government actions. The "chilling effect" on individuals would be a likely result.

Biometrics is the term used for the many ways that we humans can be identified by unique aspects of our bodies. Fingerprints are the most commonly known biometric identifier. Other biometric identifiers are hand prints, vein dimensions, our iris designs, blood vessels on our retinas, body odor, the way that we walk, and our voices, among others. Our genetic profile is also unique to each of us. In facial recognition biometrics, the geometry of the face is measured.

The biometrics industry is booming, especially since the terrorist attacks of September 11, 2001.

Looking ahead. Privacy and civil liberties advocates are gravely concerned about the widespread adoption of biometrics systems. I have already discussed the chilling effect that a facial recognition system could have on our First Amendment right to protest government actions in public demonstrations. Such systems could easily be used to develop a database of known dissidents, to be used for social control purposes.

If one biometrics system were widely adopted, say fingerprinting, the many databases containing the digitized versions of the prints could be combined. While such a system is most likely to be developed by the commercial sector for use in financial transactions, government and law enforcement authorities would likely want to take advantage of these massive databases for other purposes, especially if we were to enter a time of social unrest. Indeed, government agencies and law enforcement are the top subscribers to the many databases compiled by private sector information brokers. I will return to the topic of information brokers later.

Privacy and civil liberties advocates have become more vocal about the threats of untrammeled and unregulated uses of biometrics technologies since the aftermath of the 9-11 terrorist attacks. Of the many biometrics technologies that are being developed, facial recognition biometrics is one of the most threatening because it can be deployed secretly, and can be invisible to those surveilled. Further, tests have found that the error rates for facial biometrics technologies are high. As a result, innocent people can be wrongly identified as criminals (false-positives), and known criminals and suspected terrorists can fail to be detected altogether (false-negatives).

Unless our government establishes strict oversight of such systems, many innocent individuals are likely to be apprehended. There must be limits on the kinds of uses that can be made of biometrics technologies by government and law enforcement authorities, as well as clear-cut and expeditious procedures to handle cases of erroneous identification.

VIDEO SURVEILLANCE

Description of issue. Facial recognition video surveillance aside, we have seen the dramatic growth of video monitoring throughout the public and private sectors, both in the U.S. and other countries. The United Kingdom is perhaps the most developed in its use of video monitoring by the government in public places.

Looking ahead. Widespread implementation of garden-variety video surveillance is harmful for several reasons. We are becoming used to being watched, and at earlier and earlier ages. Many schools have installed video monitoring throughout their campuses. An increasing number of day care centers are connected to the Internet so parents can check in on their children. As time goes on, we are not as likely to fight to maintain a strong Bill of Rights (especially the First and Fourth Amendments) the more accustomed we become to video surveillance. A further threat is that "low-tech" video surveillance can be converted into facial recognition biometrics systems with the growth of digital technologies. As the cost of biometrics systems decreases, the temptation to convert low-tech video surveillance units to facial recognition systems will increase.

ONLINE PRIVACY AND E-COMMERCE

Description of issue. News stories of Internet privacy threats are commonplace these days. The Internet was designed as an inherently insecure communications vehicle.

Hackers easily penetrate the most secure facilities of the military and financial institutions. Internet companies have designed numerous ways to track web users as they travel and shop throughout cyberspace. "Cookie" is no longer a word associated solely with sweets. It now refers to cyber-snooping. Identity thieves are able to shop online anonymously using the credit-identities of others.

Web-based information brokers sell sensitive personal data, including Social Security numbers, relatively cheaply.

Looking ahead. One of the positive results of media coverage of online privacy is public awareness of the issue. Congressional representatives have taken notice. Some form of an Internet privacy law is expected to be passed in the coming years. But will such a law possess meaningful consumer protections, giving consumers the full complement of the "fair information principles" (FIPs)? Will the principles of notice, consent, access, security, enforcement, redress, and collection limitation be codified into law? Or will an online privacy law be a watered down version, simply notice and choice, or worse, just notice - what privacy advocates call "FIPs-lite?"

It is one thing to mandate that every commercial website provide a privacy policy. It is quite another to require that commercial websites clearly explain their data-collection practices and provide meaningful methods for visitors to prevent their personal information and "clickstream" data from being captured and sold to other companies. So far, legislative bills mandating effective consumer privacy protection provisions have not advanced in Congress.

Knowledgeable individuals can take steps to prevent their web-surfing practices from being captured by the websites they visit. But, realistically, few people have the requisite knowledge or patience to take advantage of such privacy-enhancing strategies.

WORKPLACE MONITORING

Description of issue. Privacy advocates often use these words to describe the workplace: "You check your privacy rights at the door when you enter the workplace." Ubiquitous employee monitoring is now possible. Many forms of monitoring technologies are available in the marketplace and are becoming cheaper each year: video surveillance, telephone monitoring, e-mail and voice mail monitoring, computer keystroke tracking, Internet website monitoring, location tracking using badges worn by employees, and satellite tracking of the company fleet.

What makes matters worse is that these systems can be deployed secretly and invisibly. Employers are not required by law to disclose to their employees that such monitoring is being conducted, with the exception of Connecticut where a state law requires employer disclosure. Similar legislation has failed in Congress and in the California state legislature. The only places where employees can expect to be free from surveillance are in bathrooms and locker rooms, but even this protection is not absolute.

Looking ahead. The future is here. An American Management Association study found that a majority of employers are conducting some kind of monitoring, the most common being e-mail and web-surfing.

Employers make several arguments to justify their use of monitoring systems.

Employers have been successful in making these arguments when aggrieved workers have filed lawsuits for privacy violations. The few court cases have largely been decided in the employers' favor.

Workplace rights advocates recommend that monitoring be relegated to narrow situations where there is "reasonable suspicion," and that random or workplace-wide monitoring be prohibited. Whether a better balance will be adopted by U.S. employers is an open question. Legislation is often motivated by "horror stories." As workplace privacy abuses continue to make the news, there is always the possibility that a handful of precedent-setting court cases could change the landscape.

WIRELESS COMMUNICATIONS AND LOCATION TRACKING

Description of issue. The products and services offered by the wireless industry are advancing at a dizzying pace. Digital cell phones are becoming smaller, cheaper, and smarter. Mobile phone users can send and receive e-mail and pager messages and surf the Internet. Hand-held personal digital assistants, PDAs, are also equipped for wireless communications.

Looking ahead. The vision of many marketers is to be able to deliver location specific advertising to wireless devices. So, if you're traveling through the city on I-494, you might receive a message telling you that just off the next exit is a restaurant that serves your favorite cuisine, Thai food. Or as you walk past Starbucks, you'll be flashed a message offering a special on double lattes.

OJ Simpson found out the hard way that cell phones can serve as location detection devices. His travels in the white Ford Bronco were tracked throughout Southern California because of the ability to triangulate the signals emitted from cell phones to and from the nearest communications towers. In fact, location tracking is now required by federal law. Cell phones must be able to pinpoint the user's location to the nearest 100 feet for emergency assistance.

Unfortunately, the trade-off for these conveniences and personal safety features is personal privacy. We Americans cherish our ability to travel freely and anonymously. But the new generation cell phones threaten to track us everywhere.

The wireless industry is well aware that consumers do not want their communications devices to double as surveillance technologies. Industry representatives are taking steps to develop privacy guidelines. They know that the wireless industry will not thrive unless customer privacy can be protected.

But so far, government regulators have not followed their lead. In August 2002, the Federal Communications Commission turned down the industry's request to adopt wireless location information privacy rules that would cover notice, consent, security and customer integrity.

DATA PROFILING

Description of issue. As we make our way through everyday life, data is collected from each of us, frequently without our consent and often without our realization.

We are not yet at the point where the contents of all of these many databases are combined, but we are rapidly heading in that direction. In the aftermath of the 9-11 terrorist attacks, government and law enforcement authorities are working with the data profiling industry to develop an airline traveler screening program that draws data from many consumer data files. That system is CAPPS, Computer-Aided Passenger Pre-Screening. Its developers are attempting to create a profiling system that detects traveler anomalies in order to prevent terrorists from boarding.

Privacy and civil liberties advocates are often asked, "what are you afraid of; what do you have to hide; if you haven't done anything wrong, what's there to worry about?" The sentiment behind these questions is that the data being compiled is benign and is not going to harm us. But as law professor Jeffrey Rosen points out in his 2000 book The Unwanted Gaze, you are not your profile. Databases can contain errors. And data compiled from disparate sources and from differing contexts can lead the user to arrive at the wrong conclusions. (The Unwanted Gaze: The Destruction of Privacy in America, by Jeffrey Rosen, Random House, 2000).

[W]hen intimate information is removed from its original context and revealed to strangers, we are vulnerable to being misjudged on the basis of our most embarrassing, and therefore most memorable, tastes and preferences. (p.9)

He used the 1998 subpoena by prosecutor Kenneth Starr of Monica Lewinsky's book purchases from a Washington, D.C., bookstore as an example of how profiling can harm individuals. This occurred during the Clinton administration sex scandal. Rosen states:

Privacy protects us from being misdefined and judged out of context in a world of short attention spans, a world in which information can easily be confused with knowledge. (p.8)

Here is another story to illustrate the potential harm of untrammeled data collection and profiling.

In 1998 the Salt Lake Tribune reported that the supermarket chain Smith's Foods was subpoenaed by the U.S. Drug Enforcement Agency (DEA) for its discount card data on several named suspects. Was the DEA looking for high-volume purchases of non-prescription medicines that make up the chemical formula for "speed," like Sudafed? No. They were interested in finding out if these individuals had purchased a lot of plastic "baggies," the presumption being that if you're manufacturing and selling "meth," you will need plastic bags to package it in.

This story should alarm each of us. How many situations can we think of where someone might buy many "baggies" - the parent who wraps school lunches for a large family, the Girl Scout troop leader who makes sandwiches for the girls' outings, the jewelry maker who sells her creations at weekend arts fairs. Yet, if law enforcement were to request supermarket discount card data for "fishing trips," without court-ordered warrants -- something far more likely in the post-9-11 era of weakened checks and balances -- many individuals would be on the suspects list, most if not all of whom would not be drug dealers.

Looking ahead. The supermarket club card story illustrates the fair information principle of secondary usage: Information that has been gathered for one purpose should not be used for other purposes without the consent of the individual (paraphrased from the "use limitation principle," Organization of Economic Cooperation and Development, 1980).

The unfettered collection of data from numerous sources, in an environment where there are few legal restrictions on how the data can be used and merged, will inevitably lead to secondary uses that will violate privacy and trample on civil liberties. The legal protections for privacy in the U.S. are weak. They have been further weakened by the hasty passage of the USA PATRIOT Act, following the 9-11 terrorist attacks. There are few restrictions in the U.S. on how data can be collected and merged, in contrast to European Union countries, Canada, New Zealand, and Australia.

When I first wrote this report in March 2001, I said the following:

It is not farfetched to envision a future when such data will be used for a variety of secondary uses. If we were to enter a time of social unrest and political turmoil, our government might seek to use such information to investigate dissidents. We do not have to look very far to see such an investigation in our own time - Kenneth Starr's 1998 subpoena of Monica Lewinsky's bookstore purchases during the Clinton impeachment proceedings.

The future is here. The terrorist attacks of 9-11 have launched us into just such an era of turmoil and uncertainty. The checks and balances that had previously been counted on to place limits on government access to consumer data have been largely lifted by the USA PATRIOT Act. Some -- but not all -- of the provisions of this law come with a sunset provision, so they can be evaluated and even reversed.

This situation is fortified by the strength of the information industries in the legislative arena. When there have been legislative attempts to regulate the collection and use of consumer data by private sector entities, industry associations have responded with a call for self-regulation. To date, this argument has been successful. The direct marketing and information broker industries are virtually unregulated, and their members collect a massive amount of data from consumers. Will such data be used for secondary purposes? We can count on it, especially in this post-9-11 era.

CRIMINAL IDENTITY THEFT

Description of issue. The number one topic of those who contact the hotline of the Privacy Rights Clearinghouse is identity theft -- when an imposter is able to obtain credit in the victim's name by having just a small amount of information about that person, typically the Social Security number (SSN). We refer to this crime as credit-related identity theft.

A growing form of identity theft is what we call criminal identity theft. In 2000 we joined with CALPIRG to conduct a survey of credit-related identity theft victims. One of the findings surprised us - that 12% of those who had experienced credit fraud were also burdened with a wrongful criminal record due to the activities of the imposter. Similarly, Federal Trade Commission statistics show that 15% of the identity theft victims in its database are dealing with criminal identity theft.

Criminal identity theft occurs when the imposter uses the innocent person's identification when arrested, say, for a traffic violation, shoplifting, marijuana possession, or another misdemeanor. When that individual fails to appear in court on the appointed day, a warrant is issued for the arrest of the innocent person.

The warrant may go unused for quite some time - until the unfortunate individual is stopped by law enforcement for speeding or a broken tail light, for example, or when going through U.S. Customs after returning from another country. Then the innocent individual may be arrested or even jailed -- until they can successfully prove that they are being impersonated by someone who used their identification data upon arrest.

It is virtually impossible to clear one's wrongful criminal record. There are no standard procedures, as there are with credit-related identity theft, to wipe the slate clean. Victims must obtain a certificate of clearance from the law enforcement unit where the arrest was made, and/or from the court system in that jurisdiction. But that document is not universally accepted by other law enforcement units.

Looking ahead. Cases of criminal identity theft are going to increase, perhaps substantially, for several reasons. First, credit-related identity theft is on the rise. The Federal Trade Commission says that identity theft is the fastest growing crime in the nation. We know from survey data that approximately one in six such victims will also have to deal with wrongful criminal records.

Second, commercial sector information brokers are collecting an increasing amount of arrest and conviction data and are making it available for a variety of purposes, among them, law enforcement investigations and employment background checks. There is no such thing as a perfectly accurate database. Because these files are not updated as diligently as they should be, and because identity theft is on the rise, those who use such data are going to obtain inaccurate information on countless numbers of innocent individuals.

Law enforcement agencies and court systems at the local, state, and federal levels are going to need to adopt procedures to enable individuals with wrongful criminal records to remove or amend those records. It is likely that laws must be passed to establish such procedures. The California legislature has begun this process, passing laws in recent legislative sessions to assist individuals with wrongful criminal records.

But the process of establishing procedures to enable victims to remove erroneous criminal records data is very complex. Procedures vary from jurisdiction to jurisdiction, and from state to state. Criminal records agencies (the Departments of Justice in each state and the FBI) want to ensure that the accuracy and security of their data files are protected. For the sake of those innocent individuals who are burdened with wrongful criminal records, it is vitally important that this issue be addressed on a national basis, something that is likely to take considerable time.

BACKGROUND CHECKS

Description of issue. Previous sections describe what can happen if data files contain erroneous information. This situation is particularly harmful to job applicants when background checks uncover wrongful criminal records and other inaccurate data. Unless the employer notifies the job applicant of the contents of the investigation, that individual may not learn why he or she was rejected. Federal law requires such disclosure (Fair Credit Reporting Act). But the law contains loopholes that the employer can use to avoid notifying the applicant that negative information in the background investigation resulted in their not being hired.

The information broker industry is growing dramatically. More and more government records are being sold by county and state governments, and to a lesser degree, by federal agencies to private sector data vendors. Companies like Choicepoint and Lexis-Nexis compile records from thousands of sources and make them available to their subscribers, usually law enforcement agencies, private investigators, attorneys, debt collectors, skip-tracers, insurance claims investigators, and media outlets, among others.

Some information brokers provide their databases for a fee on Internet websites, hawking their wares with "spam" messages that promise, "You can find anything about anyone for just $29.95." Anyone with a working credit card account can access these services, whether or not they have a legitimate business purpose. Those who use the services of these online information vendors are under no obligation to report their findings to the data subject.

Looking ahead. The cost of background checks has decreased dramatically in recent years. As a result, more employers are conducting them. Investigations are going beyond a simple reference verification or credit report to include criminal background checks. Since the terrorist attacks of 9-11, an increasing number of employers are conducting background checks of new hires as well as existing employees.

It's fair to say that a significant percent of background checks are retrieving information that is either incorrect or misleading. As discussed in the "data profiling" section above, there is no such thing as a perfect database. Because of loopholes in the law, the subjects of background checks might never know the contents of their investigations and the reasons they are not able to land a job.

Legislative amendments to federal and state laws that govern "investigative consumer reports" must be passed into law in order to prevent a significant number of individuals from being harmed by erroneous reports. California recently amended its investigative consumer reporting act to require that all individuals who are the subject of background checks, with exceptions for suspicion of wrongdoing, have the opportunity to receive a copy of the report.

INFORMATION BROKER INDUSTRY

Description of issue. In previous sections, I discussed some of the privacy-related issues regarding the growing information broker industry. This industry is virtually unregulated except for the background check requirements in the Fair Credit Reporting Act.

A set of voluntary guidelines was adopted by the information broker industry in conjunction with the Federal Trade Commission in 1997. But the guidelines are weak and have resulted in no meaningful privacy protections for U.S. consumers. In addition, the industry group that developed the guidelines, the Individual Reference Services Group, has since disbanded.

Looking ahead. An incident from the November 2000 election illustrates what can go wrong when information broker data files are improperly used to make critical decisions about individuals. The Florida Secretary of State Division of Elections contracted with Database Technologies (DBT), a division of Choicepoint, to check its voter rolls against the data compiled by DBT. Many individuals were wrongly identified as being felons, and turned away at the polls. The original "scrub list," as it was called, included nearly 60,000 names. One county that checked each of the 700 names on its list could only verify 34 as former felons. ("Ex-Con Game," by Greg Palast, Harper's Magazine, March 2002).

Without the effective regulation of this industry, a significant number of individuals are going to suffer privacy violations, lost job opportunities, ruined reputations, and discrimination. So far, the information broker industry has been effective in preventing laws from being passed on the federal level.

PUBLIC RECORDS ON THE INTERNET

Description of issue. One of the hallmarks of our democracy is open government. Most government agency and court records are considered "public" records, primarily so "we the people" can monitor our government. In the past, individuals accessed public records by traveling to the courthouse or to the government office and using the records there, a time-consuming and often expensive task. In recent years, however, a growing number of government agencies and court systems have made these records available on the Internet.

Upon first consideration, it might be thought beneficial for government records to be easily available to the public via the Internet. After all, our government is supposed to be accessible to citizens.

Looking ahead. Unless we are somehow transformed into a tolerant society, our "transparent society," to borrow a term from sci-fi writer David Brin, is going to pose significant problems for a large number of individuals. The full texts of criminal and civil court records, divorce decrees, bankruptcies, and more are slated to be available from government and information broker websites. Employers are likely to use such information to make adverse hiring decisions. Identity thieves will find their pot of gold at the end of the rainbow simply by clicking a mouse. And neighbors and relatives may learn more about us than we are comfortable with.

Georgetown University law professor Jeffrey Rosen wrote The Unwanted Gaze about just such a scenario. He explains the value of privacy protection as follows:

Privacy protects us from being objectified and simplified and judged out of context in a world of short attention spans, a world in which part of our identity can be mistaken for the whole of our identity. (p.115)

There are several potential drawbacks to posting public records online, especially the full texts of court records.

The solution is not to ban public records altogether from the Internet. Instead, records should be selectively redacted, for example, by removing Social Security numbers and financial account data. Instead of publishing the full texts of sensitive proceedings, such as divorce cases, on the Internet, just the index information should be published. Certain categories of case files, family court records for example, should be available at the courthouse and not online. These and other solutions must be sought in order to prevent the negative consequences of publishing public records online, but without losing sight of the need for access to public records in order to provide oversight of our government.

FINANCIAL PRIVACY

Description of issue. As a result of the federal Financial Services Modernization Act, banks, insurance companies, and brokerage firms are now able to affiliate with one another under one corporate roof. This law, known as Gramm-Leach-Bliley (GLB) after its sponsors, was implemented in 2001.

Credit card companies, banks, insurance companies, and brokerage firms may share their respective databases with one another - called affiliate sharing -- but they cannot sell customer data to third parties without providing an opt-out notice to their customers.

Looking ahead. Unless legislation is passed at both the federal and state levels to strengthen the Financial Services Modernization Act, the process of affiliate sharing will enable these merged corporations to assemble customer data files of unprecedented scope. Some financial institutions have more than 2,000 affiliates spanning a broad array of businesses.

While "junk" mail, e-mail, and telemarketing solicitations are a likely result of widespread affiliate sharing of customer data, privacy advocates are even more concerned about the potential for harmful uses of data merging and data profiling:

Decisions on one's credit worthiness might hinge on medical information gleaned from insurance company data.

A scam artist might use one's profile as a risk-taking investor to pitch get-rich-quick schemes.

Elderly individuals with cash-rich portfolios could be vulnerable to fraud artists' promises of lucrative returns on risky investments.

The GLB Act contains a provision that enables state legislatures to pass stronger privacy provisions. Indeed, several states have debated privacy bills that allow for an opt-in for third party data sharing, thereby setting the default at no sharing unless the customer says "yes." In contrast, the GLB standard is opt-out. For three years, the California legislature has debated bills that would not only require opt-in for third party sharing, but an opt-out for affiliate sharing. Strong lobbying by the financial services industry has succeeded in killing these bills.

Given the high percent of the population favoring strong privacy protection -- 80% to 90% in most polls -- state legislatures and Congress are expected to grapple with this issue for years to come. The financial services industry will exert considerable pressure on Congress to pass an amendment to GLB that prohibits states from enacting stronger privacy measures.

MEDICAL RECORDS CONFIDENTIALITY AND GENETIC PRIVACY

Description of issue. It is not an exaggeration to state that our video rental records have had more privacy protection than our medical records in the past. The Clinton Administration's Health and Human Services Department attempted to rectify this situation by developing privacy regulations as required by the passage of HIPAA, the Health Insurance Portability and Accountability Act.

The HIPAA regulations, effective in April 2003, make significant strides for American healthcare consumers, especially in requiring healthcare institutions to give patients notice of their information practices, and in enabling individuals to gain access to their own medical records. But the Bush Administration has rolled back some of the privacy provisions due to pressure from the healthcare industry, in particular the patient consent requirements.

Another privacy issue on the healthcare front is genetic profiling. The use of genetic data to discriminate in both employment and health insurance is of growing concern to consumers, healthcare professionals, and policymakers alike. In 2001, U.S. News & World Report reported that the railroad company Burlington Northern secretly conducted genetic tests on employees who had filed worker's compensation claims for carpal tunnel syndrome. The company's intention was presumably to be able to reject some claims because of genetic predisposition to the condition, despite the fact that predisposition to this ailment is questionable. (Dana Hawkins, "The dark side of genetic testing," U.S. News & World Report, Feb. 19, 2001)

Looking ahead. Most individuals consider their medical information to be among the most sensitive of any information about them. And many are under the mistaken impression that the Hippocratic oath still holds true today.

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets. — Hippocrates, 4th Century B.C.

But in truth, one's medical information is an open book in our far-flung healthcare system -- from medical providers, to insurance companies, to self-insured employers, to laboratories, and to payment companies, medical transcriptionists, pharmacies and pharmacy benefits systems, government regulators, and more.

The HIPAA regulations that become effective in 2003 will no doubt serve as a catalyst for healthcare institutions to scrutinize and improve the handling of their patients' medical records. But societal pressures, especially by employers who foot the ever-rising health insurance bill for millions of individuals, will continue to erode what little medical privacy individuals have.

WIRETAPPING AND ELECTRONIC COMMUNICATIONS

Description of issue. The FBI during the Clinton Administration made several attempts to strengthen its wiretapping capabilities, especially of digital telephone communications and Internet communications. Its "Carnivore" technology is a "black box" that can be installed in Internet Service Providers' (ISP) systems to monitor the e-mail traffic of its subscribers.

In the wake of the terrorist attacks of September 11, 2001, the USA PATRIOT Act has made it easier and faster for authorities to obtain telephone wiretaps as well as access to Internet communications. Procedural requirements, notably showing probable cause that a crime had been or was about to be committed, have been weakened.

Looking ahead. The checks and balances provided by the U.S. Constitution and a host of laws have been weakened considerably by the USA PATRIOT Act regarding wiretapping and the interception of e-mail and web-surfing transactions. The law contains a number of secrecy clauses which prevent individuals from reporting ways in which the law is being used. The sunset provisions, which will enable a number of its provisions to be evaluated and possibly overturned, do not apply to the entire law.

Civil liberties organizations are using the Freedom of Information Act (FOIA) to attempt to determine how the Patriot Act is being implemented by government authorities, and whether or not abuses are occurring. In addition, members of Congress who are concerned about widespread violations of civil liberties are attempting to monitor the law's implementation. In light of the secrecy clauses in the law, it is actions such as these that will be needed to shine light on whether or not government authorities have overstepped their bounds.

YOUTH PRIVACY ISSUES

Description of issue. Children and youth are vulnerable to a number of privacy threats.

Looking ahead. While these threats do not necessarily interrelate with one another, it is evident that children and youth are the targets of a great deal of data collection. Congress has acted to limit online data collection from children under age 13 by passing the Children's Online Privacy Protection Act, implemented in April 2000. And the Bush Administration signed into law a provision to require that schools give parents the opportunity to opt the student out of participation in marketing-related surveys that collect personal information. This is part of the No Child Left Behind Act of 2001.

But as we've seen with the other issues discussed in this report, laws are not able to keep up with the fast pace of technology. Children are early adopters of computer and wireless technologies, and are far more skilled than many of their elders in using them. Children are also voracious consumers of the latest trends in clothing, music, sports, and entertainment. Marketers are not likely to bypass the opportunity to collect data from children and to solicit both them and their parents. The tension between laws and technology regarding children will persist for some time to come.

DIGITAL RIGHTS MANAGEMENT

Description of issue. The First Amendment gives Americans the right to explore ideas in books, music, and movies without having to identify ourselves. The right to anonymity is a vital foundation stone of our democratic society. Our strong First Amendment tradition protects people with dissenting, unpopular, or controversial ideas.

But the migration of print, music, and images to the Internet has spawned new technologies called "digital rights management" systems (DRM) that infringe upon intellectual freedom. Copyright owners, including the entertainment industry and publishers, are attempting to monitor those who download copyrighted files in order to prevent piracy and ensure payment for their products. In developing DRM systems, they threaten to create technologies that identify those who read, listen to, and view Internet content.

The companies that collect this information will be able to develop profiles of those who access Internet content. And as I've discussed elsewhere in this report, with profiling comes the potential for secondary uses to be made of that data, from marketing to government surveillance.

Looking ahead. Intellectual property scholars point out that copyright and privacy have traditionally been compatible because copyright provisions control public distribution of content. Private use of copyrighted material has been governed by the fair use doctrine, enabling individuals to make limited copies for their own use.

But DRM systems threaten to monitor private use by implementing technologies that capture personally identifiable information for each and every use. A challenge for policymakers and industry is to develop DRM systems that can confirm the eligibility of individuals to access content without identifying the actual user. Another challenge is to preserve the principle of fair use.

DIGITAL TELEVISION AND BROADBAND CABLE TV

Description of issue. We are at the dawn of a revolution in television technology. Our TV sets are going digital. Custom-made television viewing is now possible with set-top boxes like TiVo and ReplayTV that can capture only those TV programs that we want to watch and enable us to view them at any time. These devices rely on two-way communications to send and receive data about consumers' viewing preferences. This data is going to be highly prized by marketers.

In a legal environment of weak privacy protection, consumers have little ability to control what is done with such data. A California state senator introduced legislation in 2000 to create an opt-in right of consent before third parties can obtain data compiled from digital television viewing patterns. The bill was defeated by strong industry lobbying.

Looking ahead. In the era of digital television, TV viewers are likely to be served advertisements based on their unique interests. Many consumers may appreciate this. But privacy advocates are concerned about the secondary uses that could be made of such data. In a post 9-11 world where consumer data is considered fair game for profiling purposes, information obtained from digital TV-viewing is likely to be part of the mix unless laws are passed to give individuals the ability to control data collection and to prevent secondary uses.

Nonprofit public interest groups who are working on these issues include the following:

 
