Privacy rights advocates identify a series of principles entitled the "fair information practices" as the foundation of personal privacy on the Internet. These principles include: appropriate notice on when such information is being gathered; consent as to its use; access to one's own personal information held by others when that information was provided with a reasonable expectation of privacy to others; and the security of this information online. Fair information practices also include limitations on the use and disclosure of such information and the opportunity to obtain redress when this particular information is improperly or incorrectly used or disclosed. Consent under the fair information practices is based around the idea of "opt-in," where Web surfers must give affirmative consent to have their information tracked, stored, used and/or disclosed by the web site operator, rather than "opt-out," which allows the operators to collect and use the data without user consent but mandates that the user be able to disallow such activity if he or she so chooses.
A recent FTC report found that only 20% of the busiest sites on the World Wide Web implement all four fair information practices in their privacy disclosures. Industry proponents often argue self-regulation will speed the implementation of the fair information principles, but self-regulation is falling short of giving consumers ample privacy protection. In 1999, an industry-commissioned study of the 100 most heavily-traveled websites showed 99 collect information about Internet users but only 22 comply with all four of the core privacy principles of notice, choice, access, and security.
Another frequent concern is the prevalence of cookies, or small bits of information stored on a browser, to secretly track the movements of individual web users. Most cookies are deposited on an individual's browser without his or her knowledge, and while it is possible to "opt-out," few users are aware of this or know how to do so. Direct marketers have a financial interest in obtaining an individual's personal information, because targeted advertisements receive more hits than static ads, and produce greater profits. Advertisers state that consumers' privacy is not being violated because they are not personally identified, and consumers enjoy the increased convenience that targeted advertising provides. Existing regulations, targeted at protecting personal information, can be applied to limit the use and application of cookies, but current cookie usage violates such norms.
Representative Gene Green (D-TX) has sponsored the Consumer Online Privacy and Disclosure Act (H.R. 347), which prohibits any website or Internet service provider (ISP) from correlating IP address information with personal information (absent a pre-existing business relationship); allowing a third party to attach a persistent "cookie" as a means of developing a personal profile on an individual, without allowing the individual to opt-out of such attachment; or selling transactional information as a means to satisfy creditors. The Consumer Internet Privacy Enhancement Act (H.R. 237), sponsored by Representative Anna Eshoo (D-CA), declares it unlawful for a commercial website operator to collect personally identifiable information online from a website user unless the operator provides both notice and opportunity for such user to limit its use and disclosure. Both Green's and Eshoo's bills embrace the opt-out approach, rather than the stricter and more protective opt-in approach.
Senator Fred Thompson (R-TN) is the sponsor of the Citizens' Privacy Commission Act of 2001 (S. 851), which would establish a commission to conduct a study of government privacy practices. The bill has been referred to the Senate Governmental Affairs Committee. Last Congress, legislation to set up a privacy commission did not pass, with the feeling among some that a commission would only delay the process of addressing privacy issues in Congress.
Last Congress, Senator Ernest Hollings (D-SC), the new chairman of the Senate Commerce Committee, introduced a comprehensive bill that utilized the fair information practices and "opt-in" approach for protecting consumer privacy online. He is expected to reintroduce such a bill. Former Commerce Committee chairman John McCain (R-AZ) is expected to reintroduce more modest opt-out Internet privacy legislation later this fall.
Social Security Numbers and National ID Cards
Today, the United States federal government uses the Social Security number as the taxpayer identification number, Medicare number, and soldier's serial number. Many states also use the numbers as identification for drivers' licenses; financial institutions use Social Security numbers to establish personal identification for credit, and they are requested by telephone companies and even video stores. Though intended as simply a tool for the Social Security Administration to track personal earnings, the Social Security number has become a de facto national identifier. When a person's Social Security number is in the wrong hands, that individual can be extremely vulnerable to having their whereabouts tracked and identity stolen. The Social Security Administration recently reported it had received more than 30,000 complaints regarding misuse of Social Security numbers last year, most of which had to do with identity theft (up from 11,000 complaints in 1998). In total, Treasury Department officials estimate that identity theft causes between $2 and $3 billion in losses each year from credit cards alone. In one truly tragic case, Amy Boyer, a twenty-year-old New Hampshire resident, was killed by a man who had tracked her down through the online data service Docusearch.com.
Around the world, one hundred countries have official, compulsory, national IDs that are used for a variety of purposes, including Germany, France, Belgium, Greece, Portugal and Spain. Privacy advocates feel a national database and ID system raises grave concerns about invasions of privacy and personal freedom, especially when such a database of information would need continual updating. The linkage of government databases with corporate databases increases the likelihood that intimate personal information... credit histories, unlisted telephone numbers, voting, medical and employment histories... could be easily accessed without a person's knowledge. A national ID card would create a new tool for government surveillance and targeting of dissenters, as has happened periodically throughout our nation's history.
Senator Dianne Feinstein (D-CA) has introduced the Social Security Number Misuse Prevention Act of 2001 (S. 848), which would prohibit the display, sale, or purchase of social security numbers, with certain exceptions. The purview of the legislation includes: the use of social security numbers on checks issued for payment by governmental agencies; appearance of such numbers on driver's licenses or motor vehicle registration; and inmate access to social security account numbers. It would also, in most instances, prohibit a commercial entity from requiring an individual to provide a social security number when purchasing a commercial good or service or denying an individual the good or service for refusing to provide that number, with exceptions.
Senator Richard Shelby (R-AL) introduced the Social Security Number Privacy Act of 2001 (S. 324), which would prohibit financial institutions from selling or purchasing Social Security numbers or Social Security account numbers in violation of regulations to be issued by the U.S. government on the issue. This would amend the Gramm-Leach-Bliley Act, which mandated that financial institutions send out privacy notices to their customers by July 1, 2001 and offer them the ability to "opt-out" of having their personal information disclosed to third parties.
Senator Jim Bunning (R-KY) and Representative Clay Shaw, Jr. (R-FL) have introduced the Social Security Number Privacy and Identity Theft Prevention Act of 2001 (S. 1014/H.R. 2036). This bill would specify restrictions on the sale and public display of social security account numbers (SSNs) by federal, state, and local governments and bankruptcy case trustees; prohibit the display of SSNs on checks issued for payment by such governments, or on driver's licenses or motor vehicle registrations issued by a State or local government; prohibit the federal, state, or local government display of SSNs (or any derivatives) on employee identification cards or tags (IDs); prohibit access to the SSNs of other individuals by prisoners employed by federal, State, or local governments; and require states to require independent verification of birth records provided in support of applications for SSNs. The bill further provides that any person who refuses to do business with an individual because the individual will not consent to that person's receipt of his or her SSN shall be considered to have committed an unfair or deceptive act or practice in violation of the Federal Trade Commission Act, except in certain cases required under Federal law.
On July 11, 2000, the first reports of a new Federal Bureau of Investigation (FBI) surveillance tool called Carnivore surfaced in the national media. The Carnivore system is reportedly installed at the Internet Service Provider and can retrieve network traffic such as e-mail messages or Web page requests. The Internet wiretap technology is a modified version of a common piece of software known as a "packet sniffer" that is used by Internet service providers to maintain their networks. The system initially taps substantial portions of traffic coming through an Internet service provider's networks in search of data from the target of the investigation.
Opponents of the system say law enforcement officials should be required to get the same kind of court order to use Carnivore as is required for full telephone wiretaps. The F.B.I. argues that it should be able to use the system under the relatively loose rules governing technologies that gather phone numbers dialed by suspects and the numbers of people calling them. In early June, House Majority Leader Dick Armey (R-TX), who has spoken out against the use of Carnivore, wrote to Attorney General John Ashcroft: "I respectfully ask that you consider the serious constitutional questions Carnivore has raised and respond with how you intend to address them." Ashcroft has promised to look into the matter.
Medical Records Privacy
People are particularly troubled by the notion that their personal medical information is treated as a commodity. The increased sharing of identified information between medical practitioners, pharmaceutical companies, insurance entities and employers has made patients wary of losing their personal privacy. This information is routinely disclosed to third parties without patients' consent, and in some instances, patients' most intimate health histories are being exploited for advertising and profit.
Internet sites that offer information about certain diseases have in some cases solicited data from cyber-visitors and then, without their consent, sold that information to companies marketing drugs or therapies. An Internet user's visits to AIDS, diabetes or other sensitive health-related websites can be revealed to prospective employers willing to pay a fee for such information. In February of 2000, a California Health Care Foundation study concluded that "19 of the top 21 health sites had privacy policies but . . . most failed to live up to promises not to share information with third parties. . . [N]one of the sites followed guidelines recommended by the Federal Trade Commission on collection and use of personal data."
Fears over how medical records and genetic information will be used (or misused) have also affected the willingness of individuals to seek medical treatment and to share important personal information with their physicians. In genetic testing studies at the National Institutes of Health, 32% of eligible people who were offered a genetic test for breast cancer declined to take it because of concerns about loss of privacy and the potential for discrimination in health insurance. Documented cases of employer and insurance discrimination have given credence to these concerns. During the late 1990s, a study conducted by Northwestern National Life Insurance found that, by the year 2000, 15 percent of employers planned to check the genetic status of prospective employees and dependents before making employment offers. In a case that was recently settled, the EEOC sued the Burlington Northern Santa Fe Railroad for genetic discrimination. Workers filing disability claims related to carpal tunnel syndrome were being tested without their knowledge or consent for an extremely rare genetic condition that may predispose some individuals to the disorder. The company evidently hoped to avoid paying disability claims for any workers found to have the gene.
Under the terms of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services (HHS) issued Regulations Protecting the Privacy of Patients' Health Information. The final rules were announced on December 20, 2000. Among the provisions, patients were given new federal rights to access and request corrections of their patient records, and to receive a list of disclosures that have been made for purposes unrelated to treatment and payment. The rules also stipulated criminal and civil penalties for intentional misuse of patient information, but did not create a right for patients to sue; and extended coverage to personal medical records in all forms, including paper and oral communications.
The regulations, which were promulgated after HHS received 52,000 public comments during the rulemaking process, have provoked disparate reactions. Supporters of the new regulations argue that providing an adequate level of privacy protection will encourage patients to be more forthcoming about their conditions and thus facilitate medical treatment and research. Privacy advocates generally were supportive of the regulations but pointed out that patient consent for release of information to third parties is built around the "opt-out" approach, rather than "opt-in," and patients would only be allowed to opt-out after they've already been contacted once by advertisers or marketers. The regulations allow law enforcement officials to gain access to patients' medical records without a warrant. Health care providers and trade associations, on the other hand, urged the Bush administration to weaken, delay, or even withdraw the implementation of the regulations, arguing they would have imposed "onerous and costly" requirements including the re-training of employees, the purchase of new systems designed to comply with the privacy protections, and the hiring of privacy officers charged with the duty of ensuring compliance.
After a 30-day comment period on the final rule, President Bush and HHS Secretary Tommy Thompson decided to allow the rule to take effect on April 14, 2001, as scheduled, and make appropriate changes in the next year to clarify the requirements.
The Genetic Nondiscrimination in Health Insurance and Employment Act (S. 318/H.R. 602), sponsored by Senators Tom Daschle (D-SD), Edward Kennedy (D-MA), Christopher Dodd (D-CT) and Tom Harkin (D-IA), and Representatives Louise Slaughter (D-NY) and Connie Morella (R-MD), would prohibit employers, employment agencies, labor organizations and training programs from using predictive genetic information, genetic testing or genetic services to discriminate in their hiring, compensation or promotion practices. The bill would also ban health plans and insurers from restricting enrollment or premium adjustment on the basis of genetic information, and from requesting or requiring that an individual take a genetic test or reveal the results of genetic tests. This Congress, the bill has attracted widespread bipartisan support in the House (252 co-sponsors). In the Senate, the bill has attracted only 23 co-sponsors thus far, but the bill's chances of coming to the floor look enhanced due to the Democrats taking over the majority.
The Privacy Coalition
On February 12, the newly formed Privacy Coalition presented a Privacy Pledge as the standard for future protection of privacy. The pledge advocates the adoption of a legal framework based on full fair information practices. Nearly 30 organizations, representing a wide spectrum of constituencies and ideologies, have joined the Privacy Coalition. These include the American Library Association, American Civil Liberties Union, Consumers Union, Eagle Forum, Electronic Privacy Information Center, United Automobile, Aerospace and Agricultural Implement Workers of America, National Rifle Association, American Conservative Union, Traditional Values Coalition, and U.S. Public Interest Research Group. Freshman Senator Ben Nelson (D-FL) is the first member of Congress to formally sign the Privacy Pledge. The Commission on Social Action of Reform Judaism is a member of the Privacy Coalition.