July 8, 1994

Working Group on Privacy
NII Secretariat
National Telecommunications and Information Administration
U.S. Department of Commerce
Room 4892
Washington, D.C. 20230

To the Working Group on Privacy:

The Electronic Frontier Foundation (EFF) submits comments on the draft "Principles for Providing and Using Personal Information" as developed by the Working Group on Privacy of the Information Policy Committee of the Information Infrastructure Task Force (IITF) and published in the Federal Register, Vol. 59, No. 100, page 27206 (May 25, 1994).

The Electronic Frontier Foundation was founded in July, 1990 and is dedicated to preserving and enhancing civil liberties in digital media. In particular, the Privacy and Technology Project of EFF is focused on privacy issues in the new electronic age. EFF was invited to share its views with the Information Infrastructure Task Force (IITF) in the fall of 1993 and testified at the IITF hearings held at the Department of Commerce in January, 1994. EFF was on the steering committee of and participated in the March, 1994 Public Interest Summit on the National Information Infrastructure (NII). In addition, two of EFF's Board members, Mitch Kapor and Esther Dyson, serve on the Administration's NII Advisory Council.

The Privacy and Technology Project, a new undertaking at EFF, is in the process of developing its position on many of the privacy issues raised by the IITF principles. We submit these comments as a preliminary, and possibly incomplete, statement of our position. We will continue to analyze the IITF principles over the next few months.

EFF concludes that the Administration's proposed principles represent a retreat from the original privacy principles set forth by the Department of Health, Education and Welfare in 1973. We urge the Working Group on Privacy to reaffirm the 1973 principles and to press for a revision of the Privacy Act of 1974 that re-establishes the Act's original goals.

Executive Summary

The Working Group on Privacy is part of the Information Infrastructure Task Force (IITF), an inter-agency task force set up by the Clinton Administration to articulate and implement the Administration's vision of the NII. The Task Force is chaired by Ron Brown, Secretary of Commerce, and consists of representatives from various Federal agencies involved in telecommunications and information policy.

In writing draft privacy principles, the Working Group on Privacy proposes to update the Code of Fair Information Practices developed by the Department of Health, Education and Welfare (HEW) in 1973. The draft principles seek to address two major changes in information technology since the 1970s -- the emergence of large privately-held databases, and the development of interactive technologies.

In 1972, then-Secretary of HEW, Elliot L. Richardson, appointed an Advisory Committee on Automated Personal Data Systems to explore the impact of computerized record keeping on individuals. In a report published in 1973, the Advisory Committee proposed a Code of Fair Information Practices published in _Records, Computers and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems_. The 1973 Code of Fair Information Practices supplied the intellectual and statutory framework for the Privacy Act of 1974 and served as a model for privacy legislation worldwide.

The basic principles of the 1973 Code, as published in the Advisory Committee's _Report_, are:

1. There must be no personal data record-keeping systems whose very existence is secret;
2. There must be a way for an individual to find out what information is in his or her file and how the information is being used;
3. There must be a way for an individual to correct information in his or her records;
4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and
5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.

Despite the clear language and intent of the 1973 principles, in practice they have failed to protect the privacy of personal information. The Privacy Act of 1974, which codified the 1973 principles, has been undermined by legislative loopholes, lukewarm implementation by government agencies and broad interpretation by courts. The Privacy Protection Study Commission, a temporary commission created by Congress in 1974 as a compromise to those who wanted a permanent oversight agency, highlighted the legislative and administrative shortcomings of the Privacy Act in a 1977 report entitled _Personal Privacy in an Information Age_. The Commission found that the Privacy Act "had not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect..." [Report at 502.]

Since the 1973 Code was written, privacy rights in the United States have languished. The IITF draft privacy principles incorporate a number of concepts and phrases that are associated with the deterioration of privacy rights in the United States, namely:

* "Reasonable expectation of privacy" standard, a legal standard used by courts to eviscerate privacy rights under the Fourth Amendment of the U.S. Constitution;
* "Compatible use" exemption to the consent principle, a provision in the Privacy Act of 1974 that has been interpreted to allow government agencies to bypass the heart of the Act;
* "Authorized by law" exemption to the consent principle, a provision which, like the compatible use exemption, has given the government the ability to subvert the original intent of the 1974 Privacy Act;
* "Actual harm" requirement for redress, a high threshold standard that prevents individuals from obtaining redress for harm that is difficult to prove in court;
* Weak guarantee of the "right to correct personal information," which qualifies with terms like "reasonable" and "appropriate" the essential right to correct information; and
* "Shared responsibility" for fair information practices, which unfairly burdens individuals who disclose personal information and fails to guard against individuals being coerced into consenting to the disclosure of information in return for services or benefits.

EFF believes that the 1973 privacy principles are as pertinent today as they were twenty years ago. Instead of adopting new principles, EFF urges the IITF to support passage of a strengthened Privacy Act that would override the "reasonable expectation of privacy" standard, the "compatible use" exemption, the "authorized by law" exemption, and the "actual harm" requirement.

Discussion of EFF's Recommendations

This section discusses in more detail the shortcomings of the IITF's draft privacy principles.

1. "Reasonable expectation of privacy" standard

The draft IITF Information Privacy Principle states: "Individuals are entitled to a reasonable expectation of information privacy." The general understanding of the reasonable expectation of privacy standard comes from Fourth Amendment cases decided by the U.S. Supreme Court. The Supreme Court has consistently interpreted this standard in ways that weaken the scope of constitutional protection for individual privacy. The U.S.
Supreme Court first formulated the "expectation of privacy" standard in _Katz v. United States_ (1967) when it ruled that warrantless wiretapping is unconstitutional. Since _Katz_, however, this standard has failed to provide strong privacy protection. The problem with the _Katz_ formulation is that expectations of privacy can only reflect, not prevent, a deterioration in societal respect for privacy. Applying the "reasonable expectation" standard, the Supreme Court in later cases often determined that an individual's privacy had not been violated by certain intrusions because society's "expectation of privacy" had been persistently lowered by the circumstances of modern existence.

Nowhere is the fallibility of the reasonable expectation of privacy standard more evident than in the Court's holding in _United States v. Miller_ (1976). The Court in _Miller_ ruled that one does not have a constitutionally protected privacy interest in personal records held by a bank. The _Miller_ decision ultimately turned on the fact that the bank customer could not assert ownership of his documents. The Court held that because Miller's documents were the bank's business records, the expectation of privacy that he asserted was not reasonable. The Court reached this conclusion even though most bank customers probably do have an actual expectation of privacy in those records. As Justice Brennan dissented in the 5-4 opinion in the _Miller_ case:

    A bank customer's reasonable expectation is that, absent a compulsion by legal process, the matters he reveals to the bank will be utilized by the bank only for internal banking purposes....[A] depositor reveals many aspects of his personal affairs, opinions, habits associations. Indeed, the totality of bank records provides a virtual current biography.... Development of photocopying machines, electronic computers and other sophisticated instruments have accelerated the ability of government to intrude into areas which a person normally chooses to exclude from prying eyes and inquisitive minds. Consequently, judicial interpretations of the constitutional protection of individual privacy must keep pace with the perils created by these new devices.

The year following the _Miller_ decision, Congress passed the Right to Financial Privacy Act, which limits government access to personal bank records. The _Miller_ decision demonstrates the Court's unwillingness to bring the Fourth Amendment into the information age. Although modern society may change the form in which information is stored, the conflict between the government and industry's interest in expanding its power through access to personal information, and the individual's interest in retaining a sphere of autonomy against that power, remains the same.

In another case, _Smith v. Maryland_ (1979), the Supreme Court ruled that law enforcement officials do not need a search warrant to install a pen register, a device that records the numbers dialed from a telephone. Under the _Katz_ standard, the Court found that people have no reasonable expectation of privacy in the numbers that they dial. Congress overturned this ruling in 1986 when it passed the Electronic Communications Privacy Act.

The unwillingness of the Supreme Court to protect individual privacy under changing circumstances will be especially problematic in the realm of electronic communications. For example, the reasonable expectation of privacy standard will not protect an individual who intends to keep information private but whose "expectations" are technologically out of date. What is a "reasonable" expectation of privacy will be difficult to determine where many levels of users participate in the exchange of information.
It is unclear how a reasonable expectation of privacy standard will be applied in an interactive electronic environment. The reasonable expectation of privacy standard does not convince us that personal information on the NII will be protected against misuse and disclosure. In fact, the application of the standard will undermine the confidence of the general public in the NII.

Finally, how much privacy an individual can reasonably expect on the information highway will depend on the legal and regulatory protections set by Congress and the agencies. By adopting the reasonable expectation standard without defining it, the IITF takes a step backwards from extending privacy protections.

EFF Recommendation: We urge the IITF to take this opportunity to create a new legal definition of "reasonable expectation of privacy." We believe that a new definition should extend to individuals an objective expectation of privacy protection, irrespective of the technological capability to intrude.

2. "Compatible use" exemption

The draft IITF Acquisition Principle (III.A.2) states that "Users of personal information should... obtain and keep only information that could reasonably be expected to support current or planned activities and use the information only for those or *compatible* purposes..." Similarly, the IITF Fairness Principle (III.D.3) states that "Information users should, as appropriate... allow individuals to limit the use of their personal information if the intended use is incompatible with the original purpose for which it was collected..." [See also Paragraphs 27 and 28 of the Commentary.]

Under the Privacy Act of 1974, the term "compatible" has been interpreted in ways that allow agencies wide latitude in disclosing personal information to other agencies, a practice inconsistent with the original thrust of the Privacy Act.
In its 1977 _Report_, the Privacy Commission found that the consent principle of the 1973 Code was subverted by the government's interpretation of the Privacy Act's "routine use" exemption, which allows agencies to disclose personal information if the disclosure is *compatible* with the purpose for which it was collected. [5 U.S.C. Section 552a (b)(3) (1974).] For instance, government officials have interpreted the exemption to allow the computerized matching of separate agency record systems, arguing that detecting waste, fraud, and abuse in government programs is a legitimate government interest, and is thus compatible with any original purpose for which the records were collected.

In 1988, Congress attempted to tighten this loophole by passing the Computer Matching and Privacy Protection Act. The legislation does not limit the content or types of records that can be matched, but does create an important procedural framework of more adequate notice to individuals, the right to a hearing before benefits are cut off or denied, and mandatory reporting requirements for agencies that match records.

EFF Recommendation: The "routine use" exemption in the 1974 Privacy Act must be revamped so that the law will work as intended. A clear and restrictive definition of routine use must be added to the statute clarifying that disclosure for a routine use must be *consistent* with the original purpose for which the information was originally collected. Individuals must have the right to challenge a proposed routine use on the grounds that it is not consistent with the purpose for which the information was originally collected. Routine use disclosures under this definition must be benign and not for the purpose of taking adverse action against an individual.

3. "Authorized by law" exemption

Section III.D.3 of the IITF draft principles allows individuals to limit the use of their personal information "unless that use is authorized by law."
The willingness of Congress to authorize the widespread use of the Social Security Number demonstrates that the "authorized by law" exemption is an invitation to Congress to erode existing protections.

In the 1974 Privacy Act, Congress prohibited local, state, or federal governments from requiring an individual's Social Security number as a condition of receiving services or benefits, unless authorized by law. The drafters of the Privacy Act were concerned that the Social Security Number was on its way to becoming a national identifier, and would be used as the uniform identifier in linking separate records systems.

Since 1974, however, Congress has authorized the use of Social Security Numbers on numerous occasions. For instance, the Tax Reform Act of 1976 subverted the Privacy Act by authorizing states to use the Social Security Number for state or local tax purposes, welfare systems, driver's license systems, and tracking down parents delinquent in court-imposed child-support payments. [See Willis H. Ware, The New Faces of Privacy, 9 Information Society 195, 197-98 (1993).] The most striking example of the "authorized by law" exemption is the 1986 Tax Reform Act provision requiring all children over the age of five claimed as dependents on tax returns to have a Social Security Number.

EFF Recommendation: Government agencies should be authorized to collect only information that is necessary and relevant to their particular purpose. Agencies must inform individuals of the reasons why personal information is being collected and for what purposes it will be used.

4. "Actual harm" requirement for redress

Under the draft IITF Principles, the right to redress depends on an individual's ability to show harm (Sections III.D.2, IV.A.4 and IV.B.3 and Paragraph 18 of the Commentary). Likewise, paragraph 36 of the Commentary would limit "the opportunity to review personal information... to those cases where harm may occur."
In commenting upon the Privacy Act of 1974, the Privacy Commission noted that actual injury could be difficult to prove even where violations of the Act had occurred. [Report at 529.] For instance, harm is difficult to prove when an agency violates notice requirements or fails to correct inaccuracies.

Even where actual harm has occurred, it is extremely difficult for individuals to obtain relief under the 1974 Privacy Act. The Act's lack of both a broad injunctive relief and liquidated damages provision prevents meaningful litigation of the Act's intent and application. In addition, a plaintiff must show that the government agency's action was "intentional and willful" in order to obtain damages.

In a recent article, Willis Ware writes, "The consequences of an erroneous action can be devastating because it proliferates through other data systems that play an unusually central role in one's personal affairs, notably credit databases, financial records, and tax records. The one sidedness of the privacy situation as it now exists in favor of the record keeper, especially the government agency, is probably one of the most ugly faces of privacy." [Ware at 203.]

EFF Recommendation: The Privacy Act needs a new remedy section that provides both liquidated damages and injunctive relief for any aggrieved individual. Section (g)(4)(A) of the Privacy Act should be amended to allow individuals to obtain damages for violation of the "accurate, relevant, timely or complete" standard without a showing of adverse effect to the plaintiff. Individuals must be able to collect damages for intangible harms caused by violations of the Act. Individuals must also be informed of any actions taken as a result of incorrect information.

5. Weak Guarantee of the "Right to Correct Personal Information"

The draft IITF principles dilute the individual's right to correct personal information.
For example, section III.D.1 requires that users of information provide only "*reasonable* means to obtain, review, and correct information." Section IV.B.1 provides that individuals be given means to correct inaccurate information only if it could "harm them."

The Privacy Commission found that the correction principle of the 1973 Code, as codified in the Privacy Act of 1974, appears "to have had little effect on agency practices..." [Report at 524.] In particular, the Commission found "that the Act's requirements for the propagation of corrections does not adequately assure that decisions are made on the basis of accurate, timely, complete and relevant information. Under the Act, for example, corrections do not have to be sent to prior internal agency recipients or to the sources of erroneous information. In addition, corrections of erroneous information initiated by the agency rather than by the individual, no matter how important, do not have to be propagated at all." [Id.]

EFF Recommendation: The right of individuals to correct personal information, regardless of harm, is critical to prevent the propagation of incorrect information across multiple databases. Accordingly, users and collectors of information should develop technical mechanisms to detect, locate, and fix problems and correct errors. [Ware at 204.] In addition, the right of individuals to correct personal information should be incorporated into the design of all information systems.

6. "Shared responsibility" for fair information practices on the NII

The Preamble to the draft IITF Principles states: "... [the] new principles must acknowledge that all members of our society (government, industry, and individual citizens), *share responsibility* for ensuring the fair treatment of individuals in the use of personal information..."
As written, the draft IITF Principles (Preamble, Section IV.A and Commentary Paragraphs 30-37) place a heavy burden on individuals to educate themselves about the potential uses and misuses of the information they provide. While EFF agrees that individuals should disclose personal information with knowledge of its uses by others, we are concerned that the draft Principles limit an individual's ability to hold collectors and users of information accountable for information policies and practices.

The draft IITF Principles should acknowledge the imbalance of power between providers, collectors and users of information. In order to receive benefits and services, providers of information frequently have no meaningful choice as to whether to provide personal information.

EFF Recommendation: The burden of maintaining fair information practices should not rest with the individual who discloses personal information. Rather, the ultimate responsibility for upholding fair information practices should rest with the collectors and users of personal information.

Conclusion

In sum, IITF's proposed principles will serve only to weaken and muddle the current state of information privacy protection in this country. EFF urges the IITF to abandon its effort to rewrite the 1973 Code of Fair Information Practices. We believe that the 1973 privacy principles, in their original scope and intent, remain sound and enduring -- and that the IITF should press for the application of the 1973 principles by both the public and private sector. We urge the IITF to focus on rewriting the Privacy Act to undo twenty years of weak enforcement and interpretation that have undermined the Privacy Act's original intent.

Sincerely,

Janlori Goldman
Director
Privacy and Technology Project