Cyber and Electronic Crime ID Theft and Child Online Protection. Background Paper: Balancing Privacy and Safeguards

Background Paper: Balancing Privacy and Safeguards

James X. Dempsey
Center for Democracy and Technology
July 13, 2007

The Internet is a powerful tool for economic activity, human development and democratic participation. At the same time, however, criminals see the potential of the Internet as a place to perpetrate fraud and other crime. Terrorists use it as a communications medium of global reach and low cost. The critical infrastructures that depend on networked computers are vulnerable to accidental or intentional disruption. Meanwhile, consumers continue to cite privacy and security concerns as their number one reason for not making broader use of online opportunities.

In order for the Internet to fulfill its potential for good, it must be trustworthy and secure. However, misguided policies pursued in the name of security can be ineffective or even harmful. The success of the Internet to date is due in part to a policy framework suited to its unique architecture, which is open, decentralized, and user-controlled. The challenge going forward is to enhance trust and reliability while still promoting openness, competition, innovation, and consumer choice.

“Balance” does not necessarily require trade-off. Even in confronting the acute threat of terrorism, privacy and security need not be in conflict. To the contrary, privacy protection, checks and balances, accountability and redress are key elements of effective responses to the law enforcement and national security threats we face. As the 9/11 Commission stated: “The choice between security and liberty is a false choice.” The shift in government power and authority that is occurring in response to terrorism, the 9/11 Commission concluded, “calls for an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life.”[1]

There are no silver bullets for the challenges posed by the Internet. Effective solutions will be based on a mix of laws, industry self-regulation, technical standards and user education.

[1] This conclusion -- that privacy protection and accountability should be built into the design and implementation of counterterrorism information systems -- is central to the recommendations of other bi-partisan expert bodies that have studied the role of information technology in fighting terrorism, including the Secretary of Defense’s Technology and Privacy Advisory Committee (TAPAC), the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, chaired by former Virginia Governor James Gilmore, http://www.rand.org/nsrd/terrpanel/, and the Markle Foundation Task Force on National Security in the Information Age, http://www.markletaskforce.org.


I. The Elements of Trust and Security Online

There are at least four components to the policy framework for trust and security online:

• Criminal Law – Generally speaking, criminal laws should be drafted in technology-neutral terms, to cover the same conduct online and off. For example, many kinds of identity theft and associated fraud are equally illegal online and offline, as are production and possession of child pornography. Periodically, it is appropriate to assess the criminal law to ensure that it is appropriately technology neutral and that it adequately addresses uniquely electronic crimes, such as attacks on the security and integrity of computer systems.

• Standards for Government Access to Communications and Stored Data – The Constitution as interpreted by the courts and laws like the Wiretap Act and the Electronic Communications Privacy Act and their state counterparts provide standards for government access to communications and stored data when needed for the investigation of crimes. Such procedures both empower the government to carry out its investigations and also assure businesses and consumers that the government cannot unjustifiably monitor their communications. Technology, by generating and storing more and more information, can outpace privacy protections, requiring a periodic re-balancing of access standards.

• Computer and Network Security – Laws are not sufficient to make computer networks secure. The problem of computer crime will be solved only when makers of computer technology build more secure systems and when owners, operators and users of computer systems operate their systems in a more secure manner. By and large, this is an area in which the private sector must lead. It is not the government’s role to dictate standards or control technology design. Governments do need, however, to secure their own computer systems with proper security practices.

• Consumer Protection and Consumer Education – Companies that collect and use personally identifiable information have a custodial responsibility for that information. The Internet is regulated by a web of consumer protection laws, including privacy laws, but consumers also have an obligation to educate themselves – and policy should support user education – about the technology, its risks, and the steps individuals should take to protect themselves.

II. What is Privacy?

“Privacy” is a broad and a widely misunderstood concept. The word “privacy” means different things in different contexts. It refers, for example, to the confidentiality of communications: The Supreme Court has held that the Fourth Amendment protects telephone calls from interception without a warrant, and a federal appeals court recently held that the same principle applies to email stored on the computers of an email service provider. The values encompassed by the word “privacy” also include the important First Amendment principle that individuals should be able to oppose government policies or engage in other political activities without the government collecting information about them. The Supreme Court has held that there is a First Amendment right to speak anonymously about matters of political and social interest.

“Privacy” also is used to describe the interests at stake in the flow of personally identifiable information generated in the course of commercial and governmental transactions. To a large degree, privacy in this context is not about keeping personal information secret or hidden. Rather, it is about fairness: How do you use information to make fair and reliable decisions about people? Information privacy laws are intended to provide individuals (1) control over what to disclose; (2) awareness of how their personal data will be used; (3) rights to insist that data are accurate and up-to-date; and (4) protection when personal information is used to make decisions.

It is well established by U.S. Supreme Court cases, the federal Privacy Act, and other privacy laws like the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA) that individuals retain a privacy (or due process) interest in information about themselves even after they have disclosed it in the course of a commercial or governmental transaction. Our interest in the fair use of information to make decisions about us extends even to data that is publicly available: if that information (arrest records, for example) is used to make decisions that can have adverse consequences, then we should have a right to know about the use of that information and an opportunity to respond to information that is inaccurate or misleading. The term “Fair Information Practices” (FIPs) best describes this aspect of privacy. These principles govern not just the initial collection of information, but also its use. The “Fair Information Practices” have been embodied in varying degrees in the Privacy Act, FCRA, and the other “sectoral” federal and state privacy laws. The FIPs have remained remarkably relevant despite the dramatic advancements in information technology. There is no single authoritative statement of Fair Information Practices. CDT uses the following list, the elements of which can be found in the Privacy Act, which is generally applicable to all U.S. government systems of records:

1. Notice (or openness) – the entity collecting data should state when it is collecting data, through a published notice and wherever possible on an individual basis – Privacy Act, subsection (e)(2), (3) and (4). Sometimes notice is discussed in conjunction with choice or consent, the principle that individuals should have control over when data is collected and how it is used, unless a certain standard is met for the compulsory collection of data (such as with a warrant or subpoena).

2. Purpose specification – the data collector should specify the purpose for which it is collecting data – Privacy Act, subsection (e)(3).

3. Collection limitation – a system or program should collect no more information than is relevant and necessary for the specified purpose (minimization) – see Privacy Act subsections (e)(2) and (7).

4. Retention limitation – data should be retained no longer than necessary for the specified purpose – see Privacy Act subsections (e)(1), (2) and (5).

5. Use and disclosure limitation – information collected for one purpose should not be disclosed to third parties or used for other purposes without consent – Privacy Act subsection (b).

6. Data quality – information should be timely, accurate, complete – Privacy Act subsection (e)(5).

7. Security – the entity holding data must establish reasonable administrative, technical and physical safeguards to protect it against loss or unauthorized disclosure or use – Privacy Act subsection (e)(10).

8. Access to one’s own records – Sometimes referred to as “individual participation,” access is a right in and of itself, but also it is a precursor to exercising the right to insist on the correction of mistakes – Privacy Act subsections (c), (d) and (f).

9. Redress – Sometimes combined with the “individual participation” principle, this refers to the right to challenge inaccurate data, preferably before adverse decisions are made, and to correct mistakes and obtain redress for abuse – Privacy Act subsections (e) and (d).

10. Accountability – audit, enforcement – Privacy Act subsections (e)(9) and (10), (g) and (i).

Applying these principles in law enforcement or national security contexts poses challenges. Clearly, not all of these concepts can be implemented in the criminal justice or national security context in the same way they are applied, for example, in the government benefits context. Nevertheless, FIPs define the key questions that should be asked in designing almost any information systems, including: what information is being collected, for what purpose, with whom will it be shared, how long will it be kept, how accurate and reliable is the information, how will an individual be able to correct erroneous information, how will the data be secured against loss or unauthorized access, will individuals know the basis for decisions affecting them and be able to respond to mistakes, and what are the accountability and enforcement mechanisms?[2]

III. Applying Fair Information Practices to the Challenge of Identity

Clearly, identity creation and management is a central challenge of the digital age for both the public and private sectors. Identity-related technologies can facilitate realization of the potential of the digital age, whether by making online transactions more seamless, tying together information on multiple devices, combating fraud, or enabling new services like electronic health records. Multiple ID-related initiatives are underway. A major goal of these activities is to prevent illegal activity or enhance security, whether it is the security of our national borders, airplanes, workplaces, health records, or online transactions.

[2] For an example of the application of some of these principles in the criminal justice context, see Department of Justice, Office of Justice Programs, Global Justice Information Sharing Initiative (“Global”), “Fusion Center Guidelines: Law Enforcement Intelligence, Public Safety, and the Private Sector” (2006), http://it.ojp.gov/documents/fusion_center_guidelines.pdf, Guideline 8, pp. 41-42, and Global’s “Privacy Policy Development Guide and Implementation Templates” (October 2006), http://it.ojp.gov/documents/Privacy_Guide_Final.pdf, Sec. 4 and Appendix A.

However, the collection, storage, and disclosure of identity information can create risks to personal privacy and security. Poorly implemented identity systems can actually contribute to identity theft or weaken security. To mitigate these risks, it is essential that identity systems be designed with effective privacy and security measures.

CDT is undertaking a consultative process with industry, privacy advocates and government officials to define privacy principles to guide government and commercial entities in developing programs or systems for the creation, authentication, and use of identity. By convening stakeholders with diverse perspectives, we hope to achieve a comprehensive and useful set of guidelines or “best practices” that can be applied to the issues associated with identity creation and management across the public and private sectors and in many different contexts. Information about the process is available at http://www.cdt.org/security/identity/. The project has identified three overarching concepts: (1) proportionality; (2) diversity and decentralization; and (3) privacy and security by design.

A. Proportionality

In analyzing identity solutions offered in response to particular needs or problems, it is useful to understand identity as a spectrum, ranging from complete anonymity at one end to unique and full identity at the other. The uniqueness and reliability of an identity, and the amount of information collected by a system, should be demonstrably proportional to the purpose for which it is being created or used. Not all transactions need to be tied to identity. Some goals can be served (i.e., some transactions can be completed) without using any identity information at all (for example, cash-based transactions can be highly reliable) or by using minimally revealing forms of identity.

The amount, type, and sensitivity of information collected and stored by an identity system should be proportional to the purpose for which the identity is being created. For example, in many situations it is not proportional to collect information about race, gender, ethnicity, or religious or political affiliation. Also, for transactions of lower significance, it is not appropriate to use a multitude of attributes or identifiers, or those that divulge much about a person’s unique and full identity.

B. Diversity and Decentralization

Security goals will be best served by a diversity of ID systems and identifiers. Reliance on a single identifier or ID device is extremely risky. No system is perfect, so a single or dominant ID presents a major point of failure. Rather than attempt to develop the perfect single solution, identity creation and authentication options should function like keys on a key ring, allowing individuals to choose the appropriate key to satisfy a specific need.

Different government agencies, companies and organizations, and different types of functions within organizations, will likely need different types of identity systems. Identity systems should be designed to exist in a marketplace offering multiple services that deliver varying degrees and kinds of identity creation, authentication, and use.

As a single identity becomes more widely used and as identity information becomes more physically or logically centralized, there is increased likelihood for abuse by criminals. The Social Security number is an example of this risk. Using only one or a very small handful of centralized identity solutions for multiple purposes leaves individuals with few choices and diminishes the ability of identity systems to protect privacy and security. Forcing individuals to use a single identifier or credential for multiple purposes makes that identifier or credential ripe for abuse, putting privacy and security at risk.

C. Privacy and Security by Design

Privacy and security considerations should be incorporated into an identity system from the very outset of the design process. These include both safeguards for the physical system components and policies that guide the implementation of the system. Internal privacy and security practices should incorporate applicable regulatory and self-regulatory guidelines.

Identity systems should be designed with attention to human strengths and limitations that may impact the privacy and security of the systems. Knowledge of human behavior and how people will likely interact with an identity system should be incorporated from the first phases of a system’s design. Incorporating limits on the use of the system into its design will make “mission creep” – authorized but initially unintended uses – easier to avoid and less appealing later on.

IV. Concerns with Data Retention Mandates

One proposal that has been put forth to address online crime is to require service providers to collect and retain certain data identifying customers and their online activities, for later use by law enforcement in investigations. These proposals have raised privacy and business objections.

One of the best ways to protect privacy is to minimize the amount of data collected in the first place. A data retention law would undermine this important principle, resulting in the collection of large amounts of information that could be abused and misused. Mandatory data retention laws will create large databases of information that trace personal contacts and relationships. These databases would be vulnerable to insider abuse, hackers and accidental disclosure. Thus, data retention could have the unintended consequence of aggravating the risk of data breaches and unauthorized use.

The current data preservation law, 18 U.S.C. §2703(f), authorizes any governmental entity to require any service provider (telephone company, ISP, cable company, university) to immediately preserve any records in its possession for up to 90 days, renewable indefinitely. Data preservation orders are mandatory – service providers must comply. They do not require judicial approval and do not need to meet any evidentiary threshold. This may be preferable to data retention because a data preservation request can specify exactly what information is needed for the investigation at hand. Data retention laws, on the other hand, take a “one-size-fits-all” approach that is unsuited to the dynamic nature of Internet investigations. They are likely to be both over-inclusive and under-inclusive at the same time – forcing service providers to store multiple terabytes of useless information while possibly missing the information that would be useful in a particular investigation. Retention of more data than is necessary to achieve law enforcement objectives could be counterproductive, drowning companies and investigators in irrelevant and potentially misleading information that will be very difficult to search or use.

Data retention laws create the danger of mission creep. Service providers themselves might be tempted to use the stored information for a range of currently unanticipated purposes. A data retention database could serve as a honey pot for trial lawyers in civil cases. Already, many requests that ISPs and other online service providers receive for customer information come not from the government but from private litigants in divorce cases, copyright enforcement actions, and commercial lawsuits.

Proceeding with data retention would require a full-scale re-examination of data privacy laws. The European Union has a data retention rule, but the EU also has detailed rules governing the privacy of electronic communications information in terms of both governmental access and corporate use and disclosure. The US does not have a privacy law that adequately protects the data that would be collected and retained. In particular, the Electronic Communications Privacy Act (ECPA) sets very low standards for governmental access to data and places no limits on the secondary use that ISPs can make of the non-content information they collect and maintain about their subscribers. Service providers can, unless they make a privacy promise to the contrary, disclose subscriber-identifying information for any purpose, except to a governmental entity, and government agencies can access the data without judicial approval. Mandating large-scale data retention would upset the balance in ECPA and would require a larger re-examination of how that law works.

-- Possible Alternatives to Data Retention Legislation

There are other, less burdensome but more effective measures that policymakers should consider:

• Allow the National Center for Missing and Exploited Children (NCMEC) to issue data preservation orders, or alternatively, require entities to retain information immediately upon making a referral to NCMEC under 42 USC §13032. (Currently, only government entities can issue data preservation orders under 18 USC §2703(f).) (Note that under current law, ISPs are permitted to disclose non-content information to NCMEC without any judicial process. See 18 USC §2702(c)(5).)

• Place a federal prosecutor with authority to issue subpoenas at NCMEC so that information can be obtained immediately after service providers make referrals. This would assist law enforcement in obtaining the information it needs without having to wait for referrals from NCMEC.

• Require companies to include IP address (and any available subscriber identifying information) in initial reports to NCMEC under Section 13032 to expedite and facilitate investigations.

• Increase resources for staffing and training of law enforcement and for necessary improvements to technical support and infrastructure.

-- Issues for Policymakers to Consider Before Mandating Data Retention

Developing and implementing data retention state-by-state would probably be unworkable. If Congress were to take up the issue, the following are some questions that would have to be addressed:

• What information should companies have to retain? Companies should not be forced to retain information that they don’t already generate and save (for some period of time) for business purposes. The entities to be covered and the type of information to be retained would have to be very precisely and narrowly defined. It seems there is no reason, for example, to retain any information other than IP addresses assigned to customers.

• What should be the standard for government access to the data? Transactional information related to Internet communications is currently available to the government with a subpoena or a National Security Letter, neither of which requires judicial approval. In the case of data retained for the benefit of the government, shouldn’t the statute require the government to obtain a court order under 18 USC 2703(d) before getting access to the data? While transactional information for phone calls is available with a subpoena, Internet records like IP addresses are much more revealing, especially since they can be combined with other information routinely stored by search engines and content providers.

• What obligations should ISPs have to maintain the integrity and security of the data?

• Should ISPs be precluded from using retained information for secondary purposes without first obtaining customer consent? Should ISPs be allowed to use the information for any secondary purpose? Under current law, ISPs are permitted to use their customers’ non-content information and to disclose it to “any person other than a governmental entity.” (18 USC §2702(c)(6)), meaning that ISPs could lawfully use or disclose any information retained pursuant to the data retention mandate to any non-governmental entity.

• Should legislation provide a statutory remedy — such as an exclusionary rule — to defendants whose electronic communications or records were obtained in violation of the statute? Similarly, should legislation impose penalties on those who make improper requests for or misuse data obtained under the mandate?

• Should a data retention mandate be coupled with a data destruction mandate? Should the government be required to delete information it obtains pursuant to the mandate, after such information is no longer needed for the investigation for which it was obtained?

• What types of Internet access providers will the statute cover? Will the coverage be limited to actual network providers (Earthlink, AOL, etc.)? Extending coverage to small access providers like libraries, coffee shops, hotels and other WiFi hotspots might add huge costs with little benefit.

• Will government access to the data be limited to certain investigatory purposes? Because the justification put forth so far has focused on child pornography, the government should not have access to the data for other purposes without express legislative authorization, except when emergencies involving immediate danger of death or serious physical injury to any person justify disclosure of the information. Furthermore, the government should be prohibited from using this information for data mining or other predictive purposes. The government should only get access to the information relevant to a particular, ongoing investigation.

• What kind of oversight is appropriate? Is a sunset provision appropriate? Lawmakers should receive periodic reports showing the number of requests made, the number and types of investigations in which the information was used, and the effectiveness of the data retention mandate in combating child porn.

• In order to ensure public confidence and government accountability and to deter abuse, should law enforcement be required to notify the persons whose information it obtains? Legislation could require after-the-fact notice, unless a senior law enforcement officer certifies that such notice would jeopardize an ongoing investigation.
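The Fair Information Practices in section II (collection limitation, retention limitation, use and disclosure limitation, accountability) and the contrast in section IV between a targeted 90-day preservation request and blanket retention both describe behaviour a service provider's record store can enforce mechanically. The following is an added example, not code from the paper or from CDT: a small Python store in which every purpose declares the fields it may keep, records expire on a per-purpose schedule, a preservation hold covers only the records a request names and only for a bounded period, and every operation is written to an audit list. The purposes, field sets, retention periods, the 90-day default hold, the dates and the IP addresses are all constructed for the example.

```python
"""Added example (not part of the CDT paper): a subscriber-record store that
enforces collection limitation, retention limitation, use limitation and
accountability, and models a targeted preservation hold instead of blanket
retention. All purposes, field sets, periods, dates and addresses are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Collection limitation: each declared purpose lists the only fields it may keep.
ALLOWED_FIELDS = {
    "abuse_investigation": {"ip", "assigned_at", "account_id"},
    "billing": {"account_id", "assigned_at"},
}
# Retention limitation: days a record may live unless a preservation hold applies.
RETENTION_DAYS = {"abuse_investigation": 30, "billing": 90}

Predicate = Callable[[Dict[str, str]], bool]


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    data: Dict[str, str]
    hold_until: Optional[datetime] = None


class MinimizingStore:
    def __init__(self) -> None:
        self.records: List[Record] = []
        self.audit: List[str] = []  # accountability: every operation leaves a trace

    def collect(self, purpose: str, now: datetime, **fields: str) -> Record:
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"no declared purpose: {purpose}")
        kept = {k: v for k, v in fields.items() if k in ALLOWED_FIELDS[purpose]}
        dropped = sorted(set(fields) - set(kept))  # never written to the store
        rec = Record(purpose, now, kept)
        self.records.append(rec)
        self.audit.append(f"collect purpose={purpose} kept={sorted(kept)} dropped={dropped}")
        return rec

    def access(self, requester: str, purpose: str, predicate: Predicate) -> List[Record]:
        # Use limitation: a record is served only for the purpose it was collected for.
        hits = [r for r in self.records if r.purpose == purpose and predicate(r.data)]
        self.audit.append(f"access by={requester} purpose={purpose} hits={len(hits)}")
        return hits

    def preserve(self, requester: str, now: datetime, predicate: Predicate, days: int = 90) -> int:
        # Targeted preservation: only records matching the request are held, for a bounded period.
        until = now + timedelta(days=days)
        held = 0
        for r in self.records:
            if predicate(r.data):
                r.hold_until = until if r.hold_until is None else max(r.hold_until, until)
                held += 1
        self.audit.append(f"preserve by={requester} days={days} held={held}")
        return held

    def purge(self, now: datetime) -> int:
        # Retention limitation: delete records past their purpose's period unless held.
        survivors: List[Record] = []
        purged = 0
        for r in self.records:
            expired = now > r.collected_at + timedelta(days=RETENTION_DAYS[r.purpose])
            held = r.hold_until is not None and now <= r.hold_until
            if expired and not held:
                purged += 1
            else:
                survivors.append(r)
        self.records = survivors
        self.audit.append(f"purge at={now.date()} purged={purged} remaining={len(survivors)}")
        return purged


def run_demo() -> Dict[str, object]:
    """Walk one constructed timeline and return the observable results."""
    t0 = datetime(2007, 7, 13, tzinfo=timezone.utc)  # constructed start date
    store = MinimizingStore()
    # Constructed IP-assignment records; the visited URL is outside every purpose's field set.
    first = store.collect("abuse_investigation", t0, ip="198.51.100.7",
                          assigned_at=t0.isoformat(), account_id="A1",
                          url="http://example.test/page")
    store.collect("billing", t0, account_id="A2", assigned_at=t0.isoformat(), ip="198.51.100.8")
    # A billing request cannot reach a record collected for abuse investigation.
    cross = store.access("billing-team", "billing", lambda d: d.get("account_id") == "A1")
    # A preservation request naming one address holds only the matching record.
    held = store.preserve("investigator", t0 + timedelta(days=10), lambda d: d.get("ip") == "198.51.100.7")
    purged_day45 = store.purge(t0 + timedelta(days=45))    # abuse record expired but held
    purged_day120 = store.purge(t0 + timedelta(days=120))  # hold lapsed on day 100, billing expired on day 90
    return {
        "stored_fields_first": sorted(first.data),
        "cross_purpose_hits": len(cross),
        "held": held,
        "purged_day45": purged_day45,
        "purged_day120": purged_day120,
        "remaining": len(store.records),
        "audit_entries": len(store.audit),
    }
```

Calling `run_demo()` shows the four properties at once: the URL never reaches the store, the billing request returns nothing from the abuse-investigation record, the hold keeps one record past its 30-day period, and the second purge removes both records once the hold and the billing period have lapsed, with six audit entries recording every step.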

V. Other Privacy Debates

Comprehensive Consumer Privacy Legislation: As indicated above, the US has no comprehensive privacy legislation. In 2006, key technology companies joined privacy advocates in calling for a comprehensive federal consumer privacy law. However, some businesses remain intensely opposed to privacy legislation. The states continue to serve as leaders and innovators on privacy protection.[3]

Updating the Federal Privacy Act and Comparable State Privacy Laws: The federal Privacy Act of 1974 applies to data held or used by the federal government. The federal Act is out of date. State laws may need updating too, in light of the ongoing evolution of technology. Reforms being considered this Congress include: requiring all federal agencies to notify individuals when their personal information has been lost or stolen; expanding the number, independence and authority of agency chief privacy officers; increasing the number of privacy audits at agencies; and creating rules for the use of commercial data by the government.[4] One privacy protection mechanism at the federal level that the states should consider adopting is the “Privacy Impact Assessment,” mandated by the federal e-Government Act of 2001. PIAs are a mechanism for identifying and addressing privacy issues in the design of information systems and data collection programs.

Spyware: By and large, spyware and other malicious online behavior is already illegal but some observers have noted that the penalties sought from spyware companies are small in comparison to the companies' profits. Congress should explore whether federal legislation allowing the FTC to seek higher penalties in its spyware cases would increase the effectiveness of prosecuting spyware purveyors. Giving the FTC the authority to seek civil damages, rather than merely disgorgement, may be one way for Congress to help forestall the spread of spyware. State Attorneys General and state consumer protection offices have a major role in addressing spyware and associated ills.[5]

Data Breach Legislation: States have led the way in requiring notification of consumers whose data is lost or stolen, so the consumers can take self-protective action. Congress is debating adoption of a federal breach notification law, but some businesses are trying to use the federal bills to preempt stronger state laws.

For further information: Jim Dempsey, jdempse@cdt.org, (202) 365-8026.

[3] CDT/CAP Report, “Protecting Consumers Online,” http://www.cdt.org/privacy/20060724consumer.pdf (July 2006).

[4] CDT Testimony, "Securing Electronic Personal Data," http://www.cdt.org/testimony/20050413dempsey.pdf (April 2005).

[5] As a resource for state officials, CDT has tracked federal and state level anti-spyware enforcement: "Spyware Enforcement," http://www.cdt.org/privacy/spyware/20060626spyware-enforcement.php (February 2007).
