Chapter Four: Debates & Trials

The Internet has changed the quantity and quality of data available about individuals' lives, but in many ways business practices and laws have not progressed to ensure individuals' privacy. Some companies, enlightened by survey upon survey documenting consumers' privacy concerns, have improved their practices and a few are supportive of federal legislation. The Federal Trade Commission and Congress have shown interest in ensuring that privacy is protected as the digital economy is embraced. Still, though, the U.S. has no baseline privacy legislation. Instead, as noted elsewhere in this guide, we have a patchwork of privacy laws.

In addition to appropriate privacy legislation, technology itself has the capacity to provide an underlying framework for privacy, providing greater anonymity, confidentiality, and a platform for fair information practices.

This chapter summarizes some of the recent privacy debates. The issues can be separated into two main categories:

  1. government surveillance, and
  2. consumer privacy.

CALEA

The Communications Assistance for Law Enforcement Act (CALEA) was adopted in 1994 to ensure that new telephone network technologies and services did not interfere with law enforcement wiretapping. While Congress intended for CALEA to limit the FBI's control over the telephone system and to strengthen privacy protections, CALEA's implementation has been fraught with dangers to privacy. The FBI dominated the process by insisting that telephone switches include features giving the government more comprehensive surveillance capabilities than it ever had. The Federal Communications Commission (FCC) adopted most of the FBI's wish list, rejecting privacy concerns. Despite a challenge by CDT and others to the FCC decision in the Federal Court of Appeals, most of the features sought by the FBI were mandated.

In March 2004, the FBI petitioned the FCC to extend CALEA to broadband Internet access and to applications that carry voice over the Internet, often referred to as VoIP. CDT and others have submitted comments to the FCC opposing the FBI's request to extend CALEA.

PATRIOT Act

In response to the 9/11 attacks, Congress quickly passed the USA PATRIOT Act. While it is important to ensure that those who protect us have the necessary legal tools, the Act grants the Executive Branch broad discretionary powers that infringe on fundamental liberties. Furthermore, some of the Act's provisions are not limited to cases of suspected terrorism, but rather apply generally to criminal investigations.

Under the PATRIOT Act:

  • government agents can collect information about patterns of Internet and telephone usage without judicial review;
  • ISPs, universities, and network administrators can monitor "computer trespassers" without a court order;
  • the FBI can compel the disclosure of any business records, even sensitive medical, financial, and library borrowing records, upon the claim that they are sought for an intelligence investigation;
  • agents investigating any crime can conduct "sneak and peek" searches of homes and offices without notifying affected individuals until days or weeks after;
  • the FBI can share grand jury information with the CIA, in essence giving the CIA the benefit of domestic subpoena powers;
  • the FBI can carry out wiretaps and secret searches in criminal cases in accordance with the lower FISA (Foreign Intelligence Surveillance Act) standards.

Some of the PATRIOT Act surveillance provisions "sunset" or expire in 2005 unless renewed by Congress.

Expansion of PATRIOT Act (PATRIOT II)

Despite the controversy surrounding the PATRIOT Act, the Administration and some members of Congress are sponsoring legislation that further increases the government's powers. One proposal would give the FBI "administrative subpoena" power, meaning that FBI agents could force businesses and individuals to disclose records or give testimony with no judicial approval.

CDT believes that it is unwise and unnecessary to expand the PATRIOT Act. Congress has not yet finished oversight work to see how the first round of expanded powers is being used, and whether those powers are even effective against terrorism. The sunset clause, which causes some of the surveillance provisions to expire unless renewed, does not take effect until December 31, 2005.

CAPPS II

The federal government and the airlines have long used various "no-fly lists" and other screening techniques in an attempt to keep terrorists off airplanes. The Transportation Security Administration is planning to create CAPPS II (Computer Assisted Passenger Pre-screening System) to improve airline security.

As proposed, CAPPS II would have used commercial databases to authenticate passenger identity. It would have assessed passenger risk using "watch lists" and other classified and unclassified governmental information. Based on the findings, a code would have been assigned to each passenger indicating whether the passenger should be subject to normal screening, additional screening, or referred to law enforcement for questioning and possible detention.

As originally proposed, the expansion of the CAPPS program would have included information about ordinary criminals not suspected of any involvement in terrorism, and, potentially, visa and immigration violators.

In summer of 2004, senior officials at the Department of Homeland Security stated that the agency was scaling back plans for CAPPS II. Both privacy and effectiveness concerns had undermined support for the initial plan. But contrary to some press reports, CAPPS II was not being abandoned.

Watch Lists

Watch lists consisting of names of suspected terrorists are a necessary component of the system to protect the nation from terrorism. They might be used in screening air passengers, in issuing visas, and in making employment decisions for certain jobs. It is necessary to have rules for accuracy and mechanisms for redress, so that individuals wrongly accused of being involved with terrorism can get off the list. It is not yet clear what private and public organizations can have access to the lists and what purposes they can be used for.

Total Information Awareness and Data Mining

The Total Information Awareness (TIA) project was a Department of Defense program intended to develop techniques for analyzing intelligence data as well as financial, communications, and travel information in order to identify terrorists and predict future terrorist attacks.

In 2003, Congress stopped funding TIA, but other government agencies have continued to make use of data mining in similar projects. According to a 2004 GAO report, Federal agencies were engaged in 199 data mining projects, 131 of which were operational.

Government Privacy Office

A number of countries have created independent privacy offices at the provincial, state and federal levels. Privacy (or "data protection") officers evaluate the data access, use and distribution practices of private and government entities. CDT strongly supports the appointment of independent privacy officers within federal agencies and one at The White House with government-wide responsibilities. It is also worth examining how a federal privacy office might oversee private sector data practices.

Tracking/Locating Technology - Global Positioning System

Technological innovation has brought a new threat to privacy: the spread of tracking technology. Increasingly, as individuals go about their daily lives, data is being collected about where they are.

The Global Positioning System (GPS) was developed by the Department of Defense to determine one's precise location and provide a highly accurate time reference anywhere on Earth. While the system was originally intended for military use, it is open for civilian use, so manufacturers have added GPS capabilities to products ranging from cars to movie making gear. While there are consumer benefits to the system, such as being able to get driving directions while in a car, there are privacy concerns. Recently in Canada, a driver of a rental car was charged $450 for three speeding infractions. The police never stopped the person; rather, the car rental firm saw that he was speeding based on information obtained from a GPS device in the car, which transmitted the data to the rental company without the driver's knowledge.

Radio Frequency Identification Devices

Radio frequency identification devices (RFIDs), which are microchips that can be embedded into consumer products, are being used by manufacturers of an assortment of products to track goods through the supply chain. The tags come in two forms, passive and active. The passive (battery-less) tags have a lower read-range than active tags. While it is the prerogative of a business to use technology to track its goods before they are sold, important privacy issues arise if the devices are not removed after purchase.

Governments are also taking up RFID technology. Some are considering placing RFIDs in passports. The US Department of Homeland Security is considering using the tags in its US-VISIT program.

E-911

Mobile telephones produced for American consumers after 2000 are required by law to have location mapping capabilities in order for 9-1-1 operators to determine the position of wireless telephone users when they are in emergency situations. Legislation adopted in May 1999 prohibits cell phone companies from using or disclosing location information in non-emergency situations without prior explicit user consent.

Spyware

Over the last several years, a loosely defined collection of computer software known as "spyware" has become the subject of growing public alarm. Computer users are increasingly finding programs on their computers that they did not know were installed and that they cannot easily uninstall. Those programs create privacy problems and open security holes, they can hurt the performance and stability of computers, and they can lead users to mistakenly believe that the problems they are experiencing are the fault of another application or their Internet provider.

In 2004, Congress was considering legislation to combat the "spyware" problem. A complete solution will require a combination of better enforcement of existing laws, anti-spyware technologies, self-regulatory policies, and legislation.

Spam

In December 2003, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the "CAN-SPAM" Act. The Act, which took effect on January 1, 2004, created new penalties for sending deceptive spam advertising and imposed other obligations on commercial email. Senders of sexually oriented email are required to add special labels to the headers of such email. With the exception of the labeling requirement, which threatens First Amendment rights, CDT supported the core principles of CAN-SPAM.

Do Not Call Bill

In 2002, the FTC established a Do Not Call list that consumers can use to say that they do not want to receive unsolicited telemarketing calls. In March 2003, the Do Not Call Implementation Act was signed into law to clarify the authority of the FTC to create the list. The Direct Marketing Association challenged the Act, saying it violated the First Amendment, but in February 2004, the Tenth Circuit Appeals Court upheld the FTC's Do Not Call Registry.

Fraud/Identity Theft

A number of bills have been introduced in both the House and the Senate to help solve the increasing identity theft problem. The bills strive to restrict the commercial use of Social Security numbers and other personally identifiable information, and to give the FTC more authority to target ID theft.

For a list of proposed identity theft legislation, view the "Privacy" and the "Authentication and ID" sections of CDT's legislation chart.

In 2003, the Fair and Accurate Credit Transactions Act modified the Fair Credit Reporting Act to give consumers the ability to put fraud alerts in their credit files if they have been victims of identity theft. In order to reduce the exposure of credit card numbers, the act required merchants to print no more than five digits of the number on receipts. In 2004, the Identity Theft Penalty Enhancement Act was adopted, increasing the prison sentences for using stolen credit card numbers, Social Security numbers, and other personal information to commit crimes.

For more information, refer to the Fair Credit Reporting Act section in "Chapter 3: Existing Federal Privacy Laws" of this guide.

Much of the identity fraud problem arises at the state level, where security holes at state departments of motor vehicles (DMV) have allowed criminals to obtain driver's licenses under false pretenses. CDT recommends that the federal government monitor state DMV security problems, impose penalties on state DMV officers who accept bribes to issue licenses, and implement pilot programs for security.

Authentication

Both the public and private sectors have expressed interest in adopting authentication systems, which allow for online verification of identity or authorization. In the public sector, these systems will allow the government to better meet the needs of citizens. In the private sector, they can facilitate e-commerce and enhance security and trust. However, many authentication systems will collect and share personal information, raising privacy and security concerns.

In 2003, the Authentication Privacy Principles Working Group, convened by CDT, issued an interim report that describes methods for organizations to use authentication to perform services without compromising privacy. The guidelines encourage organizations to provide notice, obtain consent, limit the amount of information collected, stored, and shared, and provide accountability.

Bills in the US Congress

Consumer privacy bills were introduced in Congress in recent years to address the identity theft problem, prevent unsolicited commercial phone calls and email, and limit so-called "spyware."

See CDT Legislation Table (108th Congress). As is the case generally with introduced legislation, most of these will not be enacted into law.


Copyright © 1998-2004