Contents

Biometrics Technologies
Video Surveillance
Online Privacy and E-commerce
Workplace Monitoring
Wireless Communications and Location Tracking
Data Profiling
Criminal Identity Theft
Background Checks
Information Broker Industry
Public Records on the Internet
Financial Privacy
Medical Records Confidentiality
Wiretapping and Electronic Communications
Youth Privacy Issues
Digital Rights Management
Digital Television and Broadband Cable TV
Real ID
The purpose of this report is to highlight and summarize key privacy issues affecting consumers today and tomorrow. Readers who want to explore issues in depth should visit the Web sites of government agencies, public interest groups, industry associations, and companies.

1. Biometric Technologies

Description of issue.

The secret video surveillance of the thousands of football fans who attended the 2001 Super Bowl in Tampa, Florida was the first time that many Americans learned of something called "facial recognition biometrics." The technology used was not the common form of video monitoring that we are familiar with in convenience stores, at shopping malls, and on city streets. Those systems do not have the capability to identify individuals whose faces are captured on videotape. In contrast, the system used at the Super Bowl and in the restaurant/bar district where many of the revelers gathered was able to identify known criminals and suspected terrorists from among the tens of thousands of faces scanned by the cameras, using a biometrics technology called facial recognition biometrics. Privacy and civil liberties advocates were quick to decry the use of this technology by the Tampa Police Department. It is not difficult to envision how such systems could be used to identify, for example, individuals who participate in public demonstrations against unpopular government actions. A "chilling effect" on individuals would be a likely result.

Biometrics is the term used for the many ways that we humans can be identified by unique aspects of our bodies. Fingerprints are the most commonly known biometric identifier. Other biometric identifiers are hand prints, vein dimensions, our iris designs, blood vessels on our retinas, body odor, the way that we walk, and our voices, among others. Our genetic profile is also unique to each of us. In facial recognition biometrics, the geometry of the face is measured.
The use of facial recognition biometrics in particular is growing by leaps and bounds. Consider the routine use of high-resolution cameras available in cell phones and smartphones and the subsequent posting of these pictures to social networking and photo sharing sites. When coupled with available software that can index and create databases from posted pictures, a privacy nightmare begins to emerge. An August 2011 Carnegie Mellon study
The biometrics industry is booming, especially since the terrorist attacks of September 11, 2001. Several airports in the U.S. and other countries have since installed facial recognition biometrics systems to identify individuals on law enforcement agencies' "most-wanted" lists. Biometrics technologies are seen by the financial services industries as a way to deter fraud and identify fraudsters. Many casinos now use facial recognition biometrics systems to identify known card-counters and cheaters and expel them from their facilities. Various biometrics systems are being employed to provide secure access to computer systems, for example in health care institutions. Many national governments, including the U.S., use biometrics to speed border crossings and customs entry for frequent travelers. Some states and counties use fingerprinting to prevent welfare fraud.
Looking ahead.

Privacy and civil liberties advocates are gravely concerned about the widespread adoption of biometrics systems. Such systems could easily be used to develop a database of known dissidents, to be used for social control purposes.
1a. Biometric Encryption
Description of issue.
Online Privacy and E-commerce

Description of issue.

News stories of Internet privacy threats are commonplace these days. The Internet was designed as an inherently insecure communications vehicle. Hackers easily penetrate the most secure facilities of the military and financial institutions. Internet companies have designed numerous ways to track web users as they travel and shop throughout cyberspace. "Cookie" is no longer a word associated solely with sweets. It now refers to cyber-snooping. Identity thieves are able to shop online anonymously using the credit identities of others. Web-based information brokers sell sensitive personal data, including Social Security numbers, relatively cheaply.

Looking ahead.
4. Workplace Monitoring

Description of issue.
Employers make several arguments to justify their use of monitoring systems. The employer owns the systems used by the employees to do their work - primarily the phone and computer systems. Employers are responsible for the work product of their employees; therefore they have a right, even a duty, to monitor. Employers must guarantee a safe work environment for employees. They must be able to thwart sexual harassment, for example. And if an employee appears to be violent toward other workers, the employer must be able to detect and prevent such violence. Employers must be able to detect and prevent the sharing or selling of trade secrets and other corporate intellectual property. Employers have been successful in making these arguments when aggrieved workers have filed lawsuits for privacy violations. The few court cases have largely been decided in the employers' favor.
5. Wireless Communications and Location Tracking

Description of issue.
Description of issue.

As we make our way through everyday life, data is collected from each of us, frequently without our consent and often without our realization. We pay our bills with credit cards and leave a data trail consisting of purchase amount, purchase type, date, and time. Data is collected when we pay by check. Our use of supermarket discount cards creates a comprehensive database of everything we buy. When our car, equipped with a radio transponder, passes through an electronic toll booth, our account is debited and a record is created of the location, date, time, and account identification. We leave a significant data trail when we surf the Internet and visit websites. When we subscribe to a magazine, sign up for a book or music club, join a professional association, fill out a warranty card, give money to charities, donate to a political candidate, tithe to our church or synagogue, invest in mutual funds, make a telephone call, or interact with a government agency - with all of these transactions we leave a data trail that is stored in a computer.
[W]hen intimate information is removed from its original context and revealed to strangers, we are vulnerable to being misjudged on the basis of our most embarrassing, and therefore most memorable, tastes and preferences. (p.9)
He used the 1998 subpoena by prosecutor Kenneth Starr of Monica Lewinsky's book purchases from a Washington, D.C., bookstore as an example of how profiling can harm individuals. This occurred during the Clinton administration sex scandal. Rosen states:

Privacy protects us from being misdefined and judged out of context in a world of short attention spans, a world in which information can easily be confused with knowledge. (p.8)
Here is another story to illustrate the potential harm of untrammeled data collection and profiling. In 1998 the Salt Lake Tribune reported that the supermarket chain Smith's Foods was subpoenaed by the U.S. Drug Enforcement Agency (DEA) for its discount card data on several named suspects. Was the DEA looking for high-volume purchases of non-prescription medicines that make up the chemical formula for "speed," like Sudafed? No. They were interested in finding out if these individuals had purchased a lot of plastic "baggies," the presumption being that if you're manufacturing and selling "meth," you will need plastic bags to package it in. This story should alarm each of us. How many situations can we think of where someone might buy many "baggies" - the parent who wraps school lunches for a large family, the Girl Scout troop leader who makes sandwiches for the girls' outings, the jewelry maker who sells her creations at weekend arts fairs. Yet, if law enforcement were to request supermarket discount card data for "fishing trips," without court-ordered warrants - something far more likely in the post-9-11 era of weakened checks and balances - many individuals would be on the suspects list, most if not all of whom would not be drug dealers.

Looking ahead.

The supermarket club card story illustrates the fair information principle of secondary usage: information that has been gathered for one purpose should not be used for other purposes without the consent of the individual (paraphrased from the "use limitation principle," Organization of Economic Cooperation and Development, 1980). The unfettered collection of data from numerous sources, in an environment where there are few legal restrictions on how the data can be used and merged, will inevitably lead to secondary uses that will violate privacy and trample on civil liberties. The legal protections for privacy in the U.S. are weak.
They have been further weakened by the hasty passage of the USA PATRIOT Act, following the 9-11 terrorist attacks. There are few restrictions in the U.S. on how data can be collected and merged, in contrast to European Union countries, Canada, New Zealand, and Australia. When I first wrote this report in March 2001, I said the following:

It is not farfetched to envision a future when such data will be used for a variety of secondary uses. If we were to enter a time of social unrest and political turmoil, our government might seek to use such information to investigate dissidents. We do not have to look very far to see such an investigation in our own time - Kenneth Starr's 1998 subpoena of Monica Lewinsky's bookstore purchases during the Clinton impeachment proceedings.
7. Criminal Identity Theft

Description of issue.
8. Background Checks

Description of issue.

Previous sections describe what can happen if data files contain erroneous information. This situation is particularly harmful to job applicants when background checks uncover wrongful criminal records and other inaccurate data. Unless the employer notifies the job applicant of the contents of the investigation, that individual may not learn why he or she was rejected. Federal law requires such disclosure (Fair Credit Reporting Act). But the law contains loopholes that the employer can use to avoid notifying the applicant that negative information in the background investigation resulted in their not being hired.

The information broker industry is growing dramatically. More and more government records are being sold by county and state governments, and to a lesser degree by federal agencies, to private sector data vendors. Companies like ChoicePoint and Lexis-Nexis compile records from thousands of sources and make them available to their subscribers, usually law enforcement agencies, private investigators, attorneys, debt collectors, skip-tracers, insurance claims investigators, and media outlets, among others. Some information brokers provide their databases for a fee on Internet Web sites, hawking their wares with "spam" messages that promise, "You can find anything about anyone for just $19.95." Anyone with a working credit card account can access these services, whether or not they have a legitimate business purpose. Those who use the services of these online information vendors are under no obligation to report their findings to the data subject. The information broker industry has attempted to weed out those online vendors that sell data to anyone and everyone, instead of to individuals and organizations that have a so-called "legitimate business purpose." But "rogue" data vendors that operate online are still a reality.
One company advertises that it can compile the following on individuals: criminal records check, bankruptcies and liens, small claims and judgments, sex offender check, alias names, address history, relatives and associates, neighbors, home value and details, and more. Indeed, most of these data elements are public record and/or publicly available.

Looking ahead.
Description of issue.

In previous sections, I discussed some of the privacy-related issues regarding the growing information broker industry. This industry is virtually unregulated except for the background check requirements in the Fair Credit Reporting Act. A set of voluntary guidelines was adopted by the information broker industry in conjunction with the Federal Trade Commission in 1997. But the guidelines are weak and have resulted in no meaningful privacy protections for U.S. consumers. In addition, the industry group that developed the guidelines, the Individual Reference Services Group, has since disbanded.

Looking ahead.

An incident from the November 2000 election illustrates what can go wrong when information broker data files are improperly used to make critical decisions about individuals. The Florida Secretary of State Division of Elections contracted with Database Technologies (DBT) to check its voter rolls against the data compiled by DBT. Many individuals were wrongly identified as being felons, and turned away at the polls. The original "scrub list," as it was called, included nearly 60,000 names. One county that checked each of the 700 names on its list could only verify 34 as former felons. ("Ex-Con Game," by Greg Palast, Harper's Magazine, March 2002). DBT has since been purchased by ChoicePoint.
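The scrub-list incident above comes down to how two files were matched. The following is an added example, not code from the report or from DBT, and it does not reproduce DBT's actual matching rules: it uses a constructed felon file and voter roll (all names and dates invented) to show how a loose match rule flags far more people than are really on the felon list, while a rule that requires full name and date of birth to agree does not.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass(frozen=True)
class Person:
    first: str
    last: str
    dob: str           # ISO 8601 date; all values below are constructed
    middle: str = ""   # middle name or initial, often missing in broker data

# Constructed felon-conviction file, standing in for a data broker's list.
FELON_LIST: List[Person] = [
    Person("John", "Smith", "1961-04-02", "A"),
    Person("Maria", "Garcia", "1970-11-15"),
]

# Constructed voter roll. Only the first two entries are the same people as above;
# the rest share a surname, an initial, or a birth date but are different voters.
VOTER_ROLL: List[Person] = [
    Person("John", "Smith", "1961-04-02", "A"),
    Person("Maria", "Garcia", "1970-11-15"),
    Person("John", "Smith", "1975-09-30", "B"),
    Person("Jonathan", "Smith", "1961-04-02"),
    Person("Mario", "Garcia", "1970-11-15"),
    Person("Maria", "Garcia", "1982-01-01"),
    Person("Ann", "Lee", "1990-05-05"),
]

# Ground truth for this constructed data: the voters who really are on the felon list.
TRUE_FELON_VOTERS: Set[Person] = {VOTER_ROLL[0], VOTER_ROLL[1]}

Matcher = Callable[[Person, Person], bool]

def _norm(s: str) -> str:
    return s.strip().lower()

def loose_match(voter: Person, felon: Person) -> bool:
    """Surname exact and first initial only; date of birth is ignored."""
    return (_norm(voter.last) == _norm(felon.last)
            and _norm(voter.first)[:1] == _norm(felon.first)[:1])

def strict_match(voter: Person, felon: Person) -> bool:
    """Full first name, last name and date of birth must agree exactly;
    middle names must agree whenever both records carry one."""
    if (_norm(voter.first), _norm(voter.last), voter.dob) != \
       (_norm(felon.first), _norm(felon.last), felon.dob):
        return False
    return not voter.middle or not felon.middle or _norm(voter.middle) == _norm(felon.middle)

def build_scrub_list(voters: List[Person], felons: List[Person], matcher: Matcher) -> List[Person]:
    """Every voter for whom at least one felon record satisfies the match rule."""
    return [v for v in voters if any(matcher(v, f) for f in felons)]

def evaluate(voters: List[Person], felons: List[Person], matcher: Matcher,
             truth: Set[Person]) -> Tuple[int, int]:
    """Return (correct hits, wrongly flagged voters) for a match rule."""
    flagged = build_scrub_list(voters, felons, matcher)
    correct = sum(1 for v in flagged if v in truth)
    return correct, len(flagged) - correct

if __name__ == "__main__":
    for label, rule in (("loose", loose_match), ("strict", strict_match)):
        hits, wrong = evaluate(VOTER_ROLL, FELON_LIST, rule, TRUE_FELON_VOTERS)
        print(f"{label:6s}: {hits} correct, {wrong} wrongly flagged")
```

On this data the loose rule flags all six Smiths and Garcias, four of them wrongly, while the strict rule flags only the two genuine matches. Even the strict rule is not proof against two people who share a full name and birth date, which is why the county-by-county manual verification described above remains necessary before any name is removed from a roll.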
10. Public Records on the Internet

Description of issue.
But what happens when the full texts of divorce records are available to anyone with an Internet connection, complete with sensitive financial data and family histories? What about access to an individual's criminal records of years gone by, showing a crime for which the individual has long since paid his or her debt to society, and which may have been legally expunged? Will an employer have a forgiving attitude toward a 30-year-old whose criminal record shows a conviction for shoplifting when the applicant was 19 years of age? Will an employer overlook a DUI conviction even after the individual has lived free of alcohol for many years? Is one's bankruptcy cause for negative value judgments by employers, relatives and neighbors? Should stalkers be able to locate their victims just because that person votes or drives, thereby revealing the home address in public records? Should identity thieves be able to pluck Social Security numbers, dates of birth, and mothers' maiden names from public records posted on the Internet?

Looking ahead.

Unless we are somehow transformed into a tolerant society, our "transparent society," to borrow a term from sci-fi writer David Brin, is going to pose significant problems for a large number of individuals. The full texts of criminal and civil court records, divorce decrees, bankruptcies, and more are slated to be available from government and information broker websites. Employers are likely to use such information to make adverse hiring decisions. Identity thieves will find their pot of gold at the end of the rainbow simply by clicking a mouse. And neighbors and relatives may learn more about us than we are comfortable with. Georgetown University law professor Jeffrey Rosen wrote The Unwanted Gaze about just such a scenario.
He explains the value of privacy protection as follows:

Privacy protects us from being objectified and simplified and judged out of context in a world of short attention spans, a world in which part of our identity can be mistaken for the whole of our identity. (p.115)
There are several potential drawbacks to posting public records online, especially the full texts of court records. Fewer individuals will choose to participate in government in order to prevent information about them from being posted on the Internet. Many will choose not to seek justice through the court system. Justice will only be available to those with the resources and know-how to seek private judicial proceedings. Individuals will experience shame and embarrassment, even discrimination, when details of their personal lives are broadcast in court records available on the Internet. Reputations will be destroyed because of errors. Data from electronic public records files will be used for secondary purposes that stray far from the original public policy purpose for which they were first created, that being government accountability.

A particularly troubling consequence of untrammeled access to electronic public records is the loss of "social forgiveness." The 30-year-old who has turned his life around might be judged harshly for his transgressions at age 19. Our society will see a growing number of individuals who are disenfranchised for life. Large numbers will not be able to find employment because of negative information in court files - whether true or not - from years gone by. Or they will be relegated to lower-paying jobs in the service industries.

The solution is not to ban public records altogether from the Internet. Instead, records should be selectively redacted, for example by removing Social Security numbers and financial account data. Instead of publishing the full texts of sensitive proceedings such as divorce cases on the Internet, just the index information should be published. Certain categories of case files, family court records for example, should be available at the courthouse and not online.
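The three measures just described (redact identifiers, publish only an index for sensitive case types, keep some categories off the Internet altogether) can be expressed as a small publication filter. The code below is an added example, not software from any court or from the report's author; the filing text, case numbers, party names, account numbers and the category-to-treatment policy are all constructed for illustration, and the SSN and account-number patterns are assumed US-style formats.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample filing: every name, number and identifier is invented.
SAMPLE_FILING = """IN RE THE MARRIAGE OF JANE DOE AND JOHN DOE
Petitioner Jane Doe, SSN 123-45-6789, resides in the county.
Respondent John Doe, SSN 987-65-4321.
The joint checking account no. 4111 2222 3333 4444 at Example Bank is divided equally.
The retirement account number 55667788990 is awarded to Petitioner.
"""

# Assumed identifier formats: nnn-nn-nnnn Social Security numbers, and account
# numbers of 8+ digits (spaces or hyphens allowed) introduced by the word "account".
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(r"(account\s*(?:no\.?|number|#)?\s*:?\s*)(\d[\d \-]{6,}\d)",
                        re.IGNORECASE)

def redact_text(text: str) -> str:
    """Remove SSNs entirely; keep only the last four digits of account numbers."""
    text = SSN_RE.sub("[SSN REDACTED]", text)

    def mask_account(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group(2))
        return f"{m.group(1)}[ACCOUNT ENDING {digits[-4:]}]"

    return ACCOUNT_RE.sub(mask_account, text)

@dataclass
class CaseRecord:
    case_number: str
    case_type: str          # e.g. "civil", "criminal", "divorce", "family"
    parties: Tuple[str, ...]
    filed: str              # filing date, ISO 8601
    full_text: str

# Constructed policy, following the three measures in the text above.
COURTHOUSE_ONLY = {"family"}             # never placed online
INDEX_ONLY = {"divorce", "bankruptcy"}   # index entry online, no full text

def index_entry(rec: CaseRecord) -> dict:
    """The docket-index fields that may be published for any case type."""
    return {"case_number": rec.case_number, "case_type": rec.case_type,
            "parties": list(rec.parties), "filed": rec.filed}

def publish_online(rec: CaseRecord) -> Optional[dict]:
    """What, if anything, goes on the public website for this record."""
    if rec.case_type in COURTHOUSE_ONLY:
        return None                       # available at the courthouse only
    entry = index_entry(rec)
    if rec.case_type in INDEX_ONLY:
        return entry                      # index information only
    entry["text"] = redact_text(rec.full_text)   # full text, identifiers removed
    return entry

if __name__ == "__main__":
    for ctype in ("civil", "divorce", "family"):
        rec = CaseRecord("2024-XX-000001", ctype, ("Jane Doe", "John Doe"),
                         "2024-03-01", SAMPLE_FILING)
        print(ctype, "->", publish_online(rec))
```

The redaction step runs on every full text that is published, so a mis-categorised record still loses its SSNs and account numbers; the category policy then decides how much of the remainder leaves the courthouse. In practice the patterns would need extending for the identifier formats actually present in a given court's filings, and a redacted document should still be reviewed before release, since a regular expression only catches the formats it was written for.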
These and other solutions must be sought in order to prevent the negative consequences of publishing public records online, but without losing sight of the need for access to public records in order to provide oversight of our government.

11. Financial Privacy

Description of issue.
Looking ahead.

Unless legislation is passed at both the federal and state levels to strengthen the Financial Services Modernization Act, the process of affiliate sharing will enable these merged corporations to assemble customer data files of unprecedented scope. Some financial institutions have more than 2,000 affiliates spanning a broad array of businesses. While "junk" mail, e-mail, and telemarketing solicitations are a likely result of widespread affiliate sharing of customer data, privacy advocates are even more concerned about the potential for harmful uses of data merging and data profiling: decisions on one's credit worthiness might hinge on medical information gleaned from insurance company data; a scam artist might use one's profile as a risk-taking investor to pitch get-rich-quick schemes; elderly individuals with cash-rich portfolios could be vulnerable to fraud artists' promises of lucrative returns on risky investments.
Description of issue.
Looking ahead.

Most individuals consider their medical information to be among the most sensitive of any information about them. And many are under the mistaken impression that the Hippocratic oath still holds true today:

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets. (Hippocrates, 4th Century B.C.)

But in truth, one's medical information is an open book in our far-flung healthcare system - from medical providers, to insurance companies, to self-insured employers, to laboratories, and to payment companies, medical transcriptionists, pharmacies and pharmacy benefits systems, government regulators, and more. It remains to be seen whether HHS will depart from its current policy of voluntary compliance and begin to take a more aggressive approach in enforcing the HIPAA regulations.
Consumer Genetic Privacy Manual (Council for Responsible Genetics), http://www.councilforresponsiblegenetics.org/geneticprivacy/

13. Wiretapping and Electronic Communications

Description of issue.
Looking ahead.

The checks and balances provided by the U.S. Constitution and a host of laws have been weakened considerably by the USA PATRIOT Act regarding wiretapping and the interception of e-mail and web-surfing transactions. The law contains a number of secrecy clauses which prevent individuals from reporting ways in which the law is being used. The sunset provisions would have enabled several subsections to be evaluated and possibly overturned upon renewal of the Act. But when the PATRIOT Act was renewed in March 2006, the sunset provisions were renewed as well. Civil liberties organizations are using the Freedom of Information Act (FOIA) to attempt to determine how the PATRIOT Act is being implemented by government authorities, and whether or not abuses are occurring. In addition, members of Congress who are concerned about widespread violations of civil liberties are attempting to monitor the law's implementation. In light of the secrecy clauses in the law, it is actions such as these that will be needed to shine light on whether or not government authorities have overstepped their bounds.
Description of issue.

Children and youth are vulnerable to a number of privacy threats. Their marketing profiles are highly prized. And since children are avid Internet users, marketers have attempted to capture data from their web surfing. Children watch a lot of television. With TV going "digital" (see below), marketing information is likely to be compiled from such new technologies as TiVo and ReplayTV. State education departments are developing databases that track students throughout their K-12 school years. States are developing databases to track children's vaccine inoculations. Students are often asked to complete surveys that ask sensitive questions about themselves and their families. Given the incidents of violence in schools, administrators and school psychologists have the incentive to use profiling tools (Mosaic is one example) to attempt to identify individuals who are supposedly predisposed to violence, and then share that information with local law enforcement.

Looking ahead.

While these threats do not necessarily interrelate with one another, it is evident that children and youth are the targets of a great deal of data collection. Congress has acted to limit online data collection from children under age 13 by passing the Children's Online Privacy Protection Act, implemented in April 2000. And the Bush Administration signed into law a provision requiring that schools give parents the opportunity to opt the student out of participation in marketing-related surveys that collect personal information. This is part of the No Child Left Behind Act of 2001. But as we've seen with the other issues discussed in this report, laws are not able to keep up with the fast pace of technology. Children are early adopters of computer and wireless technologies, and are far more skilled than many of their elders in using them. Children are also voracious consumers of the latest trends in clothing, music, sports, and entertainment.
Marketers are not likely to bypass the opportunity to collect data from children and to solicit both them and their parents. The tension between laws and technology regarding children will persist for some time to come.

15. Digital Rights Management

Description of issue.

The First Amendment gives Americans the right to explore ideas in books, music, and movies without having to identify ourselves. The right to anonymity is a vital foundation stone of our democratic society. Our strong First Amendment tradition protects people with dissenting, unpopular, or controversial ideas. But the migration of print, music, and images to the Internet has spawned new technologies called "digital rights management" systems (DRM) that infringe upon intellectual freedom. Copyright owners, including the entertainment industry and publishers, are attempting to monitor those who download copyrighted files in order to prevent piracy and ensure payment for their products. In developing DRM systems, they threaten to create technologies that identify those who read, listen to, and view Internet content. The companies that collect this information will be able to develop profiles of those who access Internet content. And as I've discussed elsewhere in this report, with profiling comes the potential for secondary uses to be made of that data, from marketing to government surveillance.

Looking ahead.

Intellectual property scholars point out that copyright and privacy have traditionally been compatible because copyright provisions control public distribution of content. Private use of copyrighted material has been governed by the fair use doctrine, enabling individuals to make limited copies for their own use. But DRM systems threaten to monitor private use by implementing technologies that capture personally identifiable information for each and every use.
A challenge for policymakers and industry is to develop DRM systems that can confirm the eligibility of individuals to access content without identifying the actual user. Another challenge is to preserve the principle of fair use.
Description of issue.