Category Archives: Privacy

What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies

Source: Alissa Cooper, Center for Democracy and Technology, Testimony before the House Telecom Subcommittee, July 17, 2008

From the summary:
CDT Testifies Before House Telecom Subcommittee About Online Behavioral Advertising – CDT today testified before the House Telecom Subcommittee regarding the privacy implications of “deep packet inspection,” a technology underlying some online behavioral advertising models. CDT warned that consumers are increasingly concerned about the growing amount of personal data being collected by online advertising practices, but that they are ill-equipped to take steps to protect their privacy. CDT also said that the emerging advertising model partnering ISPs with ad networks brings new legal complexities and privacy risks to the e-commerce equation. CDT urged Congress to take a comprehensive look at online advertising practices and made several recommendations for designing policies and laws that insure consumer privacy and instill trust in the electronic marketplace.
See also:
CDT Senate Commerce Committee Testimony, July 09, 2008
• ISP, Ad Networking Scheme May Violate Federal and State Wiretap Laws
Press Release, July 08, 2008
CDT Legal Analysis Memo, July 08, 2008

Homeland Security Expands Requirements Over Workers, Travelers

Source: Electronic Privacy Information Center, June 2008

President Bush has signed Executive Order 12989 which gives the Department of Homeland Security authority to review employment eligibility for all federal employees and federal contractors. The decision to expand E-Verify comes after Congress rejected the President’s verification proposal and a federal court struck down the agency’s attempt to establish similar authority by regulation. EPIC testified in Congress in 2007 against the “Employment Eligibility Verification System.” Meanwhile, the Transportation Security Administration, a division of Homeland Security, will now require travelers to present identity documents or to be “cooperative.”
See also:
EPIC Spotlight on Surveillance: “National Employment Database Could Prevent Millions of Citizens From Obtaining Jobs” and EPIC Amicus in Gilmore v. Ashcroft.

Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information

Source: Government Accountability Office, GAO-08-536, May 2008

The centerpiece of the federal government’s legal framework for privacy protection, the Privacy Act of 1974, provides safeguards for information maintained by federal agencies. In addition, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments for systems or collections containing personal information.

Increasingly sophisticated ways of obtaining and using personally identifiable information have raised concerns about the adequacy of the legal framework for privacy protection. Although the Privacy Act, the E-Government Act, and related guidance from the Office of Management and Budget set minimum privacy requirements for agencies, they may not consistently protect personally identifiable information in all circumstances of its collection and use throughout the federal government and may not fully adhere to key privacy principles. Based on discussions with privacy experts, agency officials, and analysis of laws and related guidance, GAO identified issues in three major areas:

• Applying privacy protections consistently to all federal collection and use of personal information.
• Ensuring that collection and use of personally identifiable information is limited to a stated purpose.
• Establishing effective mechanisms for informing the public about privacy protections.

Related:
Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information, GAO-08-795, June 18, 2008

Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008

Center for Democracy and Technology (CDT) Urges Congress to Move This Year to Update Federal Privacy Legislation
Testimony before Senate Government Affairs Committee

REAL ID: Final Regulations

Source: Jeremy Meadows, Molly Ramsdell and Matt Sundeen, National Conference of State Legislatures, LegisBrief, Vol. 16, no. 25, June/July 2008
(subscription required)

In January, the Department of Homeland Security (DHS) issued the long-awaited final regulations on implementation of the REAL ID Act of 2005, a mere four months before the May 11, 2008, statutory implementation date. Under the act, states are required to adopt federal standards for driver’s licenses and identification cards or the federal government will not accept the licenses or identification cards for federal purposes such as boarding commercial aircraft, entering a federal building or nuclear power plant, or other purposes as determined by the secretary of Homeland Security. DHS re-estimated the cost to states of implementation at just under $4 billion over 10 years.

High-Tech Medical Records: Can electronic records transform health care?

Source: Kory Mertz and Donna Folkemer, State Legislatures, June 2008

In the middle of a legislative session, a veteran legislator from an out-county district walks into the ER near the Capitol complaining of a headache and nausea. He is handed a stack of forms to fill out. Unable to recall most of this information, he is forced to leave many fields blank, including the names of his many prescriptions. To fill in all the missing information the doctor has to run a host of tests, some very expensive. The legislator is sent home to await the test results feeling no better than when he arrived. The state foots the bill.

This is the current state of affairs in health care. Now envision this situation transformed by information technology.

The legislator enters the ER and a nurse pulls up his complete electronic health record within seconds. No forms to fill out, no prescriptions to remember. The doctor reviews the lawmaker’s record and notices that his five medications were prescribed by four different specialists. After speaking with the patient, the doctor deduces the symptoms are likely the result of a bad prescription interaction. Checking her findings with a computer system that helps make clinical decisions, the doctor prescribes an alternative medication and updates the patient’s record. The prescription is electronically sent to a pharmacy of the legislator’s choosing. No paper, no agonizing wait for the legislator and no redundant–and expensive–testing.

Former Speaker of the U.S. House of Representatives Newt Gingrich and others see health information technology (IT) as key to fixing a dysfunctional health-care system. “Health information technology is essential if we are to make any meaningful change, from reining in costs to improving the delivery of care to expanding insurance coverage. We simply cannot continue to prop up a 1950s paper-based system and expect anything to change,” says Gingrich, founder of the Center for Health Transformation.

Instant access to vital health information can save time, money and, ultimately, lives. When doctors see a patient’s complete medical history, they can make better decisions by preventing harmful drug interactions and eliminating duplicate tests or procedures. The Center for Information Technology Leadership estimates that this kind of technology would save $77.8 billion a year–or about 4 percent in a $2 trillion health system.

But moving health care into the digital age will be far from easy.

EPIC Report: “REAL ID Implementation Review: Few Benefits, Staggering Costs”

Source: Electronic Privacy Information Center

Throughout its history, the United States has rejected the idea of a national identification system. Yet, the Department of Homeland Security continues to push forward a system of identification that has been widely opposed. The REAL ID Act mandates that State driver’s licenses and ID cards follow federal technical standards and verification procedures issued by Homeland Security. REAL ID also enables tracking, surveillance, and profiling of the American public.

May 11, 2008 was the statutory deadline for implementation of the REAL ID system, but not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program. The Department of Homeland Security has faced so many obstacles that the agency now plans an implementation deadline of 2017 — nine years later than the 2008 statutory deadline.

Homeland Security claims that it is making strides in implementing the national ID program. Homeland Security Secretary Michael Chertoff encourages the use of the REAL ID system for a wide variety of purposes unrelated to the law that authorized the system. In an opinion column written by Secretary Chertoff after the publication of the final rule in January, he said, “embracing REAL ID” would mean it would be used to “cash a check, hire a baby sitter, board a plane or engage in countless other activities.” None of these uses for the REAL ID have a legal basis. Each one creates a new risk for Americans who are already confronting the staggering problem of identity theft.

Last year, EPIC submitted detailed comments to the DHS on the draft proposal for REAL ID. With the assistance of many experts, we attempted to address the enormous challenge in the project proposal. In the following report, EPIC details the many problems with the final plan to implement this vast national identification system. The REAL ID system remains filled with threats to privacy, security and civil liberties that have not been resolved.

Full report (PDF; 450 KB)

Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008

Source: Proofpoint, May 2008

From the press release:
In its fifth-annual study of outbound email and data loss prevention issues, Proofpoint, Inc. found that large enterprises continue to incur risk from–and take action against–information leaks over outbound email, as well as newer communications media such as blogs, message boards, media sharing sites and mobile devices.

41% of Large U.S. Corporations Employ Staff to Read Employee Email; 26% Terminated Employees for Email Policy Violations in the Past Year

11% Of U.S. Companies Disciplined Employees for Improper Use of Blogs/Message Boards; 13% for Social Network Violations; 14% for Improper Use of Media Sharing Sites

Consumers Union Calls For Limits on Social Security Number Use & Availability: Identity Thieves Have Easy Access to Social Security Numbers Which Leaves Consumers Vulnerable to Fraud

Source: Consumers Union, Press release, December 11, 2007

WASHINGTON, D.C. – The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports.

The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity.

See also:
H.R. 3046

REAL ID Final Rule

Source: U.S. Department of Homeland Security

From the press release:
The U.S. Department of Homeland Security (DHS) announced today a final rule establishing minimum security standards for state-issued drivers’ licenses and identification cards. The rule sets uniform standards that enhance the integrity and reliability of drivers’ licenses and identification cards, strengthen issuance capabilities, and increase security at drivers’ license and identification card production facilities. The final rule also dramatically reduces state implementation costs by roughly 73 percent.

Final Rule, Part 1 (PDF, 120 pages – 4.2 MB)
Final Rule, Part 2 (PDF, 164 pages – 5.6 MB)
Privacy Impact Assessment for REAL-ID (PDF; 277 KB)

Privacy Rights Clearinghouse

Source: Privacy Rights Clearinghouse

The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission — consumer information and consumer advocacy. It was established in 1992 and is based in San Diego, California. It is primarily grant-supported and serves individuals nationwide.

The PRC’s goals are to:
• Raise consumers’ awareness of how technology affects personal privacy.
• Empower consumers to take action to control their own personal information by providing practical tips on privacy protection.
• Respond to specific privacy-related complaints from consumers, intercede on their behalf, and, when appropriate, refer them to the proper organizations for further assistance.
• Document the nature of consumers’ complaints and questions about privacy in reports, testimony, and speeches and make them available to policy makers, industry representatives, consumer advocates, and the media.
• Advocate for consumers’ privacy rights in local, state, and federal public policy proceedings, including legislative testimony, regulatory agency hearings, task forces, and study commissions as well as conferences and workshops.

Also in Spanish