1. The Year in Privacy and Security Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Association of Privacy Professionals October 30, 2003

2. Overview n An overview of the year in privacy politics n Private Sector – Spam, Do Not Call, HIPAA, Genetic, FCRA n Public Sector – PIAs, TIA, CAPPS II – Patriot Act sunset looms n New research on FISA n Conclusions

3. I. Private Sector Privacy n Anti-intrusion privacy n Secondary use n States as drivers of change n Administration not prominent in the debates

4. Anti-Intrusion: Spam n High political interest in anti-spam laws n Senate bill n Wildly popular to do something

5. Anti-Spam Efforts n Muris position – The problem is bad actors – Body part enlargement, drug of the month, and porn n Congressional efforts – Largely would affect corporate actors – May be small % of UCE – But thats what Congress can affect n How to affect the bad actors is the puzzle n Likely have continuing pressure to act

6. Anti-Intrusion: Do Not Call n Political steamroller n Developed by Muris & FTC n Once popular, announced in Rose Garden ceremony n 54 million have signed up n Most popular opt out in history – One reason: simple, clear opt out

7. Anti-Intrusion: Do Not Call n Very popular politically n District Court held Congress had not authorized the rule n Passed in both houses the next day n Popularity may influence the 1 st Amendment analysis of 10 th Circuit – Phone company cases and transfers within a company or holding company – Here, Congress & President & 54 million want to protect the integrity of their homes – Judges have phones, too

8. Secondary Use: HIPAA n HIPAA medical privacy rule in effect April, 2003 n Political non-event – Industry efforts to roll it back largely failed – Advocate efforts to tighten marketing, etc., have gotten no traction – Next political moments will be about enforcement or lack of enforcement

9. Secondary Use: Genetic Data n Senate passed genetic discrimination bill – Cant use in employment and insurance n Bill developing for 6 years – Part of Genome project – Lots of state laws – Clinton Executive Order – Proven gaps in ADA, HIPAA and other laws

10. Secondary Use: Genetic n President Bush speech supporting a bill – No apparent political capital spent on it n No action yet in House n If comes to a vote, very hard for politicians to vote in favor of genetic discrimination

11. Secondary Use: FCRA n The high-stakes fight this year in Congress on privacy n Risk to industry when have a deadline, such as end of preemption in 2004 n Mostly, industry is winning n But, the price is about 6 new rulemakings

12. Secondary Use: FCRA n Strength of industrys substantive arguments: – Credit system works well for most people – Is a national credit system n ID theft as the engine for new regulations

13. ID Theft n Mix of – Intrusion – my life suffers intrusion from the stranger – and – Secondary use – data holder uses and discloses key data to others n Link to national ID debate – Authentication a huge debate in coming years n Expect more political pressure on ID theft, and debates about biometrics & IDs

14. Role of the States n California law for notification on security breaches, now in effect n California law for Internet privacy, requiring notice on commercial web sites n California law on affiliate-sharing – Likely preempted by FCRA n States as continuing source of ferment

15. Summary on Private Sector Privacy n A lot happening even in a quiet year with no Administration leadership n Intrusion impels political action n Secondary use less powerful politically because individuals dont see the problems n Ongoing political instinct to do something on privacy

16. II. Government Sector Privacy n Administration acts on privacy only in response to Congressional orders n Congress says Yuck! to a number of Administration initiatives n Patriot Act sunset as the current and future battleground

17. Congress Acts, Administration Reacts n 2002, Dept. Homeland Security Act – Required Chief Privacy Officer in DHS – Said nothing in the law authorized a national ID card or system – Administration accepted these, but had no pro- privacy provisions in its own draft bill

18. Congress Acts n E-Government Act of 2002 – Required privacy impact assessments (PIAs) for all new federal computer systems – Codified OMB guidance for privacy policies on federal web sites and limits on cookies – Pushed agencies to use privacy-enhancing technologies, including P3P

19. Administration Reacts: PIAs n OMB guidance required by April, issued in September n Tracks statute closely

20. PIAs n One innovation – Privacy Act loophole if agency pings private database and doesnt create system of records n Guidance says PIA needed when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources n Purchases of commercial products and services more likely to trigger PIA

21. Administration Reacts n PIA guidance – Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites – New exception for authorized law enforcement, national security and/or homeland security purposes – No limits on the scope of the exception, so might apply to all federal web sites – Weak promise – no tracking, except we might track everywhere

22. Yuck!: TIPS and DHS n TIPS – mail carrier or cable guy at your house calls 800 number at DOJ – Popular reaction against a nation of informants – Banned in Homeland Security Act, 2002

23. Yuck!: TIA n Total (now Terrorist) Information Awareness program in Dept. Defense

25. Yuck!: TIA n Jan. 2003: no funding to TIA unless have detailed report n Report in May n TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens

26. Yuck!: TIA & next steps n Ironically, TIA had begun to fund pro-privacy measures – Swire: consider % of funding for ELSI in new surveillance programs n Transparency – TIA and possibility of Congressional oversight n Now, the scary research likely to continue in new bureaus, but with less oversight and less pro- privacy research

27. Yuck!: CAPPS II n Post 9/11 statute to require system to spot high risk of terrorists on airlines n Computer Assisted Passenger Profiling System (CAPPS), second version n 1 st System of Records Notice – Administration wanted to get, use, & share lots of data – They didnt get privacy, or calculated risk? n Public outcry – Bill Scannell, dontspyon.us – Fear of internal passport and your papers, please

28. Yuck!: CAPPS II n Congressional hearings & Loy promises n 2d System of Records Notice – Much more careful on privacy safeguards – But already backsliding from Loy statements – Not only foreign terrorists; now also outstanding warrants (criminals), domestic terrorists, and maybe immigration

29. Yuck!: CAPPS II n Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards

30. Patriot Act Sunset n Passed quickly in 2001 n FISA and some other provisions sunset end of 2005 – A trigger for broader re-examination n Fights on oversight – Intense secrecy from DOJ – Sensenbrenner threat to hold Ashcroft in contempt of Congress – Somewhat more disclosure since

31. Patriot Act Sunset n House – passed ban on sneek and peek – Perhaps a yuck! reaction – Seems unlikely to pass Senate n Senate 7 hearings this fall on Patriot Act n On track for substantial debate leading up to 2005 sunset

32. Patriot Act Sunset n DOJ defends the Patriot Act – Ashcroft speaking tour n Library and other demonstrators n Stopped announcing speaking locations in advance n Said no library searches with new FISA powers n DOJ web site to defend the act n Scathing CDT report this week n DOJ site defends the non-controversial parts n No response to the substantive critiques of the Patriot Act

33. FISA Case Study n Send to pswire@mofo.com if you want copy of draft paper; final in Januarypswire@mofo.com n Summary of how we got here n Big expansion of FISA in Patriot Act, etc. n NY Times today n Paths for reform

34. FISA: Up to 1978 n Domestic law enforcement: T. III wiretaps, neutral magistrate & strict rules n National security surveillance: inherent power of President and AG, such as watch the Soviet spy n Watergate and revelation of abuses – The Lawless State – Surveillance of Martin Luther King, political opponents, etc.

35. FISA: 1978 n Need probable cause that is foreign power or agent of foreign powers n The purpose must be foreign intelligence n AG must sign n Federal judge, on FISA court, must sign n Never gets revealed to the target n If used in criminal, in camera decision by federal judge what gets turned over

36. FISA: Since 1978 n Number of FISA orders up n Scope of agent of foreign power – From spies to terrorists – Cali cartel? Russian mafia? n Patriot Section 215 – Any records or tangible objects, including library records – Gag rule

37. FISA since 1978 n Patriot Act and the wall – Before, using foreign intelligence for criminal was legal but rare – Prosecutors could not direct or control the use of FISA orders n Patriot Act: OK if a significant purpose is foreign intelligence n Direction and control now OK by prosecutors n Ashcroft says will use this power aggressively

38. FISA as a Criminal Statute n NY Times today: story on Edwin Wilson – CIA affidavit in 1980s that no contact with Wilson after he left the agency – His lawyer read the secret documents, and over 40 contacts after he left, did work for CIA – Yesterday, judge overturned that conviction n The risks of a secret criminal system, with no cross-examination or confrontation n That is todays FISA system, with much more use of secret evidence, with no cross-examination

39. Where next on FISA? n Recognize the growth and fundamental change in focus of FISA system n If FISA has become a criminal statute, consider more due process n Sec. 215 has serious flaws for records n Consider more oversight, less secrecy, and limits on expansion

40. Conclusion: Politics n Lots of political activity again this year, even with deregulatory politics and focus on security n The Libertarian wing of Republican Party: – Bob Barr, Dick Armey – think Waco, gun control, and big government – Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government – Do Not Call and the public pressure on visible privacy problems

41. Conclusions: Coordination? n The Yuck! reactions have been to different agencies – TIPS was FEMA – TIA was Defense Dept. – CAPPS II and Homeland Security – Patriot Act mostly Justice Dept. n A continuing lack of an Administration policy process for privacy n No public official except Nuala Kelly on privacy n Administration has continuing exposure on this

42. Conclusion: Privacy & Security n First, does the intrusive measure in fact improve security? n Second, is the measure designed to improve security while also respecting privacy where possible? n Third, have we built the new checks and balances appropriate to the new surveillance?

43. Finally... n For FISA we have torn down the old checks and balances, and not built new ones n No Administration policy process to build security and privacy n Up to Congress, the public, and the press to build that process n Think of what you as privacy professionals can do to make that happen

44. Contact Information n Professor Peter P. Swire n web: www.peterswire.net n phone: (240) 994-4142 n email: pswire@mofo.com