The Year in Privacy and Security Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Association of Privacy.

Presentation transcript:

The Year in Privacy and Security Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Association of Privacy Professionals October 30, 2003

Overview
- An overview of the year in privacy politics
- Private Sector – Spam, Do Not Call, HIPAA, Genetic, FCRA
- Public Sector – PIAs, TIA, CAPPS II – Patriot Act sunset looms
- New research on FISA
- Conclusions

I. Private Sector Privacy
- Anti-intrusion privacy
- Secondary use
- States as drivers of change
- Administration not prominent in the debates

Anti-Intrusion: Spam
- High political interest in anti-spam laws
- Senate bill
- Wildly popular to do something

Anti-Spam Efforts
- Muris position – The problem is bad actors – Body part enlargement, drug of the month, and porn
- Congressional efforts – Largely would affect corporate actors – May be small % of UCE – But that's what Congress can affect
- How to affect the bad actors is the puzzle
- Likely have continuing pressure to act

Anti-Intrusion: Do Not Call
- Political steamroller
- Developed by Muris & FTC
- Once popular, announced in Rose Garden ceremony
- 54 million have signed up
- Most popular opt out in history – One reason: simple, clear opt out

Anti-Intrusion: Do Not Call
- Very popular politically
- District Court held Congress had not authorized the rule
- Passed in both houses the next day
- Popularity may influence the 1st Amendment analysis of 10th Circuit – Phone company cases and transfers within a company or holding company – Here, Congress & President & 54 million want to protect the integrity of their homes – Judges have phones, too

Secondary Use: HIPAA
- HIPAA medical privacy rule in effect April, 2003
- Political non-event – Industry efforts to roll it back largely failed – Advocate efforts to tighten marketing, etc., have gotten no traction – Next political moments will be about enforcement or lack of enforcement

Secondary Use: Genetic Data
- Senate passed genetic discrimination bill – Can't use in employment and insurance
- Bill developing for 6 years – Part of Genome project – Lots of state laws – Clinton Executive Order – Proven gaps in ADA, HIPAA and other laws

Secondary Use: Genetic
- President Bush speech supporting a bill – No apparent political capital spent on it
- No action yet in House
- If comes to a vote, very hard for politicians to vote in favor of genetic discrimination

Secondary Use: FCRA
- The high-stakes fight this year in Congress on privacy
- Risk to industry when have a deadline, such as end of preemption in 2004
- Mostly, industry is winning
- But, the price is about 6 new rulemakings

Secondary Use: FCRA
- Strength of industry's substantive arguments: – Credit system works well for most people – Is a national credit system
- ID theft as the engine for new regulations

ID Theft
- Mix of – Intrusion – my life suffers intrusion from the stranger – and – Secondary use – data holder uses and discloses key data to others
- Link to national ID debate – Authentication a huge debate in coming years
- Expect more political pressure on ID theft, and debates about biometrics & IDs

Role of the States
- California law for notification on security breaches, now in effect
- California law for Internet privacy, requiring notice on commercial web sites
- California law on affiliate-sharing – Likely preempted by FCRA
- States as continuing source of ferment

Summary on Private Sector Privacy
- A lot happening even in a quiet year with no Administration leadership
- Intrusion impels political action
- Secondary use less powerful politically because individuals don't see the problems
- Ongoing political instinct to do something on privacy

II. Government Sector Privacy
- Administration acts on privacy only in response to Congressional orders
- Congress says Yuck! to a number of Administration initiatives
- Patriot Act sunset as the current and future battleground

Congress Acts, Administration Reacts
- 2002, Dept. Homeland Security Act – Required Chief Privacy Officer in DHS – Said nothing in the law authorized a national ID card or system – Administration accepted these, but had no pro-privacy provisions in its own draft bill

Congress Acts
- E-Government Act of 2002 – Required privacy impact assessments (PIAs) for all new federal computer systems – Codified OMB guidance for privacy policies on federal web sites and limits on cookies – Pushed agencies to use privacy-enhancing technologies, including P3P

Administration Reacts: PIAs
- OMB guidance required by April, issued in September
- Tracks statute closely

PIAs
- One innovation – Privacy Act loophole if agency pings private database and doesn't create system of records
- Guidance says PIA needed when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources
- Purchases of commercial products and services more likely to trigger PIA

Administration Reacts
- PIA guidance – Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites – New exception for authorized law enforcement, national security and/or homeland security purposes – No limits on the scope of the exception, so might apply to all federal web sites – Weak promise – no tracking, except we might track everywhere

Yuck!: TIPS and DHS
- TIPS – mail carrier or cable guy at your house calls 800 number at DOJ – Popular reaction against a nation of informants – Banned in Homeland Security Act, 2002

Yuck!: TIA
- Total (now Terrorist) Information Awareness program in Dept. Defense

Yuck!: TIA
- Jan. 2003: no funding to TIA unless have detailed report
- Report in May
- TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens

Yuck!: TIA & next steps
- Ironically, TIA had begun to fund pro-privacy measures – Swire: consider % of funding for ELSI in new surveillance programs
- Transparency – TIA and possibility of Congressional oversight
- Now, the scary research likely to continue in new bureaus, but with less oversight and less pro-privacy research

Yuck!: CAPPS II
- Post 9/11 statute to require system to spot high risk of terrorists on airlines
- Computer Assisted Passenger Profiling System (CAPPS), second version
- 1st System of Records Notice – Administration wanted to get, use, & share lots of data – They didn't get privacy, or calculated risk?
- Public outcry – Bill Scannell, dontspyon.us – Fear of internal passport and your papers, please

Yuck!: CAPPS II
- Congressional hearings & Loy promises
- 2d System of Records Notice – Much more careful on privacy safeguards – But already backsliding from Loy statements – Not only foreign terrorists; now also outstanding warrants (criminals), domestic terrorists, and maybe immigration

Yuck!: CAPPS II
- Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards

Patriot Act Sunset
- Passed quickly in 2001
- FISA and some other provisions sunset end of 2005 – A trigger for broader re-examination
- Fights on oversight – Intense secrecy from DOJ – Sensenbrenner threat to hold Ashcroft in contempt of Congress – Somewhat more disclosure since

Patriot Act Sunset
- House – passed ban on sneak and peek – Perhaps a yuck! reaction – Seems unlikely to pass Senate
- Senate 7 hearings this fall on Patriot Act
- On track for substantial debate leading up to 2005 sunset

Patriot Act Sunset
- DOJ defends the Patriot Act – Ashcroft speaking tour
- Library and other demonstrators
- Stopped announcing speaking locations in advance
- Said no library searches with new FISA powers
- DOJ web site to defend the act
- Scathing CDT report this week
- DOJ site defends the non-controversial parts
- No response to the substantive critiques of the Patriot Act

FISA Case Study
- Send to if you want copy of draft paper; final in
- Summary of how we got here
- Big expansion of FISA in Patriot Act, etc.
- NY Times today
- Paths for reform

FISA: Up to 1978
- Domestic law enforcement: T. III wiretaps, neutral magistrate & strict rules
- National security surveillance: inherent power of President and AG, such as watch the Soviet spy
- Watergate and revelation of abuses – The Lawless State – Surveillance of Martin Luther King, political opponents, etc.

FISA: 1978
- Need probable cause that is foreign power or agent of foreign powers
- The purpose must be foreign intelligence
- AG must sign
- Federal judge, on FISA court, must sign
- Never gets revealed to the target
- If used in criminal, in camera decision by federal judge what gets turned over

FISA: Since 1978
- Number of FISA orders up
- Scope of agent of foreign power – From spies to terrorists – Cali cartel? Russian mafia?
- Patriot Section 215 – Any records or tangible objects, including library records – Gag rule

FISA since 1978
- Patriot Act and the wall – Before, using foreign intelligence for criminal was legal but rare – Prosecutors could not direct or control the use of FISA orders
- Patriot Act: OK if a significant purpose is foreign intelligence
- Direction and control now OK by prosecutors
- Ashcroft says will use this power aggressively

FISA as a Criminal Statute
- NY Times today: story on Edwin Wilson – CIA affidavit in 1980s that no contact with Wilson after he left the agency – His lawyer read the secret documents, and over 40 contacts after he left, did work for CIA – Yesterday, judge overturned that conviction
- The risks of a secret criminal system, with no cross-examination or confrontation
- That is today's FISA system, with much more use of secret evidence, with no cross-examination

Where next on FISA?
- Recognize the growth and fundamental change in focus of FISA system
- If FISA has become a criminal statute, consider more due process
- Sec. 215 has serious flaws for records
- Consider more oversight, less secrecy, and limits on expansion

Conclusion: Politics
- Lots of political activity again this year, even with deregulatory politics and focus on security
- The Libertarian wing of Republican Party: – Bob Barr, Dick Armey – think Waco, gun control, and big government – Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government – Do Not Call and the public pressure on visible privacy problems

Conclusions: Coordination?
- The Yuck! reactions have been to different agencies – TIPS was FEMA – TIA was Defense Dept. – CAPPS II and Homeland Security – Patriot Act mostly Justice Dept.
- A continuing lack of an Administration policy process for privacy
- No public official except Nuala Kelly on privacy
- Administration has continuing exposure on this

Conclusion: Privacy & Security
- First, does the intrusive measure in fact improve security?
- Second, is the measure designed to improve security while also respecting privacy where possible?
- Third, have we built the new checks and balances appropriate to the new surveillance?

Finally...
- For FISA we have torn down the old checks and balances, and not built new ones
- No Administration policy process to build security and privacy
- Up to Congress, the public, and the press to build that process
- Think of what you as privacy professionals can do to make that happen

Contact Information
- Professor Peter P. Swire
- web:
- phone: (240)