“The Year in Privacy and Security” Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Association of Privacy Professionals October 30, 2003

“The Year in Privacy and Security”

Professor Peter P. Swire

Ohio State University

Consultant, Morrison & Foerster LLP

International Association of Privacy Professionals

October 30, 2003


Overview

An overview of the year in privacy politics
Private Sector
– Spam, Do Not Call, HIPAA, Genetic, FCRA
Public Sector
– PIAs, TIA, CAPPS II
– Patriot Act sunset looms
New research on FISA
Conclusions


I. Private Sector Privacy

Anti-intrusion privacy
Secondary use
States as drivers of change
Administration not prominent in the debates


Anti-Intrusion: Spam

High political interest in anti-spam laws
Senate bill
Wildly popular to “do something”


Anti-Spam Efforts

Muris position
– The problem is “bad actors”
– Body part enlargement, drug of the month, and porn
Congressional efforts
– Largely would affect “corporate actors”
– May be small % of UCE
– But that’s what Congress can affect
How to affect the “bad actors” is the puzzle
Likely have continuing pressure to act


Anti-Intrusion: Do Not Call

Political steamroller
Developed by Muris & FTC
Once popular, announced in Rose Garden ceremony
54 million have signed up
Most popular “opt out” in history
– One reason: simple, clear opt out


Anti-Intrusion: Do Not Call

Very popular politically
District Court held Congress had not authorized the rule
Passed in both houses the next day
Popularity may influence the 1st Amendment analysis of 10th Circuit
– Phone company cases and transfers within a company or holding company
– Here, Congress & President & 54 million want to protect the integrity of their homes
– Judges have phones, too


Secondary Use: HIPAA

HIPAA medical privacy rule in effect April, 2003

Political non-event
– Industry efforts to roll it back largely failed
– Advocate efforts to tighten marketing, etc., have gotten no traction
– Next political moments will be about enforcement or lack of enforcement


Secondary Use: Genetic Data

Senate passed genetic discrimination bill
– Can’t use in employment and insurance
Bill developing for 6 years
– Part of Genome project
– Lots of state laws
– Clinton Executive Order
– Proven gaps in ADA, HIPAA and other laws


Secondary Use: Genetic

President Bush speech supporting a bill
– No apparent political capital spent on it
No action yet in House
If comes to a vote, very hard for politicians to vote in favor of genetic discrimination


Secondary Use: FCRA

The high-stakes fight this year in Congress on privacy

Risk to industry when have a deadline, such as end of preemption in 2004

Mostly, industry is winning
But, the price is about 6 new rulemakings


Secondary Use: FCRA

Strength of industry’s substantive arguments:
– Credit system works well for most people
– Is a national credit system

ID theft as the engine for new regulations


ID Theft

Mix of
– Intrusion – my life suffers intrusion from the stranger – and
– Secondary use – data holder uses and discloses key data to others
Link to national ID debate
– Authentication a huge debate in coming years

Expect more political pressure on ID theft, and debates about biometrics & IDs


Role of the States

California law for notification on security breaches, now in effect

California law for Internet privacy, requiring notice on commercial web sites

California law on affiliate-sharing
– Likely preempted by FCRA

States as continuing source of ferment


Summary on Private Sector Privacy

A lot happening even in a quiet year with no Administration leadership

Intrusion impels political action
Secondary use less powerful politically because individuals don’t see the problems
Ongoing political instinct to “do something” on privacy


II. Government Sector Privacy

Administration acts on privacy only in response to Congressional orders

Congress says “Yuck!” to a number of Administration initiatives

Patriot Act sunset as the current and future battleground


Congress Acts, Administration Reacts

2002, Dept. Homeland Security Act
– Required Chief Privacy Officer in DHS
– Said nothing in the law authorized a national ID card or system
– Administration accepted these, but had no pro-privacy provisions in its own draft bill


Congress Acts

E-Government Act of 2002
– Required privacy impact assessments (PIAs) for all new federal computer systems
– Codified OMB guidance for privacy policies on federal web sites and limits on cookies
– Pushed agencies to use privacy-enhancing technologies, including P3P


Administration Reacts: PIAs

OMB guidance required by April, issued in September

Tracks statute closely


PIAs

One innovation
– Privacy Act loophole if agency “pings” private database and doesn’t create “system of records”
Guidance says PIA needed “when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources”

Purchases of commercial products and services more likely to trigger PIA


Administration Reacts

PIA guidance
– Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites
– New exception “for authorized law enforcement, national security and/or homeland security purposes”
– No limits on the scope of the exception, so might apply to all federal web sites
– Weak promise – no tracking, except we might track everywhere


“Yuck!”: TIPS and DHS

TIPS – mail carrier or cable guy at your house calls 800 number at DOJ
– Popular reaction against a nation of informants
– Banned in Homeland Security Act, 2002


“Yuck!”: TIA

Total (now Terrorist) Information Awareness program in Dept. Defense


“Yuck!”: TIA

Jan. 2003: no funding to TIA unless have detailed report

Report in May
TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens


“Yuck!”: TIA & next steps

Ironically, TIA had begun to fund pro-privacy measures
– Swire: consider % of funding for ELSI in new surveillance programs

Transparency – TIA and possibility of Congressional oversight

Now, the scary research likely to continue in new bureaus, but with less oversight and less pro-privacy research


“Yuck!”: CAPPS II

Post 9/11 statute to require system to spot high risk of terrorists on airlines

Computer Assisted Passenger Profiling System (CAPPS), second version

1st System of Records Notice
– Administration wanted to get, use, & share lots of data
– They didn’t “get” privacy, or calculated risk?
Public outcry
– Bill Scannell, dontspyon.us
– Fear of “internal passport” and “your papers, please”


“Yuck!”: CAPPS II

Congressional hearings & Loy promises 2d System of Records Notice

– Much more careful on privacy safeguards
– But already backsliding from Loy statements
– Not only “foreign terrorists”; now also outstanding warrants (criminals), “domestic terrorists”, and maybe immigration


“Yuck!”: CAPPS II

Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards


Patriot Act Sunset

Passed quickly in 2001
FISA and some other provisions sunset end of 2005
– A trigger for broader re-examination
Fights on oversight
– Intense secrecy from DOJ
– Sensenbrenner threat to hold Ashcroft in contempt of Congress
– Somewhat more disclosure since


Patriot Act Sunset

House – passed ban on “sneak and peek”
– Perhaps a “yuck!” reaction
– Seems unlikely to pass Senate
Senate 7 hearings this fall on Patriot Act
On track for substantial debate leading up to 2005 sunset


Patriot Act Sunset

DOJ defends the Patriot Act
– Ashcroft speaking tour
Library and other demonstrators
Stopped announcing speaking locations in advance
Said no library searches with new FISA powers
DOJ web site to defend the act
Scathing CDT report this week
DOJ site defends the non-controversial parts
No response to the substantive critiques of the Patriot Act


FISA Case Study

Send to [email protected] if you want copy of draft paper; final in January

Summary of how we got here
Big expansion of FISA in Patriot Act, etc.
NY Times today
Paths for reform


FISA: Up to 1978

Domestic law enforcement: T. III wiretaps, neutral magistrate & strict rules

“National security” surveillance: inherent power of President and AG, such as watch the Soviet spy

Watergate and revelation of abuses
– “The Lawless State”
– Surveillance of Martin Luther King, political opponents, etc.


FISA: 1978

Need probable cause that is foreign power or “agent of foreign powers”

“The purpose” must be foreign intelligence
AG must sign
Federal judge, on FISA court, must sign
Never gets revealed to the target
If used in criminal, in camera decision by federal judge what gets turned over


FISA: Since 1978

Number of FISA orders up
Scope of “agent of foreign power”
– From spies to terrorists
– Cali cartel? Russian mafia?
Patriot Section 215
– Any records or tangible objects, including library records
– Gag rule


FISA since 1978

Patriot Act and “the wall”
– Before, using foreign intelligence for criminal was “legal but rare”
– Prosecutors could not “direct or control” the use of FISA orders
Patriot Act: OK if “a significant purpose” is foreign intelligence
“Direction and control” now OK by prosecutors
Ashcroft says will use this power aggressively


FISA as a Criminal Statute

NY Times today: story on Edwin Wilson
– CIA affidavit in 1980s that no contact with Wilson after he left the agency
– His lawyer read the secret documents, and over 40 contacts after he left, did work for CIA
– Yesterday, judge overturned that conviction

The risks of a secret criminal system, with no cross-examination or confrontation

That is today’s FISA system, with much more use of secret evidence, with no cross-examination


Where next on FISA?

Recognize the growth and fundamental change in focus of FISA system

If FISA has become a criminal statute, consider more due process

Sec. 215 has serious flaws for records
Consider more oversight, less secrecy, and limits on expansion


Conclusion: Politics

Lots of political activity again this year, even with deregulatory politics and focus on security

The Libertarian wing of Republican Party:
– Bob Barr, Dick Armey – think Waco, gun control, and big government
– Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government

– Do Not Call and the public pressure on visible privacy problems


Conclusions: Coordination?

The “Yuck!” reactions have been to different agencies
– TIPS was FEMA
– TIA was Defense Dept.
– CAPPS II and Homeland Security
– Patriot Act mostly Justice Dept.
A continuing lack of an Administration policy process for privacy
No public official except Nuala Kelly on privacy
Administration has continuing exposure on this


Conclusion: Privacy & Security

First, does the intrusive measure in fact improve security?

Second, is the measure designed to improve security while also respecting privacy where possible?

Third, have we built the new checks and balances appropriate to the new surveillance?


Finally ...

For FISA we have torn down the old checks and balances, and not built new ones

No Administration policy process to build security and privacy

Up to Congress, the public, and the press to build that process

Think of what you as privacy professionals can do to make that happen


Contact Information

Professor Peter P. Swire
web: www.peterswire.net
phone: (240) 994-4142
email: [email protected]

