Security and Privacy After 9/11

“The Year in Privacy and Security”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
International Association of Privacy Professionals
October 30, 2003

Overview
An overview of the year in privacy politics
• Private Sector
  – Spam, Do Not Call, HIPAA, Genetic, FCRA
• Public Sector
  – PIAs, TIA, CAPPS II
  – Patriot Act sunset looms
• New research on FISA
• Conclusions

I. Private Sector Privacy
• Anti-intrusion privacy
• Secondary use
• States as drivers of change
• Administration not prominent in the debates

Anti-Intrusion: Spam
• High political interest in anti-spam laws
• Senate bill
• Wildly popular to “do something”

Anti-Spam Efforts
• Muris position
  – The problem is “bad actors”
  – Body part enlargement, drug of the month, and porn
• Congressional efforts
  – Largely would affect “corporate actors”
  – May be small % of UCE (unsolicited commercial e-mail)
  – But that’s what Congress can affect
• How to affect the “bad actors” is the puzzle
• Likely have continuing pressure to act

Anti-Intrusion: Do Not Call
• Political steamroller
• Developed by Muris & FTC
• Once popular, announced in Rose Garden ceremony
• 54 million have signed up
• Most popular “opt out” in history
  – One reason: simple, clear opt out

Anti-Intrusion: Do Not Call
• Very popular politically
• District Court held Congress had not authorized the rule
• Passed in both houses the next day
• Popularity may influence the 1st Amendment analysis of 10th Circuit
  – Phone company cases and transfers within a company or holding company
  – Here, Congress & President & 54 million want to protect the integrity of their homes
  – Judges have phones, too

Secondary Use: HIPAA
• HIPAA medical privacy rule in effect April, 2003
• Political non-event
  – Industry efforts to roll it back largely failed
  – Advocate efforts to tighten marketing, etc., have gotten no traction
  – Next political moments will be about enforcement or lack of enforcement

Secondary Use: Genetic Data
• Senate passed genetic discrimination bill
  – Can’t use in employment and insurance
• Bill developing for 6 years
  – Part of Genome project
  – Lots of state laws
  – Clinton Executive Order
  – Proven gaps in ADA, HIPAA and other laws

Secondary Use: Genetic
• President Bush speech supporting a bill
  – No apparent political capital spent on it
• No action yet in House
• If comes to a vote, very hard for politicians to vote in favor of genetic discrimination

Secondary Use: FCRA
• The high-stakes fight this year in Congress on privacy
• Risk to industry when have a deadline, such as end of preemption in 2004
• Mostly, industry is winning
• But, the price is about 6 new rulemakings

Secondary Use: FCRA
• Strength of industry’s substantive arguments:
  – Credit system works well for most people
  – Is a national credit system
• ID theft as the engine for new regulations

ID Theft
• Mix of
  – Intrusion – my life suffers intrusion from the stranger – and
  – Secondary use – data holder uses and discloses key data to others
• Link to national ID debate
  – Authentication a huge debate in coming years
• Expect more political pressure on ID theft, and debates about biometrics & IDs

Role of the States
• California law for notification on security breaches, now in effect
• California law for Internet privacy, requiring notice on commercial web sites
• California law on affiliate-sharing
  – Likely preempted by FCRA
• States as continuing source of ferment

Summary on Private Sector Privacy
• A lot happening even in a quiet year with no Administration leadership
• Intrusion impels political action
• Secondary use less powerful politically because individuals don’t see the problems
• Ongoing political instinct to “do something” on privacy

II. Government Sector Privacy
• Administration acts on privacy only in response to Congressional orders
• Congress says “Yuck!” to a number of Administration initiatives
• Patriot Act sunset as the current and future battleground

Congress Acts, Administration Reacts
• 2002, Dept. Homeland Security Act
  – Required Chief Privacy Officer in DHS
  – Said nothing in the law authorized a national ID card or system
  – Administration accepted these, but had no pro-privacy provisions in its own draft bill

Congress Acts
• E-Government Act of 2002
  – Required privacy impact assessments (PIAs) for all new federal computer systems
  – Codified OMB guidance for privacy policies on federal web sites and limits on cookies
  – Pushed agencies to use privacy-enhancing technologies, including P3P

Administration Reacts: PIAs
• OMB guidance required by April, issued in September
• Tracks statute closely

PIAs
• One innovation
  – Privacy Act loophole if agency “pings” private database and doesn’t create “system of records”
• Guidance says PIA needed “when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources”
• Purchases of commercial products and services more likely to trigger PIA

Administration Reacts
• PIA guidance
  – Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites
  – New exception “for authorized law enforcement, national security and/or homeland security purposes”
  – No limits on the scope of the exception, so might apply to all federal web sites
  – Weak promise – no tracking, except we might track everywhere

“Yuck!”: TIPS and DHS
• TIPS – mail carrier or cable guy at your house calls 800 number at DOJ
  – Popular reaction against a nation of informants
  – Banned in Homeland Security Act, 2002

“Yuck!”: TIA
• Total (now Terrorist) Information Awareness program in Dept. Defense

“Yuck!”: TIA
• Jan. 2003: no funding to TIA unless have detailed report
• Report in May
• TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens

“Yuck!”: TIA & next steps
• Ironically, TIA had begun to fund pro-privacy measures
  – Swire: consider % of funding for ELSI (ethical, legal and social implications) in new surveillance programs
• Transparency – TIA and possibility of Congressional oversight
• Now, the scary research likely to continue in new bureaus, but with less oversight and less pro-privacy research

“Yuck!”: CAPPS II
• Post 9/11 statute to require system to spot high risk of terrorists on airlines
• Computer Assisted Passenger Prescreening System (CAPPS), second version
• 1st System of Records Notice
  – Administration wanted to get, use, & share lots of data
  – They didn’t “get” privacy, or calculated risk?
• Public outcry
  – Bill Scannell, dontspyon.us
  – Fear of “internal passport” and “your papers, please”

“Yuck!”: CAPPS II
• Congressional hearings & Loy promises
• 2d System of Records Notice
  – Much more careful on privacy safeguards
  – But already backsliding from Loy statements
  – Not only “foreign terrorists”; now also outstanding warrants (criminals), “domestic terrorists”, and maybe immigration

“Yuck!”: CAPPS II
• Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards

Patriot Act Sunset
• Passed quickly in 2001
• FISA and some other provisions sunset end of 2005
  – A trigger for broader re-examination
• Fights on oversight
  – Intense secrecy from DOJ
  – Sensenbrenner threat to hold Ashcroft in contempt of Congress
  – Somewhat more disclosure since

Patriot Act Sunset
• House – passed ban on “sneak and peek”
  – Perhaps a “yuck!” reaction
  – Seems unlikely to pass Senate
• Senate 7 hearings this fall on Patriot Act
• On track for substantial debate leading up to 2005 sunset

Patriot Act Sunset
• DOJ defends the Patriot Act
  – Ashcroft speaking tour
    – Library and other demonstrators
    – Stopped announcing speaking locations in advance
    – Said no library searches with new FISA powers
• DOJ web site to defend the act
• Scathing CDT report this week
  – DOJ site defends the non-controversial parts
  – No response to the substantive critiques of the Patriot Act

FISA Case Study
• Send to pswire@mofo.com if you want copy of draft paper; final in January
• Summary of how we got here
• Big expansion of FISA in Patriot Act, etc.
• NY Times today
• Paths for reform

FISA: Up to 1978
• Domestic law enforcement: Title III wiretaps, neutral magistrate & strict rules
• “National security” surveillance: inherent power of President and AG, such as to watch the Soviet spy
• Watergate and revelation of abuses
  – “The Lawless State”
  – Surveillance of Martin Luther King, political opponents, etc.

FISA: 1978
• Need probable cause that the target is a foreign power or “agent of a foreign power”
• “The purpose” must be foreign intelligence
• AG must sign
• Federal judge, on FISA court, must sign
• Never gets revealed to the target
• If used in a criminal case, in camera decision by federal judge what gets turned over

FISA: Since 1978
• Number of FISA orders up
• Scope of “agent of foreign power”
  – From spies to terrorists
  – Cali cartel? Russian mafia?
• Patriot Section 215
  – Any records or tangible objects, including library records
  – Gag rule

FISA since 1978
• Patriot Act and “the wall”
  – Before, using foreign intelligence for criminal was “legal but rare”
  – Prosecutors could not “direct or control” the use of FISA orders
• Patriot Act: OK if “a significant purpose” is foreign intelligence
• “Direction and control” now OK by prosecutors
• Ashcroft says will use this power aggressively

FISA as a Criminal Statute
• NY Times today: story on Edwin Wilson
  – CIA affidavit in 1980s that no contact with Wilson after he left the agency
  – His lawyer read the secret documents, and over 40 contacts after he left, did work for CIA
  – Yesterday, judge overturned that conviction
• The risks of a secret criminal system, with no cross-examination or confrontation
• That is today’s FISA system, with much more use of secret evidence, with no cross-examination

Where next on FISA?
• Recognize the growth and fundamental change in focus of FISA system
• If FISA has become a criminal statute, consider more due process
• Sec. 215 has serious flaws for records
• Consider more oversight, less secrecy, and limits on expansion

Conclusion: Politics
• Lots of political activity again this year, even with deregulatory politics and focus on security
• The Libertarian wing of Republican Party:
  – Bob Barr, Dick Armey – think Waco, gun control, and big government
  – Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government
  – Do Not Call and the public pressure on visible privacy problems

Conclusions: Coordination?
• The “Yuck!” reactions have been to different agencies
  – TIPS was FEMA
  – TIA was Defense Dept.
  – CAPPS II and Homeland Security
  – Patriot Act mostly Justice Dept.
• A continuing lack of an Administration policy process for privacy
• No public official except Nuala Kelly on privacy
• Administration has continuing exposure on this

Conclusion: Privacy & Security
• First, does the intrusive measure in fact improve security?
• Second, is the measure designed to improve security while also respecting privacy where possible?
• Third, have we built the new checks and balances appropriate to the new surveillance?

Finally ...
• For FISA we have torn down the old checks and balances, and not built new ones
• No Administration policy process to build security and privacy
• Up to Congress, the public, and the press to build that process
• Think of what you as privacy professionals can do to make that happen

Contact Information
Professor Peter P. Swire
• web: www.peterswire.net
• phone: (240) 994-4142
• email: pswire@mofo.com