by Paul Rodriguez
Privacy is the most comprehensive of all rights and the one most cherished by a free people. So wrote Justice Louis Brandeis in 1928(1). Defending this right becomes all the more important in an era of constant technological advancement, where the means of monitoring individuals are proliferating rapidly in new and varied ways. As our lives become increasingly enmeshed with this technology, we must be aware of the ways in which our privacy is effected. It is no surprise, therefore, that issues of privacy have taken on a greater profile since the dawn of the Internet. As a community centered around the rights of individuals in relation to technology, the Free Software community is uniquely concerned with the issue of privacy.
This August, NYLXS had the pleasure of attending a conference at Princeton University, which focused on Privacy in the Aftermath of 9/11. Held by the ACLU-NJ and the NJ Bar Association,the conference brought together 20 professionals, who work in the field of privacy, for a panel discussion on the current political environment, recent legislation, and ramifications for privacy and liberty today.
The topic for the early part of the day was recent legislation. In particular, the discussion revolved around two of the most important recent laws, The Patriot Act, and the NJ Open Public Records Act.
The Patriot Act (H. R. 3162)(2) was signed into law on the 25th of October, 2001, as a response to the terrorist attacks in New York and Washington. The law relaxes regulations, expanding investigative powers of the state. The act has been among the most controversial pieces of legislation to follow the September 11 attacks and certainly has widespread political consequences. Critics of the act have maintained that by reducing judicial supervision, it significantly reduces protection from government abuse while falling short of providing increased security from future attacks. Speakers expressed concern at the conference for the deleterious effects the Patriot Act could have on our system of checks and balances. It was felt that by reducing judicial oversight, the law undermines the Judiciary in its traditional role of policing the Executive Branch. This has the potential to create a dangerous imbalance of powers that could have far reaching effects for civil liberties. The new law, therefore, significantly expands the powers of the executive branch and allows the government more freedom to conduct its affairs in secret. Overall, the Patriot Act was characterized as hastily written and not fully considered, especially in regard to providing adequate protection for privacy and civil rights.
The new law eases privacy restrictions for various forms of investigations, particularly Internet surveillance, and affords the government reductions in liability from harm. Under the new law, for example, one does not need to be the subject of a criminal investigation to be the target of surveillance. In order to conduct Internet surveillance on an individual, a warrant must be obtained from a judge with special training in Internet matters. Such warrants, however, are in practice, fairly trivial to obtain. More leeway is now given on notification of wiretapping, and the new law also eases restrictions on information sharing between the government and Internet service providers.
Scott Christie, of the NJ Division of Criminal Justice, informed us of the current state of police Internet surveillance. He described law enforcement as being essentially self-policing and without oversight in these matters. Law enforcement officers, said Christie, are motivated and kept in check by a sense of personal decency and public obligation.
J.C. Sayler, of the ACLU, compared the current state of Internet privacy to high speed car chases. The analogy refers to the danger to the public interest when potentially criminal information is pursued recklessly. We are in a very similar situation now with Internet privacy, he says, as we were in the early days of automobile pursuits, before the overall dangers had been fully recognized. Even today, he reminds us, understanding the dangers involved with such chases, and a great deal of regulation exists regarding them, law enforcement officers remain immune from liability for personal or property damage.
NJ Open Public Records Act
On January 8, 2002, NJ passed a law reforming access to its public records.(3) New Jersey formerly had one of the most restrictive policies regarding government records. The new law is designed to significantly facilitate public access and civil involvement in government. The question was posed to the panel whether open access to government records would help maintain privacy, or endanger it.
William Kearns, of Vasallo, Guest & Kearns, took the possition that commercial interests were a greater threat to privacy than government. He felt that there was potential for corporate misuse of the information, particularly if available in digital form. While recognizing his concerns, a member of the ACLU from the audience responded that the greatest threat to privacy is government in secret. She asserted that maintaining open public records [was] our best safeguard of individual privacy. Joe Tyrell, from the NJ Foundation for Open Government, agreed with this sentiment, and warned of the danger of distorting ideas when discussing privacy. He cited as an example, that as 1200 Arab-Americans were secretly detained for several months in the aftermath of September 11th, government officials claimed to be protecting privacy, by refusing to release the names and countries of origin of these individuals to lawyers wishing to represent them.
Bruce Solomon, Custodian of Records for the Attorney General, concurred with Mr. Kearns, that the government has an obligation to ensure the privacy of its citizens. This is particularly the case when individuals, with a reasonable expectation of privacy, have entrusted personal information to the government. He expressed appreciation for the delicate issues involved, and understood that there is a fine line between protecting private information and government secrecy. He likened personal information to a scrambled egg. Just as an egg cannot be unscrambled, private information cannot be resealed after being released. Mr. Solomon assured those present that any limitation to right to information shall be construed in favor of the public.
The latter part of the afternoon was dedicated exclusively to Internet privacy and technology, including Biometrics.
Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (www.epic.org), began by posing the question as to whether surveillance cameras truly offered a security blanket. He cited statistics which called this assumption into question. In England, for example, where video surveillance has been in use much more extensively than in the U.S., with nearly two million cameras currently in operation, crime has actually increased since the implementation of the surveillance. While he does not attempt to make a correlation between increased crime and video surveillance, he does feel that this is a clear indication that it is not an effective deterrent against crime.
Mr. Rotenberg urged us to consider the matter of public surveillance with a measure of caution. We need to maintain a matter of perspective. With regard to the recent terrorist attacks, for example, we need to first assess what happened and then determine what measures can be implemented prevent another attack. He found it very hard to justify a surveillance network (that is currently being proposed and tested nationwide), to watch and surveille individuals who have not been accussed of or are under suspicion of anything. If, under further analasys, the surveillance network, and a national ID system, cannot be justified as a reasonable deterrent against terror, what then is it's purpose? Mr. Rotenberg feels that it can only be described as a form of social and political control.
Central to the issue of the legality of electronic surveillance is whether or not the individual has a reasonable expectation of privacy in any given situation. This was originally made explicit in Katz v. U.S (1967). However, the issue becomes increasingly more complex the more forms of electronic surveillance exist. Mr. Rotenberg poses the question to us: if technology makes it possible to capture everything that is said, what then can be the expectation of privacy in those circumstances? If a man walks down the street with his family, for example, and leans over to whisper to his wife out of earshot of his children, does he have a reasonable expectation of privacy? And if officers on an rooftop opposite him capture the conversation? Would the man's legal standing change if there was a public statement made explaining that it was possible for what they said, even in a whisper to be captured? Mr. Rotenberg doubted whether such a statement would change the man's legal standing. After all, a person's reasonable expectation of privacy really comes down to community standards. It is through precedent that we establish what our community standards of privacy are. In such a situation, what is the basis of expectation of privacy? Is it what is technically feasable? What has been disclosed to the public? Or is it the constitution?
Mr. Rotenberg as Executive Director of EPIC, runs a program entitled Observing Surveillance (http://www.observingsurveillance.org/) . This program seeks to increase public awareness of video surveillance in America, particularly in our nation's capitol. He feels that it is improper for police to collect images sereptitiously of individuals who are engaged in peaceful activity. Observing Surveillance calls attention to the surveillance cameras in Washington, D.C. In the hopes of animate the public to defend their rights. EPIC is proposing that we construct a new statute which regulates video surveillance as a type of technologically advanced surveillance, and that it be regulated as such. He also believes that additional legal obligations should follow from hightened surveillance. He again posed the question as to whether such cameras can hope to prevent terrorist attacks. The answer he feels is obvious. No. Do cameras make us feel safer? Perhaps. He sited statistics in the UK, where there are currently nearly two million cameras, and crime has increased. What then is the motivation for such cameras? Perhaps to prevent petty crime and as a form of social control. Sites the case of the Super Bowl. Originally for terrorists, matched 19 ticket scalpers (how did they get in the system) all of which were mismatches and officers could not reach them before they disappeared into the crowd. This was later tried once again in Tampa, FL with disastrous results. It was supposed to be a 9 month test program. After a series of continuous false matches, the program was quickly discontinued after less than 2 months with not one accurate match.
Andrew Appel, Professor of Computer Science, spoke about the privacy from the perspective of an individual using the Internet. The first thing he discussed was the use of encryption software to communicate online. He drew connections between the system of paper mail we have in this country and e-mail. He likened unencryoted email to sending mail without an envelope. That envelope, while not being fool-proof, provided an expectation of privacy. The only problem so far with putting envelopes on your email has been the inconvenience and public laziness. He made sure to point out that the only system of encryption which was at all valid would be using open source software. He says that we can basically take this is a given and starting point for discussion. He also brought up the issue of whether Source Code could be considered speech or not, but drew very little conclusions as he felt that it was outside of his role to be able to judge. He also brought up a recent News report in which the FBI considered using viruses as a form of surveillance. He felt that is was reasonable for Interent users to expect the same level of anonymity on the internet as they enjoy in real life. Namely, that they can read anonymously over the Internet as they would in a library, and that they could purchase a book anonymously as they could with cash in a bookstore. Also, he felt it was reasonable for us to be able to expect to speak anonymously over the Internet, and engage in commercial activity. He did discuss that much Internet monitoring also is done by private companies. For example, he mentioned that it was not the government that monitors transactions under $10,000 on the Internet, but rather commercial corporations. They are pressuring the transfer of commercial information in order to discriminate prices.
Abby Notterman from the Internet Crimes Group (an Internet investigative, consulting, and forensic services organization) discussed how much more information is collected for any one thing than is actually required for the stated purpose. She said that records should be held stating why, what, and by whom information was recorded, with strict enforcement and real penalties for those who violate them. Such systems also need to be used overtly. She had a diagram of better and worse uses of biometric data:
overt use covert use
fixed duration indefinite duration
Personal Storage Verification Template Databse Identification
Barry Steinhardt, Associate Director of the ACLU clarified the ACLU's possition on the use of biometric. He pointed out that the ACLU and civil libertarians in general are not necessarily opposed to the use of biometric technology, but to recognize that because of the potential for misuse, it must be used responsibly under certain conditions.
ACLU's fair information Principles
3.Limitations on Secondary Use
4.Access And Right to Correct
Breeder documents: not reliable, contain too much information and a very lucrative black market. Story of 2 birth certificates
1)Your personal information should never be collected or given out without your knowledge and permission.
2) Organizations must let you know why they're collecting your info; and they can't use it for reasons other than the one you gave permission for (unless they get a new permission from you.)
3)They must ensure the privacy of the personal info they collect or maintain on you, retaining only what is necessary info, and only for as long as it's needed.
4)You should have the right to examine, copy, and correct your own personal information.
5)There must be no national ID system -- either in law or in practice.
6)Unrelated data bases must be kept strictly separate so info can't be cross-referenced.
7)Personal "biometric" data -- your fingerprints, DNA, retina/iris scans, etc. -- must not be involuntarily captured or used (except for fingerprinting criminals.)
8)The government must not prohibit or interfere with the development of technologies that preserve anonymity (such as encryption).
9)These principles should be enforceable by law. And no service, benefit or transaction should be conditioned on your waiving your privacy rights. Produced by the American Civil Liberties Union.
Mr. Steinhardt went on to state that when considering the use of any new for of technology, there are some basic questions that need to be asked first:
1)Does the technology work? (in the case of current biometric technologies, the answer would be no.)
2)Will use of the technology have the desired stated results? Only after the first two criteria are met can we begin to deal with the subsequent issues, such as:
3)What are the legal, ethical, moral ramifications of using such technology?
A proposed a set of criteria we should use when considering questions of new forms of surveillance and security measues.
(1)Justice Brandeis wrote a vigorous dissent in the case of Olmstead v. U.S. 277 U.S. 438 (1928) which upheld the right of Elliot Ness and his untouchables to wiretap the telephone lines of bootleggers as long as it was done at a point between the defendant's homes and their offices. Let's take a look at some of the passages (paraphrased) in this famous dissent:
"The makers of our Constitution understood the need to secure conditions favorable to the pursuit of happiness, and the protections guaranteed by this are much broader in scope, and include the right to life and an inviolate personality -- the right to be left alone -- the most comprehensive of rights and the right most valued by civilized men. The principle underlying the Fourth and Fifth Amendments is protection against invasions of the sanctities of a man's home and privacies of life. This is a recognition of the significance of man's spiritual nature, his feelings, and his intellect. Every violation of the right to privacy must be deemed a violation of the Fourth Amendment. Now, as time works, subtler and more far-reaching means of invading privacy will become available to the government. The progress of science in furnishing the government with the means of espionage is not likely to stop with wiretapping. Advances in the psychic and related sciences may bring means of exploring beliefs, thoughts and emotions. It does not matter if the target of government intrusion is a confirmed criminal. If the government becomes a lawbreaker, it breeds contempt for law. It is also immaterial where the physical connection of the wiretap takes place. No federal official is authorized to commit a crime on behalf of the government." (Justices HOLMES and STONE also dissenting, agreeing with Justice BRANDEIS)
O'Connor, T. 2002. The Right of Privacy http://faculty.ncwc.edu/toconnor/325/325lect04.htm Last Updated: 02/12/01
Full text of Olmstead v. U.S. 277 U.S. 438 available at:
(2)Full Text of the Patriot Act:
http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011025_hr3162_usa_patriot_bill.html and http://www.epic.org/privacy/terrorism/hr3162.html
EFF Analysis of Patriot Act: http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html
ACLU analysis of Patriot Act: http://www.aclu.org/congress/l110101a.html
It may be worth noting that I was unable to find any careful analysis of the Patriot Act that was at all positive.
(3)NJ Open Public Records Act P.L. 2001, c. 404 http://www.njleg.state.nj.us/2000/Bills/PL01/404_.HTM
(4)Digital availability of data, felt Kearns, facilitates aggregating personal information held in separate documents into one database, creating a profile of individuals from the data. To illustrate his point, Mr. Kearns offered as an example the hypothetical case of a burglar able to conduct a cross-referenced search of electrical permits, senior citizen tax exemption requests, dog-licenses, and a list of city residents, to come up with a list of households likely to contain elderly individuals, who have neither a dog nor a burglar alarm.
(5)Joe Tyrell, from the NJ Foundation for Open Government, agreed with this sentiment. He cited what he reffered to as a common rationalle law enforcement agencies government information on individuals (most often that acquired by law enforcement agencies) are often kept secret with the excuse that it may contain incomplete, misleading, and/or patently false information. Mr. Tyrell described the importance of having access to those records if they do, in fact, contain incorrect information. It is an individual's right to be able to review and correct those records as necessary. EPIC http://www.epic.org
Observing Surveillance http://www.observingsurveillance.org/
The URL of the conference itself: http://www.wws.princeton.edu/~privacy/