|
|
|
Privacy
GLOSSARY
Carnivore The
code name of a software program developed for the FBI to monitor
e-mail and other Internet traffic; it is installed on the premises
of an Internet service provider.
Cookie A record of
a visit to a Web site; by itself, a cookie cannot identify the visitor.
Hotmail A free Internet
e-mail service owned by Microsoft. Hotmail does not check the validity
of registrant identities, thus one may obtain an e-mail address
without revealing one's true identity. Other companies, including
Yahoo, offer similar, free e-mail accounts.
Magic Lantern The
code name of a virus-like software program developed for the FBI
to capture the user's keystrokes as they are typed, defeating any
encryption program the user relies on to protect the privacy of
e-mail and other electronic communications; it can be surreptitiously
installed, via e-mail or other means, on a user's computer.
Privacy The state
of being free from unsanctioned intrusion.
Screen saver A computer
program designed to prolong the useful life of computer monitors;
many are offered free over the Internet.
BACKGROUND
[APRIL 1, 2002] For Americans, individual liberty
includes a right to personal privacy, as manifested in the Fourth
Amendment to the U.S. Constitution. The amendment was written in
an age—long before the advent of computer databases and digital
communications—when an invasion of privacy perforce was a physical,
manual, focused, short-term, expensive, and relatively obtrusive
act that might involve entering premises, intercepting and opening
mail, questioning acquaintances, and, later, tapping a telephone
line or taking photographs—all without the subject's permission
or knowledge.
Today's invasion of privacy is more likely to be virtual,
automated, unobtrusive, inexpensive, and lifelong. Others can find
out what we buy and from whom, what we say and to whom, what we
read, what turns us on, what turns us off, what ails us, where we
go, and even whether we exceed the speed limit in getting there.
Not only has the secluded and shuttered 18th century home held inviolable
by the Fourth Amendment been replaced by a 21st century glass house,
but technology also has given Peeping Tom much more powerful binoculars.
DISCUSSION
Michigan's first public act of the new millennium,
P.A. 1 of 2000, was privacy legislation, and the state attorney
general's office reports that Internet privacy is one of the main
consumer concerns. But legislation may not be enough to halt the
erosion of privacy in the Internet age. Human ingenuity, greed,
and carelessness can overcome the best-intentioned legislation,
and in the shrinking, borderless world of the Internet, state and
local legislation can conflict with federal law, other nations'
laws, and a growing body of international law.
Two key questions are emerging:
- Is privacy—among other democratically derived
civil liberties—compatible with the privatization of America's
critical information infrastructure and its governing functions?
- Does the rapid evolution of technology, relative
to the necessary slowness of deliberative democracy, put privacy
legislation in perpetual catch-up mode and thus render it ultimately
ineffectual?
The view often is expressed that increasing our computer
defenses should not come at the expense of civil liberties, that
the very freedoms we seek to protect should not be undermined. Some
point out that technology empowers both law enforcers and lawbreakers,
and the latter cannot be stopped without impinging on personal privacy
at least to some extent. Others say that lost in all the rhetoric
is consideration of who has the right to own and control a citizen's
private information.
But perhaps the bigger challenge is whether technology's
rapid evolution renders privacy moot. For example, while a good
deal of attention currently is being paid to the intrusive activities
of large corporations, we may be overlooking smaller “spyware”
operators and their hidden programs, sometimes bundled (unknown
to the recipient) with screen savers and other free computer programs.
Much more intrusive than passive “cookies,” spyware
actively can track the Web sites and pages a user accesses, create
a profile of the user's interests, deliver tailored pop-up ads,
and even collect the personal and financial information people submit
when they use the Internet to order goods or subscribe to services.
In some cases, spyware operators hide behind essentially anonymous
e-mail addresses (such as provided by Hotmail, Yahoo, and others)
or a P.O. box number and may operate abroad as well. It is questionable
whether legislation can protect Internet privacy at all, given the
absence of borders on the Internet and the rapid evolution of spyware.
Substantial legislative activity, nationally and in
Michigan, reflects public concerns about Internet, medical, financial,
and genetic privacy. Exhibit 1 summarizes
major privacy-related legislation enacted or introduced in Michigan
since 1999. The fundamental issues underlying the concerns include
ownership and control of personal data, national security, the expansion
of personal data down to the genetic level, and identity theft.
We can distinguish between two principal privacy intruders:
the private sector and the government. Private parties may seek
to intrude not only for institutional security (e.g., monitoring
employee e-mail) but also for sales, marketing, and promotional
purposes. Intrusion of privacy by government is confined largely
to record keeping and security concerns and bound by Constitutional
guarantees to a standard of accountability higher than that which
binds private parties.
Private-Sector Intrusion
Opt In versus Opt Out
Since we cannot survive in modern society without
sometimes sharing our financial, medical, and other private information
with strangers, the central issue becomes one of ownership and control:
Who owns our private information, and should it be used by others
with—or without—our explicit permission?
Many commercial Web site owners and advertisers that
collect personal data from us use it for marketing or other purposes
unless we take the initiative to ask that it not be so used;
in other words, unless we specifically opt out. Businesses
have been criticized and sued for not always making it clear that
this is their policy and/or for making it difficult or tedious for
customers to opt out. Under pressure from consumer groups and sometimes
the threat of prosecution, some companies have switched to a policy
of not using customer information for purposes other than the transaction
at hand unless customers take the initiative to authorize such use;
in other words, unless they specifically opt in.
The Pew Internet and American Life Project finds that
86 percent of Internet users support an opt-in standard in regard
to collection of personal information, which is at odds with the
opt-out alternative favored by industry groups and endorsed by the
Federal Trade Commission (FTC). The issue extends to telephone-user
privacy: Telecommunication companies now are seeking permission
to sell “customer proprietary network information,”
which includes names, addresses, calling records, and service options
used. Consumer groups, citing the Pew data, are urging the FTC to
insist on an opt-in standard for this proposal. In a case involving
similar circumstances, however, a federal judge ruled that there
was inadequate evidence that an opt-in standard would protect customer
privacy interests, thus, in that instance it violated the First
Amendment.
What happens when the stranger to whom you have entrusted
personal information gets married and endows to the spouse all his/her
worldly goods—including your data? The 1999 federal Gramm-Leach-Bliley
Act allows banks, insurance companies, and brokerage companies to
merge or affiliate and share consumers' personal information with
one another. Supporters focus on the business efficiencies the act
was intended to encourage. The act also requires financial institutions
to offer individuals notice and an opportunity to opt out before
selling their name, address, or Social Security number to an outside
entity, but critics complain that most opt-out notices are not written
in the plain language stipulated in the act and warn consumers to
look carefully at the privacy notices.
The federal law does not extend the customer-notice
provision to the insurance industry, however, and this led to P.A.
24 of 2001, which prohibits Michigan insurers from disclosing a
customer's personal financial information to a third party unless
the customer is notified and does not opt out. As with the federal
mandate, the problem remains that people must read the fine print
in notices, which, with all the appearance of being a solicitation,
may be discarded unread.
Government Lists
Until 2000, private individuals, companies, and organizations
could buy certain State of Michigan lists, but P.A. 192 of 2000
now prohibits the secretary of state from selling such information
as driver's license and other agency records for the purpose of
“surveys, marketing, or solicitations.” (The act does
not prohibit the sale of the lists for such other purposes as “motor-vehicle
market-research activities,” however.)
State facility and profession/occupation licensing
and registration information is provided on the Michigan Department
of Consumer and Industry Services Web site. Although presented to
enable consumers to find service providers and check their credentials,
the information may be used for whatever purpose the seeker wishes
to put it, including telemarketing and other forms of solicitation.
Government Intrusion
National ID Card
Many people are concerned about direct government
intrusion of privacy, and in particular over a move toward a national
identification card, an idea made at least thinkable by the September
11, 2001, terrorist attacks. Michigan and federal legislation aiming
to establish standardized medical records (see below) also evokes
such fears. Databases, whether government, commercial, or both,
could be integrated much more efficiently and cost effectively if
everyone had a unique national identifier, but such databases carry
the risk of being all-revealing to any person or institution that
gains access to them. Some seek to overturn current law prohibiting
the use of the Social Security number as a national identifier;
others seek a new and unique identifier for specific purposes, such
as an electronic medical record.
A related proposal would have every individual retaining
some control over his/her personal data by storing it on an electronic
“smart card.” Several European and Asian countries have
implemented limited smart card systems containing one's national
identity number, driver's license information, and medical records.
National Security
Even before September 11 the need to protect defense,
economic, and other key national information and transaction systems
(including private-sector systems judged critical to national defense
or the economy) from intruders and saboteurs was the basis of additional
and strengthened government “cyber-security” measures
that have significant privacy implications.
The Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism (USA
PATRIOT) Act, enacted after the September 11 attacks, significantly
expanded government surveillance authority, reduced judicial oversight,
and criminalized as terrorism a wide range of activities, including
computer hacking.
The act includes a sunset (expiration) date (December
31, 2005) on the enhanced electronic-surveillance provisions and
an amendment providing judicial oversight of law enforcement's use
of the FBI's Carnivore computer system. The latter enables the agency
to eavesdrop on electronic communications, including e-mail. Nevertheless,
the act vastly expands government investigative authority, especially
with respect to the Internet. Exhibit 2
summarizes a selection of the expanded federal government powers.
Michigan's anti-terrorism package (P.A.s 112–137
and 140–143 of 2002) includes state-authorized wiretapping,
a definition for terrorism in state criminal law, authority to seal
affidavits used in issuing search warrants, and authority to search
premises without notifying the resident. Objections to the laws
center on their privacy-intrusive aspects, but proponents contend
that the legislation not only combats terrorism but also strengthens
state law enforcement officials' hand in investigating crimes involving
drugs, gambling, racketeering, money laundering, computer-related
crimes against children, and more.
Genetic Profiling
Since completion of the Human Genome Project, genetic
profiling has taken center stage as the technology with the most
immediate and substantial implications for privacy. In Michigan,
for example, P.A. 250 of 1990 (DNA Identification Profiling System
Act) requires a DNA sample from all felons and people convicted
of certain sex-related misdemeanors, permitting investigators to
compare DNA strands in hair, tissue, or bodily fluids found at a
crime scene with the DNA of those previously convicted of a crime
in Michigan. (Eight other states and the United Kingdom have similar
laws.) Opponents say that there are scientific concerns about the
reliability and validity of DNA tests and that the next step may
be to collect DNA samples from anyone accused of a crime and, ultimately,
from everyone. Supporters point out that DNA evidence is as important
in protecting innocent people as it is in implicating the guilty
and that the DNA database will be an invaluable investigation tool.
Medical Records
The 1996 federal Health Insurance Portability and
Accountability Act (HIPAA) requires health care providers, health
plans, and clearinghouses to adopt and use common data formats for
sharing patient clinical and billing information electronically.
The legislation includes strong privacy and data-security rules
to which the industry must adhere by April 2004. The privacy rules
require covered organizations to secure patient opt-in before releasing
information to another entity, except in emergencies, and the information
released has to be the minimum necessary to accomplish its purpose.
Information that has been “de-identified” by removing
name, address, and various other potential identifiers may be freely
distributed. Patients have the right to access and request changes
to their health records. Supporters say the shared information will
improve health care and reduce administrative costs, and they believe
the privacy provisions are adequate. Opponents generally focus on
the cost and complexity of implementing the requirements, but some
fear that the privacy provisions may prove to be less adequate than
thought, at the expense of patient privacy.
In Michigan, pending legislation (HB 4936) also aims
to establish all Michigan residents' rights to medical privacy and
to access their own medical information. All health care providers—not
just physicians and hospitals/clinics, as is the case now—would
be required to maintain the confidentiality of patients' medical
records. The legislation complements HIPAA and would prohibit unauthorized
disclosure, sale, or transfer of any information in any patient
record, including electronic records stored on a computer, without
first obtaining the written consent of the patient and would further
require that any information disclosed be used only for the expressed
purpose agreed to by the patient. The draft legislation has so far
attracted little in the way of public debate.
Criminal Intrusion
ID Theft/Use
Identity theft occurs when someone uses someone else's
identity (e.g., name, date of birth, Social Security number, driver's
license number) to masquerade as that person. In the 18 months preceding
the end of 2001, in metropolitan Detroit alone, the identity of
some 3,000 residents was stolen and used for obtaining credit and
other purposes. The high-tech crime unit of the Michigan Department
of the Attorney General, working with federal, state, and local
law-enforcement agencies, has taken action against counterfeit credit-card
and check operations, and SB 955 would toughen penalties for forging
driver's licenses, a common practice of identity thieves.
The federal government has mandated that states must
collect Social Security numbers from motorists applying for or renewing
a driver's license, and the Michigan secretary of state is preparing
to comply. The federal intent is to help states track parents who
are delinquent in making child-support payments. In Michigan, only
about one parent in three pays required child support, and the total
amount owed but not paid exceeds $7 billion. Supporters say collecting
drivers' Social Security numbers will facilitate finding “deadbeat”
parents and thereby help their children. Opponents argue that it
is a step down the slippery slope toward creating a national identity
system and an identity-theft risk as well.
Other
Space precludes a full discussion here of all the
areas in which privacy is an issue. (See Exhibit 1 for a sampling
of other areas.) The debate about privacy is intense and, as set
out with regard to the matters discussed above, generally focuses,
on the one hand, on providing efficiency and better tools to accomplish
a purpose and, on the other hand, protecting individuals' private
information from the consequences of its use by others.
See also Civil Rights and Liberties; Consumer
Protection; Crime and Corrections; Emergency Preparedness and Response.
FOR ADDITIONAL INFORMATION
Electronic Frontier Foundation
454 Shotwell Street
San Francisco CA 94110
(415) 436-9333
(415) 436-9993 FAX
www.eff.org
Electronic Privacy Information Center
1718 Connecticut Avenue, N.W., Suite 200
Washington, DC 20009
(202) 483-1140
(202) 483-1248 FAX
www.epic.org
Federal Communications Commission
445 12th Street, S.W.
Washington, DC 20554
(888) 225-5322
(202) 418-0232 FAX
www.fcc.gov
Federal Trade Commission
CRC-240
Washington, D.C. 20580
(877) 382-4357
www.ftc.gov
Michigan Legislature
www.michiganlegislature.org
[Contains detailed and searchable records of Michigan laws and legislative
activity]
CONTENT CURRENT AS OF APRIL 1,
2002
© 2002 Public
Sector Consultants, Inc.
Sponsored by the Michigan Nonprofit Association and the Council
of Michigan Foundations
www.michiganinbrief.org
 
|
