Post on 27-Mar-2015
“The Year in Privacy and Security”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
International Association of Privacy Professionals
October 30, 2003
Overview
An overview of the year in privacy politics
Private Sector
– Spam, Do Not Call, HIPAA, Genetic, FCRA
Public Sector
– PIAs, TIA, CAPPS II
– Patriot Act sunset looms
New research on FISA
Conclusions
I. Private Sector Privacy
Anti-intrusion privacy
Secondary use
States as drivers of change
Administration not prominent in the debates
Anti-Intrusion: Spam
High political interest in anti-spam laws
Senate bill
Wildly popular to “do something”
Anti-Spam Efforts
Muris position
– The problem is “bad actors”
– Body part enlargement, drug of the month, and porn
Congressional efforts
– Largely would affect “corporate actors”
– May be small % of UCE
– But that’s what Congress can affect
How to affect the “bad actors” is the puzzle
Likely have continuing pressure to act
Anti-Intrusion: Do Not Call
Political steamroller
Developed by Muris & FTC
Once popular, announced in Rose Garden ceremony
54 million have signed up
Most popular “opt out” in history
– One reason: simple, clear opt out
Anti-Intrusion: Do Not Call
Very popular politically
District Court held Congress had not authorized the rule
Passed in both houses the next day
Popularity may influence the 1st Amendment analysis of 10th Circuit
– Phone company cases and transfers within a company or holding company
– Here, Congress & President & 54 million want to protect the integrity of their homes
– Judges have phones, too
Secondary Use: HIPAA
HIPAA medical privacy rule in effect April, 2003
Political non-event
– Industry efforts to roll it back largely failed
– Advocate efforts to tighten marketing, etc., have gotten no traction
– Next political moments will be about enforcement or lack of enforcement
Secondary Use: Genetic Data
Senate passed genetic discrimination bill
– Can’t use in employment and insurance
Bill developing for 6 years
– Part of Genome project
– Lots of state laws
– Clinton Executive Order
– Proven gaps in ADA, HIPAA and other laws
Secondary Use: Genetic
President Bush speech supporting a bill
– No apparent political capital spent on it
No action yet in House
If comes to a vote, very hard for politicians to vote in favor of genetic discrimination
Secondary Use: FCRA
The high-stakes fight this year in Congress on privacy
Risk to industry when have a deadline, such as end of preemption in 2004
Mostly, industry is winning
But, the price is about 6 new rulemakings
Secondary Use: FCRA
Strength of industry’s substantive arguments:
– Credit system works well for most people
– Is a national credit system
ID theft as the engine for new regulations
ID Theft
Mix of
– Intrusion – my life suffers intrusion from the stranger – and
– Secondary use – data holder uses and discloses key data to others
Link to national ID debate
– Authentication a huge debate in coming years
Expect more political pressure on ID theft, and debates about biometrics & IDs
Role of the States
California law for notification on security breaches, now in effect
California law for Internet privacy, requiring notice on commercial web sites
California law on affiliate-sharing
– Likely preempted by FCRA
States as continuing source of ferment
Summary on Private Sector Privacy
A lot happening even in a quiet year with no Administration leadership
Intrusion impels political action
Secondary use less powerful politically because individuals don’t see the problems
Ongoing political instinct to “do something” on privacy
II. Government Sector Privacy
Administration acts on privacy only in response to Congressional orders
Congress says “Yuck!” to a number of Administration initiatives
Patriot Act sunset as the current and future battleground
Congress Acts, Administration Reacts
2002, Dept. Homeland Security Act
– Required Chief Privacy Officer in DHS
– Said nothing in the law authorized a national ID card or system
– Administration accepted these, but had no pro-privacy provisions in its own draft bill
Congress Acts
E-Government Act of 2002
– Required privacy impact assessments (PIAs) for all new federal computer systems
– Codified OMB guidance for privacy policies on federal web sites and limits on cookies
– Pushed agencies to use privacy-enhancing technologies, including P3P
Administration Reacts: PIAs
OMB guidance required by April, issued in September
Tracks statute closely
PIAs
One innovation
– Privacy Act loophole if agency “pings” private database and doesn’t create “system of records”
Guidance says PIA needed “when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources”
Purchases of commercial products and services more likely to trigger PIA
Administration Reacts
PIA guidance
– Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites
– New exception “for authorized law enforcement, national security and/or homeland security purposes”
– No limits on the scope of the exception, so might apply to all federal web sites
– Weak promise – no tracking, except we might track everywhere
“Yuck!”: TIPS and DHS
TIPS – mail carrier or cable guy at your house calls 800 number at DOJ
– Popular reaction against a nation of informants
– Banned in Homeland Security Act, 2002
“Yuck!”: TIA
Total (now Terrorist) Information Awareness program in Dept. Defense
“Yuck!”: TIA
Jan. 2003: no funding to TIA unless have detailed report
Report in May
TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens
“Yuck!”: TIA & next steps
Ironically, TIA had begun to fund pro-privacy measures
– Swire: consider % of funding for ELSI in new surveillance programs
Transparency – TIA and possibility of Congressional oversight
Now, the scary research likely to continue in new bureaus, but with less oversight and less pro-privacy research
“Yuck!”: CAPPS II
Post 9/11 statute to require system to spot high risk of terrorists on airlines
Computer Assisted Passenger Profiling System (CAPPS), second version
1st System of Records Notice
– Administration wanted to get, use, & share lots of data
– They didn’t “get” privacy, or calculated risk?
Public outcry
– Bill Scannell, dontspyon.us
– Fear of “internal passport” and “your papers, please”
“Yuck!”: CAPPS II
Congressional hearings & Loy promises
2d System of Records Notice
– Much more careful on privacy safeguards
– But already backsliding from Loy statements
– Not only “foreign terrorists”; now also outstanding warrants (criminals), “domestic terrorists”, and maybe immigration
“Yuck!”: CAPPS II
Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards
Patriot Act Sunset
Passed quickly in 2001
FISA and some other provisions sunset end of 2005
– A trigger for broader re-examination
Fights on oversight
– Intense secrecy from DOJ
– Sensenbrenner threat to hold Ashcroft in contempt of Congress
– Somewhat more disclosure since
Patriot Act Sunset
House – passed ban on “sneak and peek”
– Perhaps a “yuck!” reaction
– Seems unlikely to pass Senate
Senate 7 hearings this fall on Patriot Act
On track for substantial debate leading up to 2005 sunset
Patriot Act Sunset
DOJ defends the Patriot Act
– Ashcroft speaking tour
Library and other demonstrators
Stopped announcing speaking locations in advance
Said no library searches with new FISA powers
DOJ web site to defend the act
Scathing CDT report this week
DOJ site defends the non-controversial parts
No response to the substantive critiques of the Patriot Act
FISA Case Study
Send to pswire@mofo.com if you want copy of draft paper; final in January
Summary of how we got here
Big expansion of FISA in Patriot Act, etc.
NY Times today
Paths for reform
FISA: Up to 1978
Domestic law enforcement: T. III wiretaps, neutral magistrate & strict rules
“National security” surveillance: inherent power of President and AG, such as watch the Soviet spy
Watergate and revelation of abuses
– “The Lawless State”
– Surveillance of Martin Luther King, political opponents, etc.
FISA: 1978
Need probable cause that is foreign power or “agent of foreign powers”
“The purpose” must be foreign intelligence
AG must sign
Federal judge, on FISA court, must sign
Never gets revealed to the target
If used in criminal, in camera decision by federal judge what gets turned over
FISA: Since 1978
Number of FISA orders up
Scope of “agent of foreign power”
– From spies to terrorists
– Cali cartel? Russian mafia?
Patriot Section 215
– Any records or tangible objects, including library records
– Gag rule
FISA since 1978
Patriot Act and “the wall”
– Before, using foreign intelligence for criminal was “legal but rare”
– Prosecutors could not “direct or control” the use of FISA orders
Patriot Act: OK if “a significant purpose” is foreign intelligence
“Direction and control” now OK by prosecutors
Ashcroft says will use this power aggressively
FISA as a Criminal Statute
NY Times today: story on Edwin Wilson
– CIA affidavit in 1980s that no contact with Wilson after he left the agency
– His lawyer read the secret documents, and over 40 contacts after he left, did work for CIA
– Yesterday, judge overturned that conviction
The risks of a secret criminal system, with no cross-examination or confrontation
That is today’s FISA system, with much more use of secret evidence, with no cross-examination
Where next on FISA?
Recognize the growth and fundamental change in focus of FISA system
If FISA has become a criminal statute, consider more due process
Sec. 215 has serious flaws for records
Consider more oversight, less secrecy, and limits on expansion
Conclusion: Politics
Lots of political activity again this year, even with deregulatory politics and focus on security
The Libertarian wing of Republican Party:
– Bob Barr, Dick Armey – think Waco, gun control, and big government
– Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government
– Do Not Call and the public pressure on visible privacy problems
Conclusions: Coordination?
The “Yuck!” reactions have been to different agencies
– TIPS was FEMA
– TIA was Defense Dept.
– CAPPS II and Homeland Security
– Patriot Act mostly Justice Dept.
A continuing lack of an Administration policy process for privacy
No public official except Nuala Kelly on privacy
Administration has continuing exposure on this
Conclusion: Privacy & Security
First, does the intrusive measure in fact improve security?
Second, is the measure designed to improve security while also respecting privacy where possible?
Third, have we built the new checks and balances appropriate to the new surveillance?
Finally ...
For FISA we have torn down the old checks and balances, and not built new ones
No Administration policy process to build security and privacy
Up to Congress, the public, and the press to build that process
Think of what you as privacy professionals can do to make that happen
Contact Information
Professor Peter P. Swire
web: www.peterswire.net
phone: (240) 994-4142
email: pswire@mofo.com