|
 |
|
|||||
 |
Is privacy a realistic possibility in the twenty-first century? Will the "Digital Age" be one in which individuals maintain, lose, or gain control over information about themselves? Will it be possible to preserve a protected sphere from unreasonable government and private sector intrusion?
Without question, the growth of government and commercial transactions and the increase in technological developments over the last 50 years have heightened threats to privacy. Today the Internet accelerates the trend toward increased information collection and facilitates unprecedented flows of personal information. Cellular telephones and other wireless communication technologies generate information about an individual's location and movements in a manner not possible until now. Electronic communication systems generate vast quantities of transactional data that can be readily collected and analyzed. And law enforcement agencies, particularly at the federal level, place increasing emphasis on electronic surveillance.
Confronted by these challenges, there are still grounds for optimism. While dangers to privacy capture our attention, they sometimes lead us to understate the unprecedented gains in privacy protection that have also been achieved over the last half of the twentieth century. In many cases the legal system has laid a foundation for privacy protection through court decisions, state and federal legislation, and self-regulation. For example:
In many instances, users of new technologies have taken their privacy into their own hands. They have demanded and availed themselves of powerful new technologies to protect their privacy. And individuals have found - and used - the avenues afforded them by new communications media to make vocal their demands for privacy. New technologies and standards enable users to protect their privacy are on the way.
These privacy gains can be augmented and many threats to privacy can be overcome if citizens band together for reform and enlightened policy. The hope for progress, in sum, lies in the hands of engaged citizens who avail themselves of the legal, technological, and political opportunities to act in the marketplace and the political arena. Advocates, committed to reform, must communicate that promise to the public. To do otherwise risks convincing individuals that they are powerless in the face of the rise of digital technology and that their only choice in the era of information is to do nothing. Recent history, technological developments, and the action of an informed public make the case for something different: given the necessary legal and technological tools and a clear voice, citizens can demand and achieve good privacy protection. The answer to whether privacy can still be protected is an emphatic yes. What is critical in making privacy a reality in the twenty-first century is the conviction of citizens that privacy is possible.
In the United States, the concept of privacy has evolved since it was first articulated by Justice Brandeis in 1898. His definition of privacy - "The right to be let alone" (Brandeis and Warren, 1890) - has been influential for nearly a century. In the 1960s, 1970s, and 1980s, the proliferation of information technology (and concurrent developments in the law of reproductive and sexual liberties) prompted further and more sophisticated legal inquiry into the meaning of privacy. Justice Brandeis's vision of being "let alone" no longer suffices to define the concept of privacy in today's digital environment, where personal information can be transported and distributed around the world in seconds.
At the end of 2000, ideas about privacy are more complex, reflecting the rapid and remarkable advances in computing that have made possible both unprecedented monitoring and the unprecedented collection, storage, manipulation, and sharing of data.
Today, when we talk about privacy, we are often talking about personal autonomy as it relates to information about an individual. Privacy entails an individual's right to control the collection and use of his or her personal information, even after he discloses it to others. When individuals provide information to a doctor, a merchant, or a bank, they expect that those professionals or companies will collect the information they need to deliver a service and use it for that sole purpose. Individual expect that they have the right to object to any further use. Implementation of principles of fair information practices - notice, choice, access, security, and enforcement - is key to preserving this autonomy by ensuring that an individual's privacy interests in his or her personal information are protected.[ 1 ]
Privacy today also refers to protection from government surveillance. The Fourth Amendment, originally intended to protect citizens from physical searches and seizures, establishes an expectation of privacy in communications as well. New technologies that enhance the ability of law enforcement to monitor communications and compile an array of information about an individual test the limits of Fourth Amendment protections and require that we revisit and redefine our established ideas about this constitutional protection.
Advances in communications technologies over the last half century significantly challenge individual privacy. Deployment of rapid and powerful computing technologies has vastly enhanced the ability to collect, store, link, and share personal information. This ability to manipulate information has played a critical role in reshaping the American economy, making it possible to predict consumer demand, manage inventories, serve individual consumer requirements, and tailor marketing techniques. But to do this successfully, businesses require and use information about individuals, which means that the demand for personal information, and business efforts to acquire it from customers, constantly increase.
Undoubtedly, the Internet has made this kind of data collection and analysis easier and more efficient. Rather than rely on secondary sources of consumer information, or engage in cumbersome telephone and mail-in information collection practices, companies can collect data online, through registration and as a transaction is carried out. Technologies such as "cookies," written directly onto a user's hard drive, enable websites to collect information about online activities and store it for future use. Using cookies, companies can track a consumer's online activities, creating a wealth of behavioral and preference information. This information can be collected over multiple websites, potentially creating a rich dossier about consumers, including their preferences and their online behavior.
Cellular networks generate data by collecting information about the cell site and location of the person making or receiving a call. Location information may be captured when the phone is merely on - that is, even if it is not handling a call. Both government and the private sector are interested in this location information. While the government seeks to build added surveillance features into the network and ensure that it can access the increasingly detailed data the network captures, the private sector is using this new information to provide emergency "911" services and is considering its potential for advertising.
Enhancements to law enforcement surveillance capabilities also raise serious privacy concerns. Wireless services provide phones that are readily tapped at central switches. Wireless phone location information generated when a person makes or receives a call can be obtained by law enforcement by subpoena or court order. Email messages are in some respects easier to intercept than regulator mail. Technology has freed law enforcement intercepts from the constraints of geography, allowing intercepted communications to be transported hundreds or thousands of miles to a monitoring facility. And computer analysis allows agencies to review vast amounts of information about personal communications patterns far more easily.
Although threats to privacy have loomed large in recent decades, advances in privacy have also been significant. If, when we talk about privacy, we mean personal autonomy and protection against unwarranted government surveillance, recent history gives us reason to be hopeful about the future of privacy.
In the landmark Berger v. New York (1967) and Katz v. United States (1967) cases, the Supreme Court ruled that electronic surveillance constituted search and seizure and was covered by the privacy protections of the Fourth Amendment. In Berger, the court condemned lengthy, continuous, or indiscriminate electronic surveillance, [ 2 ] but in Katz, the court indicated that a short surveillance, narrowly focused on interception of a few conversations, was constitutionally acceptable if approved by a judge in advance and based on a special showing of need. Congress responded to these rulings by regulating wiretapping, establishing a system of protections intended to compensate for the intrusive aspects of electronic surveillance. According to the Senate report, the legislation had "as its dual purpose (1) protecting the privacy of wire and oral communications, and (2) delineating on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized (U.S. Senate, 1968: 66).
In 1972, the government took first steps to address the collection and storage of information through computer technologies. Elliot L. Richardson, secretary of the Department of Health Education and Welfare, appointed an Advisory Committee on Automated Personal Data Systems to explore the impact of computerized record keeping on individuals. In the committee's report, published a year later, the advisory committee proposed a code of fair information practices. These principles form the basis of the Privacy Act of 1974, a response to privacy concerns raised by Watergate-era abuses that addressed collection of information by the federal government. Creating the principles of fair information practices proved to be seminal work; they have formed the basis for all subsequent codes and laws related to information collection at the state and federal level and in international agreements and treaties.
Congress acted to regulate wiretapping in national security cases in 1978 through another statute, the Foreign Intelligence Surveillance Act (FISA). In 1986 Congress addressed the challenges to privacy presented by the emergence of wireless services and the digital era with the adoption of the Electronic Communications Privacy Act (ECPA). ECPA addressed wireless voice communications and electronic communications of a nonvoice nature, such as email or other computer-to-computer transmissions. ECPA was intended to reestablish the balance between privacy and law enforcement, which had been tipped by the development of communications and computer technology and changes in the structure of the communications industry.
While gains in privacy protection in the 1970s focused on limiting government surveillance, the rapid advances in computing and in Internet communications and commerce have turned the focus toward information privacy. In the late 1990s, individuals achieved new gains in the privacy of personal information. More work toward legislative protection remains to be done.
Medical Information. In the early 1990s society witnessed tremendous changes in both the collection and the use of health information. The transition from fee-for-service health care to managed care led to demand for unprecedented depth and breadth of personal information. At the same time the environment for information began to move rapidly from paper forms to electronic media, giving organizations a greater ability to tie formerly distinct information together and send it easily through different sources. To address theses concerns, the Clinton Administration issued new rules under the 1996 Health Insurance Portability and Accountability Act to protect the privacy of medical records. This set the first comprehensive federal standards for transactions that, until then, were regulated by a patchwork of state laws.
Children. Congress passed the Children's Online Privacy Protection Act (COPPA) to protect children's personal information from its collection and misuse by commercial websites.[ 3 ] COPPA, which went into effect on April 21, 2000, requires commercial websites and other online services directed at children 12 and under, or that collect information regarding users' age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children.
Consumer Information. The late 1990s brought the first steps toward protection of information collected from consumers online. Efforts on the part of government and business to require that companies doing business online comply with fair information practices represent an unprecedented step toward empowering consumers to protect the privacy of their personal information. In the past, information collected from consumers online or offline was not subject to fair information practices - consumers received no notice about a company's information policy, were afforded no choice about how the information might be used, and had no recourse when the privacy of their information was not respected. Importantly, consumers had no avenue for redress when information about them had been used improperly. The advent of the Internet brought a new focus on information collection practices and new self regulatory oversight.
As the debate continues about protecting consumer information, growing effort is being directed toward baseline legislation requiring companies to comply with fair information practices and to submit to a dispute resolution process. For the first time, we are on the way to investing individuals with rights in their information and with an avenue of recourse for privacy violations.
Progress in law is only one area in which privacy has been enhanced in the last century. Applications of technology that limit the collection of transactional information that can be tied to individuals has proliferated, giving individuals tools to protect their own privacy. From anonymous mailers and web browsers that allow individuals to interact anonymously to encryption programs that protect email messages as they pass through the network, individuals can harness the technology to promote their privacy.
Some tools developed to protect privacy exploit the decentralized and open nature of the Internet. These tools may limit the disclosure of information likely to reveal identity, or decouple this identity from other information. Others create cashlike payment mechanisms that provide anonymity to individual users, vastly reducing the need to collect and reveal identity information.
Encryption. Encryption tools provide an easy and inexpensive way for a sender to protect information by encoding information so that only a recipient with the proper key can decode it.
Encryption is particularly important because of the inherent difficulties of securing the new digital media. The open decentralized architecture that is the Internet's greatest strength also makes it hard to secure. Internet communications often travel "in the clear" over many different computers in an unpredictable path, leaving them open for interception. An email message from Washington to Geneva might pass through New York one day or Nairobi the next - making it susceptible to interception in any country where lax privacy standards leave it unprotected. Encryption provides one of the only ways for computer users to guarantee that their sensitive data remains secure regardless of what network - or what country - it might pass through.
The recent relaxation of export laws in the United States should ensure that stronger encryption technologies will be built into commercial products. As this begins to occur, it will be important to educate consumers on how they can protect themselves using these tools.
The Platform for Privacy Preferences. Developed by the World Wide Web Consortium, the Platform for Privacy Preferences (P3P) is emerging as an industry standard that provides a simple, automated way for users to gain more control over the use of personal information on websites they visit. P3P-enabled websites make information about a site's privacy policies available in a standard, machine-readable format. The P3P standard is designed to automatically communicate to users a website's stated privacy policies and how they compare with the user's own policy preferences. Users are then able to make choices about whether to visit a website on the basis of the site's privacy policy.
P3P does not set minimum standards for privacy, nor can it monitor whether sites adhere to their own stated procedures. However, P3P technologies gives control to web users who want to decide whether and under what circumstances to disclose personal information.
Equally important to the strides in privacy is the voice of individuals.
Using email, websites, listservers, and newsgroups, individuals connected to the Internet are able to quickly respond to perceived threats to privacy. Individuals protested when Internet advertising company DoubleClick's plan to link personally identifiable information collected offline with that collected online was revealed. Negative media coverage, coupled with plummeting stock prices, forced DoubleClick to pull back from its plan. Similarly, when Intel released its Pentium III microprocessor with technology that facilitates the tracking of individuals across the World Wide Web, outcry in the Internet community prompted Intel not only to install a software patch that disabled the technology but also to discontinue its installation in the next model, Pentium IV. Clearly the Internet provides users with a wide forum for discussion and a powerful platform from which to spread their message. Through the Internet and other media, the active vigilance of individuals can and does force the government and the private sector to reckon with a growing and vocal privacy constituency.
Recent history has presented enormous threats to privacy, but the public has also made significant gains in privacy protection through legislation, technological tools, and action in the marketplace and the political arena. Privacy is a work in progress, and more work remains to be done. In particular, baseline legislation to address the collection of consumer data is a critical resource that would assure individuals consistent application of principles of fair information practices and an effective redress mechanism. Industry must continue to develop and refine privacy-enhancing software so that they keep pace with new business models and new technologies. In the debate about privacy, individuals must continue to use the Internet and new communications technologies to make their views clearly heard and understood.
Is privacy something we can reasonably hope for in the twenty-first century? If recent history is any indicator, it is. But whether or not we achieve the kind of privacy we want ultimately depends on whether citizens are willing to organize and act as they have in the past. That will happen only if the public believes privacy is possible.
Equally important is the newfound voice of individuals. Through the use of email, web sites, listservers, and newsgroups, individuals on the Internet can quickly respond to perceived threats to privacy. Whether it is a proposal before the Federal Reserve Board requiring banks to "Know Your Customers," or the release of a product like Intel's Pentium III that could facilitate the tracking of individuals across the World Wide Web, Internet users have a forum for discussion, and a platform from which to spread their message. This active vigilance can and does force the government and the private sector to contend with a growing and vocal privacy constituency.
1 Under principles of fair information practice, an individual must first receive adequate notice about what information is being collected about him and how it is to be used. Second, the individual must be able to make choices about the use of information collected about him. Third, the individual must be allowed reasonable access to information maintained about her. Fourth, information about an individual must be secured, so that its accuracy and integrity is maintained. Finally, collectors of information must be subject to an enforcement mechanism that assures their compliance with fair information practices and provides individuals with a means of recourse when their rights in their data have not been respected.
2 See Berger v. New York 388 U.S. 59 (1967); Katz v. United States, 389 U.S. 354-59 (1967).
3 The Federal Trade Commission promulgated the Children's Online Privacy Protection Rule in 1998.
Brandeis, Louis D. and Samuel D. Warren. "The Right to Privacy" Harvard Law Review 4 (1890).
U.S. Senate. Omnibus Crime Control and Safe Streets Act. Rept. No. 90-1097 (1968).
  |
The Center For Democracy & Technology |