Internet Regulation: Surveillance, Convenience,

and Global Privacy Protection

Should the Internet be Regulated to Protect Privacy?

My research question came about as a result of increased awareness on my part of

the numerous threats to privacy from the Internet, including "hackers" attacking personal

computers or networks, mining them for information or using trojan programs to take

control of them in the background (see, for example,

http://www.pbs.org/wgbh/pages/frontline/shows/hackers); "cookies" or other "spyware" or "web

bugs" inconspicuously downloaded from web pages to visitors’ computers for tracking

purposes; and surveillance by government agencies, such as the FBI using a program

popularly known as "Carnivore" that can filter vast amounts Internet traffic, including

"private" emails. The following report describes the unfolding of events.

On July 11, 2000, the existence of an FBI Internet monitoring system called "Carnivore" was widely reported. Although the public details were sketchy, reports indicated that the Carnivore system is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. The FBI claims that Carnivore "filters" data traffic and delivers to investigators only those "packets" that they are lawfully authorized to obtain. Because the details remain secret, the public is left to trust the FBI's characterization of the system and—more significantly—the FBI's compliance with legal requirements.

One day after the initial disclosures, EPIC filed a Freedom of Information Act (FOIA) request seeking the public release of all FBI records concerning Carnivore, including the source code, other technical details, and legal analyses addressing the potential privacy implications of the technology. On July 18, after Carnivore had become a major issue of public concern, EPIC asked the Justice Department to expedite the processing of its request. When DOJ failed to respond within the statutory deadline, EPIC filed suit in U.S. District Court seeking the immediate release of all information concerning Carnivore.

In late January 2001, the FBI completed its processing of EPIC's FOIA request. The Bureau revised its earlier estimate and reported that there were 1756 pages of responsive material; 1502 were released in part and 254 were withheld in their entirety. The litigation is scheduled to resume in May 2001 after the FBI has submitted a detailed justification to the court explaining the legal basis for its withholdings. (Electronic Privacy Information Center, 2001, http://www.epic.org/privacy/carnivore.)

This diagram, provided by the FBI, shows how the program is designed to operate. (Center for Democracy and Technology, 2000, http://www.cdt.org/security/carnivore. Also available at http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm.)

According to Reg Whitaker, in his book The End of Privacy: How Total

Surveillance is Becoming a Reality, domestic surveillance is a symptom of "national

insecurity." He writes, "Far more significant for millions of people has been the

utilization of the tools of Intelligence for internal security: repression of dissent and

dissenters; control of turbulent or ‘dangerous’ classes; compulsory political conformity;

and the pervasive and intrusive surveillance and regulation of everyday life. National

security, or national insecurity to be more precise, is an anxiety that afflicts states across

the ideological spectrum." (1999, 19.)

As technology advances, the capability to conduct large-scale surveillance and

compile vast amounts of data increases. And as the ability to gather data increases, the

threats to privacy also increase. The ACLU has a website devoted to a project called

Echelon. The following excerpt is from that website.

Echelon is perhaps the most powerful intelligence gathering organization in the world. Several credible reports that suggest that this global electronic communications surveillance system presents an extreme threat to the privacy of people all over the world. According to these reports, ECHELON attempts to capture staggering volumes of satellite, microwave, cellular and fiber-optic traffic, including communications to and from North America. This vast quantity of voice and data communications are then processed through sophisticated filtering technologies.

This massive surveillance system apparently operates with little oversight. Moreover, the agencies that purportedly run ECHELON have provided few details as to the legal guidelines for the project. Because of this, there is no way of knowing if ECHELON is being used illegally to spy on private citizens.

This site is designed to encourage public discussion of this potential threat to civil liberties, and to urge the governments of the world to protect our rights. (http://www.aclu.org/echelonwatch/index.html.)

Other articles have appeared describing Echelon and reactions to it, corroborating

its existence. The following article, written by Doug Brown (2000), provides some

additional insight into the project.

"A U.S.-driven international project to spy on citizens in other countries is growing quickly as digital communications spread around the world," said Duncan Campbell, a Scottish journalist who prepared an influential report about the subject for the European Parliament.

Code-named Echelon, the project, which has been around since the end of World War II, has never been acknowledged by its alleged sponsor, the National Security Agency - although during a presentation at the Computers, Freedom and Privacy conference in Toronto Thursday, April 6, Campbell revealed classified NSA documents he obtained that show that Echelon does exist.

"There are plans in the works," Campbell said, "to build storage facilities that could hold 1000 terabytes of data, the equivalent of months of Internet traffic." Echelon currently intercepts about 1 million signals, including e-mail messages, every half-hour, he said. Using enormously powerful search tools, the agency sifts through the data hunting for communiqués that could help expose plots against the U.S., or other types of information that contribute toward national security.

"You are most likely to be targeted [by Echelon] if you are involved with a nongovernmental organization with international operations," he said. The Red Cross, for example, is an international nongovernmental organization, as is Amnesty International.

The work of harvesting communications - digital, voice and other - involves assistance from Australia, Canada, New Zealand and the U.K., Campbell said.

The subject of Echelon has stirred passions in Europe, where it is accused of serving as a global spy effort that benefits first and foremost the U.S., with some benefits also accruing to its partners. Protesters in France and Germany have marched against the program, and the European Parliament is considering proposals to address Echelon.

The Pew Internet & American Life Project has published results of a survey taken

earlier this year that show Americans are worried enough about crime on the Internet that

"54% of Americans approve of the idea of FBI monitoring of suspects’ email, while 34%

disapprove. There is equal public support of the FBI monitoring of email, phone calls,

and postal mail." But, "Only 31% of Americans say they trust the government to do the

right thing most of the time or all of the time." (Fox, 2001.) Everyone it seems is willing

to allow the authorities to track down terrorists and criminals. But what happens if some

cabal gets control and decides to blur the line distinguishing "environmentalists" from

"terrorists" and uses the excuse of "national security" to monitor and harass those they

view as inimical to their economic programs? In his testimony before the Senate

Judiciary Committee, James X. Dempsey points out the difficulty of balancing the

interests of law enforcement against privacy protection.

We focus in this testimony primarily on the Fourth Amendment issues, where this Committee, along with the rest of society, is confronted with what might seem to be a dilemma: how to fight crime on the Internet without intruding on privacy.

A starting point in resolving this apparent dilemma is to recognize that the Internet is a uniquely decentralized, user-controlled medium. Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all already federal crimes, and appropriately so. But Internet security is not a problem primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter most effectively addressed by the private sector, which has built this amazing medium in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match, given the rapid pace of technology change and the decentralized nature of the medium. The tools for warning, diagnosing, preventing and even

investigating infrastructure attacks through computer networks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime. While the potential for the government to help is limited, the risk of government doing harm through design mandates or further intrusions on privacy is very high. (Center for Democracy and Technology, 2000, http://www.cdt.org/testimony/000525dempsey.shtml.)

In the United States, however, perhaps the greatest threat to personal privacy is

not from government surveillance, but from surveillance by private companies, which

"have benefited from the fact that most privacy law protects citizens against invasions by

the government, not by business. And much of the case law on the subject dates back 50

years, long before the Internet and other technology gave companies new tools to collect

and use personal information about consumers." (Sanders, 2001.)

Far from being wary, consumers eagerly provide information in exchange for

some perceived benefit, or merely by participating in what Whitaker (1999, 141) calls

"the consumer Panopticon." In a recent article for The Atlantic Monthly, Toby Lester

writes,

People give away vast amounts of valuable information about themselves, wittingly or unwittingly, by using credit cards, signing up for supermarket discount programs, joining frequent-flyer clubs, sending e-mail, browsing on the Internet, using electronic tollbooth passes, mailing in rebate forms, entering sweepstakes, and calling toll-free numbers. Such behaviors are essentially voluntary (although a somewhat abstract case can be made that they are the product of what has been called "the tyranny of convenience"), but many other ways of participating in everyday life basically require the divulging of information about oneself. A person can't function in American society without regularly using a Social Security number, which has become a de facto national ID number--and which, as such, is the key to all sorts of private information. (2001, 28.)

In recent years the United States has come under increasing pressure to conform

to the European Union (EU) Data Protection Directive (the Directive), which became

effective on October 25, 1998. The Directive "places numerous controls on the collection,

use, and transfer of personal information" (Prescott, 2000) and calls for legislation to

protect individuals from invasions of privacy by businesses as well as governments. A

recent report in the Financial Times highlights the tension between the U.S. and Europe:

The European Union has rejected a US request that it delay implementing a central element of its controversial directive for safeguarding privacy of personal data, saying it will not postpone action because of "US domestic constraints".

The wide-ranging directive aims to protect data about EU citizens against misuse worldwide. It is backed by the power to cut off data flows to countries that the EU judges not to have adequate data protection rules and enforcement.

The directive, enacted in late 1998, has repeatedly caused frictions with the US, which has accused the EU of trying to impose laws beyond its own frontiers. (de Jonquieres, 2001.)

Charles Prescott, writing for the pro-business U.S. Direct Marketing Association,

describes the Safe Harbor which U.S. companies are trying to negotiate in order to satisfy

the Directive’s "adequate level of protection" provisions.

Because the EU does not appear to view the United States as having an adequate level of protection, businesses in the United States may not be able to access data from EU countries without either contracts between US businesses and the EU owners of the data or Safe Harbor. These restrictions affect the access to any personal data in the EU, including data from a US business's European subsidiary. Any contracts or Safe Harbor must sufficiently guarantee an adequate level of protection for the data. To date, a model contract has not yet been established and authorized by the EU Commission.

The Safe Harbor is a system in which a U.S. company may voluntarily self-certify to the U.S Department of Commerce or its designee that it will adhere to certain privacy principles. Companies making such certifications would be presumed to provide an adequate level of protection, and data transfers from the European Community to these companies would continue. (http://www.the-dma.org/library/privacy/safeharbor1.shtml.)

The United States has a long tradition of limitations on government intrusions on

privacy, but is unwilling to provide the kind of business regulation called for by the

Directive. Self-regulation has long been preferred over government regulation in the

United States, and in such industries as accounting, self-imposed standard-setting and

peer review procedures have provided sufficient credibility to stave off increased

attempts to further regulate the profession. (Even so, the accounting profession is heavily

regulated by many governmental bodies. For example, the various states have created

Boards of Accountancy establishing licensing requirements and oversight of licensees;

the Securities Exchange Commission regulates reporting with respect to publicly-traded

investments; in 1974 Congress passed the Single Audit Act—which empowers the Office

of Management and Budget to regulate the reporting on audits of state and local

governments with respect to federal grant monies; the various local, state, and federal tax

authorities regulate reporting required by both profit and nonprofit organizations with

respect to income tax and information returns; and, in addition, certain individual

departments of the government, such as Housing and Urban Development, have their

own separate reporting requirements.)

You may have noticed you have been getting a lot of privacy policy notices in the

mail lately? Have you noticed the opt-out provisions regarding the sharing of information

with "affiliates?" The language in the original draft of the Directive, however, provided

for "opt-in," requiring your specific consent to share information. According to Priscilla

Regan, "The European Direct Marketing Association (EDMA) and other business groups

spent over $50 million lobbying primarily against the 'opt in' requirement of the October

1990 Data Protection Draft directive and restriction on transfer of data to third countries."

(1999, 207)

Now that the directive has been approved and member states are considering their legislative responses, observers are once again pondering whether this will provoke stronger legislation in the United States. Based on analysis of events leading up to approval of the directive, it is more likely that American businesses will continue to work through and with their European partners and counterparts, rather than lobbying for change in U.S. laws.

American business regards the application of market-based solutions as the appropriate alternative to legal solutions. The preference has been, and is likely to continue to be, for voluntary, self-regulation rather than regulation imposed by law. In response to threats of legislative action and to domestic consumer pressure, many American businesses have adopted 'Codes of Fair Information Use.' Such market-based codes may be relevant to the creation of a global solution. The Data Protection Directive requires that 'adequacy' of American data protection policy be evaluated in light of 'all circumstances

surrounding a data transfer operation.' These codes will be used by business as evidence of the protection offered.

However, pressure for an American data protection or privacy commission is likely to continue from outside the United States. National governments prefer to deal with national governments, and representatives from data protection commissions prefer to deal with representatives from data protection commissions. (Regan, 1999, 211-213.)

It seems that Europe has taken a key leadership role in this arena. One of the

contentious points about the privacy regulation as mandated by the Directive, is policy

extending beyond the borders of any one nation-state. A recent court case in France has

made Internet history, when a French judge "ordered the Yahoo Web site to prevent

French residents from viewing Nazi memorabilia in its online auctions." (Guernsey,

2001.) Privacy advocates fear the Internet will either become geographically fragmented

or will fall to the lowest common denominator of "allowable content."

In conformity with the 1980 OECD Guidelines (Brin, 1998, 74), most European

countries have enacted stronger privacy protection than the U.S. Some writers feel this

response is a direct result of their unpleasant experience with the likes of Adolf Hitler,

whose lieutenants routinely used the census data of newly conquered territories to round

up "undesirables" and put them into concentration camps. David Flaherty writes, for

example, that "the Holocaust Museum in Washington, DC, features a Hollerith machine

used in the 1930s to try to identify and keep track of Jews in German-controlled

territory." (1999, 27.) A brief biography of Herman Hollerith, as written by Simson

Garfinkel, will add perspective to the subject:

Herman Hollerith was a young man who came to the census office after graduating from Columbia College in 1879. Hollerith saw the census problems and soon became obsessed with the idea of building a machine that would somehow automate the clerical work. He spent a year looking at the problem, then left and spent a year teaching mechanical engineering at MIT. He returned to Washington, this time spending a year in the Patent Office. Finally, he quit government service in 1884 to become a full-time inventor.

Hollerith realized that information from each census form could be stored by punching holes on pieces of paper, and that by repeatedly counting the holes in different ways, he could perform the basic statistical operations the census office

required. In 1889, he entered and won a competition organized by the census office, earning a contract to process the census forms with his tabulating machines the following year. With these new machines, the census was tabulated in just six weeks, and Hollerith became the toast of census officials around the world.

In 1896, Hollerith incorporated his business, the Tabulating Machine Company. He sold the business in 1911, receiving $1 million for his stock and a promise of continued employment with the successor firm, the Computing-Tabulating-Recording Company (CTR). Three years later, CTR hired Thomas J. Watson, who in 1924 renamed the company the International Business Machines Corporation (IBM). (2000, 17-18.)

In spite of the arguments in favor of self-regulation, there are compelling reasons

to consider the place of government in this debate. The Directive deals with the

protection of data in any number of different transactions in which individuals might be

involved. This paper’s focus is privacy on the Internet. But how can any government

regulate the Internet? Lawrence Lessig argues, in his book Code and Other Laws of

Cyberspace, that what can be regulated of the Internet is its code, which is its

architecture, and he insists that there is a public policy issue:

But isn't it clear that government should do something to make this architecture consistent with important public values? If commerce is going to define the emerging architectures of cyberspace, isn't the role of government to ensure that those public values that are not in commerce's interest are also built into the architecture?

Architecture is a kind of law: it determines what people can and cannot do. When commercial interests determine the architecture, they create a kind of privatized law.

Ordinarily, when we describe competing collections of values, and the choices we make among them, we call these choices "political." Choices among values, choices about regulation, about control, choices about the definition of spaces of freedom—all this is the stuff of politics. Code codifies values, and yet, oddly, most people speak as if code were just a question of engineering. Or as if code is best left to the market. Or best left unaddressed by government.

As the world is now, code writers are increasingly lawmakers. They determine what the defaults of the internet will be; whether privacy will be protected; the degree to which anonymity will be allowed; the extent to which access will be guaranteed.

How the code regulates, who the code writers are, and who controls the code writers—these are questions that any practice of justice must focus in the age of cyberspace. The answers reveal how cyberspace is regulated. (1999, 59-60.)

We can agree that computer code is the architecture of the Internet, or at least a

very significant component of that architecture, but does architecture exercise the amount

of influence over what people can and cannot do that Lessig claims it does? In an

example of how architecture literally controls people, Whitaker describes Bentham’s idea

for the architecture of a particular kind of prison called the Panopticon.

The idea of the Panopticon is simple. Imagine a prison constructed in circular form. On the outer perimeter of each level are the individual cells, each housing a single prisoner and each entirely isolated from the other to make it impossible for a prisoner to see or hear fellow prisoners. Each cell is visible to the gaze of the Inspector, who is housed in a central office from which he can scan all cells on the same level.

Although the prisoners' behavior is made permanently visible to the Inspector, the prisoners cannot actually see the face and eyes of the Inspector who is rendered opaque, a silhouette that reminds them of his continuous presence, but an 'utterly dark spot' whose features cannot be deciphered. The point is discipline or training. As the prisoners fear they may be constantly watched and fear punishment for transgressions, they internalize the rules; actual punishment will thus be rendered superfluous.

The Inspector sees without being seen. His presence, which is also an absence, is in his gaze alone. The prisoners, incarcerated in their individual cells, are also incarcerated in their bodies. They cannot escape the sweeping gaze that seems to stand outside the corporeal world, yet penetrates it and renders it transparent.

The Panopticon is, at bottom, nothing more than sleight of hand. But according to Bentham it creates a context in which the subjects have no alternative but to believe that appearance is reality. (1999, 32-35.)

In the above example the prisoners have lost something more than their freedom—they have lost their privacy.

What is Privacy?

Why is the issue of privacy important? In the conservative tradition of a liberal

democracy such as in the United States, privacy is so fundamental that the U.S.

Constitution does not even mention it. Rather, privacy is one of those "inalienable rights"

spoken of in the Declaration of Independence. This right has been codified in many state

constitutions, for example in the California Constitution as follows:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. (Article I, Section I.)

Of the many definitions of privacy, the most basic is "the right to be left alone"

from a famous 1890 essay, as described by Lester in the following passage:

...until the late nineteenth century Americans for the most part thought of privacy as a physical concept: if one needed to protect it, or just wanted more of it, one simply moved west, where there were fewer people likely to know or care what one was doing. By the closing years of the nineteenth century, however, things had changed: the frontier's limits had been reached, the population was growing rapidly, and a blitz of novel technologies had arrived.

Two of these were cameras and high-speed printing presses. For the first time, spontaneous, unposed pictures could be taken, quickly printed in newspapers and books, and distributed widely, all without the subjects' consent. This possibility was highly unsettling to many people (as it still is in remote cultures less familiar with photography), and it led to an article by Samuel D. Warren and the future Supreme Court justice Louis D. Brandeis—"The Right to Privacy," published in the Harvard Law Review, on December 15, 1890—that began to define privacy for the modern age.

Warren and Brandeis's masterstroke was to document in the common law the presence of a "principle which protects personal writings and any other productions of the intellect or of the emotions," and to argue that "the law has no new principle to formulate when it extends this protection to the personal appearance, sayings, acts, and to personal relation, domestic or otherwise." In other words, the two men broadened the legal conception of privacy to include not only the tangible but also the intangible realm. (2001, 33-34.)

The Supreme Court is commonly believed, however, to have first considered the

constitutionality of the right to privacy in the case of Griswold v. Connecticut (1965). But

according to Richard Arneson, the Supreme Court’s decision was flawed.

The right to privacy that was claimed to have constitutional status by the U.S. Supreme Court in Griswold v. Connecticut (1965) has also attracted objections, to the effect that the conception of privacy defined by the justices was constructed by misclassification and confusion. Griswold, an officer of the Planned Parenthood League of Connecticut, had been convicted as an accessory under a Connecticut statute that prohibited any person from using "any drug, medicinal article or instrument for the purpose of preventing conception." Griswold's specific act had been to counsel married couples regarding contraception. The Court reversed his conviction on the ground that the Connecticut statute as applied to his case violated a right of privacy that was within the "penumbras, formed by emanations from" specific guarantees in the Bill of Rights. This decision has proved controversial on several counts, one being that the Court was really protecting a liberty or autonomy interest, not anything that could properly be called "privacy." (2000, 91.)

Engelhardt, in his essay Privacy and Limited Democracy: The Moral Centrality of

Persons, philosophically supports the idea that our government is defined by consensual

limits, and argues that privacy is therefore a Ninth Amendment right.

Thus, consent forms the authority for government, not divine will or moral rationality, since both are precluded by competing views of God and moral rationality. Authority only comes from the permission of those who collaborate. In such circumstances, rights to privacy announce the plausible limits of the authority of others and of the state over the individual by disclosing the boundaries of consent. Or to put matters more positively, rights to privacy mark where individuals continue to maintain authority over themselves. (2000, 124.)

The Ninth Amendment indicates not just a constitutional, prima facie right to act on one's own moral and religious commitments in areas over which individuals have not ceded authority to the government; it also establishes a view of democracy as essentially limited. The moral force of the Ninth Amendment's acknowledgement that individuals have moral authority over themselves, comes from its retained-rights language. (Ibid., 138.)

Rights to privacy are not merely privileges dispensed by governments. They are spheres of authority maintained by individuals and not ceded to society or government. Hence, the burden of proof falls on government when it claims the right to intrude on the sphere of privacy. The claim of a right to privacy is, thus, not to be regarded as requiring a justification for an exemption from the constraints of good public morals, fairness, and justice that provide the structure for the general society. The moral burden of proof lies on those who would interfere in spheres of privacy by imposing a particular morality, view of human flourishing, or conception of fairness. (Ibid., 140.)

In another essay, Richard Epstein raises the issue of surveillance by stating that

"…constitutional guarantees of liberty and property…in the relevant case law…are

hemmed in by an acceptance of the state ‘police power,’ which allows for regulation to

preserve (at the very least) ‘the safety, health, and morals’ of the public at large. (2000, 2-

3.) But again, who decides what is in the best interest of the public at large? A private

doctor cannot prescribe marijuana for medicinal use without violating U.S. narcotics

laws. Does this mean that allowing doctors to make decisions regarding the dispensing of

pharmaceuticals is not in the best interest of the public?

Rene Laperriere (1999, 193) writes that "Privacy as a social value has defied

many attempts at a definition, and that is good. A definition, especially in the legal field,

is an exercise in power. It tends to limit the notion to the terms of the definition, whereas

privacy should remain one of the last ramparts against the exercise of power on

individuals."

Probably the best "definition," then, of privacy I have found is the one offered by Janlori

Goldman in her essay Privacy and Individual Empowerment in the Interactive Age.

The difficulty of defining privacy and its underlying principles has stymied and paralyzed policy makers and philosophers. Yet defining privacy and its value to individuals and society is essential if we are to develop cohesive and rational information privacy policies. We must understand why preserving and enhancing privacy is an ultimate 'good' before we can expect policy makers, the private sector, and privacy and consumer advocates to reach some common ground on core privacy principles and their application. From a privacy perspective, people must be able to maintain some control over personal information in order to fully realize other core values, including autonomy, liberty, free expression, and civic participation.

Information privacy is defined here as incorporating two components. The first component is the right to retreat from the world, from one's family, neighbors, community, and government. The component allows us to shield ourselves, physically and psychologically, from the prying eyes of others. We think of this privacy value as it was initially conceived by Justice Louis Brandeis over a century ago as 'the right to be let alone.'

The second component of privacy is the right to control information about oneself, even after divulging it to others. This component acknowledges the

critical value of being able to step forward and participate in society without having to relinquish all control over personal information.

An emblem of a vibrant, participatory democracy is the ability of people to develop as individuals, separate and distinct from one another, with the confidence to hold and express their own political opinions, beliefs, and preferences. A free society tolerates—even revels in—such individuality, recognizing it as the bedrock of an open society and as a necessary precursor to ensuring free speech and political participation. (1999, 101-102.)

Finally, no discussion of privacy would seem complete without mentioning the four kinds

of privacy, here described so well by David Brin.

The most complete form of privacy, solitude, is about seeking separation from your fellow humans and being secure against intrusion, observation, or interruption, free to "let your hair down" and do what you would not do if there were a chance of being watched. Most people find enforced or protracted solitude intolerable, but when undertaken voluntarily it can be essential for creativity, a sense of freedom, or restoring the soul.

To be anonymous is to be unnamed, unnoticed, part of a crowd. In an urban setting, anonymity can provide many of the same benefits as solitude, letting us stroll down a busy street content that no one is likely to be looking at us at this precise moment. Yet, in the anonymous context we can be people watchers, or express feelings we might suppress if those nearby knew our name. While this kind of privacy leaves hooligans and criminals unaccountable, anonymity also shelters a shy person from having to guard every word.

Reserve could be illustrated by an elegant person who is detached and dignified—or else by the pimply kid sitting across from you on a bus, withdrawn behind headphones into his own private world. Such people are not necessarily anonymous. You may know their names. Yet by choice they are not entirely there. They withhold opinions and confidences, preserving them to share with others, or at another time. Even the most extroverted among us wants the option to choose, moving back and forth across a spectrum of reserve.

Intimacy is the opening of a door between two gardens, a merging of realities, even as the rest of humanity is barred from taking part. If the gist of all types of privacy is choice and control, then intimacy—the choice of whom to share with, how much, and for how long—is its purest form.

If I sound sympathetic to all four types of privacy mentioned above, the reader should not be surprised. As a human, I recognize all these needs in myself, and can extrapolate that they also apply to the other bipedal beings around me who are striving, shouting, and hurting. Moreover, to be an eccentric in this world

is to have special needs and cravings for solitude, anonymity, reserve, and intimacy. (1998, 78-79.)

Existing and Pending Legislation

The first legislation aimed specifically at protecting privacy was the Fair Credit

Reporting Act (FCRA) passed by the Congress in 1971, which "gave consumers new

rights regarding information stored about them in credit-related databanks." (Garfinkel,

2000, 23.)

After literally decades of inactivity, the U.S. lawmakers have begun to pay attention to

the issue of privacy again. In 1998, the 105th Congress passed the Children’s Online

Privacy Protection Act (COPPA), which provides for FTC regulations on information

from children over the Internet. In April 2001, the FTC announced "settlements with

three Web operators for violations of the Children's Online Privacy Protection Rule

(COPPA Rule)." (http://www.ftc.gov/opa/2001/04/girlslife.htm.)

In 1999, the 106th Congress passed the Financial Services Modernization Act of 1999

(Gramm-Leach-Bliley) which contains privacy protection provisions. Below is the

summary of the final FTC regulations with respect to this Act.

The Federal Trade Commission (the ‘‘Commission’’ or ‘‘FTC’’) is publishing a final privacy rule, as required by section 504(a) of the Gramm-Leach-Bliley Act, Pub. L. 106-102 (the ‘‘G-L-B Act’’ or ‘‘Act’’), with respect to financial institutions and other persons under the Commission’s jurisdiction, as set forth in section 505(a)(7) of the Act. Section 504 of the Act requires the Commission and other federal regulatory agencies to issue regulations as may be necessary to implement notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to section 503 of the G-L-B Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of the disclosure. This final rule implements the

requirements outlined above. This rule is effective November 13, 2000. Full compliance is required by July 1, 2001. (16 CFR, Part 313.)

To date, eighteen resolutions affecting privacy have been introduced and referred

to committee in the 107th Congress. These resolutions are listed in the Appendix.

With regard to the Internet, there has been additional legislation in other areas

such as free speech, access, encryption, and wiretaps. These laws are beyond the scope of

this paper, but the Center for Democracy and Technology website (http://www.cdt.org) is an

excellent resource for tracking federal legislation affecting the Internet. See also the

Electronic Frontier Foundation website at http://www.eff.org.

Conclusion: Are You Ready for Future Shock?

"Implanted ID tags have become all the rage for saving precious pets. Internal homing

devices have the ability to thwart kidnappers. Now that the future has arrived, would you

prefer your chip in your wrist or forehead?" (Mechanic, 1996.)

In October 1987, Daniel Man, an Israeli-born plastic surgeon practicing in Boca Raton, Fla., patented a homing device implant designed for humans under the name "Man's Implanted." Unlike the animal chip, the human device runs on long-lasting lithium batteries and periodically transmits a signal that would allow authorities to pinpoint a person's exact location using cellular phone towers or helicopters carrying triangulation equipment. The batteries, Man says, could be replenished twice a year—"like an electric toothbrush"—using a charger held against the skin.

Both Man and Zacky Meltzer, the engineer who has helped Man's device take shape, hail from Israel, where terrorism is a constant threat and security issues are paramount. Inspired by several prominent kidnap-murder cases, Man intended the implant for use as a safeguard against child abduction. "When I was a resident in plastic surgery, I was in many situations when this was needed and there wasn't anything like it," says Man. "The idea was to get something very small that would fit outside or inside the body without being detected."

When the bugs are worked out, Man's device could be used to thwart child kidnappers, protect foreign dignitaries, monitor prisoners and protect cars from theft. (Indeed, some models already carry anti-theft transmitters that operate on a similar principle.)

So far, Man's implant has not been marketed. To do so will require approval from the U.S. Food and Drug Administration, a costly and time-consuming process. But the estimated $500,000 needed to bring the product to market may be forthcoming. Man has been contacted by interested companies, plus government agencies—including the U.S. Navy—which say they want to use the device to track marine mammals. The FBI also has expressed an interest in the device, according to Man's assistant, Faye Shelkofsky.

The utility of the device is undeniable, but the Orwellian and biblical ramifications have raised the hackles of civil libertarians, religious groups and militia members, among others, who see the potential for misuse. Some Christians quite literally view Man's invention, or some related technology, as "the mark" used by the Antichrist to identify his followers, according to the Bible book of Revelation. (Ibid., http://www.metroactive.com/papers/metro/12.12.96/implants-9650.html.)

The religious groups concerned are those that believe the microchip is the Mark

of the Beast, which was written about in Revelation. For those not familiar with this part

of the Christian Bible here is the quote:

"And he (the Antichrist) causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a [M]an; and his number is Six hundred threescore and six." (Werth, 1999, http://oak.cats.ohiou.edu/~dw142994/Tier3/policytoc.html.)

Toby Lester begins his article, The Reinvention of Privacy, with a description of a

device designed to be used for personal tracking and recovery. Is this Man’s device?

Issued as U.S. Patent 5,629,678 ("Personal tracking and recovery system"), the patent is summed up in an abstract that begins,

"Apparatus for tracking and recovering humans utilizes an implantable transceiver incorporating a power supply and actuation system allowing the unit to remain implanted and functional for years without maintenance. The implanted transmitter may be remotely actuated, or actuated by the implantee. Power for the remote-activated receiver is generated electromechanically through the movement of body muscle. The device is small enough to be implanted in a child."

Until recently such an idea might have seemed better suited to science fiction or political allegory than to real life. But in December of 1999 the patent was acquired by a Florida-based company named Applied Digital Solutions, and

it is now the basis of an identity-verification and remote-monitoring system that ADS calls Digital Angel. "We believe the potential global market for this device," ADS announces on its Web site, "could exceed $100 billion." (2001, 27.)

In his article, Lester refers an environment of " privacy space," and the "fact that

many businesses view the coming several years…as an opportunity to seize lucrative

leadership." (Ibid., 29.) Whitaker paints a harsh picture of the new "political economy of

cyberspace":

Neither individual free enterprise nor an aggressive interventionist state are particularly relevant to the new political economy of cyberspace. Hardware and software are produced by corporate giants such as IBM and Microsoft, and the infrastructure of the Internet is currently a bone of contention between the telephone and media/cable giants. The real frontier is the commodification of information by capital. To shift metaphors, cyberspace is like the commons under attack from enclosures. The relentless emphasis in recent years on 'intellectual property' as a crucial element in international trade agreements points us clearly in the direction that the so-called Information Revolution is travelling. The architecture of cyberspace may well look very much like William Gibson's fictional vision: vast, mysterious collections of data looming like mega-fortresses fiercely guarded by giant corporations—while the 'real world' wallows in urban squalor, petty criminality, violence, and tawdry escapism. (1999, 68-69.)

With these new technologies will come tremendous advantages, security, and

convenience. But along with them may come a new kind of tyranny. Will we protect our

privacy or will we be "owned" by them? One of the keys to our freedom may be using the

powerful tools of cryptography, as described by Singh (1999, 293.) "Encryption can be

seen as providing the locks and keys of the Information Age. For two thousand years

encryption has been of importance only to governments and the military, but today it also

has a role to play in facilitating business, and tomorrow ordinary people will rely on

cryptography in order to protect their privacy."

The EU Directive is not unreasonable to ask that nation-states protect their

citizens’ rights. It asks that the U.S. establish a Privacy Protection Agency, or similar

Commission, to enforce privacy legislation and protect the rights of the common citizen

against intrusion by powerful corporate interests as well as by governments. It asks that

we do this, or risk losing future business with EU countries.

2001 by Tim Shates

Prepared For:

Masters in Public Administration Program

Course: MPA 650

Seminar in the Public Policy Process

Dr. Stephen Lefevre

California State University, Northridge at Channel Islands

May 17, 2001

Epilogue

While doing some last minute research to update my notes for current events on

the Washington Post website using the search phrase "pentagon computers," my firewall

program, ZoneAlarm, blocked three attempts to access my computer. (ZoneAlarm is

available free for personal use and can be downloaded from:

http://www.zonelabs.com/products/index.html.)

The following is a text file which documents those attempts:

The firewall has blocked Internet access to your computer (NetBIOS Name) from 64.14.113.105 (NetBIOS Name). Time: 5/16/01 7:40:02

The firewall has blocked Internet access to your computer (NetBIOS Name) from 64.14.113.106 (NetBIOS Name). Time: 5/16/01 7:40:02

The firewall has blocked Internet access to your computer (NetBIOS Name) from 64.14.113.95 (NetBIOS Name). Time: 5/16/01 7:40:02

Output from ARIN WHOIS (http://www.arin.net/whois):

Exodus Communications Inc. (NETBLK-ECI-64)

2831 Mission College blvd.

Santa Clara, CA 95054

Netname: ECI-64

Netblock: 64.14.0.0 - 64.14.255.255

Maintainer: ECI

Coordinator:

Center, Network Control (NOC44-ARIN) CompServ@Exodus.net

(888) 239-6387 (FAX) (888) 239-6387

Domain System inverse mapping provided by:

NS.EXODUS.NET 206.79.230.10

NS2.EXODUS.NET 207.82.198.150

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

* Rwhois reassignment information for this block is available at:

* rwhois.exodus.net 4321

Record last updated on 12-Dec-2000.

Database last updated on 15-May-2001 22:44:34 EDT.

This article is from a link on the Exodus website (http://www.exodus.net):

Exodus Named the Number One Web Hosting Company in the Washington D.C. Metro Area!

In a recent survey by leading business publication, The Washington Business Journal, Exodus has been named D.C. metro area's Top Web Hosting Company*. As the largest Web Hosting Provider, Exodus stands above the competition to provide comprehensive IT services to the D.C. area's most prominent enterprises.

Exodus continues to lead the pack as the premier provider of outsourced IT services throughout the D.C. metro area—and the world.

References

American Civil Liberties Union. 1999. "Echelon Watch." http://www.aclu.org/echelonwatch/index.html.

Arneson, Richard J. 1999. "Egalitarian Justice versus the Right to Privacy?" Visions of Privacy: Policy Choices for the Digital Age. Bennett, Colin J. and Rebecca Grant, Eds. University of Toronto Press.

Brin, David. 1998. The Transparent Society. Addison-Wesley. Reading, MA.

Brown, Doug. 2000. "Journalist Describes Echelon At Privacy Conference." ZDNet. http://www.zdnet.com/zdnn/stories/news/0,4586,2522927,00.html.

Center for Democracy and Technology. 1999. "Echelon." http://www.cdt.org/security/echelon.

Center for Democracy and Technology. 2000. "Internet Security and Privacy." Testimony of James X. Dempsey before the Senate Judiciary Committee. http://www.cdt.org/testimony/000525dempsey.shtml.

de Jonquieres, Guy. 2001. "EU 'no' to data privacy delay." Financial Times. http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3M0NO0FMC.

Docherty, Neil. 2001. "Hackers." Frontline. Program #1910. Original Airdate: February 13, 2001. Produced and Directed by Neil Docherty. http://www.pbs.org/wgbh/pages/frontline/shows/hackers.

Electronic Privacy Information Center. 2001. "The Carnivore FOIA Litigation." http://www.epic.org/privacy/carnivore.

Engelhardt, H. Tristam Jr. 2000. "Privacy and Limited Democracy: The Moral Centrality of Persons." The Right to Privacy. Ellen F. Paul, Fred D. Miller Jr., & Jeffrey Paul, Eds. New York. Cambridge University Press.

Epstein, Richard A. 2000. "Deconstructing Privacy: And Putting It Back Together Again." The Right to Privacy. Ellen F. Paul, Fred D. Miller Jr., & Jeffrey Paul, Eds. New York. Cambridge University Press.

Flaherty, David H. 1999. "Visions of Privacy: Past, Present, and Future." Visions of Privacy: Policy Choices for the Digital Age. Bennett, Colin J. and Rebecca Grant, Eds. University of Toronto Press.

Fox, Susannah and Oliver Lewis. 2001. "Fear of Online Crime." Washington, D.C. Pew Internet & American Life Project. http://www.pewinternet.org.

Garfinkel, Simson. 2000. Database Nation: The Death of Privacy in the 21st Century. O’Reilly & Associates. Cambridge, MA.

Goldman, Janlori. 1999. "Privacy and Individual Empowerment in the Interactive Age." Visions of Privacy: Policy Choices for the Digital Age. Bennett, Colin J. and Rebecca Grant, Eds. University of Toronto Press.

Guernsey, Lisa. 2001. "Welcome to the World Wide Web. Passport, Please?" New York Times. March 15, 2001.

Laperriere, Rene. 1999. "The 'Quebec Model' of Data Protection: A Compromise between Laissez-faire and Public Control." Visions of Privacy: Policy Choices for the Digital Age. Bennett, Colin J. and Rebecca Grant, Eds. University of Toronto Press.

Lessig, Lawrence. 1999. Code and Other Laws of Cyberspace. Basic Books. New York.

Lester, Toby. 2001. "The Reinvention of Privacy." Atlantic Monthly. Vol. 287 No. 3, March 2001. New York.

Mechanic, Michael. 1996. "Beastly Implants." Metro Publishing Inc. http://www.metroactive.com/papers/metro/12.12.96/implants-9650.html.

Prescott, Charles A. 2000. "The US Direct Marketer's Guide to Compliance With The Safe Harbor Program For European Data." U.S. Direct Marketing Association. http://www.the-dma.org/library/privacy/safeharbor1.shtml.

Regan, Priscilla M. 1999. "American Business and the European Data Protection Directive: Lobbying Strategies and Tactics." Visions of Privacy: Policy Choices for the Digital Age. Bennett, Colin J. and Rebecca Grant, Eds. University of Toronto Press.

Sanders, Edmund. 2001. "Privacy Cases Not Yielding Much Payoff." Los Angeles Times, Sunday, May 6, 2001. http://www.latimes.com/business/20010506/t000038096.html.

Singh, Simon. 1999. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor Books. New York.

U.S. Federal Trade Commission. http://www.ftc.gov/privacy/index.html.

Werth, David. 1999. "Human Microchip Implants." http://oak.cats.ohiou.edu/~dw142994/Tier3/policytoc.html.

Whitaker, Reg. 1999. The End of Privacy: How Total Surveillance is Becoming a Reality. The New Press. New York.

Appendix - Privacy 107th Congress

Source: Center for Democracy and Technology (http://www.cdt.org/legislation/107th/privacy)

Bill # Name (Sponsor) Summary Status

S 851 Citizens' Privacy Commission Act of 2001 (Thompson)

Establishes a commission to conduct a study of government privacy practices.

5/9/01: Introduced and refCommittees on Governme

HR 583 Privacy Commission Act (Hutchinson)

"To establish the Commission for the Comprehensive Study of Privacy Protection."

2/13/01: Introduced and reGovernment Reform CommMarkup by the SubcommitGovernment Efficiency.

HR 1478 Personal Information Privacy Act of 2001 (Kleczka)

Protects the privacy of Social Security Numbers and other personal information.

4/4/01: Introduced and refCommittees on Ways and Financial Services. 4/24/0Financial Services CommiSubcommittee on FinanciaConsumer Credit.

HR 1215 Medical Information Protection and Research Enhancement Act of 2001 (Greenwood)

Establishes protection for medical records and other health-care related information.

"3/27/01: Introduced and rCommittees on Energy andon the Judiciary. 4/16/01: RCommerce Committee to SHealth."

S 536 Freedom From Behavioral Profiling Act of 2000 (Shelby)

Amends the Gramm-Leach-Bliley Act to provide for a limitation on sharing of marketing and behavioral profiling information.

"3/14/01: Introduced and rCommittee on Banking, HAffairs."

S 451 Social Security Number Protection Act of 2001 (Nelson)

Establishes civil and criminal penalties for the sale or purchase of a social security number.

3/1/01: Introduced and refCommittee.

S 450 Financial Institution Privacy Protection Act of 2001 (Nelson)

"Amends the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information."

"3/1/01: Introduced and reHousing, and Urban Affair

HR 347 Consumer Online Privacy and Disclosure Act (Green)

"To require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes."

"1/30/01: Introduced and rCommerce Committee. 2/1Commerce Committee to SCommerce, Trade, and CoProtection."

HR 237 Consumer Internet Privacy Enhancement Act (Cannon/Eshoo)

"Requires web sites to provide ""clear, conspicuous, and easily understood notice"" of their information practices, as well as obvious opt-out mechanisms; prevents collection of personal information unless users have the opportunity to opt out of that information's disclosure and use beyond the primary purpose."

"1/20/01: Introduced and rCommerce Committee. 2/1Commerce Committee to SCommerce, Trade, and CoProtection."

S 290 Student Privacy Protection Act (Dodd/Shelby)

Prevents schools that receive federal funding from disclosing data gathered from students to commercial interests without parental consent. Also prevents schools from permitting any organization from gathering its own data about students without parental consent.

"2/8/01: Introduced and reCommittee on Health, EduPensions"

HR 220 Identity Theft Protection Act of 2001 (Paul/Bartlett)

Adds new restrictions to the use of Social Security Numbers and imposes a ban on government-wide uniform identifying numbers. The bill also calls for all Social Security Numbers to be randomly generated.

1/3/01: Introduced and refCommittee on Ways and MCommittee on GovernmenReferred by House Ways aCommittee to SubcommittSecurity.

HR 260 "Wireless Privacy Protection Act of 2001"(Frelinghuysen)

"Requires wireless services providers to give clear notice of their disclosure practices regarding location, transaction, and crash information. Also requires express written consent by customers to that information's collection and use."

1/30/01: Introduced and reCommerce Committee.

S 197 Spyware Control and Privacy Protection Act of 2001 (Edwards/Hollings)

"Controls ""spyware,"" computer programs that collect information about their users and transmit it back to the software company. The bill requires that manufacturers notify consumers when a product includes this capability, what types of information could be collected, and how to disable it. The bill also makes it illegal for programs to transmit users' information back to software manufacturers unless the user expressly enables that capability, and grants users access to any such information that is collected. Exceptions are made for validating authorized software users, providing technical support, or legal monitoring of computer activity by employers."

1/29/01: Introduced and reCommerce Committee.

S 30 Financial Information Privacy Protection Act of 2001 (Sarbanes)

"Includes a number of protections for financial and health-related information, including opt-out, limits on redisclosure of information, and rights to access and correct information."

"1/22/01: Introduced and rBanking, Housing, and UrCommittee."

HR 113 Wireless Telephone Spam Protection Act (Holt)

Prohibits the transmission of unsolicited advertisements to mobile telephones and other wireless devices.

1/3/01: Introduced and refCommerce Committee.

HR 112 "To prohibit the making, distribution, sale, installation, or use of an information collection device without proper labeling or notice and consent. (Holt)"

not available yet 1/3/01: Introduced and refCommerce Committee.

HR 89 Online Privacy Protection "Requires privacy notices on all web sites, as well as 1/3/01: Introduced and ref

Act of 2001 (Frelinghuysen)

ways for users to opt-out or limit the use of their information. Also instructs the Federal Trade Commission to establish incentives and ""safe harbors"" that will allow sites to construct their own means of protecting privacy. Permits enforcement of the act through civil actions by state attorneys."

Commerce Committee.

HR 91 Social Security On-Line Privacy Protection Act (Frelinghuysen)

Prohibits ISPs from disclosing their customers' Social Security Numbers or other related personally identifiable information without consent.

1/3/01: Introduced and refCommerce Committee.