A. Michael Froomkin (1)
"You have zero privacy. Get over it."
--Sun Microsystems, Inc., CEO Scott McNealy (2)
Information, as we all know, is power. Both collecting and collating personal information are means of acquiring power, usually at the expense of the data subject. Whether this is desirable depends upon who the viewer and subject are and who is weighing the balance. People have long believed, for example, that the citizen's ability to monitor the state tends to promote honest government, that "[s]unlight is . . . the best of disinfectants." (3) One need look no further than the First Amendment of the United States Constitution to be reminded that protecting the acquisition and dissemination of information is an essential means of empowering citizens in a democracy. Conversely, at least since George Orwell's 1984, if not Bentham's Panopticon, the image of the all-seeing eye, the Argus state, has been synonymous with the power to exercise repression. Today, the all-seeing eye need not necessarily belong to the government, as many in the private sector find it valuable to conduct various forms of surveillance or to "mine" data collected by others. For example, employers continually seek new ways to monitor employees for efficiency and honesty; firms trawl databases for preference information in the search for new customers. Even an infrequently exercised capability to collect information confers power on the potential observer at the expense of the visible: Knowing you may be watched affects behavior. Modern social science confirms our intuition that people act differently when they know they are on Candid Camera--or Big Brother Cam. (4)
In this article, I will use "informational privacy" as shorthand for the ability to control the acquisition or release of information about oneself. (5) I will argue that both the state and the private sector now enjoy unprecedented abilities to collect personal data, and that technological developments suggest that costs of data collection and surveillance will decrease, while the quantity and quality of data will increase. I will also argue that, when possible, the law should facilitate informational privacy because the most effective way of controlling information about oneself is not to share it in the first place.
Most of this article focuses on issues relating to data collection and not data collation. Much of the best work on privacy, and the most comprehensive legislation, (6) while not ignoring issues of data collection nonetheless focuses on issues relating to the storage and reuse of data. Privacy-enhancing legal and policy analysis often proceeds on the reasonable theory that because the most serious privacy-related consequences of data acquisition happen after the fact, and require a database, the use and abuse of databases is the appropriate focus for regulation. This article concentrates on the logically prior issue of data collection. Issues of data use and re-use cannot be avoided, however, because one of the ways to reduce data collection is to impose limits on the use of improperly collected data. Conversely, if limits on initial data collection are constitutional, then it is more likely that efforts to prohibit the retransmission or republishing of illicitly collected data would be held to be constitutional as well.
A data subject has significantly less control over personal data once information is in a database. The easiest way to control databases, therefore, is to keep information to oneself: If information never gets collected in the first place, database issues need never arise. It may be that "[t]hree can keep a secret--if two of them are dead," (7) but in the world of the living we must find kinder, gentler solutions. Although privacy-enhancing technologies such as encryption provide a limited ability to protect some data and communications from prying eyes and ears, it seems obvious that total secrecy of this sort is rarely a practical possibility today unless one lives alone in a cabin in the woods. One must be photographed and fill out a questionnaire to get a driver's license, show ID to get a job. (8) Our homes are permeable to sense-enhanced snooping; our medical and financial data is strewn around the datasphere; our communications are easily monitored; our lives are an open book to a mildly determined detective. Personal lives are becoming increasingly transparent to governments, interested corporations, and even to one another--as demonstrated by notorious incidents of phone eavesdropping or taping involving diverse individuals such as Britain's Prince Charles, House Speaker Newt Gingrich, and White House Intern Monica Lewinsky. (9) This general trend is driven by technological innovation and by economic and social forces creating a demand for privacy-destroying technologies. When solitude is not an option, personal data will be disclosed 'voluntarily' for transactions or emitted by means beyond our control. What remains to be determined is which legal rules should govern the collection as well as the use of this information.
In light of the rapid growth of privacy-destroying technologies, it is increasingly unclear whether informational privacy can be protected at a bearable cost, or whether we are approaching an era of zero informational privacy, a world of what Roger Clarke calls "dataveillance." (10) Part I of this article describes a number of illustrative technological developments that facilitate the collection of personal data. Collectively these and other developments provide the means for the most overwhelming assault on informational privacy in the recorded history of humankind. That surveillance technologies threaten privacy may not be breaking news, but the extent to which these technologies will soon allow watchers to permeate modern life still has the power to shock. Nor is it news that the potential effect of citizen profiling is vastly increased by the power of information processing and the linking of distributed databases. We are still in the early days of data mining, consumer profiling, and DNA databasing, to name only a few. The cumulative and accelerating effect of these developments, however, has the potential to transform modern life in all industrialized countries. Unless something happens to counter these developments, it seems likely that soon all but the most radical privacy freaks may live in the informational equivalent of a goldfish bowl. (11)
If the pace at which privacy-destroying technologies are being devised and deployed is accelerating, the basic phenomenon is nevertheless old enough to already have spawned a number of laws and proposed legal or social solutions designed to protect or enhance privacy in various ways. Part II of this article examines several of these proposed privacy enhancing policies in light of the technologies discussed in Part I. It suggests that some will be ineffective, that others will have undesirable or unconstitutional effects, and that even the best will protect only a narrow range of privacy on their own.
The relative weakness of current privacy-enhancing strategies sets the stage for the conclusion of the article, which challenges the latest entry to the privacy debate--the counsel of despair epitomized by Scott McNealy's suggestion that the battle for privacy was lost almost before it was waged. Although there is a disturbingly strong case supporting this view, a case made trenchantly by David Brin's The Transparent Society, (12) I conclude by suggesting that all is not yet lost. While there may be no single tactic that suffices to preserve the status quo, much less regain lost privacy, a smorgasbord of creative technical and legal approaches could make a meaningful stand against what otherwise seems inevitable.
A focus on informational privacy may seem somewhat crabbed and limited. Privacy, after all, encompasses much more than just control over a data trail, or even a set of data. It encompasses ideas of bodily and social autonomy, of self-determination, and of the ability to create zones of intimacy and inclusion that define and shape our relationships with each other. Control over personal information is a key aspect of some of these ideas of privacy, and is alien to none of them. On the other hand, given that we live in an age of ubiquitous social security numbers, (13) not to mention televised public talk-show confessionals and other forms of media-sanctioned exhibitionism and voyeurism, (14) it may seem reactionary to worry about informational privacy. It also may be that mass privacy is a recent invention, rarely experienced before the nineteenth century save in the hermitage or on the frontier. (15) Perhaps privacy is a luxury good by world standards, and right-thinking people should concentrate their energies on more pressing matters, such as war, famine, or pestilence. And perhaps it really is better to be watched, that the benefits of mass surveillance and profiling outweigh the costs. Nevertheless, in this article I will assume that informational privacy is a good in itself, (16) and a value worth protecting, (17) although not at all costs. (18)
I. Privacy-Destroying Technologies
Privacy-destroying technologies can be divided into two categories: those that facilitate the acquisition of raw data and those which allow one to process and collate that data in interesting ways. Although both real and useful, the distinction can be overstated because improvements in information processing also make new forms of data collection possible. Cheap computation makes it easy to collect and process data on the keystrokes per minute of clerks, secretaries, and even executives. It also makes it possible to monitor their web browsing habits. (19) Cheap data storage and computation also makes it possible to mine the flood of new data, creating new information by the clever organization of existing data.
Another useful taxonomy would organize privacy-destroying technologies by their social context. One could focus on the characteristics of individuals about whom data is being gathered (e.g., citizen, employee, patient, driver, consumer). Or, one could focus instead on the different types of observers (e.g., intelligence agencies, law enforcement, tax authorities, insurance companies, mall security, e-commerce sites, concerned parents, crazed fans, ex-husbands, nosy neighbors). At the most basic level, initial observers can be broadly categorized as either governmental or private, although here too the importance of the distinction can be overstated, because private parties often have access to government databases and governments frequently purchase privately collected data. There are some types of data collection that only the government can undertake, for example, the capture of information on legally mandated forms such as the census, driver's licenses, or tax returns. But even these examples illustrate the danger of being too categorical: some states make driver's license data and even photographs available for sale or search, and many tax returns are filed by commercial preparers (or web-based forms), giving a third party access to the data.
Databases multiply the effects of sensors. For example, cameras have a far less intrusive effect on privacy if their only use is to be monitored in real time by operators watching for commission of crimes. The longer the tapes are archived, the greater their potential effect. And, the more that the tapes can be indexed according to who and what they show rather than just where and when they were made, the more easily the images can be searched or integrated into personal profiles. Equally important, databases make it possible to create new information by combining existing data in new and interesting ways. Once created or collected, data is easily shared and hard to eradicate; the data genie does not go willingly, if ever, back into the bottle.
Reams of data organized into either centralized or distributed databases can have substantial consequences beyond the simple loss of privacy caused by the initial data collection, especially when subject to advanced correlative techniques such as data mining. (20) Among the possible harmful effects are various forms of discrimination, ranging from price discrimination to more invidious sorts of discrimination. (21) Data accumulation enables the construction of personal data profiles. (22) When the data are available to others, they can construct personal profiles for targeted marketing, (23) and even, in rare cases, blackmail. (24) For some, just knowing that their activities are being recorded may have a chilling effect on conduct, (25) speech, and reading. (26) Customers may find it discomfiting to discover that a salesperson knows their income or indebtedness, or other personal data.
When the government has access to the data, it not only gains powerful investigative tools allowing it to plot the movements, actions, and financial activities of suspects, (27) but it also gains new techniques for detecting crimes and identifying suspects. (28) Ultimately, if data is collected on everyone's location and on all transactions, it should be possible to achieve perfect law enforcement, a world in which no transgression goes undetected and, perhaps, unpunished. (29) At that point, the assumptions of imperfect detection, the need for deterrence, and the reliance on police and prosecutorial discretion on which our legal system is based will come under severe strain.
A further danger is that the government or others will attempt to use the ability to construct personal profiles in order to predict dangerous or antisocial activities before they happen. People whose profiles meet the criteria will be flagged as dangerous and perhaps subjected to increased surveillance, searches, or discrimination. Profiling is currently used to identify airline passengers who the profilers think present an above-average risk of being terrorists. (30) In the wake of the tragedy at Columbine, schools are turning to profiling to assess children for potential violence. (31) In a world where such profiling is common, who will dare to act in a way that will cause red flags to fly?
In a thorough survey, Roger Clarke suggested that the collection and collation of large amounts of personal data create many dangers at both the individual and societal levels, including:
Dangers of Personal Dataveillance
    lack of subject knowledge of data flows
    blacklisting
Dangers of Mass Dataveillance
  To the Individual
    witch hunts
    ex-ante discrimination and guilt prediction
    selective advertising
    inversion of the onus of proof
    covert operations
    unknown accusations and accusers
    denial of due process
  To Society
    prevailing climate of suspicion
    adversarial relationships
    focus of law enforcement on easily detectable and provable offences
    inequitable application of the law
    stultification of originality
    increased tendency to opt out of the official level of society
    weakening of society's moral fibre and cohesion
    repressive potential for a totalitarian government (32)
There is little reason to believe that the nosiness of neighbors, employers, or governments has changed recently. What is changing very rapidly, however, is the cost and variety of tools available to acquire personal data. The law has done such a poor job of keeping pace with these developments that some people have begun to suggest that privacy is becoming impossible.
A. Routinized Low-Tech Data Collection
Large quantities of personal data are routinely collected in the United States today without any high-tech equipment. Examples include the collection of personal data by the Federal Government for taxes and the census, data collected by states as a condition of issuing driver's licenses, and the vast amounts of data collected by the private sector in the course of selling products and services.
1. By the United States government.
The most comprehensive, legally mandated United States government data collections are the annual collection of personal and corporate tax data, and the decennial census. Both of these data collection activities are protected by unusually strict laws designed to prevent the release of personally identifiable data. (33) Other government data collection at the federal and state level is either formally optional, or aimed at subsets of the population. Some of these subsets, however, are very large. (34)
Anyone who takes a new job must be listed in the "new hires directory" designed to support the Federal Parent Locator Service. (35) This growing national database of workers enables courts to enforce court-ordered child support against working parents who are not making their support payments. Each state has its own database, which is coordinated by the Office of Child Support Enforcement within the Department of Health and Human Services. (36) Anyone receiving public assistance is likely to be in a state maintained database of aid recipients. Federal, state, and local governments also collect data from a total of about fifteen million arrestees each year. (37) The government continues to collect (and publish) data about some convicts even after they have served their sentences. (38)
License applications are formally optional data collections that have wide application--licenses are optional, but if one wants a license, one must answer the required questions.
Perhaps the most widespread data collection comes from driver's license applications, as most of the United States adult population hold driver's licenses, at least outside the few major cities with efficient mass transportation networks. In addition to requesting personal data such as address, telephone number, and basic vital statistics, some states collect health-related information, and all require a (frequently digitized) photograph.
2. Transactional data.
Any personal transaction involving money, be it working, buying, selling, or investing, tends to create a data set relating to the transaction. Unless the payment is in cash, the data set usually includes some personal data about the individual(s) involved in the transaction.
Financial data collection is an interesting example of the private sector collecting data for mixed motives. A single firm, Acxiom, now holds personal and financial information about almost every United States, United Kingdom, and Australian consumer. (39) In many cases, banks and other financial service providers collect information about their clients because the data has commercial value. In other cases, they record data because the government requires them to make routine reports to assist law enforcement efforts. In effect, private banks often act as agents of state data collection efforts.
Until machines for tracking bills by their serial numbers become much more common than today, cash payment will remain relatively anonymous. In their quest to gather personal data about customers, merchants have turned to loyalty reward programs, such as frequent shopper cards and grocery club cards. Depending upon the sophistication of the card, and of the system of which it is a part, these loyalty programs can allow merchants to amass detailed information about their customers.
Large amounts of cash trigger reporting requirements, which in turn means that financial intermediaries must collect personal data from their customers. Anti-money laundering laws (and sometimes tax laws) require financial service providers to file reports on every suspicious transaction and every time a client deposits, withdraws, or transfers $10,000 or more. Some firms, often chosen because of their location in neighborhoods thought by law enforcement to be high drug trading zones, must report transactions involving as little as $750 in cash. (40)
Alternatives to cash, such as checks, debit cards, and credit cards, create a data trail that identifies the purchaser, the merchant, the amount of the sale, and sometimes the goods or services sold.
Whether replacing paper cash with electronic cash would make transactions more secure and anonymous or create a digital data trail linking every transaction to the parties involved depends entirely on how such an electronic cash system is designed. Both extremes are possible, as are intermediate designs in which, for example, the identity of the payer is not recorded (or even identifiable), but the payee is known to the bank that issued the electronic cash. (41) Because there is currently no standard for electronic cash and relatively little e-cash in circulation, anything remains possible.
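The intermediate design mentioned above, in which the payer is unidentifiable but the payee is known to the issuing bank, is the property that blind-signature electronic cash provides. The following toy exchange is an added illustration and is not code from the article or from any deployed e-cash system; the bank key, the customer names and the unhashed coin serial are constructed simplifications. It shows both extremes on the same code path: with blinding the bank's own ledgers cannot tie a deposited coin back to the withdrawing customer, and without blinding they can.

```python
# Added illustration, not code from the article: a toy RSA blind-signature
# e-cash exchange in which the bank learns who deposits a coin (the payee)
# but cannot tell which customer withdrew it (the payer). The key is far too
# small for real use and the serial is signed without hashing; both are
# simplifications so the example runs offline in plain Python.
import secrets
from math import gcd

# Constructed toy RSA key for the bank (primes chosen for speed, not security).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private signing exponent


class Bank:
    """Signs blinded coins at withdrawal and checks signatures at deposit."""

    def __init__(self):
        # Withdrawal ledger: (customer, value the bank actually signed).
        self.withdrawals = []
        # Deposit ledger: (payee, coin serial) -- the payee is always known.
        self.deposits = []
        self.spent = set()

    def sign_withdrawal(self, customer, value):
        self.withdrawals.append((customer, value))
        return pow(value, D, N)

    def deposit(self, payee, serial, signature):
        if pow(signature, E, N) != serial:
            return False  # not a coin this bank signed
        if serial in self.spent:
            return False  # coin already deposited (double spend)
        self.spent.add(serial)
        self.deposits.append((payee, serial))
        return True


def withdraw(bank, customer, blind=True):
    """Payer side. With blind=True the bank signs serial * r^E and never sees
    the serial; with blind=False it signs the serial directly (the fully
    traceable design)."""
    serial = secrets.randbelow(N - 2) + 2
    r = 1
    if blind:
        while gcd(r, N) != 1 or r == 1:
            r = secrets.randbelow(N - 2) + 2
    blinded = (serial * pow(r, E, N)) % N
    blind_sig = bank.sign_withdrawal(customer, blinded)
    # Unblind: (serial * r^E)^D * r^-1 == serial^D mod N.
    signature = (blind_sig * pow(r, -1, N)) % N
    return serial, signature


def bank_can_link(bank, serial):
    """Return the withdrawing customer if the bank's own ledgers tie a
    deposited serial back to a withdrawal, else None."""
    for customer, value in bank.withdrawals:
        if value == serial:
            return customer
    return None


if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw(bank, "alice")
    print("deposit accepted:", bank.deposit("bobs-shop", serial, sig))
    print("payer linkable:", bank_can_link(bank, serial))  # None when blinded
```

The point of the two ledgers is that the privacy outcome is fixed by what the bank is allowed to see at withdrawal time, not by any promise about how the deposit ledger is used afterwards; the deposit ledger is identical in both designs.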
Large quantities of medical data are generated and recorded during any sustained interaction with the United States health care system. In addition to being shared among various health care providers, the information is also shared with the entities that administrate the system. (42) Under the "Administrative Simplification" provision of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), (43) standards are being developed to facilitate the electronic transfer of health-related personal data. HIPAA requires that all health information be kept in electronic form and that each individual be given a unique health identifier to index the data.
Thus, even without high technology, substantial amounts of personal data are routinely collected about almost everyone in the country. The introduction of new technologies, however, promises to raise the quantity and nature of the information that could be collected to new, somewhat dizzying, heights.
B. Ubiquitous Surveillance
Unless social, legal, or technical forces intervene, it is conceivable that there will be no place on earth where an ordinary person will be able to avoid surveillance. In this possible future, public places will be watched by terrestrial cameras and even by satellites. Facial and voice recognition software, cell phone position monitoring, smart transport, and other science-fiction-like developments will together provide full and perhaps real time information on everyone's location. Homes and bodies will be subject to sense-enhanced viewing. All communications, save perhaps some encrypted messages, will be scannable and sortable. Copyright protection "snitchware" (44) and Internet-based user tracking will generate full dossiers of reading and shopping habits. The move to web-based commerce, combined with the fight against money laundering and tax evasion, will make it possible to assemble a complete economic profile of every consumer. All documents, whether electronic, photocopied, or (perhaps) even privately printed, will have invisible markings making it possible to trace the author. Workplaces will not only be observed by camera, but also anything involving computer use will be subject to detailed monitoring, analyzed for both efficiency and inappropriate use. As the cost of storage continues to drop, enormous databases will be created, or disparate distributed databases linked, allowing data to be cross-referenced in increasingly sophisticated ways.
In this very possible future, indeed perhaps in our present, (45) there may be nowhere to hide and little that can stay hidden.
1. Public spaces.
Moving about in public is not truly anonymous: Someone you know may recognize you, and anyone can write down the license plate number of your car. Nevertheless, at least in large cities, one enjoys the illusion, and to a large extent the reality, of being able to move about with anonymity. That freedom is soon to be a thing of the past, as the "privacy commons" of public spaces becomes subject to the enclosure of privacy-destroying technology.
Fear of crime, and the rapidly declining cost of hardware, bandwidth, and storage, are combining to foster the rapid spread of technology for routinely monitoring public spaces and identifying individuals. Monitoring technologies include cameras, facial recognition software, and various types of vehicle identification systems. Related technologies, some of which have the effect of allowing real-time monitoring and tracking of individuals, include cell-phone location technology and various types of biometric identifiers.
a. Cameras.
Perhaps the most visible way in which spaces are monitored is the increasingly ubiquitous deployment of Closed Circuit Television ("CCTV") cameras and video recorders. Monitoring occurs in both public and private spaces. Generally, private spaces such as shopping malls are monitored by private security, while public spaces are monitored by law enforcement. Although public cameras are common in the United States, (46) they are even more widespread abroad. Perhaps because of fears of IRA terrorism, in addition to ordinary concerns about crime, the United Kingdom has pursued a particularly aggressive program of blanketing the nation with cameras. Cameras operated by law enforcement "are now a common feature of Britain's urban landscape. . . . The cameras have also moved beyond the city, into villages, schools, hospitals and even, in Bournemouth, covering a coastal path." (47) Cameras are also commonly used on the roads to enforce speed limits by taking photos of speeding vehicles' license plates. Polls suggest that a substantial majority of the British public approves of the cameras because they make them feel safer. And indeed, the evidence suggests that cameras reduce, or at least displace, street crime and perhaps other antisocial behaviors. (48)
Cameras can also be placed in the office, school, and home. Visible cameras allow parents to keep an eye on junior at day care. Hidden cameras can be concealed in "clocks, radios, speakers, phones, and many other items" (49) to monitor caregivers and others in the home.
Cameras are also an example of how technologies can interact with each other to multiply privacy-destroying effects. All of the videotapes in the world are of little use unless there is someone to monitor them, a useful way to index the contents, or a mechanical aid to scan through them. And, pictures alone are only useful if there is a way to identify the people in them. Thus, for example, the London Police obtained excellent quality photographs of alleged participants in a violent demonstration in the City of London on June 18, 1998, but had to post the photographs on the Internet and ask viewers for help in identification--it worked in some cases. (50)
Human monitors are expensive and far from omniscient. (51) In the near future, however, human observers will become much less important as the task of analyzing still photos and videos will be mechanized. In some cases, such as schools, offices, or prisons, data subjects can be compelled to wear IDs with bar codes. (52) In public, however, more sophisticated technologies, such as facial recognition technology, are needed to identify people. Facial recognition technology is becoming better and more reliable every year. (53) Current systems are already capable of picking out people present in two different pictures, allowing police to identify repeat demonstrators even in large crowds assembled many weeks apart. The London police installed a system called "Mandrake" that matches CCTV photos taken from 144 cameras in shopping centers, parking lots, and railway stations against mug shots of known criminals. (54) The Israeli government plans to use facial recognition technology in the hope of creating "Basel," an automated border-crossing system. (55) The United States Pentagon is also investigating the possibility of using facial recognition systems to identify potential terrorists outside military facilities. (56)
Once mated with, for example, a database full of driver's license photos, images from a series of ubiquitous cameras could be indexed by name and stored for an indefinite period of time. (Indeed, the United States Secret Service and other agencies have expressed interest in a national database of driver's license photos, and the government has spent at least $1.5 million helping a private corporation amass the data.) (57) Assuming the index and the videos are at least subject to subpoena (or perhaps the Freedom of Information Act) or even routinely placed on the Internet, alibis, mystery novels, and divorce proceedings will never be the same. One's face will nonetheless become an index marker. Devices will be available that warn you every time an individual convicted of rape or child molestation comes within 100 feet. Stores will be able to send coupons to window shoppers who browsed but did not enter ("Hi! Next time, wouldn't you like to see what we have inside?"). Worse still, once you enter, the store will be able to determine which merchandise to show you and how much to charge. (58)
b. Cell phone monitoring.
Many people can be tracked today without the use of cameras or any other device. Cellular phones must communicate their location to a base station in order to carry or receive calls. Therefore, whenever a cell phone is in use, or set to receive calls, it effectively identifies the location of its user every few minutes (within an area defined by the tolerance of the telephone). Recently, Maryland and Virginia officials unveiled a plan to use mobile phone tracking information to monitor traffic flows, although their plan does not involve capturing the identities of individual commuters, only their movements. (59)
The finer the cell phone zone, the more precisely a person's location can be identified. In the United States, a Federal Communications Commission ("FCC") regulation due to become effective in 2001 requires all United States cellular carriers to ensure that their telephones and networks will be able to pinpoint a caller's location to within 400 feet, about half a block, at least sixty-seven percent of the time. (60) The original objective of the rule was to allow emergency 911 calls to be traced, but the side-effect will be to turn cell phones into efficient tracking devices. Indeed, in a recent order, the FCC confirmed that wireline, cellular, and broadband Personal Communications Services (PCS) carriers would be required to disclose to law enforcement agents with wiretap authorization the location of a cell site at the beginning and termination of a mobile call. This was less than the FBI, the Justice Department, and the New York Police Department wanted; they had argued that they should be entitled to all location information available to the carrier. (61)
Governments are not the only ones who want to know where people are. Parents could use cell phone tracking to locate their children (or where they left the phone). Merchants are also interested in knowing who is in the neighborhood. A United Kingdom cell phone company is sending "electronic vouchers" to its six million subscribers, informing them of "special offers" from pubs in the area from which they are calling and helpfully supplying the nearby address. (62)
The privacy-destroying consequences of cell phone tracking increase dramatically when movements are archived. It is one thing to allow police to use the data to track a fugitive in real time. It is another thing to archive the data, perhaps even in perpetuity, in case police or others wish to reconstruct someone's movements. In 1997, a Swiss newspaper revealed that a local phone company kept information recording the movement of one million subscribers, accurate to within a few hundred meters, and that the data was stored for more than six months. Swiss police described the data as a treasure trove. (63) However atypical the collection and retention of cellular phone subscribers' movements may be, the Swiss phone company's actions are clearly not unique. (64) The Swiss government, at least, values this locational data so highly that it will go to great lengths to preserve its access to it. Reports in 1998 suggested that the Swiss police felt threatened by the ability of Swiss cell phone users to buy prepaid phone cards that would allow certain types of "easy" telephones to be used anonymously. The Swiss government therefore proposed that citizens be required to register when acquiring "easy" cell phones, arguing that being able to identify who is using a cell phone was "essential" to national security. (65)
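The contrast drawn in this subsection, between the Maryland and Virginia plan to count movements without capturing commuter identities and the Swiss carrier's six-month archive of individual movements, comes down to what a carrier chooses to retain. The following is an added illustration, not code from the article or from any carrier: it uses a per-day keyed hash of the subscriber identifier (a technique of my choosing, not one the article describes) so that sightings can be joined into trips within a day and then reduced to sector-to-sector counts, while nothing linkable survives across days, and it applies a retention limit to the raw feed. The subscriber identifiers, cell sectors and timestamps are constructed sample data.

```python
# Added illustration, not code from the article: one way a traffic-flow
# system like the Maryland/Virginia plan described above could count
# movements between cell sectors without keeping an archive that reconstructs
# any individual's travels. Subscriber ids, sectors and timestamps below are
# constructed sample data.
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of what a carrier sees: (ISO timestamp, subscriber, cell sector).
RAW_EVENTS = [
    ("2000-03-01T08:00:00", "sub-1001", "sector-A"),
    ("2000-03-01T08:05:00", "sub-1001", "sector-B"),
    ("2000-03-01T08:10:00", "sub-1001", "sector-C"),
    ("2000-03-01T08:02:00", "sub-2002", "sector-A"),
    ("2000-03-01T08:07:00", "sub-2002", "sector-B"),
    ("2000-03-02T08:00:00", "sub-1001", "sector-A"),
    ("2000-03-02T08:05:00", "sub-1001", "sector-B"),
]


def pseudonym(subscriber, day_key):
    """Keyed hash of the subscriber id. Stable within one day (so consecutive
    sightings can be joined into a trip), unlinkable across days once the
    day's key is gone."""
    return hmac.new(day_key, subscriber.encode(), hashlib.sha256).hexdigest()[:16]


def daily_flows(events):
    """Aggregate raw sightings into per-day counts of sector-to-sector moves.
    Only the counts are returned; the per-day key and the pseudonymous trips
    are local to this function and are not stored anywhere."""
    by_day = {}
    for ts, sub, sector in sorted(events):  # sorted puts sightings in time order
        by_day.setdefault(ts[:10], []).append((sub, sector))
    flows = {}
    for day, sightings in by_day.items():
        day_key = secrets.token_bytes(32)  # fresh key per day, never persisted
        trips = {}
        for sub, sector in sightings:
            trips.setdefault(pseudonym(sub, day_key), []).append(sector)
        counts = Counter()
        for path in trips.values():
            for a, b in zip(path, path[1:]):
                counts[(a, b)] += 1
        flows[day] = dict(counts)
    return flows


def prune(events, now, max_age_days):
    """Retention limit for the raw feed: drop sightings older than max_age_days."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_age_days)
    return [e for e in events if datetime.fromisoformat(e[0]) >= cutoff]


def cross_day_linkable(subscriber):
    """Two days, two keys: does the same subscriber get the same pseudonym?"""
    first = pseudonym(subscriber, secrets.token_bytes(32))
    second = pseudonym(subscriber, secrets.token_bytes(32))
    return first == second


if __name__ == "__main__":
    for day, counts in daily_flows(RAW_EVENTS).items():
        print(day, counts)
    print("raw records kept under a one-day limit:",
          len(prune(RAW_EVENTS, "2000-03-02T12:00:00", 1)))
```

The design choice worth noticing is that the aggregate counts are all a traffic planner needs, and they are the only thing that leaves the function; the reconstruction of any one subscriber's day, which is what made the Swiss archive a "treasure trove," is never written down.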
c. Vehicle monitoring.
Automobiles are a separate potential target of blanket surveillance. So-called "intelligent transportation systems" ("ITS") are being introduced in many urban areas to manage traffic flow, prevent speeding, and in some cases implement road pricing or centralized traffic control. (66) Ultimately, ITS promise continuous, real-time information as to the location of all moving vehicles. (67) Less complex systems already create travel records that can be stored and accessed later. (68) Some countries have also considered putting bar codes on license plates to ease vehicle identification. (69) While it is possible to design ITS in a manner that preserves the traveler's anonymity, (70) this has not been the norm.
2. Monitoring in the home and office.
Staying home may be no defense against monitoring and profiling. Existing technology can monitor every electronic communication, be it a telephone call, fax, or email. In the United States, at least, its use by either the government or private snoops is subject to substantial legal restrictions. As voiceprint, voice recognition, and content-analysis technology continue to improve, the tasks of sorting the ever-increasing volume of communications will be subjected to increasingly sophisticated automated processing. (71) Meanwhile, a number of legal technologies are already being deployed to track and archive many uses of the web.
a. Workplace surveillance.
Outside of restrooms, and the few laws banning wiretapping and reading email during transmission, (72) there are relatively few privacy protections applicable to every workplace in the nation. (73) Thus, employers may use hidden cameras, monitoring software, and other forms of surveillance more or less at will. (74) A 1993 survey, taken long before surveillance technology got cheap, showed that twenty million workers were subject to monitoring of their computer files, voice and electronic mail, and other networking communications. (75) Today, digital cameras are so small they fit on a one-inch by two-inch chip. Miniaturization lowers costs, which are expected to fall to only a few dollars per camera. (76) At these prices and sizes, ubiquitous and hidden monitoring is easily affordable. Software designed to capture keystrokes, either overtly or surreptitiously, is also readily available. For example, a program called "Investigator 2.0" costs under one hundred dollars and, once installed on the target PC, covertly monitors everything that it does and routinely emails detailed reports to the boss. (77) In addition, every technology described below that can be targeted at the home can also be targeted at the office.
b. Electronic communications monitoring.
According to a report prepared for the European Parliament, the United States and its allies maintain a massive worldwide spying apparatus capable of capturing all forms of electronic communications. (78) Known as "Echelon," the network can "access, intercept and process every important modern form of communications, with few exceptions." (79) The network is supported by a variety of processing technologies. Voiceprint recognition makes it possible to determine whether any of the participants in a call are on a watch list. If they are, the recording can be routed to a human being for review. (80) Similarly, text messages such as faxes and emails can be run through so-called dictionary programs that flag messages with interesting references or word patterns. (81) As artificial intelligence improves, these programs should become increasingly sophisticated. Meanwhile, advances in voice recognition (translating speech into text) promise to transform the telephone monitoring problem into another type of text problem. Further, once a conversation is converted into text, the National Security Agency ("NSA") is ready to gauge its importance with semantic forests: The NSA recently received a patent on a computerized procedure that produces a topical summary of a conversation using a "tree-word-list" to score the text. The patent describes a "pre-processing" phase that removes "stutter phrases" from a transcript. Then, a computer automatically assigns a label, or topic description, to the text. (82) The method promises to allow computerized sorting and retrieval of transcripts and other documents based upon their meaning, not just keywords. (83)
Not only have the communications intelligence agencies of the United States and its major allies "reaffirmed their requirements for access to all the world's communications," (84) but they have also taken a number of steps in the past two years to ensure they can get it. The NSA installed "sniffer" software to monitor and collect traffic at nine major Internet exchange points. (85) On May 7, 1999, the European Parliament passed the Lawful Interception of Communications Resolution on New Technologies, known as Enfopol. Although the Enfopol resolution is nonbinding, it serves as a declaration of the regulatory agenda of the European law enforcement community. Under the Enfopol proposal, Internet service providers and telephone companies in Europe would be required to provide law enforcement agencies with full-time, real-time access to all Internet transmissions. In addition, wireless communications providers would be required to provide geographical position information locating their cell phone customers. If the service provider offers encryption as part of the cell phone service, the provider would be required to ensure that it be able to decode the messages. (86)
Similarly, in the United States, the Communications Assistance for Law Enforcement Act of 1994 ("CALEA") requires that all new telecommunications networks be engineered to allow lawful wiretaps, although it does not address the issue of encryption. (87) The legislation also does not specify how many simultaneous wiretaps the network should be able to support, leaving this to the implementing regulations. In its initial assessment of "capacity requirements," the FBI proposed requiring carriers in major urban areas to install a maximum surveillance capacity of one percent of "engineered capacity"--in other words, to make it possible for a maximum of one out of every one hundred phone lines to be monitored simultaneously. (88) This proposal was so controversial that the FBI withdrew it and substituted a different capacity projection. (89) Although not free from all ambiguity, the revised rule appears to require very large capacity provisions. For example, the Center for Democracy and Technology calculated that under the formula proposed by the FBI, the system would have to be able to perform 136,000 simultaneous intercepts in the Los Angeles area alone. (90)
Domestic wiretapping without a court order is illegal in the United States, and only law enforcement and counter-intelligence agencies are allowed to apply for warrants. (91) State and federal courts authorized 1329 wiretaps in 1998, an increase of eighty percent over the 738 authorized a decade earlier. (92) These statistics are somewhat misleading, however, because a single wiretap order can affect hundreds of phone lines and up to 100,000 conversations. (93) The statistics are also difficult to reconcile with reports, attributed to the FBI, that on peak days up to one thousand different telephone lines are tapped in the Los Angeles area. (94) Although the number of wiretap orders is increasing, and the number of persons subject to legal eavesdropping is also increasing, these statistics are still small compared to the enormous volume of telecommunications. One reason why wiretaps remain relatively rare may be that judges have to approve them (although the number of wiretaps refused annually is reputed to be near zero); another, perhaps more important reason, is that they are expensive. The average cost of a wiretap is over $57,000, (95) with much of the expense attributable to paying the people who listen to the calls. However, as technology developed by intelligence agencies trickles down to domestic law enforcement, the marginal cost of telephone, fax, and email surveillance should decline considerably. Even if domestic law enforcement agencies remain scrupulously within the law, (96) the number of legal wiretaps is likely to increase rapidly once the cost constraint is reduced. (97)
c. Online tracking.
The worldwide web is justly celebrated as a cornucopia of information available to anyone with an Internet connection. The aspects of the web that make it such a powerful information medium (its unregulated nature, the flexibility of browsing software and the underlying protocols, and its role as the world's largest library, shopping mall, and chat room) all combine to make the web a fertile ground for harvesting personal data about Internet surfers. The more that people rely on the web for their reading and shopping, the more likely it becomes that data about their interests, preferences, and economic behavior will be captured and made part of personal profiles.
The baseline level of user monitoring is built into the most popular browsers and operates by default. Clicking on a link instructs a browser to automatically disclose the referring page to the new site. If a person has entered a name or email address in the browser's communication software that too will be disclosed automatically. (98) These features cannot be turned off--they are part of the hypertext transfer protocol--although one can delete one's name and email address from the software. Web surfers can, however, employ privacy-enhancing tools such as the anonymizer to mask personal information. (99)
The default setting on the two most popular browsers (Internet Explorer and Netscape Navigator) allows web sites to set and read all the "cookies" they want. Cookies are a means by which a browser allows a web site to write data to a user's hard drive. (100) Often this works to the user's advantage--stored passwords eliminate the need to memorize or retype passphrases. Preference information allows a web designer to customize web pages to match individual users' tastes. But the process is usually invisible; and even when made visible, it is not transparent since few cookies are user-readable.
Cookies present a number of potential privacy problems. Any user data disclosed to a site, such as an address or phone number, can be embedded in a cookie. That information can then be correlated with user ID numbers set by the site to create a profile. If taken to its limit, this would permit a particularly intrusive site to build a dossier on the user. An online newspaper might, for example, keep track of the articles a reader selects, allowing it over time to construct a picture of the reader's interests. Cookies can be shared between web sites, allowing savvy web designers to figure out what other sites their visitors patronize, and (to the extent the other sites store information in cookies) what they have revealed to those other sites. When pieced together, this "clicktrail" can quietly reveal both personal and commercial information about a user without her ever being aware of it. A frequent visitor to AIDS sites, a regular purchaser of anti-cancer medicine, or even someone who has a passion for Barry Manilow, all may have reasons for not wanting others to know of their interests or actions.
Complicating matters, what appears as one page in a browser may actually be made up of multiple parts originating from multiple servers. Thus, it is possible to embed visible, or even invisible, content in a web page, which provides an occasion for setting a cookie. Doubleclick, an Internet advertising company, serves ads that appear on a large number of commercial and advertising-supported web pages. By checking for the Doubleclick cookie, the company can assign a unique identifier to each surfer and not only trace which Doubleclick-affiliated web sites they visit, but also when, how often, and what they choose to view while they are there. (101)
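An added illustration (not from the article) of what the embedded ad server described above can reconstruct: given constructed log lines carrying its own cookie and the Referer header the browser discloses, the script groups requests into per-cookie profiles and shows how a missing cookie or a referer trimmed to its origin limits the profile.

```python
"""Reconstructing a "clicktrail" from a third-party ad server's logs.

Constructed example: one ad server embedded on several sites receives, with
each ad request, its own cookie and the Referer header naming the page the ad
sits in. Those two values alone link visits across sites and, because the
full referring URL is sent by default, reveal page-level detail.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed ad-server log: timestamp, the ad server's cookie ("-" when the
# browser sent none), and the Referer header (the page embedding the ad).
AD_SERVER_LOG = """\
2000-03-01T09:01:12 id=7f3a2c https://news.example.com/politics/story-41
2000-03-01T09:04:55 id=7f3a2c https://news.example.com/health/oncology-guide
2000-03-01T12:30:02 id=7f3a2c https://pharmacy.example.net/cart?item=anti-cancer-rx
2000-03-01T18:45:30 id=7f3a2c https://fanclub.example.org/manilow/tour-dates
2000-03-02T08:15:09 id=b81e90 https://news.example.com/sports/story-3
2000-03-02T08:20:41 id=7f3a2c https://news.example.com/health/oncology-guide
2000-03-02T11:02:00 - https://pharmacy.example.net/cart?item=anti-cancer-rx
"""


def parse_log(text):
    """Parse log lines into (timestamp, cookie_id or None, referer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cookie, referer = line.split()
        cookie_id = cookie[3:] if cookie.startswith("id=") else None
        records.append((ts, cookie_id, referer))
    return records


def build_profiles(records, referer_policy="full"):
    """Group ad requests by the ad server's cookie id.

    referer_policy "full" keeps the whole referring URL (the browser default the
    article describes); "origin" keeps only the host, the effect of a stricter
    referrer policy. Requests without the cookie cannot be linked to anything
    and are only counted. Returns (profiles, unlinkable_count).
    """
    profiles = defaultdict(
        lambda: {"sites": Counter(), "pages": [], "first": None, "last": None}
    )
    unlinkable = 0
    for ts, cookie_id, referer in records:
        if cookie_id is None:
            unlinkable += 1
            continue
        parts = urlsplit(referer)
        profile = profiles[cookie_id]
        profile["sites"][parts.netloc] += 1          # which affiliated sites
        if referer_policy == "full":                  # what was viewed there
            page = parts.path + ("?" + parts.query if parts.query else "")
            profile["pages"].append(page)
        profile["first"] = profile["first"] or ts     # when, and how often
        profile["last"] = ts
    return dict(profiles), unlinkable


def flag_sensitive(profile, keywords):
    """Keywords from the clicktrail a user may not want linked to her identity."""
    return {kw for kw in keywords if any(kw in page for page in profile["pages"])}


if __name__ == "__main__":
    records = parse_log(AD_SERVER_LOG)
    for policy in ("full", "origin"):
        profiles, unlinkable = build_profiles(records, policy)
        print(f"referer policy={policy}: {len(profiles)} profiles, "
              f"{unlinkable} unlinkable request(s)")
        for cookie_id, profile in profiles.items():
            hits = flag_sensitive(profile, ("oncology", "cancer", "manilow"))
            print(f"  {cookie_id}: sites={dict(profile['sites'])} "
                  f"{profile['first']}..{profile['last']} sensitive={sorted(hits)}")
```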
Cookies, however, are only the tip of the iceberg. Far more intrusive features can be integrated into browsers, into software downloaded from the Internet, (102) and into viruses or Trojan horses. (103) In the worst case, the software could be configured to record every keystroke.
The United States government suggested that Congress should authorize law enforcement and counter-intelligence agencies to remotely access and plant a back door in suspects' computers. (104) Using a back door could give the government access to every keystroke, allowing it to learn passwords and decrypt files protected with strong, otherwise uncrackable, cryptography. (105) The proposal in the original draft of the Cyberspace Electronic Security Act was sufficiently ambiguous that some imagined the government might even contract with makers of popular software to plant back doors that could be activated remotely as part of an investigation. Instead, the clause in question, § 2713, was quickly dropped in the face of furious opposition from civil liberties groups. (106) Other countries have considered similar plans. For example, according to the uncensored version of the Australian Walsh Report, (107) intelligence agencies sought authority to alter software or hardware so that it would function as a bugging device, capturing all user keystrokes when activated by law enforcement authorities. (108)
Monitoring issues also arise in the context of automated intellectual property rights management. Proposals abound for "copyright management technologies" (sometimes unkindly dubbed "snitchware"), (109) which would record and in some cases disclose every time a user accessed a document, article, or even page of licensed material in order to finely assess charges. Similarly, digital watermarking systems, (110) which insert invisible customized tags into electronic documents, allow those documents to be tracked. Using various forms of these technologies, owners of valuable proprietary data can sell the information with less fear that it will be copied without payment. If the information is sold in encrypted form, along with a program or device that decrypts it every time a licensee wishes to view part of the content, charging can be done on a pay-per-view basis rather than requiring a large fee in advance. Leaving aside the issue of the effect on fair use, (111) monitoring for pricing purposes only raises privacy issues if information is recorded (and thus discoverable or subject to search and seizure) or reported to the licensor. If only the quantity of use is reported, rather than the particular pages viewed or queries run, user privacy is unaffected. When metering is conducted in real time, however, it is particularly difficult for a user to be confident about what is being reported. If, for example, a copyright management system connects via the Internet to the content owner to ensure billing or even payment before access, then only the most sophisticated user will be able to determine how much information is being transmitted. The temptation to create user profiles for marketing purposes may be quite great.
Already, programs that quietly report, to a central registry in real time, every URL viewed are common. Click on "what's related" in the default configuration of Netscape 4.06 or above and every URL visited in that browser session will be reported back to a server at Netscape/AOL. Alone, this information only tells Netscape which sites people consider related to others; it helps them construct a database they can use to guide future surfers. But this data, in conjunction with cookies that recorded personal information, could be used to build extensive dossiers of individual users. There is no evidence that Netscape does this, but there is no technical obstacle preventing it. (112)
d. Hardware.
Hardware manufacturers are also deploying privacy-compromising features in a wide variety of devices. The General Motors corporation has equipped more than six million vehicles with (until recently) secret devices, akin to airplane flight data recorders known as "black boxes," that are able to record crash data. First introduced in 1990, the automobile black boxes have become progressively more powerful. The 1994 versions:
record[ed] 11 categories of information, including the amount of deceleration, whether the driver was wearing a seat belt, whether the airbag was disabled, any system malfunctions recorded by the on-board computer at the time of the crash and when the airbag inflated. A more sophisticated system installed in some 1999 models also records velocity, brake status and throttle position for five seconds before impact. (113)
Other manufacturers include less elaborate data recorders in their cars.
Makers of computer chips and ethernet card adapters used for networking and for high-speed Internet access routinely build unique serial numbers into their hardware, which can then be accessed easily over the web.
Each Intel Pentium III chip has a unique identification number. Intel originally designed the chip ID to function continuously and be accessible to software such as web browsers. (114) The intention appears to have been to make electronic anonymity impossible. Anonymous users might, Intel reasoned, commit fraud or pirate digital intellectual property. (115) With a unique, indelible ID number on each chip, software could be configured to work only on one system. Users could only mask their identities when many people used a single machine, or when one person used several machines. The unique ID could also serve as an index number for web sites, cookie counters, and other means of tracking users across the Internet.
The revelation that Intel was building unique serial numbers into Pentium III chips caused a small furor. In response, Intel announced it would commission a software program that would turn off the ID function. (116) However, Intel's software can be circumvented by a sufficiently malicious program and the ID number surreptitiously broadcast in a cookie or by other means. (117)
Intel is not the only company to put unique serial numbers into its communication-related products. For many years, all ethernet cards, the basis for networks and most DSL (118) connections, have had a "Media Access Control" (MAC) ID number, six bytes long (usually represented as twelve alphanumeric characters), built into them. This unique, unchangeable number is important for networks, because it forms part of each device's address, ensuring that no two devices get confused with each other, and that no data packets get misdelivered. The privacy issues become most acute when such a card is part of a computer that is used on the Internet or other communications networks, because the number can be used to identify the computer to which the ethernet card is attached.
Indeed, the new Internet Protocol version 6 ("IPv6"), (119) which will gradually replace the current Internet protocol, contemplates using an ethernet card's unique ID to create a globally unique identifier ("GUID"). The IPv6 standard requires software to include a GUID in the header of every Internet communication (email, web browsing, chat, and others). Computers with an ethernet card would create a GUID by combining the unique ID number assigned to the card's manufacturer with a unique number assigned to the card in the factory. (120) Thus, "[e]very packet you send out onto the public Internet using IPv6 has your fingerprints on it. And unlike your IP address under IPv4, which you can change, this address is embedded in your hardware. Permanently." (121) In response to criticism, the standard-setting bodies are considering revisions which would allow users--if they are savvy enough to do so--to pick a random number to replace the GUID from time to time. (122) But this modification is still under consideration and would not, apparently, be the default.
Even before IPv6 was introduced, some software products, notably Word 97, Excel 97, and PowerPoint 97, routinely embedded a unique ID number into every document. If a computer had an ethernet card, the programs used its MAC, much like IPv6. (123) As a result, it became possible for law enforcement and others to trace the authorship of seemingly anonymous documents if they could match the MAC to a computer. This matching task was made easier by another Microsoft product: The initial version of the Windows 98 registration wizard transmitted the unique ID to Microsoft; visitors to the Microsoft web site who had previously registered were then given a cookie with the ID number. (124) As a result, the Microsoft ID not only identified a computer, but tied it directly to an individual's personal data. These features were not documented. (125) Although there is no reason to believe that Microsoft used the information for anything other than tracking the use of its website, there are powerful financial and commercial incentives for corporations to collect this information. A filing in a recent lawsuit claims that user information collected by Yahoo was worth four billion dollars. (126) Not surprisingly, other companies, including RealNetworks and Amazon.com, have been collecting, or considering collecting, similar personal information. (127) Indeed, it is possible that Microsoft's data collection activity was a dry run for something more elaborate. Documents disclosed during the Microsoft antitrust case revealed that Microsoft had considered switching to an "annuity model" by which users would have paid an annual fee for a Windows license in future versions of the operating system. (128) Annual billing would most likely have required registering and identifying users.
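As an added example (not the article's own code) covering both the IPv6 interface-identifier scheme and the document-embedded GUID described in the last two paragraphs: it derives the EUI-64 identifier from a MAC, reads the MAC back out of an IPv6 address or a GUID, and builds the randomised identifier that breaks the link. The MAC and GUIDs are constructed, and it assumes the document ID is a standard version-1 (time-based) UUID, whose node field carries the MAC.

```python
"""Hardware identifiers leaking into network addresses and document metadata.

Constructed example. The IPv6 "modified EUI-64" scheme expands a 48-bit MAC
(24-bit manufacturer OUI + 24-bit factory-assigned number) into a 64-bit
interface identifier; a version-1 UUID carries the generating machine's MAC
in its 48-bit node field. Both are reversible, which is the privacy problem.
"""
import ipaddress
import secrets
import uuid


def mac_to_eui64_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    0xFFFE is inserted between the OUI and the factory number and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def _join(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Place a 64-bit interface identifier under the upper 64 bits of prefix."""
    upper = int(ipaddress.IPv6Address(prefix)) >> 64 << 64
    return ipaddress.IPv6Address(upper | int.from_bytes(iid, "big"))


def eui64_address(mac: str, prefix: str = "fe80::") -> str:
    """The address form the article objects to: every packet carries the MAC."""
    return str(_join(prefix, mac_to_eui64_iid(mac)))


def random_iid_address(prefix: str = "fe80::") -> str:
    """Privacy alternative: an identifier derived from no hardware value."""
    iid = bytearray(secrets.token_bytes(8))
    while iid[3:5] == b"\xff\xfe":        # never look EUI-64 shaped by chance
        iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                        # clear U/L bit: locally administered
    return str(_join(prefix, bytes(iid)))


def mac_from_ipv6(addr: str):
    """Defender's check: does this address leak a MAC? Returns it, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                       # randomised or otherwise non-EUI-64
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def sample_v1_guid(mac: str) -> str:
    """Constructed stand-in for a document ID: a version-1 UUID built on mac."""
    return str(uuid.uuid1(node=int(mac.replace(":", "").replace("-", ""), 16)))


def mac_from_guid(guid: str):
    """Same check for a document ID: version-1 UUIDs carry a 48-bit node field,
    normally the MAC. Returns it, or None for other versions or a random node
    (random nodes are marked by the multicast bit, which real MACs never set)."""
    u = uuid.UUID(guid)
    if u.version != 1:
        return None
    node = u.node.to_bytes(6, "big")
    if node[0] & 0x01:
        return None
    return ":".join(f"{b:02x}" for b in node)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"             # constructed MAC
    addr = eui64_address(mac)
    print(addr, "->", mac_from_ipv6(addr))
    print(random_iid_address(), "->", mac_from_ipv6(random_iid_address()))
    guid = sample_v1_guid(mac)
    print(guid, "->", mac_from_guid(guid))
```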
Hardware with built-in ID numbers is not yet ubiquitous, but proposals for expanding its use are increasingly common, in part because law enforcement and others fear that anonymous activities lead to criminality and antisocial behavior. For example, the fear that people could use color copiers to counterfeit United States currency has spurred makers of color copiers to put invisible, unique ID numbers in each machine in order to trace counterfeits. (129) The ID number appears in all color copies, making every copied document traceable to its originating machine. Because the quality of personal color printers continues to improve, the U.S. Treasury Department has become increasingly concerned that common inkjet color printers may become good enough for counterfeiters. As a result, the Treasury has begun to investigate the possibility of requiring printer manufacturers to build tracing information into all color printers. (130)
Ubiquitous hardware ID numbers are probably inevitable because they will enable smart homes and offices. Consider, for example, the smart refrigerator: Its computer can automatically display a shopping list of what is running short. The list can then automatically be sent to a shop over the Internet. A smart fridge also can be linked to an online cookbook to suggest suitable recipes depending upon its contents. (131) Once every food is tagged, (132) and the fridge knows its expiration date, the smart fridge can even be programmed to remind you to throw out milk that outlasts its sell-by date. Smart home and office applications such as the smart fridge or the smart office supply cabinet will provide a cornucopia of marketing data, and the information officers of food suppliers, and others, are already devising plans to get and use that information. (133) Ultimately the information may be of interest to many others as well. Insurance companies, for example, might like to know if there are any cigarette packages in the insured's home, whether she snacks regularly, and how often she eats fatty foods.
3. Biometrics.
Technology for identifying people is advancing at least as quickly as technology for identifying machines. With technologies for distinguishing human irises, fingerprints, faces, or other body parts (134) improving quickly, it seems increasingly attractive to use the "body as password" rather than base security on a passphrase, a PIN, or a hardware token such as a smart card. (135) Biometrics can be used for identification (who is this?) or authentication (what permissions does this person have?). (136)
To the extent that reliance on biometric identifiers may prevent information from being stolen or improperly disclosed, it is a privacy-enhancing technology. Some banks now use iris scans to determine whether a person is entitled to withdraw money from an ATM. (137) The United States government uses biometric identifiers in the border crossing identification cards issued to aliens who frequently travel to and from the United States on business, (138) as do several states seeking to prevent fraudulent access to welfare and other benefits. (139)
Despite the potential to enhance privacy, biometrics pose a two-pronged threat. First, a biometric provides a unique identifier that can serve as a high-quality index for all information available about an individual. The more reliable a biometric identifier, the more it is likely to be used, and the greater the amount of data likely to be linked to it. (140) Because a biometric is a part of the person, it can never be changed. It is true that current indexes, such as social security numbers, are rarely changed, which is why they make good indexes, but in extreme cases one can leave the country or join a witness protection program. As far as we know, changing an iris or a fingerprint is much more difficult. Second, some biometrics, particularly those that involve DNA typing, disclose information about the data subject, such as race, sex, ethnicity, propensity for certain diseases, and (as the genome typing improves) even more. (141) Others may provide the capability to detect states of mind, truthfulness, fear, or other emotions. (142)
DNA is a particularly powerful identifier. It is almost unique (143) and (so far) impossible to change. A number of state and federal databases already collect and keep DNA data on felons and others. (144) Attorney General Janet Reno recently asked the National Commission on the Future of DNA Evidence whether a DNA sample should be collected from every person arrested in the United States. Under this proposal, DNA information would become part of a permanent, and sizable, national database: More than fifteen million people were arrested in the United States in 1997 alone. (145) Such a plan is far from unthinkable--the Icelandic government considered a bill to compile a database containing medical records, genetic information, and genealogical information for all Icelanders. (146)
4. Sense-enhanced searches.
Sense-enhanced searches rely on one or more technologies to detect that which ordinarily could not be detected with unaided human senses. These searches differ from surveillance in public places because, with a few exceptions such as airport body searches, sense-enhanced searches are not yet routine, perhaps because of the rarity or expense of the necessary equipment. Instead, the typical sense-enhanced search is targeted at someone or something specific, or carried out at specific and usually temporary locations. Unlike home or office monitoring, which usually requires equipment inside the location of interest, many sense-enhanced searches allow someone on the outside to see what is happening inside a building, a package, or even clothing. Because there is no "entry" as the term is commonly defined, nor a physical intrusion, and because many of the technologies rely on emanations that are not coerced by the observer, these technologies may be impermissible under both the Fourth Amendment and private law trespass law. Sense-enhanced search technology is changing rapidly, raising doubts as to what constitutes a reasonable expectation of privacy in a world where we are all increasingly naked and living in transparent homes.
Governments appear to be the primary users of sense-enhanced searches, but many of the technologies are moving into the private sector as prices decrease.
a. Looking down: satellite monitoring.
Once the sole property of governments, high-quality satellite photographs in the visible spectrum are now available for purchase. The sharpest pictures on sale today are able to distinguish objects two meters long, (147) with a competing one-meter resolution service planned for later this year. (148)
Meanwhile, governments are using satellites to regulate behavior. Satellite tracking is being used to monitor convicted criminals on probation, parole, home detention, or work release. Convicts carry a small tracking device that receives coordinates from global positioning satellites ("GPS") and communicates them to a monitoring center. (149) The cost for this service is low, about $12.50 per target per day. (150)
Meanwhile, the United Kingdom is considering the adoption of a GPS-based system, already field tested in the Netherlands and Spain, (151) to prevent speeding. Cars would be fitted with GPS monitors that would pinpoint the car's exact location, link with a computer built into the car containing a database of national roads, identify the applicable speed limit, and instruct a governor built into the vehicle to stop the fuel supply if the car exceeds a certain speed. (152) GPS systems allow a receiver to determine its location by reference to satellites, but do not actually transmit the recipient's location to anyone. (153) The onboard computer could, however, permanently record everywhere the car goes, if sufficient storage were provided. The United Kingdom proposal also calls for making speed restrictions contextual, allowing traffic engineers to slow down traffic in school zones, after accidents, or during bad weather. (154) This contextual control requires a means to load updates into the computer; indeed, unless the United Kingdom wished to freeze its speed limits for all time, some sort of update feature would be essential. Data integrity validation usually relies upon two-way communication. Once such a mechanism exists between the speed control system and a central authority, the routine downloading of vehicle travel histories would become a real possibility. And even without two-way communication, satellite-control over a vehicle's fuel supply would allow immobilizing vehicles for purposes other than traffic control. For example, cars could be stopped for riot control or if being chased by police, parents would have a new way of "grounding" children, and hackers would have a new target.
That a government can track a device designed to be visible by satellite does not, of course, necessarily mean that an individual without such a device could be tracked by satellite in the manner depicted by the film Enemy of the State. However, a one-meter resolution suggests that it should be possible to track a single vehicle if a satellite were able to provide sufficient images, and satellite technology is improving rapidly.
The public record does not disclose how accurate secret spy satellites might be, nor what parts of the spectrum they monitor other than visible light. The routine privacy consequences of secret satellites is limited, because governments tend to believe that using the results in anything less th