mained the same. A diary is a diary is a diary. But storing those personal thoughts and reflections on a remote server eliminates many of the privacy protections they were afforded when they were under the bed or on the hard drive. Rather than the Fourth Amendment protections—including a warrant based on probable cause, judicial oversight, and notice—the individual's recorded thoughts may be obtained from the service provider through a mere court order with no notice to the individual at all.
B. Medical records in cyberspace
To bring home what this means in a business setting, let's look at medical records. Hospitals, their affiliated clinics and physicians are using intranets to enable the sharing of patient, clinical, financial, and administrative data. Built on Internet technologies and protocols, the private networks link the hospital's information system to pharmacy and laboratory systems, transcription systems, doctors' and clinic offices and others. The U.S. government is contemplating the development of a federal government-wide computer-based patient record system.23 According to news reports, the Internet and World Wide Web-based interfaces are under consideration.24 The private sector is moving to integrate network computing into a sensitive area of our lives—the doctor's office.25
As computing comes to medicine, the detailed records of individuals' health continue to move not just out of our homes, but out of our doctors' offices. While the use of network technology promises to bring information to the fingertips of medical providers when they need it most, and greatly ease billing, prescription refills, and insurance pre-authorizations, it raises privacy concerns.
In the absence of comprehensive federal legislation to protect patient privacy, the protections afforded by ECPA and other statutes are of utmost importance. Unfortunately, the protections afforded to patient data may vary greatly depending upon how the network is structured, where data is stored, and how long it is kept. If records are housed on the computer of an individual doctor, then access to that data will be governed by the Fourth Amendment.26 Law enforcement would be required to serve the doctor with a warrant or subpoena, and the doctor would receive notice and have the chance to halt an inappropriate search. Under federal law, the patient, however, would receive no notice and have no opportunity to contest the production of the records. When information is in transit between a doctor and a hospital through a network, law enforcement's access is governed by the warrant requirements of ECPA, and neither doctor nor patient receives prior or contemporaneous notice. If the records are stored on a server leased from a service provider, the protections are unclear. They may be accessible by mere subpoena.27 If they are covered by the “remote computing” provisions of ECPA, this would severely undermine privacy in the digital age.
In addition to concerns about government access to personal health information, recent news stories have focused the public on the misuse of personal health information by the private sector, particularly when it is digitized, stored and manipulated. Recently the Washington Post reported that CVS drug stores and Giant Food were disclosing patient prescription records to a direct mail and pharmaceutical company. The company was using the information to track customers who failed to refill prescriptions, sending them notices encouraging them to refill and to consider other treatments. Due to public outrage, and perhaps the concern expressed by Senators crafting legislation on the issue of health privacy, CVS and Giant agreed to halt the marketing disclosures.28 But the sale and disclosure of personal health information is big business. In a recent advertisement Patient Direct Metromail advertised that it had 7.6 million names of people suffering from allergies, 945,000 suffering from bladder-control problems, and 558,000 suffering from yeast infections.29
23 “Why the Government Wants a Computerized Patient Record,” Health Data Network News, Vol. 7, No. 6, March 20, 1998, p. 1. “The development of a federal
24 Id. at 8.
25 See generally, “Six Boston Hospitals Turn To the Internet as a Clinical Network Tool,” Health Data Network News, Vol. 6, No. 6, June 20, 1997, p. 1; “More Clearinghouses Conclude the Internet Makes Economic Sense,” Id.; and, “Hospital Banks on Web Technology for Integration,” Health Data Network News, Vol. 6, No. 16, Nov. 20, 1997, p. 3.
26 The record-keeper would have Fourth Amendment protections. Whether the patient's privacy is protected at all would largely depend upon state law, which is scattered and inconsistent. Until a federal law protecting individuals' privacy in health information is crafted to protect data regardless of where it is stored or whose control it is under, privacy is in danger.
27 18 U.S.C. § 2703(b).
29 “Medical Privacy is Eroding, Physicians and Patients Declare,” San Diego Union-Tribune, February 21, 1998, B1.
The sale and disclosure of what many perceive as less sensitive information is also raising privacy concerns.30 This past summer AOL announced plans to disclose its subscribers' telephone numbers to business partners for telemarketing.31 AOL heard loud objections from subscribers and advocates opposed to this unilateral change in the “terms of service agreement” covering the use and disclosure of personal information.32 In response, AOL decided not to follow through with its proposal.33
As we move forward we must ask: will personal records be afforded differing levels of privacy protection merely because of where and how they are stored? Will individuals be the arbiters of their own privacy, able to make decisions about who knows what about them? How will individual privacy be protected in interactions in the private sector?
C. The case of Timothy R. McVeigh34
In January, news stories broke about a highly decorated seventeen-year veteran of the U.S. Navy who was to be discharged based on information obtained by the Navy from America Online.35 The facts surrounding the incident raise many concerns with privacy in the online world. Using an AOL screenname “boysrch,” Timothy McVeigh sent an email to a civilian Navy volunteer. The curious volunteer looked up the screenname in AOL's member profile directory and discovered that the subscriber identified himself as “Tim, from Honolulu, Hawaii, employed by the military, and gay.” The volunteer passed the screen name and profile information on to her husband, a Navy officer. It eventually landed in the hands of the Judge Advocate General, who undertook an investigation. A Navy paralegal called AOL's customer service and asked for information about the subscriber belonging to the screenname “boysrch.” AOL identified Timothy R. McVeigh as the subscriber.
According to the administrative separation proceedings, the Navy paralegal had not obtained a warrant, a court order, a subpoena, or Timothy McVeigh's consent prior to contacting AOL, and was therefore in violation of ECPA. In its statement arguing against Timothy McVeigh's request for an injunction, the Navy stated that ECPA puts the obligation on AOL to withhold information, not on the government to follow appropriate procedures.36 Equally troubling is the fact that because the statute penalizes only “knowing or intentional" violations, it is unclear whether a cause of action will succeed for this violation of privacy and ECPA.
This case illustrates a number of weaknesses of ECPA. ECPA limits the disclosure of information to the government but allows online service providers and others to disclose information, other than the contents of communications, about subscribers to other parties.37 Is the disclosure of information to the Navy, or more generally the government, an individual's only privacy concern? We can certainly imagine scenarios in which information tying a screenname, and possibly online activities, to an individual's real world identity would substantially invade an individual's privacy and potentially enable further harm to befall him. Of specific concern would be the disclosure of information about children in such a setting. While the government's access to this information, and subsequent actions based upon it, are the source of harm in the McVeigh incident, it is quite possible to imagine a situation equally troubling involving the disclosure of such information to a private party.38 A second troubling aspect of ECPA revealed by the McVeigh case is that the lack of a statutory exclusionary rule, coupled with penalties that only focus on intentional violations, does not create incentives for parties to effectively implement its requirements. In the McVeigh case ECPA itself may not limit the use of the illegally obtained information. While the Constitution may, the lack of a statutory exclusionary rule undermines the goal of assuring that the government follow appropriate procedures designed to protect privacy at the front end. Similarly, the existing penalty structure set out in ECPA does not encourage proactive behavior to protect privacy. In the incident involving McVeigh, AOL claimed that they did not know they were providing information to a government agent, and therefore under the existing statutory penalties they may not be liable.
30 “Internet power feeds public fear,” USA Today, August 13, 1997, A1.
31 “AOL will share users' numbers for telemarketing,” Washington Post, July 24, 1998, E1; “Soon AOL users will get junk calls, not just busy signals and email ads,” July 24, 1998, B6.
32 See letter to Steve Case, President of AOL from the Center for Democracy and Technology, Electronic Frontier Foundation, EFF-Austin, National Consumers League, Privacy Rights Clearinghouse, and Voters Telecommunications Watch.
33 “AOL cancels plan for telemarketing: Disclosure of member's numbers protested,” July 25, 1997, G1.
34 On January 26, 1998 The United States District Court for the District of Columbia issued a preliminary injunction barring the Navy from dismissing McVeigh.
35 “Don't chat, don't tell? Navy case tests privacy limits," Wall Street Journal, January 14, 1998, B1.
36 “AOL says it shouldn't have identified sailor,” Wall Street Journal, January 22, 1998, B10.
37 18 U.S.C. § 2703(c).
38 Privacy concerns with the disclosure of personal information about a specific individual to private citizens and institutions were the impetus behind two recent tightenings of privacy protections. In 1994 the Driver's Privacy Protection Act (DPPA) was passed in response to the murder of Rebecca Schaeffer, whose killer used department of motor vehicle records to locate her. The law sets limits on the disclosure of motor vehicle operator permits, motor vehicle titles, and motor vehicle registrations by motor vehicle departments. Under the DPPA, individuals must be informed of and given the opportunity to prohibit a) requests for their individual record (an “individual look-up”); and, b) disclosures for the bulk distribution of surveys, marketing or solicitations. More recently the Individual References Services Group, a group of companies that provide composite profiles of individuals based on data from both public and private sources, crafted a set of self-regulatory guidelines that limit access to their “look-up services.” One service offered by IRSG member companies is the ability to access profiles of specific individuals. Like the “individualized look-ups” possible at motor vehicle departments or through the IRSG member companies, the disclosure of information to private parties that links an individual to her online identity (screenname) raises privacy concerns. If such information is provided to the wrong person, at the wrong time, it may lead to additional harm to the individual.
D. We know where you are and what you're doing.
An example of the power of transactional data comes from the “location” information available through many cellular networks. In the course of processing calls, many wireless communications systems collect information about the cell site (location) of the person making or receiving a call. Location information can be useful, as Ted Rappaport, the inventor of the hand-held cell phone locator, stated, “If you could know accurately where things are, not only would you feel safer because emergency services could find you, but law enforcement could use it more easily to track the bad guys.”39 But as one reporter put it, “Cellular telephones, long associated with untethered freedom, are becoming silent leashes.”40 The technology is proceeding in the direction of providing more precise location information, a trend that has been boosted by the rulings of the Federal Communications Commission in its “E911” (enhanced 911) proceeding, which requires service providers to develop a locator capability for medical emergency and rescue purposes.41 Location information may be captured when the phone is merely on, even if it is not handling a call.42 Private sector uses of this information are also under consideration. A company in Japan is experimenting with a World Wide Web site that allows anyone to locate a phone and the person carrying it by merely typing in the phone number.43
In the online environment, transactional data can do more than just track the individual's location. It can provide insight into their thoughts, their affiliations, and their politics. It can reveal whether they are at home or at work. In a world where transactional data captures the full contours of a person's life, it is time to provide it with stronger privacy protections.
V. Recommendations
As we consider privacy in the changing communications environment we must ask whether the assumptions of a previous time and technology, and legal distinctions based upon them, continue to make logical sense. Or, more importantly, whether they provide protections reflective of our commitment to individual privacy, autonomy, dignity, and freedom. Policies designed to implement the Fourth Amendment developed in a 20th century world of paper records—even as extended to protect transient voice communications—may not be applicable to 21st century technologies where many of our most important records are not “papers” in our “houses” but “bytes” stored electronically, and our communications, rather than disappearing into thin air, are captured and stored at distant “virtual” locations for indefinite periods of time.
39 “Using cell phones to reach out and find someone: evolving technology will soon be able to pinpoint all mobile dialers,” USA Today, December 16, 1997, 6D.
40 “Technology that tracks cell phones draws fire,” New York Times, February 23, 1998, p. D3.
41 In June 1996, the FCC adopted a Report and Order and Notice of Proposed Rulemaking in Docket 94-102, requiring wireless service providers to modify their systems within 18 months to enable them to relay to public safety authorities the cell site location of 911 callers. Further, the FCC ordered carriers to take steps over the next 5 years to deploy the capability to provide latitude and longitude information of wireless telephone callers within 125 meters. Finally, the FCC proposed requiring at the end of the year period that covered carriers have the capability to locate a caller within a 40 foot radius for longitude, latitude and altitude, thereby, for example, locating the caller within a tall building. In re Revision of the Commission's Rules to Ensure Compatibility with Enhanced 911 Emergency Calling Sys., CC Docket No. 94-102, Report and Order and Further Notice of Proposed Rulemaking (last modified Jan. 2, 1997) (hereinafter FCC E-911 Order) <http://www.fcc.gov/Bureaus Wireless/Orders/1996/fcc96264.txt>.
42 Albert Gidari, Locating Criminals by the Book, CELLULAR BUS. (June 1996) at 70.
43 “The scariest phone system,” Fortune, October 13, 1997, p. 168.
To address privacy in the electronic communications environment the Congress should:
Reexamine the need for limits on the disclosure and use of personal information by private entities. Both the Federal Trade Commission and the Department of Commerce are engaged in initiatives designed to promote “fair information practice principles” in the online environment. We are encouraged that Congress is exploring protections for individual privacy during private sector activities. In considering this issue we recommend that discussions focus on the Code of Fair Information Practices developed by the Department of Health, Education and Welfare (HEW) in 197344 and the Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Council of the Organization for Economic Cooperation and Development in 1980.45
Reconsider how the lines have been drawn between records entitled to full Fourth Amendment protection and business records46 that fall outside the protection of the Fourth Amendment. There are now essentially four legal regimes for access to electronic data: (i) the traditional Fourth Amendment standard, for records stored on an individual's hard drive or floppy disks; (ii) the Title III-ECPA standard, for records in transmission; (iii) the business records held by third parties, available on a mere subpoena with no notice to the individual subject of the record; and, (iv) a third, the scope of which is probably unclear, for records stored on a remote server, such as the research paper (or the diary) of a student stored on a university server or the records (including the personal correspondence) of an employee stored on the server of the employer. As the third and fourth categories of records expand because people find it more convenient to store records remotely, the legal ambiguity and lack of strong protection grow more significant and pose grave threats to privacy in the digital environment.
Heighten the standard for access to transactional data. Transactional data are in many ways a person's digital fingerprints, although far more easily captured. Transactional records provide unprecedented information about the places, people, and activities that comprise the individual's daily life.
44 1. There must be no personal data record-keeping systems whose very existence is secret;
2. There must be a way for an individual to find out what information is in his or her file and how the information is being used;
3. There must be a way for an individual to correct information in his or her records;
4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and
5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.
Report of the Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, U.S. Dept. of Health, Education & Welfare, July 1973.
45 1. Collection limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose specification: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the “purpose specification” except: (a) with the consent of the data subject; or (b) by the authority of law.
5. Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual participation: An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him:
· within a reasonable time;
· in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and, (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
8. Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.
46 In 1976, with United States v. Miller, the Supreme Court began a line of cases holding that individuals have no constitutionally protected privacy interests in personal information contained in the business records held by third parties. In 1979, in Smith v. Maryland, the Court applied Miller to the electronic world, ruling that the use of a pen register to collect the phone numbers dialed on a surveilled line did not implicate Fourth Amendment interests. While Congress responded to both decisions by crafting procedural rules to govern law enforcement access to bank and telephone records, the Miller and Smith decisions leave personal information divulged or generated during business transactions without privacy protections—unless Congress steps in to craft them. United States v. Miller, 425 U.S. 435 (1976); Smith v. Maryland, 442 U.S. 735 (1979).
Create a privacy entity to provide expertise and institutional memory, a forum for research and exploration, and a source for guidance and policy recommendations on privacy issues. The existing crisis-driven approach to responding to privacy concerns has hindered the development of sound, rational policy and failed to keep pace with changes in technology. The US needs an independent voice empowered with the scope, expertise, and authority to guide public policy. Such an entity has important roles to play on both the domestic and international fronts. Without an independent voice, privacy rights in the United States will not be afforded adequate consideration and protection in emerging media.
Encourage the development and implementation of technologies that support privacy on global information networks. Technological mechanisms for protecting privacy are critically important on the Internet and other global media. Developing meaningful privacy protections in the online environment requires us to realize that our laws and Constitutional protections may not follow our citizens, their communications, or their data as they travel through distant lands. Technology can provide protections regardless of the legal environment.
Strong encryption is the backbone of technological protections for privacy. Today technical tools are available to send anonymous email, browse the World Wide Web anonymously, and purchase goods with the anonymity of cash. The World Wide Web Consortium's Platform for Privacy Preferences, currently under development, will provide an underlying framework for privacy, allowing Web sites to make their information practices available to visitors and individuals to set privacy rules that control the flow of data during interactions with Web sites.47 This effort has involved non-profit, for-profit and government representatives.
The U.S. should encourage the development of privacy-enhancing technologies that address the need either to eliminate data collection, or where data collection occurs: to limit the data collected; to communicate data practices; and, to facilitate individualized decision-making where consistent with policy.48
Collaborate with other governments, the public interest community and the business community to develop global solutions for the decentralized network communications environment.
Thank you for the opportunity to participate in this important discussion about protecting privacy in the online environment.
Mr. COBLE. Mr. Rotenberg.
47 Public drafts of the specification and implementation guide should be available shortly at http://www.w3c.org/
48 These incorporate the basic concepts of three recommendations of the Danish and Canadian Privacy Commissioners:
eliminate the collection of identity information, or if it is needed keep it separate from other information; minimize the collection and retention of identifiable personal information; and, make data collection and use transparent to data subjects and provide them with the ability to control the disclosure of their personal information, particularly identity information.