Religious Action Center of Reform Judaism

Privacy


Background

In 1890, in the Harvard Law Review, future Supreme Court Justice Louis Brandeis termed the right of privacy "the most comprehensive of rights and the right most valued by civilized men." Indeed, privacy is a fundamental American value that is recognized in our laws, business practices, professional obligations, electoral process, customs and traditions. The Fourth Amendment is the most recognizable guarantor of this indispensable freedom, stating that, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." Over the years, court rulings have established a broader right to personal privacy (not dependent on property rights), and in Katz v. U.S. (1967), the U.S. Supreme Court recognized that under the U.S. Constitution individuals have a "reasonable expectation of privacy" against which violations of privacy rights could be measured. In the wake of the excesses of the McCarthy Era and the FBI's use of wiretaps to intrude into the lives of people such as Dr. Martin Luther King, Jr., laws that further protect personal privacy in a number of areas have been enacted.

Now, a new type of privacy debate is upon us. The explosion of the World Wide Web and the development and use of electronic data processing, advanced forms of networking, and data access for corporations and other institutions have facilitated increased levels of communication across the globe. Moreover, the computerization of patient medical records has brought the health care system to new levels of efficiency, provided for faster transmission of patient information between doctors and facilitated more effective research by universities and drug companies into the risks and benefits of competing therapies and medications. In addition, the increased significance of medical technology and testing has provided new clues about our genetic makeup and new hopes for bringing about cures to our most devastating health epidemics.

Yet these same technological forces pose serious threats to our personal privacy. Our personal and business information is flowing through an ever-expanding number of computer networks in formats that allow data to be linked, transferred, shared and sold too often without our knowledge or consent. The opportunities for an individual to secure employment, insurance, and credit, to obtain medical care and to participate in electronic commerce are endangered by the misuse of personal information. "Cookies," or bits of information from an outside source stored on one's computer, are now commonly used to track user surfing habits, often without the individual's consent. While these technologies help expedite Web browsing, they are also used to construct invasive and often incomplete and inaccurate profiles of individuals, which are then sold to third parties for solicitation and other undesirable purposes.

Concern arose over two recent examples of governmental intrusion into privacy: the use of biometric face recognition technology to scan the tens of thousands of spectators at the 2001 Super Bowl in Tampa Bay, and the FBI's utilization of the Carnivore program to surreptitiously monitor individual email communications. In June 2001, in Kyllo v. United States, the Supreme Court ruled the use of heat sensors to monitor activity in people's homes is unconstitutional according to the Fourth Amendment. The rise in identity theft and the persistent refusal of companies (and the U.S. government) to abide by self-imposed privacy policies has further exacerbated concern.

It is hardly surprising that polls demonstrate the intrusion of new technologies into our personal privacy is one of Americans' top concerns as we enter the 21st century. The most recent Federal Trade Commission survey confirms that 92% of Americans are concerned about misuse of their personal information on the Internet. In September 1999, the Wall Street Journal reported that Americans' top concern as we enter the 21st century was the fear of a loss of personal privacy. This apprehension also translates into lost online sales with estimates ranging from $2.8 billion (Forrester Research) in 1999 to $18 billion in 2002.

Glossary of Terms

Aggregate: formed by the collection of units or particles into a body, mass, or amount. In terms of privacy, refers to information of many individuals, anonymized and categorized.

Confidentiality: the legal duty of individuals who come into the possession of information about others, especially in the course of particular kinds of relationships with them, to keep private that information.

Cookie: bits of information that can be used to track a user's progress through the web, with or without their knowledge.

Data Surveillance: the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons.

Information Privacy: the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves.

Opt-Out: the ability for an individual to actively remove themselves from a process or list, such as a marketing database.

Profiling: a technique whereby a set of characteristics of a particular class of person is inferred from past experience, and data-holdings are then searched for individuals with a close fit to that set of characteristics.

Reasonable expectation of privacy: the amount of protection from monitoring or observation that a normal individual would expect to have. For example, individuals in their bedroom at home would have a reasonable expectation of privacy that was rather high, in comparison to an individual on a public street or at work.

Surveillance: the systematic investigation or monitoring of the actions or communications of one or more persons.


Issues and Legislation

Internet Privacy

Privacy rights advocates identify a series of principles entitled the "fair information practices" as the foundation of personal privacy on the Internet. These principles include: appropriate notice on when such information is being gathered; consent as to its use; access to one's own personal information held by others when that information was provided with a reasonable expectation of privacy to others; and the security of this information online. Fair information practices also include limitations on the use and disclosure of such information and the opportunity to obtain redress when this particular information is improperly or incorrectly used or disclosed. Consent under the fair information practices is based around the idea of "opt-in," where Web surfers must give affirmative consent to have their information tracked, stored, used and/or disclosed by the web site operator, rather than "opt-out," which allows the operators to collect and use the data without user consent but mandates that the user be able to disallow such activity if he or she so chooses.

A recent FTC report found that only 20% of the busiest sites on the World Wide Web implement all four fair information practices in their privacy disclosures. Industry proponents often argue self-regulation will speed the implementation of the fair information principles, but self-regulation is falling short of giving consumers ample privacy protection. In 1999, an industry-commissioned study of the 100 most heavily-traveled websites showed 99 collect information about Internet users but only 22 comply with all four of the core privacy principles of notice, choice, access, and security.

Another frequent concern is the prevalence of cookies, or small bits of information stored on a browser, to secretly track the movements of individual web users. Most cookies are deposited on an individual's browser without his or her knowledge, and while it is possible to "opt-out," few users are aware of this or know how to do so. Direct marketers have a financial interest in obtaining an individual's personal information, because targeted advertisements receive more hits than static ads, and produce greater profits. Advertisers state that consumers' privacy is not being violated because they are not personally identified, and consumers enjoy the increased convenience that targeted advertising provides. Existing regulations, targeted at protecting personal information, can be applied to limit the use and application of cookies, but current cookie usage violates such norms.

Representative Gene Green (D-TX) has sponsored the Consumer Online Privacy and Disclosure Act (H.R. 347), which prohibits any website or Internet service provider (ISP) from correlating IP address information with personal information (absent a pre-existing business relationship); allowing a third party to attach a persistent "cookie" as a means of developing a personal profile on an individual, without allowing the individual to opt-out of such attachment; or selling transactional information as a means to satisfy creditors. The Consumer Internet Privacy Enhancement Act (H.R. 237), sponsored by Representative Anna Eshoo (D-CA), declares it unlawful for a commercial website operator to collect personally identifiable information online from a website user unless the operator provides both notice and opportunity for such user to limit its use and disclosure. Both Green and Eshoo's bills embrace the opt-out approach, rather than the stricter and more protective opt-in approach.

Senator Fred Thompson (R-TN) is the sponsor of the Citizens' Privacy Commission Act of 2001 (S. 851), which would establish a commission to conduct a study of government privacy practices. The bill has been referred to the Senate Governmental Affairs Committee. Last Congress, legislation to set up a privacy commission did not pass, with the feeling among some that a commission would only delay the process of addressing privacy issues in Congress.

Last Congress, Senator Ernest Hollings (D-SC), the new chairman of the Senate Commerce Committee, introduced a comprehensive bill that utilized the fair information practices and "opt-in" approach for protecting consumer privacy online. He is expected to reintroduce such a bill. Former Commerce Committee chairman John McCain (R-AZ) is expected to reintroduce more modest opt-out Internet privacy legislation later this fall.

Social Security Numbers and National ID Cards

Today, the United States federal government uses the Social Security number as the taxpayer identification number, Medicare number, and soldier's serial number. Many states also use the numbers as identification for drivers' licenses; financial institutions use Social Security numbers to establish personal identification for credit, and they are requested by telephone companies and even video stores. Though intended as simply a tool for the Social Security Administration to track personal earnings, the Social Security number has become a de facto national identifier. When a person's Social Security number is in the wrong hands, that individual can be extremely vulnerable to having their whereabouts tracked and identity stolen. The Social Security Administration recently reported it had received more than 30,000 complaints regarding misuse of Social Security numbers last year, most of which had to do with identity theft (up from 11,000 complaints in 1998). In total, Treasury Department officials estimate that identity theft causes between $2 and $3 billion in losses each year from credit cards alone. In one truly tragic case, Amy Boyer, a twenty-year-old New Hampshire resident, was killed by a man who had tracked her down through the online data service Docusearch.com.

Around the world, one hundred countries have official, compulsory, national IDs that are used for a variety of purposes, including Germany, France, Belgium, Greece, Portugal and Spain. Privacy advocates feel a national database and ID system raises grave concerns about invasions of privacy and personal freedom, especially when such a database of information would need continual updating. The linkage of government databases with corporate databases increases the likelihood that intimate personal information... credit histories, unlisted telephone numbers, voting, medical and employment histories... could be easily accessed without a person's knowledge. A national ID card would create a new tool for government surveillance and targeting of dissenters, as has happened periodically throughout our nation's history.

Senator Dianne Feinstein (D-CA) has introduced the Social Security Number Misuse Prevention Act of 2001 (S. 848), which would prohibit the display, sale, or purchase of social security numbers, with certain exceptions. The purview of the legislation includes: the use of social security numbers on checks issued for payment by governmental agencies; appearance of such numbers on driver's licenses or motor vehicle registration; and inmate access to social security account numbers. It would also, in most instances, prohibit a commercial entity from requiring an individual to provide a social security number when purchasing a commercial good or service or denying an individual the good or service for refusing to provide that number, with exceptions.

Senator Richard Shelby (R-AL) introduced the Social Security Number Privacy Act of 2001 (S. 324), which would prohibit financial institutions from selling or purchasing Social Security numbers or Social Security account numbers in violation of regulations to be issued by the U.S. government on the issue. This would amend the Gramm-Leach-Bliley Act, which mandated that financial institutions send out privacy notices to their customers by July 1, 2001 and offer them the ability to "opt-out" of having their personal information being disclosed to third parties.

Senator Jim Bunning (R-KY) and Representative Clay Shaw, Jr. (R-FL) have introduced the Social Security Number Privacy and Identity Theft Prevention Act of 2001 (S. 1014/H.R. 2036). This bill would specify restrictions on the sale and public display of social security account numbers (SSNs) by federal, state, and local governments and bankruptcy case trustees; prohibit the display of SSNs on checks issued for payment by such governments, or on driver's licenses or motor vehicle registrations issued by a State or local government; prohibit the federal, state, or local government display of SSNs (or any derivatives) on employee identification cards or tags (IDs); prohibit access to the SSNs of other individuals by prisoners employed by federal, State, or local governments; and require states to require independent verification of birth records provided in support of applications for SSNs. The bill further provides that any person who refuses to do business with an individual because the individual will not consent to that person's receipt of his or her SSN shall be considered to have committed an unfair or deceptive act or practice in violation of the Federal Trade Commission Act, except in certain cases required under Federal law.

Carnivore

On July 11, 2000, the first reports of a new Federal Bureau of Investigation (FBI) surveillance tool called Carnivore surfaced in the national media. The Carnivore system is reportedly installed at the Internet Service Provider and can retrieve network traffic such as e-mail messages or Web page requests. The Internet wiretap technology is a modified version of a common piece of software known as a "packet sniffer" that is used by Internet service providers to maintain their networks. The system initially taps substantial portions of traffic coming through an Internet service provider's networks in search of data from the target of the investigation.

Opponents of the system say law enforcement officials should be required to get the same kind of court order to use Carnivore as is required for full telephone wiretaps. The F.B.I. argues that it should be able to use the system under the relatively loose rules governing technologies that gather phone numbers dialed by suspects and the numbers of people calling them. In early June, House Majority Leader Dick Armey (R-TX), who has spoken out against the use of Carnivore, wrote to Attorney General John Ashcroft: "I respectfully ask that you consider the serious constitutional questions Carnivore has raised and respond with how you intend to address them." Ashcroft has promised to look into the matter.

Medical Records Privacy

People are particularly troubled by the notion that their personal medical information is treated as a commodity. The increased sharing of identified information between medical practitioners, pharmaceutical companies, insurance entities and employers has made patients wary of losing their personal privacy. This information is routinely disclosed to third parties without patients' consent, and in some instances, patients' most intimate health histories are being exploited for advertising and profit.

Internet sites that offer information about certain diseases have in some cases solicited data from cyber-visitors and then, without their consent, sold that information to companies marketing drugs or therapies. An Internet user's visits to AIDS, diabetes or other sensitive health-related websites can be revealed to prospective employers willing to pay a fee for such information. In February of 2000, a California Health Care Foundation study concluded that 19 of the top 21 health sites had privacy policies but ". . . most failed to live up to promises not to share information with third parties. . . [N]one of the sites followed guidelines recommended by the Federal Trade Commission on collection and use of personal data."

Fears over how medical records and genetic information will be used (or misused) have also affected the willingness of individuals to seek medical treatment and to share important personal information with their physicians. In genetic testing studies at the National Institutes of Health, 32% of eligible people who were offered a genetic test for breast cancer declined to take it because of concerns about loss of privacy and the potential for discrimination in health insurance. Documented cases of employer and insurance discrimination have given credence to these concerns. During the late 1990s, a study conducted by Northwestern National Life Insurance found that, by the year 2000, 15 percent of employers planned to check the genetic status of prospective employees and dependents before making employment offers. In a case that was recently settled, the EEOC sued the Burlington Northern Santa Fe Railroad for genetic discrimination. Workers filing disability claims related to carpal tunnel syndrome were being tested without their knowledge or consent for an extremely rare genetic condition that may predispose some individuals to the disorder. The company evidently hoped to avoid paying disability claims for any workers found to have the gene.

Under the terms of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services (HHS) issued Regulations Protecting the Privacy of Patients' Health Information. The final rules were announced on December 20, 2000. Among the provisions, patients were given new federal rights to access and request corrections of their patient records, and to receive a list of disclosures that have been made for purposes unrelated to treatment and payment. The rules also stipulated criminal and civil penalties for intentional misuse of patient information, but did not create a right for patients to sue; and extended coverage to personal medical records in all forms, including paper and oral communications.

The regulations, which were promulgated after HHS received 52,000 public comments during the rulemaking process, have provoked disparate reactions. Supporters of the new regulations argue that providing an adequate level of privacy protection will encourage patients to be more forthcoming about their conditions and thus facilitate medical treatment and research. Privacy advocates generally were supportive of the regulations but pointed out that patient consent for release of information to third parties is built around the "opt-out" approach, rather than "opt-in," and patients would only be allowed to opt-out after they've already been contacted once by advertisers or marketers. The regulations allow law enforcement officials to gain access to patients' medical records without a warrant. Health care providers and trade associations, on the other hand, urged the Bush administration to weaken, delay, or even withdraw the implementation of the regulations [1], arguing they would have imposed "onerous and costly" requirements including the re-training of employees, the purchase of new systems designed to comply with the privacy protections, and the hiring of privacy officers charged with the duty of ensuring compliance.

After a 30-day comment period on the final rule, President Bush and HHS Secretary Tommy Thompson decided to allow the rule to take effect on April 14, 2001, as scheduled, and make appropriate changes in the next year to clarify the requirements.

The Genetic Nondiscrimination in Health Insurance and Employment Act (S. 318/H.R. 602), sponsored by Senators Tom Daschle (D-SD), Edward Kennedy (D-MA), Christopher Dodd (D-CT) and Tom Harkin (D-IA), and Representatives Louise Slaughter (D-NY) and Connie Morella (R-MD), would prohibit employers, employment agencies, labor organizations and training programs from using predictive genetic information, genetic testing or genetic services to discriminate in their hiring, compensation or promotion practices. The bill would also ban health plans and insurers from restricting enrollment or premium adjustment on the basis of genetic information, and from requesting or requiring that an individual take a genetic test or reveal the results of genetic tests. This Congress, the bill has attracted widespread bipartisan support in the House (252 co-sponsors). In the Senate, the bill has attracted only 23 co-sponsors thus far, but the bill's chances of coming to the floor look enhanced due to the Democrats taking over the majority.

The Privacy Coalition

On February 12, the newly formed Privacy Coalition presented a Privacy Pledge as the standard for future protection of privacy. The pledge advocates the adoption of a legal framework based on full fair information practices. Nearly 30 organizations, representing a wide spectrum of constituencies and ideologies, have joined the Privacy Coalition. These include the American Library Association, American Civil Liberties Union, Consumers Union, Eagle Forum, Electronic Privacy Information Center, United Automobile, Aerospace and Agricultural Implement Workers of America, National Rifle Association, American Conservative Union, Traditional Values Coalition, and U.S. Public Interest Research Group. Freshman Senator Ben Nelson (D-FL) is the first member of Congress to formally sign the Privacy Pledge. The Commission on Social Action of Reform Judaism is a member of the Privacy Coalition.


Position of the Reform Jewish Movement

In the spirit of Judaism's embrace of privacy rights, the URJ and CCAR have spoken out when actions of the government or private sector have eroded these fundamental rights. In 1971, the URJ passed a resolution entitled Privacy and Surveillance, urging Congress to enact legislation to restrict the power of government to collect data on individuals. In a 1976 resolution, Privacy, the CCAR condemned government agencies that engaged in electronic surveillance, opening mail and spying. In Corporate Invasions of Privacy (1979), the CCAR expanded the scope of the previous resolution by "...deplor[ing] corporate invasions of the individual's right to privacy" such as "...administering pre-employment tests that intrude into their financial situation, personal habits, criminal record and family relationships." In 1997, both the URJ and CCAR expressed support for legislation that would prohibit health care providers or researchers from disclosing genetic data concerning an identified individual without written consent from the individual. The Women of Reform Judaism also have endorsed this legislation and taken particular interest in this issue. Finally, in its 1999 resolution entitled Internet, the CCAR called for the protection of previously private information such as medical records, address information, social security numbers and credit information, stating, "It is the right of each individual to have control over their personal data."

In March 2001, the Commission on Social Action passed a comprehensive privacy resolution dealing with medical records privacy and privacy concerns in the 21st century. The resolution will likely be presented for consideration to the upcoming Union for Reform Judaism biennial conference in December.


Privacy and Jewish Values

Judaism teaches us that privacy is a fundamental aspect of the human condition, the protection of which is a serious societal and individual responsibility. Our tradition distinguishes privacy as an essential element of personality, rather than as only a right of property, and considers privacy an aspect of one's sanctity as a child of God. Without this protection, one is stripped of individuality and selfhood and is effectively dehumanized. In commenting on the story of Balaam's refusal to curse the children of Israel, the Talmud tells us that "he saw that the entrances to their tents were not directly opposite each other, so that one family did not visually intrude on the privacy of the other" (B. Talmud, Baba Batra 60a). Moreover, Deuteronomy (24:10-11) teaches that: "When you lend your neighbor any manner of loan, you shall not go into his house to fetch your pledge. You shall stand outside, and the person to whom you made the loan shall bring the pledge to you." Eavesdropping, gossip, and slander are strongly condemned in Jewish teaching, and unauthorized disclosure of information was strictly prohibited. In the Talmud, Rabbi Ami expelled a scholar from the academy because he disclosed a report he had received confidentially twenty-two years earlier. By the eleventh century, the privacy of mail was absolutely safeguarded by Rabbenu Gershom.


 

For More Information

To learn more, contact RAC Legislative Assistant Samuel Lehman, or visit the following websites:

  • Electronic Privacy Information Center (EPIC)
    EPIC was established in 1994 to focus public attention on emerging privacy issues. EPIC conducts litigation, sponsors conferences, produces reports, publishes the EPIC Alert and leads campaigns on privacy issues. The preeminent resource in Washington on privacy issues.
  • American Civil Liberties Union (ACLU)
    Originally founded in 1920, the ACLU conducts extensive litigation on Constitutional issues including privacy, and free speech. They have an action alert email list that you can join and affiliates you can easily contact at the state and local levels.
  • Privacy Rights Clearinghouse
    A California-based organization formed in 1992. The Clearinghouse has produced many fact sheets and an annual report, and maintains a toll free hotline to provide advice to consumers about their rights.
  • Health Privacy Project
    The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality. They have taken the lead with reaction to the HHS medical records regulations.

Footnotes

[1] "Health Care Industry Lobbies Bush to Erode Patient's New Privacy Code," Chicago Tribune, February 12, 2001



Last Updated August 24, 2001


© Religious Action Center of Reform Judaism, 1996-2010