THE PROBLEM
1.2 Background of the Problem
For centuries, informational privacy and data were protected by the technology of the age. Collected data was handwritten and later typed and placed in location-secure specific files. Such information was limited, not openly shared, and difficult to find, but it was also economically unimportant.
The historic pattern was suddenly changed with the advent of the computer, information economy and the Internet, as information became economically valuable. Data could be mined (i.e., automatically scanned and collected) and easily shared, so information became instantly available and collectable.
The impact of data mining was established as early as 1997 when the Minneapolis Star Tribune received permission from a randomly selected individual to determine the depth and breadth of available information sources. The searchers determined where the person was born, lived, went to school, and worked. Data on the individual’s preferences in beer, entertainment, food, politics, and vacations were also easily found.9
In the late nineteenth century, most modern governments also started a system of collecting and analyzing personal data for legitimate service purposes. In the mid-twentieth century, businesses followed this pattern, especially in credit reporting. However, data storage was via file cabinets, and access was limited.10 The processes changed when the US government gave TRW Incorporated governmental computer programs to computerize credit reporting. Subsequently, the collection methods, uses, and value of information expanded.
8 Id. at 5–34. The UNISA School of Law standard uses Ibid. In the US, Id. is used in legal citations and Ibid. is used in non-legal systems.
As the Internet became commercial and companies demanded access and control over more data and databases, an economically powerful global system emerged. Large global corporations (including Acxiom, ChoicePoint, Experian, and LexisNexis) began purchasing databases from thousands of businesses and organizations to build extensive databases of their own on millions of people in the US alone. The data aggregators built electronic dossiers on millions of individuals that could then be filtered for specific data and sold on demand.11
More data was more easily available than ever before, and that data could be shared at unprecedented speeds. Whitfield Diffie and Susan Landau12 documented that at the start of the nineteenth century, it took the UK government eighteen weeks to send a message to the New Delhi ambassador. By the end of the next century, the same message took only a couple of days, and then decreased to an hour. Currently the message could be sent in seconds. However, each increase in speed due to technological advances resulted in a decrease in privacy protections.
There was a general realization that these privacy infringements required legal remedies, but information technology evolved faster than traditional legal bases could respond. The law largely ignored evolving privacy concerns. For example, intellectual property protections were awarded with no attention to privacy enhancing technology design. In effect, the law followed a traditional reactive pattern when the significance of these changes required a proactive legal response. The Internet and increased computer access, and the nature, speed, and implications of this technology presented a number of legal and policy challenges to traditional legal models and methods. The central legal issue was what hypotheses, deductions, objectives, and questions ought to be addressed. These developments challenged traditional common law views of asset protection, civil rights, consumer protection, data protection, data security, human rights, information privacy, and personal property rights.13
9 Jeffrey Rothfeder, No Privacy on the Net, PC World, 223 (1997, February).
10 James B. Rule, Privacy in Peril: How We Are Sacrificing a Fundamental Right in Exchange for Security and Convenience, (Oxford University Press ed. 2007).
11 Robert O'Harrow, No Place to Hide, (Free Press ed. 2006).
12 Whitfield Diffie & Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, (The MIT Press. ed. 1998).
Powerful interests worked to make those challenges greater and to delay any emerging legal protections. Large corporations used the battle cry of marketing services and free speech, while governments used the need for national security. Both claimed ownership of data mining methods and data.
The US Government Accountability Office (GAO) defined data mining as “the application of database technology and techniques—such as statistical analysis and modeling—to uncover hidden patterns and subtle relationships in data and to infer rules that allow for the prediction of future results.”14 Individual intellectual property rights, knowledge control, confidentiality rules, tort principles, and the legal principle of informed consent were ignored along with existing legal constraints. The US government violated its own laws and pulled data from private sources for its own purposes. For example, JetBlue Airlines released personal data on five million passengers when the government asked—no warrant, only a request for information.15 Similar data were released under the same circumstances by several major telecommunication companies. There were no legal constraints in the United States to stop governments and private businesses from collecting, using, or sharing personal information. Corporations were found to share such information as they wanted to be seen as being nice or to avoid the problems related to saying no. Neil Richards16 analyzed the government business connection, and concluded the system allowed the government to circumvent statutory and constitutional constraints protecting individual privacy.
13 See Lawrence Lessig, Code: Version 2.0, (Basic Books ed. 2006). See also Virginia Postrel, The Future and its Enemies: The Growing Conflict Over Creativity, Enterprise, and Progress, (The Free Press ed. 1998).
14 United States Government Accountability Office, Data Mining: Federal Efforts Cover a Wide Range of Uses. (2004), at http://epic.org/privacy/profiling/gao_dm_rpt.pdf (last visited on 23 June 2012).
Personal data was now a unit of exchange that was usually secretly collected and monitored, then used to increase wealth and power. Modern data regarding an individual’s existence included name, home address, pictures, social security number, medical treatment, and insurance records. Data on livelihood included the individual’s airline and other travel information, certified and registered mail sent or received, computer uses by the individual, credit information on cards, credit history, delivery services used, listings in directories, driver’s license, and information held by Federal Express. The data also included licensing information, Internet research records, office phone and fax numbers, online testing services, passport data, membership in professional organizations, publications, research used, security systems data, records of telephone calls, testifying records, websites used, and work address. Data that individuals gave voluntarily (such as for goods, services, causes, or vanity) included data on airport VIP cards, data in cable TV records, directories, frequent flyer/staying cards, merchant loyalty cards, and data related to political registrations. A staggering volume of private information was readily available on any given person.
This information was obtained from individuals via a number of methods ranging from fraudulently, involuntarily, and under duress to unknowingly and voluntarily. The sources included public records; quasi-public records; marketing data; business, financial, and personal records; and Internet use.
The data would often be accessed online (either for free or via subscription), independent of location or authority. The individual’s level of control was poor-to-moderate. With the aid of laws and judicial decisions, some businesses and governments had taken the information and declared it their own to use, abuse, and share. An example was the Work Number Company, for which Carrie Teegardin17 published data. The company collected detailed employment records of employees from a number of sources. The data included generally private data such as social security number, employer, job title, and wages. The Work Number then collected and sold the data to others without the employees’ consent. The data included private information on a third of all American employees and constituted over 165 million records.
15 Markle Foundation, Creating a Trusted Information Network for Homeland Security. (2003), at http://www.markletaskforce.org/ (last visited on 11 January 2012).
There were no legal constraints on the collection or sale of this data—in fact, the US government was a customer.
By now it is clear that such individual employment data and other personal information should be secure, but are not. A recent study by Deloitte & Touche18 found that data protection breaches and information privacy violations were increasing. In a study of over 827 privacy professionals, thirty-five percent reported six to ten privacy breach incidents, with forty-three percent reporting more than ten incidents in the last several months. Eighty-five percent reported at least one, and sixty-three percent reported multiple significant breaches. Of the breaches, thirty-four percent involved over 1,000 records and ten percent over 25,000 files. The Irish Privacy Commission reported that the office received 300 complaints in 2005, 658 in 2006, and in 2007 over 1,000 complaints.19
A similar pattern was found in the United States with privacy thefts. In 2006 there were 49.7 million reports, while in 2007 over 162 million records were lost or stolen. Disclosures came from “98 companies, 85 schools, 80 government agencies and 39 hospitals and clinics.”20 For example, records of 6,313 medical patients at the University of California-San Francisco were mistakenly made available on the Internet. The university took six months to make any notification to the individuals involved. The released data included names, addresses, medical identification numbers, treating physician and department records, financial information, donation history, and neighborhood maps.21
16 Neil M. Richards, Reconciling Data Privacy and the First Amendment, 52 UCLA Law Review, 4, 1149 (2005).
17 Carrie Teegardin, Guess Who Knows How Much You Earn Each Week?, The Atlanta Journal-Constitution. (2008), at http://www.ajc.com/search/content/business/stories/2008/01/20/worknumber_0120.html (last visited on 23 May 2012).
18 Deloitte & Touche, LLP, Enterprise@Risk: Insights Into the Emerging Privacy and Data Protection Function (2007), http://www.deloitte.com/dtt/cda/doc/content/us_risk_s%26P_2007%20Privacy10Dec2007final.pdf (last visited Dec. 26, 2008).
19 Ciara O'Brien, Data Protection Complaints Soar. (2007 December 12), at http://www.electricnews.net/article/10123588.html (last visited on 26 December 2012).
DPSIP data loss and breach violations alone were massive. Cline22 determined that from 2000 to 2008, publicly reported breaches alone involved more than 530 billion records (see Figure 1.1). The number was greater than the entire population of the European Union (EU) or of CA, the Caribbean, Central America, Mexico, and the US combined. The reported DPSIP violations accounted for more than the entire population of Africa.
Figure 1.1 Source of Breaches
20 Byron Acohido, Theft of Personal Data More Than Triples This Year. (2007, December 9), at http://www.usatoday.com/money/industries/technology/2007-12-09-data-theft_N.htm?POE=click-refer (last visited on 2 January 2012).
21 Elizabeth Fernandez, 6,000 UCSF Patients' Data Got Put Online, San Francisco Chronicle (2008, May 2), at A1.
22 Jay Cline, 530M Records Exposed, and Counting, Computerworld (2008, September 9), at http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Privacy&articleId=9114176&taxonomyId=84&pageNumber=1 (last visited on 9 September 2012).
Since 1997, the Electronic Privacy Information Center (EPIC), located in the US, and Privacy International, located in the UK, have researched worldwide privacy policies. The 2007 EPIC report revealed that DPSIP legal standards had diminished. The US and UK were some of the weakest data protectors, with AU being in the second worst category. CA was one of the best data protectors, the EU was declining, and SA was in the development phase. The report showed “an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion.”23 The researchers examined constitutional protections, privacy enforcement, and statutory protections. A world map graphically illustrates the relevant privacy ratings of the study:
Figure 1.2 State of Privacy Map
23 Privacy International, Leading Surveillance Societies in the EU and the World 2007. (2007, December 28), at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559597 (last visited on 2 January 2012).
24
The map illustrates global surveillance levels per se, but this study also addressed the key issues of constitutional protection, communications data retention, communication interception, data-sharing, democratic safeguards, government access to data, privacy enforcement, statutory protection, and surveillance of medical, financial, and movement data, and found safeguards lacking worldwide.
The advent of modern computer technology provided businesses and governments the ability to amass, through grand mechanisms, the means to collect and build on data that left the owner–giver less control.25 Alexander Rosenberg26 described a "degenerate case of the peeping tom's invasion of our privacy" where "suffering is caused just by the voyeur's acquiring the information." A tension existed between the enlightened self-interest of the owner–giver and the economic or political advantage of the data collectors, who used an argument of social benefit and economic efficiency. Information gatherers tended to decay the value of the information and thus produced distortions in the allocation of resources.27 The data controllers argued that the pattern of ignoring DPSIP legal standards was in the name of efficiency and public order. The impact was to destabilize the essential boundaries among governments, individuals, and society.28 DPSIP legal standards are a public good29 that the government must control to preserve democratic objectives.30
24 Id. at 1.
25 Hal R. Varian, Economic Aspects of Personal Privacy, in Privacy and Self-Regulation in the Information Age (U.S. Department of Commerce ed., U.S. Department of Commerce 1996); Hal R. Varian, The Information Economy: How Much Will Two Bits Be Worth in the Digital Marketplace? (1996), at http://www.sims.berkeley.edu/~hal/pages/sciam.html (last visited on 4 July 2012).
26 Alexander Rosenberg, Privacy as a Matter of Taste and Right, in The Right to Privacy (Ellen Frankel Paul, et al. eds., Cambridge University Press 2000).
27 Roger V. Clarke, Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism, 4 Information Infrastructure and Policy, 1, 29 (1995).
28 David Lyon, Surveillance Society: Monitoring Everyday Life, (Open University ed. 2001). See also David Lyon, Surveillance as Social Sorting: Privacy, Risk, and Digital Discrimination (David Lyon ed., Routledge ed. 2003).
29 An economics term for a good or service that enhances the well-being of the public and society.
Over 30 years ago, Jack Hirshleifer31 maintained that respecting privacy rights provided an evolutionary advantage for people and societies. More recently Richard Epstein32 argued that information privacy is a form of private property so that any taking or confiscation must be compensated. The legal challenge is to develop laws to rebalance informational asymmetries.