9
Privacy, Law Enforcement, and National Security

The tension between individual privacy and law enforcement or national security interests has been an enduring force in American life, its origins long predating the advent of new media or current technologies. Nowhere else is the tension between “it’s none of your business” and “what have you got to hide” so easily seen.1

Although these tensions predate the information revolution, new technologies, new societal contexts, and new circumstances have sharply intensified that conflict, and even changed its focus. Section 9.1 focuses on the uses of information technology in law enforcement and discusses the pressures that such uses place on individual privacy. Section 9.2 does the same for national security and intelligence.

1 As an illustration of the latter, Houston police chief Harold Hurtt referred to a proposal to place surveillance cameras in apartment complexes, downtown streets, shopping malls, and even private homes to fight crime during a shortage of police officers and told reporters at a police briefing, “I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?” See Pam Easton, “Houston Eyes Cameras at Apartment Complexes,” Associated Press Newswire, February 15, 2006.



Copyright © National Academy of Sciences. All rights reserved.



Engaging Privacy and Information Technology in a Digital Age
9.1 INFORMATION TECHNOLOGY, PRIVACY, AND LAW ENFORCEMENT

9.1.1 Background

By its very nature, law enforcement is an information-rich activity. The information activities of law enforcement can be broken into three categories:

Gathering and analyzing information to determine that a law has been violated;

Gathering and analyzing information to determine the identity of the person or persons responsible for a violation of law; and

Gathering and analyzing information to enable a legal showing in court that the person or persons identified in fact were guilty of the violation.

All of these gathering and analysis activities have been altered in basic ways by functional advancements in the technologies that have become available for collecting, storing, and manipulating data.

In actual practice, these categories can overlap or the activities in each category can occur in several temporal sequences. When a police officer observes someone breaking a law, the officer is determining that a law has been violated, gathering information about who broke the law (presumably the person he or she is observing), and gaining evidence that may be introduced in court (the testimony of the officer).

The essential difference between these categories is the locus or subject about which the information is gathered. In the first category concerning the breaking of a law, the locus of information is the event or activity. In the second sort of activity, the locus is the determination of an individual or set of individuals involved in the activity. In the third category, information associated with categories one and two is combined in an attempt to link the two in a provable way.

Although activities in the first category usually precede those in the second, this is not always the case. Law enforcement authorities have been known to start with “suspicious people” and then seek to discover what laws they might have broken, might be breaking, or might be planning to break. This is one of the rationales for certain kinds of undercover activity and is frequently regarded as more controversial. These distinctions are important because they help to differentiate cases that generate concern about invasions of privacy from those that involve less controversial uses of the state’s investigatory power.

Concerns about privacy invasions often involve the possibility that law enforcement officials can cast an unduly broad net, or one that is seen as discriminatory, as they gather information about persons in the absence of specific reasons to suspect that these individuals have violated some particular law. A case in which an individual is targeted to see if he or she has violated a law is conceptually (and legally and morally) different from a case in which information is gathered about an individual as part of an investigation into a known or suspected violation of law or in which there are other grounds for suspicion. In the former case, information may be gathered about individuals who in fact were not involved in a violation—which is different in kind from the task of assembling information about an individual in the hope of finding a violation of law.

The potential for data gathering targeted at a particular individual or set of individuals to aid in the discovery of previously unknown violations of the law, or the risk that data gathered by law enforcement may be used for political or harassment purposes, often underlies efforts to restrict the kinds of information that law enforcement agencies can gather and the ways in which it is gathered. Even if the information is never used, the very fact that considerable amounts of data have been collected about individuals who have not been accused or convicted of a crime ensures that substantial amounts of information about non-criminals will end up in the databases of law enforcement agencies. Moreover, with such data a permanent part of their files, citizens may be concerned that this information will eventually be misused or mistakenly released, even if they are not suspects in any crime. They may even engage in self-censorship, and refrain from expressing unpopular opinions. For individuals in this position, issues such as recourse for police misbehavior or carelessness are thus very important.

Nor are worries about the gathering of information by law enforcement agencies restricted to how that information could be used in legal proceedings. Such proceedings are governed by the laws and professional ethics that protect the privacy of the individual, and the inappropriate use (in a criminal context) of information gathered by law enforcement agencies can be balanced by judicial review. However, even the suspicion of wrongdoing or being a “person of interest” can have an effect on an individual’s ability to fly in a commercial airliner, obtain certain kinds of permits, gain some kinds of employment, obtain financial services, or conduct business. For example, watch lists, such as those used by the Transportation Security Agency, are not subject to the same level of scrutiny as evidence in a court of law yet can still affect the lives of those whose names appear on such lists. These uses of information are often not balanced by judicial or any other kinds of review, leaving the individual at a severe disadvantage when information is inaccurate or incomplete.2

2 See, for example, Peter M. Shane, “The Bureaucratic Due Process of Government Watch Lists,” Ohio State Public Law Working Paper No. 55, February 2006, available at http://ssrn.com/abstract=896740.

None of these concerns about balancing the need for law enforcement agencies to gather information and the need of the citizen for privacy are new. What is new are the modern information technologies that law enforcement agencies can now use to observe situations and identify individuals more quickly, more accurately, and at less expense than ever before. These technologies include surveillance cameras, large-scale databases, and analytical techniques that enable the extraction of useful information from large masses of otherwise irrelevant information.

The sections that follow describe a number of technologies that allow law enforcement agencies expanded capabilities to observe, to listen, and to gather information about the population. Just as the ability to tap phone lines offered law enforcement new tools to gather evidence in the past century, so also these new technologies expand opportunities to discover breaches in the law, identify those responsible, and collect the evidence needed to prosecute. And just like the ability to tap telephones, these new technologies raise concerns about the privacy of those who are—rightly or wrongly—the targets of the new technologies. Use of the technologies discussed requires careful consideration of the resulting tension posed between two legitimate and sometimes competing goals: information gathering for law enforcement purposes and privacy protection.

9.1.2 Technology and Physical Observation

As a point of departure, consider the issue of privacy as it relates to government authorities conducting surveillance of its citizens. Using the anchoring vignette approach described in Chapter 2 (see Box 2.2), a possible survey question might be, How much does [your/“Name’s”] local town or city government respect [your/“Name’s”] privacy in [your/her/his] routine local activities? Here are a number of possibilities:

[Anita] lives in a city that prohibits any form of video or photographic monitoring by government agencies.

[Bita] commutes to work every day into a city that automatically photographs each car to see whether it runs a particular stoplight.

[Jake] lives in a city that videotapes all cars on city-owned property.

[Beth] lives in a city that videotapes all people inside the hallways of city-owned buildings.

[Mark] lives in a city that uses a device in police cars to detect whether individuals are at home.

[Juanita] lives in a city that uses an imaging device in police cars that can see through walls and clothes.

These vignettes, ordered from most to least privacy-protecting, illustrate only a single dimension of privacy (namely image-based personal information), but they are a starting point for knowing what must be analyzed and understood in this particular situation, and what decisions society will have to make with respect to the issues the vignettes raise.

Whether it is used to see that a law has been or is being broken, to determine who broke the law, or to find a suspect for arrest, physical observation has historically been the main mechanism by which law enforcement agencies do their job. Physical observation is performed by law enforcement officers themselves, and also by citizens called as witnesses in an investigation or a trial. The vignettes above suggest that physical observation has evolved far beyond the in-person human witness in sight of the event in question. When individuals are watched, particularly by the state with its special powers, privacy questions are obviously relevant. The usual expectation is that, unless there is a reason to suspect an individual of some particular infraction of the law, individuals will not be under observation by law enforcement agencies. But because of advances in technology, the means by which law enforcement can conduct physical observation or surveillance have expanded dramatically.

New technologies that provide automated surveillance capabilities are relatively inexpensive per unit of data acquired; vastly expand memory and analytical ability, as well as the range and power of the senses (particularly seeing and hearing); and are easily hidden and more difficult to discover than traditional methods. They can be used to observe violations of law as well as a particular individual over extended periods of time unbeknownst to him or her.

Today, for example, the use of video cameras is pervasive. Once only found in high-security environments, they are now deployed in most stores and in many parks and schools, along roads, and in public gathering places. A result is that many people, especially in larger cities, are under recorded surveillance for much of the time that they are outside their homes. Law enforcement officials, and indeed much of the public, believe that video cameras support law enforcement investigations, offering the prospect of a video record of any crime committed in public areas where they are used. Such a record is believed to have both investigatory value (in identifying perpetrators) and deterrent value (in dissuading would-be perpetrators from committing crimes).3 However, these cameras also give those who operate them ever more information, often in the form of a reusable and possibly permanent record regarding where many law-abiding individuals are, who they are with, and what they are doing.

3 It is unquestionable that video records have had forensic value in the investigations of crimes that have already been committed. The deterrent effect is less clear. A study done for the British Home Office on the crime prevention effects of closed-circuit television (CCTV) cameras systematically reviewed two dozen other empirical studies on this subject and concluded that, on balance, the evidence suggested a small effect on crime reduction (on the order of a few percent) and only in a limited set of venues (namely, car parks). The deployment of CCTV cameras had essentially no effect in public transportation or in city-center contexts. Welsh and Farrington also noted that poorly controlled studies systematically indicated larger effects than did well-controlled ones. See Brandon Welsh and David Farrington, Crime Prevention Effects of Closed Circuit Television, Home Office Research Study 252, August 2002, available at http://www.homeoffice.gov.uk/rds/pdfs2/hors252.pdf.

Another example concerns automobiles equipped with tracking systems, such as General Motors’ OnStar system, that permit location tracking, to a fairly fine resolution, of anyone holding a cell phone. (Such systems may be based on the use of GPS or on cell phones that provide location information as part of E-911 services.) By tracking people’s position over time, it is also possible to track their average speed,4 where they have been, and (by merging the positional information for multiple people) with whom they might have met. If such tracking is recorded, correlations can be made at any time in the future. Indeed, given the right monitoring equipment and enough recording space, it is even possible that the locations of every person for much of a lifetime could be made available to law enforcement agencies or even family members or researchers.

4 A lower-tech version of this capability is inherent in toll systems on highways. For some highways, periodic toll plazas on turnpikes were replaced by a system in which the driver picked up a ticket at the point of entry that was then used to determine the toll at the location where the car exited. Given that these tickets included the time of entry into the turnpike, there were concerns that the tickets could also be used upon exit to determine if the car had exceeded the speed limit. Stories of such secondary use have the ring of urban myth, but they continue to surface on the Internet and are certainly consistent with what the technology enables.

Similar issues regarding data reuse arise with respect to the use of video cameras for the enforcement of traffic regulations. In many cities the traffic lights have been equipped with cameras that allow law enforcement agencies to determine violations of red-light stop zones simply by photographing the offending vehicles as they pass through the red light. Such images allow local police agencies to automatically send red-light-running tickets to the vehicle owners. Even such a seemingly straightforward use of surveillance technology, however, brings up a host of privacy issues. For example, consider that these cameras could also be used to trace and record the presumed locations of people based on the observed time and location of their cars. That is, they could take pictures even when no car was running a red light. Such a concern is based on the future possibilities for repurposing the information gathered by such cameras rather than on the purpose for which these cameras were originally deployed.

Note that nothing intrinsic in the use of a video system to catch those running traffic lights enables secondary use of the information. The system could be designed in such a way that only those images showing someone running a red light were kept, and all other images were discarded immediately. Such a system could not be used to track the location of any but a small number of vehicles. Designing such a system in this way is simple to do when the system is first being built but is far more difficult once the system has been installed. However, privacy concerns associated with possible secondary uses are usually not raised when a system is designed, if nothing else because those secondary uses are not yet known or anticipated.

It could be argued that a video camera at the stoplight is no different in principle from posting a live police officer at the same place. A police officer can issue a ticket for a car that runs a red light, and if a live police officer on traffic detail at the intersection is not a threat to privacy, then neither is the placement of a video camera there. Others, however, would argue that a live officer could not accurately record all vehicles passing lawfully through the intersection, and could not be used to trace the movements of every vehicle passing through a busy intersection—lawfully or not—in the way that a video camera can. The image-retention capacity of a video system vastly exceeds that of even the most astute human observer and thus allows the tracking of all vehicles, not just those that are of interest at the time they move through the intersection. The images stored by the video system can, in principle, be not just those of vehicles that have violated the law, but of all vehicles that have passed by the camera. In addition, information gathered by a video camera ostensibly deployed to catch cars running a red light can be used for other purposes, such as tracking the location of particular cars at particular points in time, or finding speeders (this would require combining of information from multiple cameras at multiple locations)—purposes that are not possible with a human officer.

Further, when the images are stored, law enforcement agencies gain the capability to track what individuals have done in the past, and not just what they are currently doing. The worry is that once the information has been gathered and stored, it will be used in a variety of ways other than that for which it was originally intended. Such “feature creep” is possible because what is stored is the raw information, in image form, which can be used in a variety of ways.
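As an added illustration of the design point made above (this is not code from the report), the following constructed Python model compares the two red-light camera designs: one that stores every frame and one that discards non-violation frames at capture. Both issue exactly the same tickets, but only the store-everything design can later be repurposed to trace a lawful vehicle or to infer its speed between two intersections; camera identifiers, plates, timestamps and the road distance are all constructed for the example.

```python
# Added illustration (not the report's code): two retention designs for a
# red-light camera. Camera ids, plates, timestamps and distances are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    camera: str   # intersection where the image was captured
    ts: float     # capture time in seconds (constructed)
    plate: str    # plate as read from the image (constructed)
    signal: str   # signal state at capture: "red" or "green"


class RetainAll:
    """Stores the raw stream: every vehicle, lawful or not."""

    def __init__(self) -> None:
        self.store: List[Frame] = []

    def ingest(self, f: Frame) -> None:
        self.store.append(f)

    def violations(self) -> List[Frame]:
        return [f for f in self.store if f.signal == "red"]


class RetainViolationsOnly:
    """Design-time minimization: a non-violation frame is dropped at capture,
    so it never exists to be repurposed later."""

    def __init__(self) -> None:
        self.store: List[Frame] = []

    def ingest(self, f: Frame) -> None:
        if f.signal == "red":
            self.store.append(f)

    def violations(self) -> List[Frame]:
        return list(self.store)


def trace_vehicle(store: List[Frame], plate: str) -> List[Tuple[float, str]]:
    """Secondary use: reconstruct where and when a given plate has been seen."""
    return sorted((f.ts, f.camera) for f in store if f.plate == plate)


def infer_speed_kmh(store: List[Frame], plate: str,
                    segment_km: Dict[Tuple[str, str], float]) -> Optional[float]:
    """Secondary use: combine sightings from cameras at different locations to
    estimate speed over a known road segment. Returns None when the store holds
    no pair of consecutive sightings on a segment listed in segment_km."""
    path = trace_vehicle(store, plate)
    speeds = []
    for (t0, c0), (t1, c1) in zip(path, path[1:]):
        km = segment_km.get((c0, c1))
        if km is not None and t1 > t0:
            speeds.append(km / ((t1 - t0) / 3600.0))
    return max(speeds) if speeds else None


SEGMENT_KM = {("A", "B"): 1.0}   # constructed: cameras A and B are 1 km apart


def constructed_stream() -> List[Frame]:
    # Constructed sample: ABC123 passes both intersections lawfully one minute
    # apart; XYZ789 runs the red light at A.
    return [
        Frame("A", 0.0, "ABC123", "green"),
        Frame("A", 10.0, "XYZ789", "red"),
        Frame("B", 60.0, "ABC123", "green"),
    ]


def evaluate(design) -> Dict[str, object]:
    """Feed the same stream to a design and report what it can still answer:
    the tickets it issues, and whether it can trace or time the lawful car."""
    for f in constructed_stream():
        design.ingest(f)
    return {
        "tickets": [f.plate for f in design.violations()],
        "trace_lawful": trace_vehicle(design.store, "ABC123"),
        "speed_lawful": infer_speed_kmh(design.store, "ABC123", SEGMENT_KM),
    }


if __name__ == "__main__":
    for design in (RetainAll(), RetainViolationsOnly()):
        print(type(design).__name__, evaluate(design))
```

Both designs return the single ticket for XYZ789; only RetainAll can also place ABC123 at both intersections and derive a 60 km/h speed from the pair of sightings.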

Finally, video surveillance is far less expensive than the use of many human officers. From an economic point of view, it is impossible in large jurisdictions to station officers at every intersection, but placing a video camera at many intersections is much less expensive and within the means of many police departments. An important check on executive power has always been based on the allocation of resources, and if technology can enable a greater amount of police activity—in particular, more surveillance—for the same cost, the introduction of that technology changes the balance of power. Perhaps most importantly, this change in the balance of power is often unnoticed or not discussed—and when it is, a dispute about the amount of police activity must be resolved explicitly on policy grounds rather than implicitly on economic grounds.

Beyond video technologies such as those discussed above, there is also the prospect that emerging technologies can extend the reach of observation from public spaces into what have traditionally been private spaces. There has been some use of infrared detectors to “look through” walls and see into a suspect’s home;5 although the Supreme Court recently suggested that such law enforcement surveillance tactics might violate the resident’s “reasonable expectation of privacy” (Section 1.5.5), the courts have not categorically rejected the use of such sophisticated imaging devices. If environmental sensors become pervasive, it may in the near future become possible to infer the location of people from the information gathered for purposes such as energy conservation—and to infer identities by correlating that information with other recorded information (such as building access records). The conditions under which law enforcement agencies will or should have access to such information raise difficult questions both of law and of policy.

5 A number of court cases have been brought addressing the question of whether the use of a thermal-imaging device aimed at a private home from a public street to detect relative amounts of heat within the home constitutes a “search” within the meaning of the Fourth Amendment. The definitive ruling on this point is the decision of the U.S. Supreme Court in Kyllo v. United States, No. 99-8508 and decided on June 11, 2001, which held that it is a search and thus must be governed by the apparatus designed to protect the public against unreasonable searches.

Concern over the potential use of such sensitive information lies at the heart of many privacy-based concerns about the deployment of such technologies. The deepest concern, from the privacy perspective, is the potential for combining constant and non-obvious data gathering and the ability to assemble the data gathered to give the effect of largely constant observation of any space, whether public or private. Such a prospect, combined with the temporally permanent nature of the data when they are stored, appears to give law enforcement agencies the ability to constantly monitor almost any place and to have access to a history of that place. Together with the ability to aggregate and mine the data that have been gathered (discussed below), this prospect would appear to give law enforcement enormous amounts of information.

The most serious issues arise if and when such technologies enable monitoring of specific individuals. Many present-day technologies indicate bodies, but not the identities of the persons who own those bodies. Future technologies may enable the identification of individuals—that is, the high-accuracy association of specific names with the bodies within view—in which case the privacy concerns are accentuated many-fold. (Even today, modern cell phones with location identification capabilities yield information about the whereabouts of individuals, because of the generally unviolated presumption that individuals carry their cell phones with them.)

9.1.3 Communications and Data Storage

Both communication and data storage technologies have long been of interest and use to the law enforcement community. Being able to observe and overhear the discussions of those suspected of breaking the law and to obtain records of criminal activity has been an important means for gaining evidence—but has also created inevitable threats to principles of privacy.

The primary difference between records and communications is that by definition, records are intended to persist over time, whereas communications are more transient. Transient phenomena vanish, and they are generally more private than persistent entities that can be reviewed anew, copied, and circulated. For this reason, technologies that threaten the privacy of records are often seen as less problematic than those that threaten the privacy of communications.

For keeping records private, the most common technique used has been to hide the records in a location known only to their owner. One can “hide” records by placing the file in a secret location (e.g., in an “invisible” directory on one’s disk, on a CD-ROM stored under the mattress or under a rock in the back yard or in a safe deposit box, or embedded secretly in another document). Today, there are few generally applicable technologies that enable law enforcement authorities to find records in a secret location without the (witting or unwitting) cooperation of their owner. Thus, debates over the appropriate balance between the privacy of records—even digital records—and the needs of law enforcement authorities for those records have been relatively straightforward, and based on the ability of law enforcement authorities to compel or trick the owner into revealing the records’ location. (The use of encryption to hide records, discussed in more detail below, presents a wrinkle in this debate, but the same techniques are available to law enforcement authorities to compel or trick the owner or others into revealing the decryption keys that would allow law enforcement access.)

But history paints a much different picture when it comes to communications. For the interception of telephone conversations, e-mail, and Internet-based communication, the proper balance between the claimed needs of law enforcement for access to such communications, and the privacy interests of persons who are the participants in the targeted communication, has been elusive and more difficult to define. When the Bill of Rights was enacted, communication consisted either of spoken language (which could only be heard directly) or written. Written communications are a type of record, and such records can be obtained by law enforcement personnel as the result of a search (under rules covered by the Fourth Amendment). But what of written communications being sent through the mails—were these communications more like utterances made in public, and therefore not subject to the same explicit protections of privacy, or were they more like private records and covered by the protections of the Fourth Amendment? In the case of mail carried by the U.S. Postal Service, the decision was that the outside of the mail (such as the address and return address) was public information, and not covered by the need for a search warrant,6 but that any communication inside the envelope was considered private and any viewing of that information by law enforcement required a search warrant obtained under the requirements of probable cause.7

6 Ex Parte Jackson, 96 U.S. (6 Otto) 727, 733 (1877).

7 The process by which national security investigators have obtained mail cover information has been governed by U.S. postal regulations for nearly 30 years. See 39 C.F.R. 233.3. The authority to use mail covers for law enforcement purposes first appeared in the 1879 postal regulations. Section 212 statutorily authorizes the continued use of mail covers in national security investigations. A “mail cover” is the process by which the U.S. Postal Service furnishes to the FBI the information appearing on the face of an envelope addressed to a particular address: i.e., addressee, postmark, name and address of sender (if it appears), and class of mail. The actual mail is delivered to the addressee, and only the letter carrier’s notation reaches the FBI. A mail cover does not include the contents of any “sealed mail,” as defined in existing U.S. postal regulations (see 39 C.F.R. 233.3(c)(3)) and incorporated in Section 212. Although the Supreme Court has not directly addressed the constitutionality of mail covers (the Court has denied certiorari in cases involving the issue), lower courts have uniformly upheld the use of mail covers as consistent with the requirements of the Fourth Amendment. See Vreeken v. Davis, 718 F.2d 343 (10th Cir. 1983); United States v. DePoli, 628 F.2d 779 (2d Cir. 1980); United States v. Huie, 593 F.2d 14 (5th Cir. 1979); and United States v. Choate, 576 F.2d 165 (9th Cir.), cert. denied, 439 U.S. 953 (1978).

As communication technologies advanced, the distinction between what was publicly available and what was private in those technologies became the crux of the debates about the privacy of those communications and what access law enforcement agencies had to the communication. Perhaps the best example concerns communication by telephone. When telephones were first introduced, the circuits were connected by an operator who often needed to listen in on the call to monitor quality, and most of the telephone lines were shared or “party” lines, allowing conversations to be heard by anyone with whom the line was shared (although good manners suggested not listening when the call was not for you). With this history, it was generally held that discussions over a telephone were like discussions in public, so that law enforcement agents could listen in on such conversations, and could use in criminal prosecutions the contents of what they heard, with no oversight and without the consent of those whose words were monitored.

Indeed, in Olmstead v. United States, 277 U.S. 438 (1928), the U.S. Supreme Court held that “the reasonable view is that one who installs in his house a telephone instrument with connecting wires intends to project his voice to those quite outside, and that the wires beyond his house, and messages while passing over them, are not within the protection of the Fourth Amendment. Here those who intercepted the projected voices were not in the house of either party to the conversation.” In so holding, it ruled that “the wire tapping here disclosed [in the case] did not amount to a search or seizure within the meaning of the Fourth Amendment,” and thus that telephone conversations were not protected or privileged in any way over ordinary speech outside the home. There was, in this view, no (rational) expectation of privacy for such conversations (although the term “expectation of privacy” had not yet come into use).

This view of telephone conversations lasted until 1967,8 when the Supreme Court ruled that there was, in fact, a constitutional expectation of privacy in the use of the telephone. By this time, operators were hardly ever used for the connection of circuits and were not expected to monitor the quality of phone conversations, nor were most phone lines shared. However, the decision that there was an expectation of privacy in such conversations lagged significantly behind the technological developments that created such an expectation. At this point, the court decided that telephone calls were like physical mail, in which each call had a public “outside” and a private “contents.” The public envelope contained the information necessary to establish the circuit for the call (including the phone from which the call was being made and the phone to which the call was made) but did not include the contents of the call, which was considered private. Gaining legal access to that part of the call required a warrant issued by a judge after a showing of probable cause.

The last two decades have seen a novel set of communication technol-

8 Katz v. United States, 389 U.S. 347.
the information that was used to make the determination. Even Edward Kennedy, senior senator from Massachusetts, has had problems getting his name off the watch list.29 Even if corrective mechanisms were in place, lists such as these suffer from a cluster of problems having to do with establishing the identity of those who are being compared to the list. If a list is kept in terms of names, its usefulness is limited by the fact that a single name can be shared by many different people. A combination of name and address may be better, but falls prey to the ease with which people move from place to place, and the time lag between such a move and the time at which all relevant records have been updated to reflect the new address. Indeed, such lists seem to presume, contrary to fact, that there is a way (or set of ways) to uniquely identify each person who might appear on such a list. There is no such mechanism available today, and establishing such a mechanism is far from simple.30

29 Rachel L. Swarns, “Senator? Terrorist? A Watch List Stops Kennedy at Airport,” New York Times, August 20, 2004.

30 See National Research Council, Who Goes There? Authentication Through the Lens of Privacy, Stephen T. Kent and Lynette I. Millett, eds., The National Academies Press, Washington, D.C., 2003.

9.2.5 Tensions Between Privacy and National Security

In many ways, the tension between privacy and national security parallels the tension between privacy and law enforcement. Both law enforcement and national security require government to amass large amounts of information about people, including much information that the subject or target might want to keep private and information that will ultimately not prove useful for any mission-related function. Both law enforcement and national security require that that information be analyzed to try to infer even more about a person. Both are heavy users of technology, and both use technology to gather information, identify individuals, and analyze that information. National security differs from law enforcement, however, in two significant ways.

First, law enforcement authorities are usually (though not always) called in when a criminal act has been committed, and the criminal act itself serves to focus investigative resources—that is, they tend to be reactive. National security authorities are most interested in preventing hostile acts from taking place—they tend to be proactive. Second, most of the information gathered by law enforcement and used to prosecute a person for the violation of a law will eventually be made public, along with the mechanisms used to gather that information. Intelligence gathering for the purposes of national security, on the other hand, is an intrinsically non-public activity. The mechanisms used to gather information, along with the information itself, are not made public, even when the information is used in a way that has an impact on the life of the subject of that information. This greater need for secrecy makes it unlikely that citizens will be able to discover if the agencies charged with national security are violating their privacy. The mechanisms for gathering information are often unknown, so those wishing to ensure privacy may not know the techniques against which they must guard. The information gathered must remain secret, and so there is no easy way to know what information is gathered, if that information is accurate, whether it might be subject to different interpretations, or how to correct the information if it is inaccurate or incomplete. The only thing known with certainty is that there is an entity that is capable of gathering information about foreign governments, and it is reasonable to presume that such an entity can easily gather information about private citizens in the United States.

Because of the secret nature of the information gathered by national security agencies, it can be difficult to establish a trust relationship if one does not already exist between the citizens about whom the information is gathered and the agencies doing the gathering. There are few in the United States who would worry about the gathering of information even within the borders of the United States and about U.S. citizens if they could be assured that such information was only being used for genuine national security purposes, and that any information that had been gathered about them was accurate and appropriately interpreted and treated. How to obtain that assurance is a public policy issue of the utmost importance.

This is why oversight is so important, all the more so in times of crisis. Accountability need not mean indiscriminate transparency; rather, trusted agents such as members of Congress or special commissions should be entrusted with offering, and hopefully can be trusted to offer, needed assurances.

9.3 LAW ENFORCEMENT, NATIONAL SECURITY, AND INDIVIDUAL PRIVACY

Even before the formation of our nation, government was seen as posing the principal threats to individual privacy. Many of the grievances against the English crown that were detailed in the Declaration of Independence reflected an erosion of the right to be left alone, and many provisions of the Bill of Rights sought to codify limitations on government power which the framers saw as vital to the new nation. While the Constitution nowhere expressly recognizes a “right to privacy,” several provisions (especially, but not only, the Fourth Amendment) unmistakably limit the power of government to invade the lives of citizens.

When law enforcement and national security are concerned, the sources of concern about privacy rights are readily apparent. On the one hand, law enforcement must be able to gather information about individuals in order to identify and apprehend suspects and to enforce criminal law and regulatory standards. National security agencies gather and analyze information about individuals and organizations in order to protect and enhance national security. On the other hand, the very process of gathering and using such information may pose serious risks to individual privacy.

A somewhat similar set of tensions applies to data that have already been collected for some purpose other than law enforcement or national security. As noted in earlier chapters, a wide variety of personal information on individuals is collected for a wide variety of purposes by both government agencies (e.g., the Internal Revenue Service, the Census Bureau) and private sector organizations such as banks, schools, phone companies, and providers of medical care. In some instances (such as survey data collected by the Census Bureau), such information has been collected under a promise, legal or otherwise, that it would be used for a certain purpose and only for that purpose, and would otherwise be kept confidential.31 If and when external circumstances change (e.g., the nation comes under attack), some would argue strongly that it is criminal to refrain from using all resources available to the government to pursue its law enforcement and national security responsibilities. Others would argue just as strongly that the legal restrictions in effect at the time of data collection effectively render such data unavailable to the government, legally if not physically.

31 One exception is that the USA PATRIOT Act of 2001 allows the attorney general to obtain a court order directing the Department of Education to provide to the Department of Justice data collected by the National Center for Education Statistics (NCES) if such data are relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism. However, the law also requires the attorney general to protect the confidentiality of the data, although the standards used for such protection are formulated by the attorney general “in consultation with” the Department of Education. Prior to the passage of the USA PATRIOT Act, NCES data were to be used only for statistical purposes.

According to scholars William Seltzer and Margo Anderson,32 an example of such government use of privileged data occurred during World War II, when the Bureau of the Census assisted U.S. law enforcement authorities in carrying out the presidentially ordered internment of Japanese-Americans. In a meeting of the Census Advisory Committee held in January 1942, J.C. Capt, director of the census, was reported to say, “We’re by law required to keep confidential information by [sic] individuals. But in the end, [i]f the defense authorities found 200 Japs missing and they wanted the names of the Japs in that area, I would give them further means of checking individuals.” It is not known if the Census Bureau actually provided information on individual Japanese-Americans, but Seltzer and Anderson cite documents indicating that the Census Bureau clearly did provide mesodata (i.e., census results tabulated for very small geographic units, some as small as a city block) that did facilitate the internment process. Indeed, on the Monday after the December 7 attack on Pearl Harbor (which occurred on a Sunday), the Census Bureau initiated the production of reports on the distribution of Japanese-Americans across the United States based on macrodata (data from the 1940 census aggregated in terms of large geographic units). Seltzer and Anderson note also that the Census Bureau has recognized possible threats to privacy arising from certain kinds of mesodata, and in response has progressively introduced stricter disclosure standards. Indeed, the bureau has indicated that under the standards now in place the release of mesodata from the 1940 census on Japanese-Americans would have been severely restricted.

A number of points are worth noting about this example. First, whether or not the Census Bureau provided information on individuals, the use of census data violated the spirit of the confidentiality law in the sense that respondents provided information under promises of confidentiality33—information that was subsequently used against them. Second, Capt’s remarks suggest a willingness to exploit legal loopholes in order to cooperate with the internment order. Third, even if the actual wording of the confidentiality promise made a “fine print” provision for “other legally authorized uses,” it would still have left survey respondents with the impression that their responses were confidential.

32 William Seltzer and Margo Anderson, “After Pearl Harbor: The Proper Role of Population Data Systems in Time of War,” paper presented at the annual meeting of the Population Association of America, Los Angeles, California, March 2000, available at the American Statistical Association’s Statisticians in History Web site.

33 For example, President Herbert Hoover’s proclamation in 1929 for the 15th census said that “the sole purpose of the census is to secure general statistical information regarding the population and resources of the country…. No person can be harmed in any way by providing the information required. The census has nothing to do with … the enforcement of any national, state, or local law or ordinance. There need be no fear that any disclosure will be made regarding any individual person or his affairs….” In addition, the 1940 census enumeration form itself said that “only sworn census employees will see your statements. Data collected will be used solely for preparing statistical information concerning the Nation’s population, resources, and business activities. Your Census Reports Cannot Be Used for Purposes of Taxation, Regulation, or Investigation” [capitalization in the original]. See Thomas F. Corcoran, “On the Confidential Status of Census Reports,” The American Statistician 17(3):33-40, 1963.

Issues related to privacy in a law enforcement or national security context are hard for citizens to assess. Citizens are not told what information these agencies are capable of gathering or what they do gather, because that knowledge being made public can limit the very information that agencies will be able to gather. In addition, the stakes are higher because these agencies can use information they gathered to imprison citizens. Citizens are asked to trust that abuses are not occurring and to trust in the oversight mechanisms that often require one part of the government to ensure that another is not generally overstepping appropriate bounds.

Similarly, law enforcement and national security agencies are put into a difficult position regarding the gathering and analysis of information. If these agencies fail to gather enough information to accomplish their missions, they are faulted for not using the latest techniques and technologies. However, if these agencies are perceived as gathering too much information about ordinary citizens, they are faulted for invasion of privacy. Unfortunately, it is often impossible to determine, before the fact, who is going to be a law breaker or terrorist in the future. There is no way for law enforcement and national security agencies to determine about whom they should gather information without requiring that these agencies also know the future. The conundrum is further accentuated by a declaratory national policy that emphasizes prevention of terrorist attacks rather than prosecution or retaliation after they occur. That is, law enforcement activities must take place—successfully—in the absence of the primary event that usually focuses such activities. With few definitively related clues to guide an investigation, a much more uniform spread of attention must be cast over those who might have some contact or connection, however tenuous, to a possible terrorist event in the future.

The best that can be expected is that these agencies put into place the appropriate safeguards, checks, and balances to minimize the possibility that they gather information in an inappropriate way about citizens. But the more such safeguards are in place, so the argument goes, the more likely it is that mistakes are made in the opposite direction, and that these agencies will miss some piece of information that is vital for the performance of their function.

Yet areas of overlap between privacy and law enforcement and national security also exist. For example, citizens who have faith in their government and who believe that it generally follows democratic rules (one reflection of which is respect for privacy) will be more likely to cooperate with law enforcement in providing information and other forms of support. In that sense, just as it is sometimes said that privacy is a good business practice, it might also be said that a law enforcement agency’s respect for a citizen’s privacy, rather than necessarily being in opposition to, can be supportive of law enforcement goals.

An important influence on the process of balancing governmental and societal needs for safety and security and individual privacy is the fact that public safety is—almost by definition—a collective benefit, while government infringements of privacy in the name of public safety tend to affect individuals or relatively small or politically marginal groups of people, at least in the short term. Under such circumstances, it is easier for public safety officials to dismiss or minimize privacy concerns that their actions might raise. As an illustration of the sentiment, Harvard Law School Professor William Stuntz has asserted that “reasonable people can differ about the balance, but one could plausibly conclude that the efficiency gains from profiling outweigh the harm from the ethnic tax that post-September 11 policing is imposing on young men of Middle Eastern origin.”34 The flip side of this sentiment, of course, is that community involvement and good will may well be an essential element, perhaps the most important element, of a strategy that seeks to counter terrorists concealing themselves in the nation’s communities. That is, tips about unusual and suspicious behavior are most likely to emerge when the communities in which terrorists are embedded are allied with, or at least not suspicious of, law enforcement authorities—and singling out young men of Middle Eastern origin for special scrutiny is not an approach that will create a large amount of good will in the affected communities.

34 See William Stuntz, “Local Policing After the Terror,” Yale Law Journal 111:2137, 2002.

These tensions have been magnified since the terrorist attacks of September 11. There are many who feel that if the right information had been available, along with the right tools to analyze that information and the right governmental structures that would allow the sharing of the information between law enforcement and national security agencies, those attacks could have been avoided. Part of the reaction to those attacks was the passing of laws and the creation of policies that made it easier for agencies to collect and share information and the weakening of some traditional checks and balances in the hope of enhancing national security. At the same time, there is worry that the increasingly sophisticated technology available for surveillance, data sharing and analysis, and data warehousing, when joined with the weakening of rules protecting individual information, will allow law enforcement and national security agencies a vastly expanded and largely unseen ability to monitor all citizens. The potential for abuse given such an ability is easy to imagine—for example, a law enforcement agency might be able to monitor the group gatherings of citizens objecting to a certain government policy, identifying who they meet with and perhaps what they talk about. Most citizens do not know what is technically possible, either now or in the near future. Because of this, there is often a tendency to believe that the technology is capable of far more than it can actually do, either currently or in the foreseeable future. The problem may not be in what these government agencies are capable of doing with technology, but rather with what the citizens believe those agencies can do.

These comments should not be taken to suggest that policy makers in government agencies are unaware of privacy interests. For example, under the E-Government Act of 2002, any federal agency contemplating a substantially revised or new information technology system is required to develop a privacy impact assessment (PIA; Box 9.5) for such a system before work on that system begins in earnest. In the case of the Department of Homeland Security (DHS), DHS officials indicate that findings of PIAs are, to some extent, folded into the requirements development process in an attempt to ensure that the program or system, when deployed, is at least sensitive to privacy considerations. (It should also be noted that DHS officials reject the paradigm that privacy trades off against security; they assert that the challenge is enhancing security while protecting privacy.) Nevertheless, the concern from the privacy advocates remains regarding the extent to which privacy considerations are taken into account, and the specific nature of the privacy-driven system or program adaptations.

Finally, the discussion in this chapter raises the question of what must be done when law enforcement authorities or intelligence agencies invade the privacy of Americans who are law-abiding or who pose no threat to national security. It is unrealistic to expect that the number of false positives (i.e., the number of people improperly implicated) can be reduced to zero, and thus public policy must necessarily anticipate that some such cases will arise. One option is to minimize the number of false positives, and in the event of a false positive, the person improperly implicated simply absorbs the cost and consequences of the false positive (e.g., loss of privacy and any consequential costs, such as personal embarrassment, financial loss, and so on) on behalf of the rest of society. But these costs and consequences can be dire indeed, and at least in principle our society has generally adopted the principle that individuals suffering the consequences of improper or mistaken government behavior are entitled to some kind of compensation. Providing recourse for citizens improperly treated by government authorities is generally thought to make government authorities more careful and more respectful of rights than they might otherwise be.

BOX 9.5 The Department of Homeland Security Privacy Impact Assessment

A privacy impact assessment (PIA) is an analysis of how personally identifiable information is collected, stored, protected, shared, and managed. “Personally identifiable information” is defined as information in a system or online collection that directly or indirectly identifies an individual whether the individual is a U.S. citizen, legal permanent resident, or a visitor to the United States.

The purpose of a PIA is to demonstrate that system owners and developers have consciously incorporated privacy protections throughout the entire life cycle of a system. This involves making certain that privacy protections are built into the system from the start, not after the fact when they can be far more costly or could affect the viability of the project.

Personally identifiable information is information in a system, online collection, or technology (1) that directly identifies an individual (e.g., name, date of birth, mailing address, telephone number, Social Security number, e-mail address, zip code, address, account numbers, certificate and license numbers, vehicle identifiers including license plates, uniform resource locators, Internet Protocol addresses, biometric identifiers, photographic facial images, or any other unique identifying number or characteristic), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements, that is, indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator, and any information that reasonably can be foreseen as being linked with other information to identify an individual.

In some cases the technology might only collect personal information for a moment. For example, a body-screening device might capture the full scan of an individual, and even if the information was not retained for later use, the initial scan might raise privacy concerns, and thus the development and deployment of the technology would require a PIA.

Questions asked by the PIA include the following:

Section 1.0 Information collected and maintained
1.1 What information is to be collected?
1.2 From whom is information collected?
1.3 Why is the information being collected?
1.4 What specific legal authorities, arrangements, or agreements define the collection of information?
1.5 Privacy Impact Analysis: Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated.

Section 2.0 Uses of the system and the information
2.1 Describe all the uses of information.
2.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (sometimes referred to as “data mining”)?
2.3 How will the information collected from individuals or derived from the system be checked for accuracy?
2.4 Privacy Impact Analysis: Given the amount and type of information collected, describe any types of controls that may be in place to ensure that information is used in accordance with the above described uses.

Section 3.0 Retention
3.1 What is the retention period for the data in the system?
3.2 Has the retention schedule been approved by the National Archives and Records Administration (NARA)?
3.3 Privacy Impact Analysis: Given the purpose of retaining the information, explain why the information is needed for the indicated period.

Section 4.0 Internal sharing and disclosure
4.1 With which internal organizations is the information shared?
4.2 For each organization, what information is shared and for what purpose?
4.3 How is the information transmitted or disclosed?
4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.

Section 5.0 External sharing and disclosure
5.1 With which external organizations is the information shared?
5.2 What information is shared and for what purpose?
5.3 How is the information transmitted or disclosed?
5.4 Is a memorandum of understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?
5.5 How is the shared information secured by the recipient?
5.6 What type of training is required for users from agencies outside DHS prior to receiving access to the information?
5.7 Privacy Impact Analysis: Given the external sharing, describe what privacy risks were identified and how they were mitigated.

Section 6.0 Notice
6.1 Was notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix. (A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system-of-records notice published in the Federal Register Notice.) If notice was not provided, why not?
6.2 Do individuals have an opportunity and/or right to decline to provide information?

6.3 Do individuals have the right to consent to particular uses of the information, and if so, how does the individual exercise the right?
6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how they were mitigated.

Section 7.0 Individual access, redress and correction
7.1 What are the procedures that allow individuals to gain access to their own information?
7.2 What are the procedures for correcting erroneous information?
7.3 How are individuals notified of the procedures for correcting their information?
7.4 If no redress is provided, are alternatives available?
7.5 Privacy Impact Analysis: Given the access and other procedural rights provided for in the Privacy Act of 1974, explain the procedural rights that are provided and, if access, correction, and redress rights are not provided, explain why not.

Section 8.0 Technical access and security
8.1 Which user group(s) will have access to the system?
8.2 Will contractors to DHS have access to the system? If so, please submit to the Privacy Office with this PIA a copy of the contract describing their role.
8.3 Does the system use “roles” to assign privileges to users of the system?
8.4 What procedures are in place to determine which users may access the system, and are they documented?
8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?
8.6 What auditing measures and technical safeguards are in place to prevent misuse of data?
8.7 Describe what privacy training is provided to users either generally or that is specifically relevant to the functionality of the program or system.
8.8 Are the data secured in accordance with FISMA requirements? If yes, when were certification and accreditation last completed?
8.9 Privacy Impact Analysis: Given access and security controls, describe what privacy risks were identified and how they were mitigated.

Section 9.0 Technology
9.1 Was the system built from the ground up or purchased and installed?
9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
9.3 What design choices were made to enhance privacy?

SOURCE: Department of Homeland Security, Privacy Impact Assessments: Official Guidance, DHS Privacy Office, available at http://www.dhs.gov/interWeb/assetlibrary/privacy_pia_guidance_march_v5.pdf.
