“The Year in Privacy and Security”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
International Association of Privacy Professionals
October 30, 2003
Overview
• An overview of the year in privacy politics
• Private Sector
  • Spam, Do Not Call, HIPAA, Genetic, FCRA
• Public Sector
  • PIAs, TIA, CAPPS II
  • Patriot Act sunset looms
  • New research on FISA
• Conclusions

I. Private Sector Privacy
• Anti-intrusion privacy
• Secondary use
• States as drivers of change
• Administration not prominent in the debates

Anti-Intrusion: Spam
• High political interest in anti-spam laws
• Senate bill
• Wildly popular to “do something”
Anti-Spam Efforts
• Muris position
  • The problem is “bad actors”
  • Body part enlargement, drug of the month, and porn
• Congressional efforts
  • Largely would affect “corporate actors”
  • May be small % of UCE (unsolicited commercial e-mail)
  • But that’s what Congress can affect
• How to affect the “bad actors” is the puzzle
• Likely have continuing pressure to act
Anti-Intrusion: Do Not Call
• Political steamroller
• Developed by Muris & FTC
• Once popular, announced in Rose Garden ceremony
• 54 million have signed up
• Most popular “opt out” in history
• One reason: simple, clear opt out

Anti-Intrusion: Do Not Call
• Very popular politically
• District Court held Congress had not authorized the rule
  • Passed in both houses the next day
• Popularity may influence the 1st Amendment analysis of 10th Circuit
  • Phone company cases and transfers within a company or holding company
  • Here, Congress & President & 54 million want to protect the integrity of their homes
  • Judges have phones, too
Secondary Use: HIPAA
• HIPAA medical privacy rule in effect April, 2003
• Political non-event
  • Industry efforts to roll it back largely failed
  • Advocate efforts to tighten marketing, etc., have gotten no traction
• Next political moments will be about enforcement or lack of enforcement

Secondary Use: Genetic Data
• Senate passed genetic discrimination bill
  • Can’t use in employment and insurance
• Bill developing for 6 years
  • Part of Genome project
  • Lots of state laws
  • Clinton Executive Order
  • Proven gaps in ADA, HIPAA and other laws

Secondary Use: Genetic
• President Bush speech supporting a bill
  • No apparent political capital spent on it
• No action yet in House
• If it comes to a vote, very hard for politicians to vote in favor of genetic discrimination

Secondary Use: FCRA
• The high-stakes fight this year in Congress on privacy
• Risk to industry when there is a deadline, such as end of preemption in 2004
• Mostly, industry is winning
• But, the price is about 6 new rulemakings

Secondary Use: FCRA
• Strength of industry’s substantive arguments:
  • Credit system works well for most people
  • Is a national credit system
• ID theft as the engine for new regulations

ID Theft
• Mix of
  • Intrusion – my life suffers intrusion from the stranger – and
  • Secondary use – data holder uses and discloses key data to others
• Link to national ID debate
• Authentication a huge debate in coming years
• Expect more political pressure on ID theft, and debates about biometrics & IDs

Role of the States
• California law for notification on security breaches, now in effect
• California law for Internet privacy, requiring notice on commercial web sites
• California law on affiliate-sharing
  • Likely preempted by FCRA
• States as continuing source of ferment

Summary on Private Sector Privacy
• A lot happening even in a quiet year with no Administration leadership
• Intrusion impels political action
• Secondary use less powerful politically because individuals don’t see the problems
• Ongoing political instinct to “do something” on privacy
II. Government Sector Privacy
• Administration acts on privacy only in response to Congressional orders
• Congress says “Yuck!” to a number of Administration initiatives
• Patriot Act sunset as the current and future battleground

Congress Acts, Administration Reacts
• 2002, Dept. Homeland Security Act
  • Required Chief Privacy Officer in DHS
  • Said nothing in the law authorized a national ID card or system
• Administration accepted these, but had no pro-privacy provisions in its own draft bill

Congress Acts
• E-Government Act of 2002
  • Required privacy impact assessments (PIAs) for all new federal computer systems
  • Codified OMB guidance for privacy policies on federal web sites and limits on cookies
  • Pushed agencies to use privacy-enhancing technologies, including P3P

Administration Reacts: PIAs
• OMB guidance required by April, issued in September
• Tracks statute closely

PIAs
• One innovation
  • Privacy Act loophole if agency “pings” private database and doesn’t create “system of records”
  • Guidance says PIA needed “when agencies systematically incorporate into existing information systems databases of information in identifiable form [from] commercial or public sources”
  • Purchases of commercial products and services more likely to trigger PIA

Administration Reacts
• PIA guidance
  • Codifies 2000 guidance with strict limits on cookies and other tracking technology on agency web sites
  • New exception “for authorized law enforcement, national security and/or homeland security purposes”
  • No limits on the scope of the exception, so might apply to all federal web sites
  • Weak promise – no tracking, except we might track everywhere

“Yuck!”: TIPS and DHS
• TIPS – mail carrier or cable guy at your house calls 800 number at DOJ
• Popular reaction against a nation of informants
• Banned in Homeland Security Act, 2002

“Yuck!”: TIA
• Total (now Terrorist) Information Awareness program in Dept. Defense

“Yuck!”: TIA
• Jan. 2003: no funding to TIA unless there is a detailed report
• Report in May
• TIA banned by Congress in 2004 DOD Appropriations bill, except for military or foreign intelligence conducted wholly overseas or against wholly non-citizens
“Yuck!”: TIA & next steps
• Ironically, TIA had begun to fund pro-privacy measures
• Swire: consider % of funding for ELSI (ethical, legal and social implications) in new surveillance programs
• Transparency – TIA and possibility of Congressional oversight
• Now, the scary research likely to continue in new bureaus, but with less oversight and less pro-privacy research
“Yuck!”: CAPPS II
• Post 9/11 statute to require system to spot high risk of terrorists on airlines
• Computer Assisted Passenger Profiling System (CAPPS), second version
• 1st System of Records Notice
  • Administration wanted to get, use, & share lots of data
  • They didn’t “get” privacy, or calculated risk?
• Public outcry
  • Bill Scannell, dontspyon.us
  • Fear of “internal passport” and “your papers, please”

“Yuck!”: CAPPS II
• Congressional hearings & Loy promises
• 2nd System of Records Notice
  • Much more careful on privacy safeguards
• But already backsliding from Loy statements
  • Not only “foreign terrorists”; now also outstanding warrants (criminals), “domestic terrorists”, and maybe immigration

“Yuck!”: CAPPS II
• Congress says, in appropriations bill, no implementation of CAPPS II until GAO report shows lots of safeguards

Patriot Act Sunset
• Passed quickly in 2001
• FISA and some other provisions sunset end of 2005
• A trigger for broader re-examination
• Fights on oversight
  • Intense secrecy from DOJ
  • Sensenbrenner threat to hold Ashcroft in contempt of Congress
  • Somewhat more disclosure since
Patriot Act Sunset
• House – passed ban on “sneak and peek”
  • Perhaps a “yuck!” reaction
  • Seems unlikely to pass Senate
• Senate: 7 hearings this fall on Patriot Act
• On track for substantial debate leading up to 2005 sunset
Patriot Act Sunset
• DOJ defends the Patriot Act
• Ashcroft speaking tour
  • Library and other demonstrators
  • Stopped announcing speaking locations in advance
  • Said no library searches with new FISA powers
• DOJ web site to defend the act
  • Scathing CDT report this week
  • DOJ site defends the non-controversial parts
  • No response to the substantive critiques of the Patriot Act

FISA Case Study
• Send to pswire@mofo.com if you want a copy of the draft paper; final in January
• Summary of how we got here
• Big expansion of FISA in Patriot Act, etc.
• NY Times today
• Paths for reform
FISA: Up to 1978
• Domestic law enforcement: Title III wiretaps, neutral magistrate & strict rules
• “National security” surveillance: inherent power of President and AG, such as watching the Soviet spy
• Watergate and revelation of abuses
  • “The Lawless State”
  • Surveillance of Martin Luther King, political opponents, etc.

FISA: 1978
• Need probable cause that the target is a foreign power or “agent of a foreign power”
• “The purpose” must be foreign intelligence
• AG must sign
• Federal judge, on FISA court, must sign
• Never gets revealed to the target
• If used in a criminal case, in camera decision by federal judge on what gets turned over
FISA: Since 1978
• Number of FISA orders up
• Scope of “agent of foreign power”
  • From spies to terrorists
  • Cali cartel? Russian mafia?
• Patriot Section 215
  • Any records or tangible objects, including library records
  • Gag rule

FISA since 1978
• Patriot Act and “the wall”
• Before, using foreign intelligence for criminal cases was “legal but rare”
  • Prosecutors could not “direct or control” the use of FISA orders
• Patriot Act: OK if “a significant purpose” is foreign intelligence
  • “Direction and control” now OK by prosecutors
• Ashcroft says he will use this power aggressively

FISA as a Criminal Statute
• NY Times today: story on Edwin Wilson
  • CIA affidavit in 1980s that there was no contact with Wilson after he left the agency
  • His lawyer read the secret documents: over 40 contacts after he left, did work for CIA
  • Yesterday, judge overturned that conviction
• The risks of a secret criminal system, with no cross-examination or confrontation
• That is today’s FISA system, with much more use of secret evidence, with no cross-examination

Where next on FISA?
• Recognize the growth and fundamental change in focus of FISA system
• If FISA has become a criminal statute, consider more due process
• Sec. 215 has serious flaws for records
• Consider more oversight, less secrecy, and limits on expansion

Conclusion: Politics
• Lots of political activity again this year, even with deregulatory politics and focus on security
• The Libertarian wing of Republican Party:
  • Bob Barr, Dick Armey – think Waco, gun control, and big government
  • Inclined to laissez faire, but worry private sector databases are becoming surveillance agents for the government
• Do Not Call and the public pressure on visible privacy problems

Conclusions: Coordination?
• The “Yuck!” reactions have been to different agencies
  • TIPS was FEMA
  • TIA was Defense Dept.
  • CAPPS II and Homeland Security
  • Patriot Act mostly Justice Dept.
• A continuing lack of an Administration policy process for privacy
  • No public official except Nuala Kelly on privacy
• Administration has continuing exposure on this

Conclusion: Privacy & Security
• First, does the intrusive measure in fact improve security?
• Second, is the measure designed to improve security while also respecting privacy where possible?
• Third, have we built the new checks and balances appropriate to the new surveillance?

Finally ...
• For FISA we have torn down the old checks and balances, and not built new ones
• No Administration policy process to build security and privacy
• Up to Congress, the public, and the press to build that process
• Think of what you as privacy professionals can do to make that happen

Contact Information
• Professor Peter P. Swire
• web: www.peterswire.net
• phone: (240) 994-4142
• email: pswire@mofo.com