<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Surveillance</title> <atom:link href="http://www.cippguide.org/tag/surveillance/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>CALEA: Increasing Government Surveillance, Limiting Technological Innovation</title><link>https://www.cippguide.org/2012/01/19/calea-increasing-government-surveillance-limiting-technological-innovation/</link> <comments>https://www.cippguide.org/2012/01/19/calea-increasing-government-surveillance-limiting-technological-innovation/#comments</comments> <pubDate>Thu, 19 Jan 2012 12:00:57 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[CALEA]]></category> <category><![CDATA[FCC]]></category> <category><![CDATA[Surveillance]]></category> <category><![CDATA[wiretapping]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2812</guid> <description><![CDATA[This article takes a look at the Communications Assistance for Law Enforcement Act (CALEA), which was passed in 1994 to facilitate law enforcement authorities’ wiretapping of digital telephone networks. In 2004, the FCC suggested substantial expansions in the scope of the CALEA in its Notice of Proposed Rulemaking (NPRM). In August 2005, the FCC’s Final Rule expanded the CALEA to include Internet broadband and VoIP providers. This article also explores privacy watchdogs’ criticism of government surveillance [...]]]></description> <content:encoded><![CDATA[<p>Since its enactment in 1994, privacy rights experts and watchdogs have been wary of the <a
href="http://cippguide.org/tag/CALEA/">Communications Assistance for Law Enforcement Act</a> (CALEA). This article explores the history of the CALEA, how it has evolved over the years and some privacy issues surrounding wiretapping and other forms of surveillance.</p><p><strong>Background</strong></p><p><a
href="http://epic.org/privacy/wiretap/calea/calea_law.html">CALEA was passed in 1994</a> in order to facilitate law enforcement authorities’ wiretapping of digital telephone networks. It was the first piece of legislation in history that required telecommunications companies to modify their equipment in order to facilitate government surveillance. The FBI originally proposed the CALEA in 1992. This proposal was broadly inclusive – for instance, computer networks would have been part of this Act, in the name of government surveillance.</p><p>The CALEA essentially forced telephone companies to redesign their architectures in order to facilitate wiretapping. Notably, the CALEA did not regulate data traveling over the internet.</p><p>According to privacy watchdogs, wiretapping of suspected criminal activity by law enforcement agencies can rapidly degenerate into suspicionless monitoring of the general public, which violates the <a
href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution">Fourth Amendment</a>.</p><p><a
href="http://www.privacyrights.org/fs/fs9-wrtp.htm">According to the Privacy Rights Clearinghouse</a>, “Wiretapping is any interception of a telephone transmission by accessing the telephone signal itself.” Another related concept is ‘electronic eavesdropping,’ which is defined as “the use of an electronic transmitting or recording device to monitor conversations without the consent of the parties.”</p><p>Under US law, there are very few situations in which wiretaps are legal. However, technological improvements have made it increasingly easy to illegally wiretap communications.</p><p><strong>Evolution of CALEA</strong></p><p>In August 2004, the <a
href="https://www.cippguide.org/tag/fcc/">Federal Communications Commission</a> (FCC) released a <a
href="http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-04-187A1.pdf">Notice of Proposed Rule Making</a> (NPRM), which expanded the boundaries of CALEA by redefining what constitutes telephone service, concluding that broadband Internet access providers and managed VoIP systems substantially replace local exchanges and therefore are subject to the requirements of CALEA.</p><p>In August 2005, the FCC announced a Final Rule, which expanded CALEA to Internet broadband providers and certain VoIP providers.</p><p><strong>Critics Say…</strong></p><p>In response to the expanding reach of CALEA, the <a
href="https://www.eff.org/">Electronic Frontier Foundation</a> (EFF) has listed a number of objections and concerns. These are briefly summarized below.</p><ul><li><strong>Wiretapping Convenience</strong> – According to the EFF, wiretapping is already a relatively easy practice as is. Existing legislation already permits law enforcement agencies to place Internet users under surveillance, regardless of what programs or protocols are being used to communicate. The reality is that most types of surveillance have gotten easier in this day and age.</li><li><strong>“Tappability Principle” is Problematic</strong> – The FBI suggested that if something is legally searchable sometimes, it should be physically searchable all the time (the “tappability principle”). However, this could lead to all individual phones having built-in bugs, leaving consumers to trust that the phone companies or law enforcement would not activate those bugs without a legitimate reason.</li><li><strong>Increased Costs for Services </strong>– Expanding CALEA in the manner suggested by the FCC’s NPRM would cause broadband providers to spend millions of dollars restructuring their network architectures and designing and manufacturing surveillance-friendly technologies. This would cause telecommunications bills to skyrocket. It would also eliminate privacy-friendly technologies from the marketplace.</li><li><strong>Takes a Toll on Innovation</strong> – CALEA compliance would significantly reduce the scope of technological research and development. It would also allow the FCC to have authority over a wider range of technologies. CALEA’s requirements might result in economic incentives for software developers to create new programs (e.g. email, IM programs) that are more surveillance-friendly. 
This would mean that innovators will need to work within the guidelines of CALEA’s surveillance.</li><li><strong>Phone Regulations are not Applicable</strong> – The NPRM assumes that regulations that apply within the phone network (a closed, insulated system) should be extended to the internet (an open, always-changing system). This could severely hamper technological development and innovation on the Internet, where new services and devices are being introduced all the time.</li><li><strong>Internet Insecurities</strong> – Unfortunately, many of the technologies that are used to create surveillance-friendly computer networks might increase the risk of attacks or breaches of personal data. Broadband service providers who must make their networks or applications more tappable end up introducing potential points of vulnerability into their system. Many users are unaware of this reality when they register for such services.</li></ul><p><strong>Surveillance-Industrial Complex</strong></p><p>Services that facilitate wiretapping, and the types of policies necessitated by legislation such as the CALEA, essentially facilitate what the American Civil Liberties Union (ACLU) refers to as the <a
href="http://www.aclu.org/files/FilesPDFs/surveillance_report.pdf">surveillance-industrial complex</a>, which involves the integration of private individuals and organizations with a government-sanctioned surveillance network. Private entities motivated by profiting from surveillance activities have an incentive to lobby for increased government surveillance authority.</p><p>Regarding the CALEA, the ACLU <a
href="http://www.aclu.org/files/FilesPDFs/surveillance_report.pdf">comments</a>,</p><p>“Americans have long feared the specter of the government maintaining dossiers filled with information about the lives of individual, innocent citizens. Data retention, whether mandatory or de facto, achieves the same goal indirectly, by ensuring that information is stored by corporations – from where, as we have seen, it can easily be accessed by the authorities.”</p><p><strong>Summary </strong></p><p>This article takes a look at the Communications Assistance for Law Enforcement Act (CALEA), which was passed in 1994 to facilitate law enforcement authorities’ wiretapping of digital telephone networks. In 2004, the FCC suggested substantial expansions in the scope of the CALEA in its Notice of Proposed Rulemaking (NPRM). In August 2005, the FCC’s Final Rule expanded the CALEA to include Internet broadband and VoIP providers. This article also explores privacy watchdogs’ criticism of government surveillance expansion.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Communications Assistance to Law Enforcement Act – CALEA (I.B.a.iii.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/01/19/calea-increasing-government-surveillance-limiting-technological-innovation/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Senate Investigates Mobile Data Collection, Companies Respond to Consumer Fears</title><link>https://www.cippguide.org/2011/10/04/senate-investigates-mobile-data-collection-companies-respond-to-consumer-fears/</link> <comments>https://www.cippguide.org/2011/10/04/senate-investigates-mobile-data-collection-companies-respond-to-consumer-fears/#comments</comments> <pubDate>Tue, 04 Oct 2011 12:00:03 +0000</pubDate> 
<dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[data collection]]></category> <category><![CDATA[Do-Not-Track]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[GPS]]></category> <category><![CDATA[mobile devices]]></category> <category><![CDATA[regulators]]></category> <category><![CDATA[Senate]]></category> <category><![CDATA[SPI]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2591</guid> <description><![CDATA[On May 19, 2011, a US Senate subcommittee met to discuss "Consumer Privacy &#38; Protection in the Mobile Market Place." As mobile phones and location-based apps are becoming more ubiquitous, this has raised a number of consumer concerns regarding the amount and type of sensitive information that is being collected, stored and shared by developers and third-parties. [...]]]></description> <content:encoded><![CDATA[<p>US and European regulators alike are turning their focus to mobile technology, especially the collection of location-based data and other consumer behavioral information. An <a
href="http://www.mobileforum.com/blogs/26-000-people-stalked-using-gps-devices-year-2006-119">American statistic</a> revealed that over 26,000 adults were stalked annually through the use of <a
href="http://www.cippguide.org/tag/GPS/">GPS</a> devices, including those on mobile phones. This number is from 2006, and today there are three times as many smartphones in use.</p><p>On May 19, 2011, the <a
href="http://commerce.senate.gov/public/">US Senate Committee on Commerce, Science and Transportation</a> had a hearing that focused on “Consumer Privacy &amp; Protection in the Mobile Market Place.” Present were representatives from Google, Apple and Facebook, as well as David Vladeck, director of the Bureau of Consumer Protection of the <a
href="http://www.cippguide.org/tag/FTC/">Federal Trade Commission</a> (FTC).</p><p><strong>Voicing Concerns</strong></p><p>At the subcommittee hearing, Senator John Rockefeller <a
href="http://www.clickz.com/clickz/news/2072622/growing-scrutiny-mobile-collection">expressed concerns</a> about the amount of information mobile devices are actually able to collect about their owners. He demanded stronger controls over how and when such personal data is shared, saying, “As smartphones become more powerful, more personal information is being concentrated in one place. Consumers want to understand and have control of their personal information.” Senator Rockefeller is the chairman of the US Senate Committee on Commerce, Science and Transportation.</p><p><a
href="http://abcnewsradioonline.com/politics-news/senate-subcommittee-investigates-mobile-safety-data-collecti.html">According to Senator Al Franken</a>, the chairman of the judiciary subcommittee on Privacy, Technology and the Law, “Consumers have a fundamental right to know what data is being collected about them. I also believe they have a right to decide whether or not they want to share that information and with who they want to share it and when.”</p><p>Jessica Rich from the FTC <a
href="http://www.pointofview.net/site/News2?page=NewsArticle&amp;id=17115&amp;news_iv_ctrl=1201">expressed worries</a> about mobile device safety, saying, “These concerns stem from the always-on, always-with-you personal nature of mobile devices.” She also pointed out the possible hazards of “invisible collection and sharing of data with multiple parties, the ability to track consumers – including children and teens – to their precise location.”</p><p><strong>Responding to the Fears</strong></p><p>In response to the increased concerns regarding mobile data collection, Catherine Novelli, Apple’s VP of worldwide government affairs explained that the company currently provides tools allowing customers to control the collection and use of data on its mobile devices, including location data. <a
href="http://crashcollective.com/uncategorized/growing-scrutiny-of-mobile-data-collection/">Novelli said</a>, “Apple does not track users’ locations – Apple has never done so and has no plans to ever do so.” However, the recent flurry of activity over the company’s iPhone and 3G-enabled iPads speaks to the contrary.</p><p>Alan Davidson, Google’s director of public policy for the Americas <a
href="http://crashcollective.com/uncategorized/growing-scrutiny-of-mobile-data-collection/">responded</a> that Google supports the development of a legal privacy framework that ensures broad-based user trust and that will support continued innovation.</p><p>Bret Taylor, the Chief Technology Officer of Facebook, <a
href="http://crashcollective.com/uncategorized/growing-scrutiny-of-mobile-data-collection/">warned</a> that too much regulation may stifle innovation amongst mobile technology and service providers: “Adopting overly restrictive policies will prevent our social features from functioning in the way that individuals expect and demand.”</p><p><strong>FTC Suggestions</strong></p><p>In its statement to the subcommittee, the FTC suggested extending the application of its <a
href="http://www.ftc.gov/opa/2010/12/dnttestimony.shtm">Do-Not-Track mechanism</a>. Introduced in December 2010, the Do Not Track feature for internet browsers would allow users to opt out of sharing browsing data completely and protect their privacy. This suggestion was made in order to give end users increased control over the amount and type of personal data stored by companies, preventing the sharing of sensitive data with third parties, or the use of sensitive data against the individual’s wishes.</p><p>The FTC recommended that this Do-Not-Track mechanism should apply to mobile and desktop devices: “At least for purposes of web browsing, the issues surrounding implementation of Do Not Track are the same on mobile devices and desk top computers.” Currently, FTC staff is developing ways to implement Do Not Track mechanisms on mobile apps.</p><p><strong>Summary</strong></p><p>This article takes a look at the May 19, 2011 Senate Subcommittee hearing on “Consumer Privacy &amp; Protection in the Mobile Market Place.” As mobile phones and location-based apps are becoming more ubiquitous, this has raised a number of consumer concerns regarding the amount and type of sensitive information that is being collected, stored and shared by developers and third-parties. The subcommittee hearing was an opportunity for those on both sides of the debate to express their opinions. 
The FTC suggested extending the Do Not Track mechanism for web browsers to include mobile devices as well.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Sensitive Personal Information (SPI) (I.A.b.)</li><li>Data accountability (I.B.c.)</li><li>Consumer privacy concerns (II.A.a.)</li><li>Government and citizen surveillance (II.A.k.)</li><li>Social networking services (VI.C.)</li><li>Location-based services (VI.E.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/10/04/senate-investigates-mobile-data-collection-companies-respond-to-consumer-fears/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Implementing the EU e-Privacy Directive: The Cookie Problem</title><link>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/</link> <comments>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/#comments</comments> <pubDate>Tue, 12 Apr 2011 12:00:44 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[cookies]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[EU e-Privacy Directive]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2400</guid> <description><![CDATA[<p>This article explores the EU e-Privacy Directive, with a focus on the “Cookie Law,” which was passed late 2009. The Directive has yet to be fully implemented in all EU member states and the amendment of the “Cookie Law” has created additional roadblocks to harmonization of legislation across Europe.</p><p>Background: e-Privacy Directive
The European Commission’s Directive of Privacy and Electronic Communications 2002/58/EC (also referred to as the e-Privacy Directive) required that public communications providers (i.e. internet service providers and telecommunications companies) inform national regulatory authorities of any data security breach. Subscribers should also be notified if the personal data breach is likely [...]]]></description> <content:encoded><![CDATA[<p>This article explores the EU e-Privacy Directive, with a focus on the “Cookie Law,” which was passed late 2009. The Directive has yet to be fully implemented in all EU member states and the amendment of the “Cookie Law” has created additional roadblocks to harmonization of legislation across Europe.</p><p>Background: e-Privacy Directive<br
/> The European Commission’s <a
href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:EN:PDF">Directive of Privacy and Electronic Communications 2002/58/EC</a> (also referred to as the e-Privacy Directive) required that public communications providers (i.e. internet service providers and telecommunications companies) inform national regulatory authorities of any data security breach. Subscribers should also be notified if the personal data breach is likely to adversely affect the personal data or the privacy of the subscriber. The deadline for member states to implement this Directive is May 25, 2011.</p><p>The Cookie Law<br
/> On November 9, 2009, the European Parliament made additions to the e-Privacy Directive, which included an effort to regulate <a
href="https://www.cippguide.org/tag/cookies/">online cookies</a>. According to the previous law, web sites were required to allow consumers to opt-out of cookies, typically by selecting a setting on their web browsers. A Parliament committee determined that the practice be reversed; users should be presented with the opportunity to opt in before cookies are placed on their computers.</p><p>Under the new addition, companies are required to secure consent from users before tracking files, such as online cookies, are placed on the users’ computers. This addition is commonly referred to as the “cookie law:”</p><p>“The new e-Privacy Directive will include a provision requiring the EU Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”</p><p>Although it does not directly mention cookies, commenters point out that the wording includes cookies as well as any other technologies which may be used to track users’ behavior through their internet browsers.</p><p>Cookie Law Controversy<br
/> The Cookie Law applies to cookies that collect personal data. Some experts have pointed out that certain cookies are not covered by this consent requirement. According to data protection authorities, persistent cookies that contain a unique user ID would qualify as personal data, thus subject to applicable data protection regulations. However, there are other types of cookies that do not meet such criteria.</p><p>Another uncertainty regarding the Cookie Law is the process by which <a
href="https://www.cippguide.org/tag/consent/">consent</a> should be obtained. The statement does not mention prior consent, but rather suggests that users are presented with an opportunity to refuse cookies before they are delivered to their computers. The means by which consent should be obtained has given rise to a series of discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states.</p><p>It is unclear if “consent” means that users need to agree to cookies when setting up their web browsers, or if they must give unambiguous consent for each and every cookie. Others have interpreted “consent” to mean a standardized plan that allows users to view and opt-out of data collected about them through cookies.</p><p>Advertising Outcry<br
/> Europe’s online advertising industry currently generates US$20.12 billion in advertising spending annually. The initial idea that cookie placement needed the user’s prior consent concerned industry executives, who argued it would be a costly and disruptive practice. As a result, the requirement of “prior consent” was moved to an addendum.</p><p>Rather than recurring pop-up windows requesting consent, advertising executives suggested placing icons on internet ads that rely on tracking tools. Users can click on the icon to view what data is being collected about them, or to block any cookies.</p><p>Dutch Telecommunications Act<br
/> On November 3, 2010, an <a
href="https://zoek.officielebekendmakingen.nl/kst-32549-2.pdf">amendment </a>to the Dutch Telecommunications Act was submitted to the Dutch Parliament. This was an effort to implement the EU e-Privacy Directive.</p><p>The proposed Bill requires telecommunications and internet service providers to give notification of data security breaches involving personal data to the Dutch Telecom Authority. If individuals’ privacy is likely to be compromised in a breach, service providers would also be obliged to notify the appropriate individuals.<br
/> The proposed Bill also requires that consent be secured before the use of cookies, in particular, prior to the use of third party cookies that are designed to track individuals’ web browsing activities for behavioral advertising purposes. In response to confusion regarding unambiguous consent (i.e. whether or not consent was required for placing individual cookies), the Bill indicates that browser consent would be sufficient. However, browser consent may not be enough in all situations.</p><p>Summary<br
/> This article discusses the European Union’s e-Privacy Directive, also referred to as the Directive of Privacy and Electronic Communications 2002/58/EC. The Directive is a continuation of the EU Data Protection Directive and deals with data protection and privacy issues relating to digital technologies. The article takes a look at the “Cookie Law,” an amendment to the Directive that requires user consent before cookies are placed on users’ computers. This amendment has given rise to controversial discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states. Finally, the article takes a look at how the elements of the e-Privacy Directive are being implemented in the legislation of member states.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certification Foundation exam (Foundations) and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	Online Privacy – Online Identification Mechanisms – Cookies (Foundations; III.B.g.i.)<br
/> •	Privacy-Enhancing Technologies – Web Cookies (CIPP/IT; III.B.c.i.)<br
/> •	Privacy &amp; Data Protection Regulation – Europe (Foundations; I.F.b.ii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Justice Department Pushes for Mandatory Data Retention</title><link>https://www.cippguide.org/2011/03/29/justice-department-pushes-for-mandatory-data-retention/</link> <comments>https://www.cippguide.org/2011/03/29/justice-department-pushes-for-mandatory-data-retention/#comments</comments> <pubDate>Tue, 29 Mar 2011 12:00:52 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[data retention]]></category> <category><![CDATA[Department of Justice]]></category> <category><![CDATA[Do-Not-Track]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Internet Service Provider]]></category> <category><![CDATA[ISP]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2451</guid> <description><![CDATA[On January 25, 2011, the US Department of Justice brought the issue of mandatory data retention to the House Subcommittee on Crime, Terrorism, and Homeland Security. Currently, there is no law requiring internet service providers (ISPs) to retain user data, and ISP retention practices are inconsistent in terms of type of data and retention period. Law enforcement authorities have long argued that mandatory data retention would advance criminal investigations, especially those dealing with child pornography and sexual predators. Critics argue that retention of user data would result in numerous privacy and freedom of speech [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal; font-size: 13px;">In a House subcommittee hearing held January 25, 2011, the US <a
href="http://www.justice.gov/">Department of Justice</a> called for new legislation mandating internet service providers (ISPs) to retain customer usage data for up to two years. This has resulted in a number of concerns, ranging from individuals’ privacy worries, to ISP concerns regarding the storage of large amounts of data for long periods of time.</span></h1><h2>Crucial Evidence</h2><p>In his statement before the <a
href="http://judiciary.house.gov/about/subcrime.html">Subcommittee on Crime, Terrorism, and Homeland Security</a>, Jason Weinstein, deputy assistant attorney general at the Justice Department, <a
href="http://judiciary.house.gov/hearings/pdf/Weinstein01252011.pdf">pointed out</a> that retaining data from ISPs and cell phone service providers can help provide crucial evidence in cases “including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking, and other privacy crimes.”</p><p>According to Weinstein, many of the Justice Department’s current criminal investigations are being hindered by its inability to monitor and store the online activity of users. He provided numerous examples in which the retention policies of service providers were obstructing federal, state and local law enforcement investigations. Weinstein said, “These decisions by providers to delete records are rarely done out of a lack of desire to cooperate with law enforcement; rather, they are usually done out of an understandable desire to cut costs.  Some providers also seem to delete records out of a concern for customer privacy.”</p><h2>Current Practices</h2><p>At this point, ISPs are required to preserve usage data only at the request of law enforcement authorities. Many ISPs are also collecting and maintaining “non-content records,” for instance a subscriber’s login records, information on who is using their services and how. ISPs have widely varying policies and practices regarding the storage of non-content records. In some cases, it will be deleted within days, while others may retain the data for months. Weinstein would like to see this retention period standardized, so that authorities are guaranteed to be able to access such data, should they require it.</p><p>There is currently no law that requires ISPs to retain user data. However, the push for extensive data retention legislation is not a new issue. 
In the past, FBI director Robert Mueller requested that Congress consider such legislation for similar reasons.</p><h2>Critics Say…</h2><p>Undoubtedly, the January 25<sup>th</sup> hearing has brought to the surface a number of privacy and freedom of speech concerns. The notion of law enforcement authorities tracking and retaining large amounts of information on over 230 million Americans is an unacceptable outcome for many. This may significantly impact free and anonymous speech and will change how individuals use the internet.</p><p>Jim Harper, the director of information policy studies at the <a
href="http://www.cato.org/">Cato Institute</a>, commenting on the issue of mandatory data retention, says “I fail to see where the Fourth Amendment permits the government to require dragnet surveillance of Internet users.”</p><p>Another issue is that while the federal government is pushing for pro-privacy laws, it is also contradicting itself with anti-privacy laws, such as this data retention legislation. Recently, the <a
href="https://www.cippguide.org/2011/03/01/resisting-online-tracking-new-features-tools">FTC proposed</a> that browsers include Do-Not-Track features, which would help users ensure that their information is not being retained while they browse the internet. At the same time, the Justice Department has asked for more extensive retention laws, though the two are seemingly in conflict with each other.</p><p>According to John Morris, the general counsel for the Washington DC-based think-tank <a
href="http://www.cdt.org/">Center for Democracy and Technology</a>, the hearing does not necessarily mean that a data retention bill is on the way. It is also uncertain what kind of data ISPs would be expected to retain, or if other online services (e.g. e-mail providers) might be included in the new legislation. Morris said:</p><p>“In the best-case scenario, a data retention bill will only require ISPs to track and store Internet Protocol (IP) address allocation data to help law enforcement better link Internet use to specific users. In the worst-case scenario, it could require ISPs and all sorts of online service providers to store and track everything from IP addresses to source data involving e-mail, instant messaging (IM), social media interactions and Web sites visited.”</p><h3>Summary</h3><p>On January 25, 2011, the US Department of Justice brought the issue of mandatory data retention to the House Subcommittee on Crime, Terrorism, and Homeland Security. Currently, there is no law requiring internet service providers (ISPs) to retain user data, and ISP retention practices are inconsistent in terms of type of data and retention period. Law enforcement authorities have long argued that mandatory data retention would advance criminal investigations, especially those dealing with child pornography and sexual predators. 
Critics argue that retention of user data would result in numerous privacy and freedom of speech concerns.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Methods of Data Collection (I.B.a.)</li><li>Privacy Concerns – Consumer Perspective (II.A.a.)</li><li>Government and Citizen Surveillance (II.A.k.)</li><li>Privacy Expectations – Consumer Behaviors (II.B.a.)</li><li>Online Privacy (V.D.i.1.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/03/29/justice-department-pushes-for-mandatory-data-retention/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Combatting Online Infringements &amp; Counterfeits Act</title><link>https://www.cippguide.org/2011/02/15/combatting-online-infringements-counterfeits-act-2/</link> <comments>https://www.cippguide.org/2011/02/15/combatting-online-infringements-counterfeits-act-2/#comments</comments> <pubDate>Tue, 15 Feb 2011 12:00:08 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[COICA]]></category> <category><![CDATA[copyright]]></category> <category><![CDATA[DCMA]]></category> <category><![CDATA[DMCA]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2407</guid> <description><![CDATA[<p>The US Combatting Online Infringements and Counterfeits Act (COICA) made headlines this fall as a censorship bill masquerading as a copyright infringement bill. This article explores the COICA, which aims to amend the United States Code by removing Internet sites that may be dedicated to, or involved with, infringing activities. The article also examines some potential repercussions and criticisms of the COICA, which have been raised by privacy activists and Internet experts.</p><p>What is COICA?
The Combatting Online Infringements and Counterfeits Act (COICA) refers to a potential Internet censorship bill that may be passed in the United States. While it appears to [...]]]></description> <content:encoded><![CDATA[<p>The US Combatting Online Infringements and Counterfeits Act (COICA) made headlines this fall as a censorship bill masquerading as a copyright infringement bill. This article explores the COICA, which aims to amend the United States Code by removing Internet sites that may be dedicated to, or involved with, infringing activities. The article also examines some potential repercussions and criticisms of the COICA, which have been raised by privacy activists and Internet experts.</p><p>What is COICA?<br
/> The <a
href="http://www.wired.com/images_blogs/threatlevel/2010/09/CombatingOnlineInfringementAndCounterfeitsAct1.pdf">Combatting Online Infringements and Counterfeits Act</a> (COICA) refers to a potential Internet censorship bill that may be passed in the United States. While it appears to be focused on copyright infringement issues, many critics argue that it could potentially silence political content as well.</p><p>Initially proposed by Democratic Senator Patrick Leahy, the cross-party supported COICA aims to provide the US Justice Department with the necessary tools to prevent online infringement. The objective of the bill is to create a blacklist of censored domains, through interference with the Internet’s <a
href="http://en.wikipedia.org/wiki/Domain_Name_System">DNS</a> (domain name system). Under the COICA, the Attorney General is permitted to ask the court to place any web site on the blacklist, as long as it can be proven that copyright infringement is central to the web site’s purpose.</p><p>Under the bill, two Internet blacklists would be published. Web sites appearing on the first list would receive a censorship court order from the Attorney General. These sites would have their domains blocked. The second list would consist of domain names that the Department of Justice has determined to be operating for infringement purposes. It is recommended that sites on this list be blocked, and that Internet intermediaries and DNS operators blocking these domains receive legal immunity.<br
/> In cases where the registries or registrars are located outside of the US, the COICA gives the Attorney General the authority to serve the order to other third parties. These third parties may include Internet service providers, online ad network providers and payment processors.</p><p>Blacklisted<br
/> According to the Senate Judiciary Committee’s draft COICA bill, released in September 2010, there are a number of different types of web sites that would potentially be taken offline. These sites fall under the following categories:<br
/> • One-click hosting web sites<br
/> • MP3 blogs and mashup/remix music sites<br
/> • Sites discussing piracy<br
/> One-click hosting sites allow users to upload anything, unless <a
href="http://brainz.org/dmca-takedown-101/">DMCA takedown notices</a> are received. Their practices arguably balance copyright enforcement with user innovation. According to the draft COICA, the Department of Justice has the authority to determine if piracy is central to the purpose or functioning of the web sites. Such web sites would include: <a
href="http://www.mediafire.com/">MediaFire</a>, <a
href="http://www.dropbox.com/">Dropbox </a>and <a
href="http://rapidshare.com/">Rapidshare</a>.</p><p>MP3 blogs and mashup/remix sites have historically been involved in litigation for unauthorized sampling, though such uses are protected by the fair use doctrine. Observers are concerned that the Department of Justice may simply take down such sites in fear of complaints from the recording industry. Examples of this category of sites include: <a
href="http://hypem.com/">Hype Machine</a>, <a
href="http://www.mashuptown.com/">Mashup Town</a> and <a
href="http://soundcloud.com/">SoundCloud</a>.</p><p>The final category of targeted sites includes those discussing P2P technology and piracy in an intellectual or political manner. These sites typically link to tools and information related to file sharing, which may be reason enough for the sites to be taken offline, under the COICA. Critics are concerned that this would fundamentally violate the principles of the freedom of speech. Such sites include: <a
href="http://www.slyck.com/">Slyck</a>, <a
href="http://www.zeropaid.com/">ZeroPaid</a>, <a
href="http://www.p2pnet.net/">p2pnet</a>, <a
href="http://www.infoanarchy.org/en/Main_Page">InfoAnarchy </a>and <a
href="http://pirate-party.us/news.php">pirate-party.us</a>.</p><p>Critics say…<br
/> Prominent critics of the COICA, such as the <a
href="http://www.eff.org/work">Electronic Frontier Foundation</a> (EFF), argue that the bill would have a detrimental impact on a wide range of issues, including freedom of speech, internet architecture, copyright doctrine, foreign policy and more. In a recent analysis by the EFF legislative branch, a number of points were raised regarding the harm that the COICA would do. These issues are briefly explained below:</p><p>• <strong>Anti-innovation</strong>: The bill does not resolve the problem of uncompensated artists/creators. The EFF argues that Internet services such as Pandora, Amazon Music and YouTube facilitate a marketplace for digital business to grow. Other new online services are being developed to allow artists/creators to connect with their audiences and raise revenue. However, media-sharing platforms, which give rise to artistic creativity and collaboration, would violate the requirements of the COICA.</p><p>• <strong>Censorship</strong>: The authority to determine which web sites ought to be blacklisted and which ones are acceptable is dangerous territory. The COICA permits a broad, government-initiated, domain-wide authority to take down websites, which may result in mistakes and abuses, as have been perpetrated under the <a
href="http://www.copyright.gov/legislation/dmca.pdf">Digital Millennium Copyright Act</a> (DMCA).</p><p>• <strong>DNS Undermining</strong>: According to Internet engineers, the COICA has the potential to cause significant problems for the DNS. They anticipate that once the US government starts to control DNS infrastructure, much of the Internet may shift to different DNS mechanisms that are not located in the US.<br
/> This may result in inconsistencies between the current DNS hierarchy and the new alternative mechanisms. By using these offshore DNS mechanisms, data may have to travel long physical distances over the network before users can access it on their browsers. This could increase the cost of the Internet infrastructure by 20%. Furthermore, with the dependence on offshore DNS, it may become more difficult to maintain and secure these servers, leading to potential security threats and attacks.</p><p>• <strong>Unconstitutional</strong>: Unlike the DMCA, which gives copyright owners the right to remove their own copyrighted content from a website, the COICA permits everything on a particular domain to be taken offline. This constitutes a significant violation of the freedom of speech and could potentially threaten the innovation of new content.</p><p>By the end of September 2010, privacy activists successfully delayed the passing of the COICA. The bill was postponed before the Senate’s October recess, allowing more time for debate. This result was partially due to the involvement of key Internet scientists, engineers and citizens who publicized the bill and its potential repercussions.</p><p>Summary<br
/> This article looks at the COICA (Combatting Online Infringement and Counterfeits Act), which could grant the Attorney General the power to take down entire domains. The article explores the elements of the bill, which include the release of two separate Internet blacklists for websites deemed to be dedicated to, or engaged in, copyright-infringing activities. Under the bill, a number of different types of web sites could be taken down, including: one-click hosting web sites; MP3 blogs and mashup/remix music sites; and sites discussing piracy. Finally, the article provides a brief overview of some criticisms and concerns regarding the COICA, which have been raised by Internet experts and privacy rights activists in the US.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, the Certification Foundation (Foundations) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> • US Public &amp; Private Sector Information Privacy Laws (CIPP/G; I.B.)<br
/> • Department of Justice (CIPP/G; II.B.f.iv.)<br
/> • Government and Citizen Surveillance (CIPP/IT; II.A.k.)<br
/> • Online Privacy Threats (Foundations; III.B.a.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/02/15/combatting-online-infringements-counterfeits-act-2/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Ontario’s Privacy-Protective Facial Recognition System</title><link>https://www.cippguide.org/2011/01/18/ontario%e2%80%99s-privacy-protective-facial-recognition-system/</link> <comments>https://www.cippguide.org/2011/01/18/ontario%e2%80%99s-privacy-protective-facial-recognition-system/#comments</comments> <pubDate>Tue, 18 Jan 2011 17:00:32 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Authentication]]></category> <category><![CDATA[biometric]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[cryptography]]></category> <category><![CDATA[identification]]></category> <category><![CDATA[privacy commissioners]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2402</guid> <description><![CDATA[<p>Efficient and accurate authentication of individuals is a growing challenge across a number of sectors. There are currently three main forms of authentication, based on something you know, something you have and something you are. The third form is especially interesting in light of biometric technologies as a means of verification. This article explores some recent applications of biometrics in Ontario.</p><p>OLG and OIPC Announcement
On November 12, 2010, Tom Marinelli, the Acting CEO of the Ontario Lottery &#38; Gaming Corporation (OLG) and Dr. Ann Cavoukian, the Ontario Information &#38; Privacy Commissioner (OIPC), announced a new development in privacy-protective facial recognition technology. [...]]]></description> <content:encoded><![CDATA[<p>Efficient and accurate <a
href="https://www.cippguide.org/tag/authentication/">authentication </a>of individuals is a growing challenge across a number of sectors. There are currently three main forms of authentication, based on something you know, something you have and something you are. The third form is especially interesting in light of biometric technologies as a means of verification. This article explores some recent applications of biometrics in Ontario.</p><p>OLG and OIPC Announcement<br
/> On November 12, 2010, Tom Marinelli, the Acting CEO of the <a
href="http://www.olg.ca/">Ontario Lottery &amp; Gaming Corporation</a> (OLG) and Dr. Ann Cavoukian, the <a
href="http://www.ipc.on.ca/english/Home-Page/">Ontario Information &amp; Privacy Commissioner</a> (OIPC), announced a new development in privacy-protective facial recognition technology. This <a
href="https://www.cippguide.org/tag/biometric/">biometric </a>system is scheduled to be implemented in 2011 in various OLG gaming sites throughout the province. The objective is to better protect the data of OLG customers, as well as support voluntary self-exclusion programs.</p><p>Self-Exclusion Program<br
/> One of the initiatives of the OLG is the voluntary self-exclusion program. This gives individuals the option to initiate a self-imposed ban from one or more gaming sites. Every casino in Canada offers a self-exclusion program, which varies in terms of scope, length and penalty for breaches. Ontario’s self-exclusion program enables individuals to opt out of OLG marketing and promotions databases. Individuals in the program will also be escorted from OLG gaming sites and issued a trespass notice. Enrollment in the program may last a minimum of six months and may extend indefinitely. As one of the OLG’s objectives is to detect program members who are attempting to enter a gaming site, it is necessary to improve detection.</p><p>Currently, the procedures for detecting self-excluded individuals consist of collecting a photograph and personal information, which are stored in secure binders accessible only to security personnel. However, such a manual identification process is largely inefficient and ineffective, especially since most people aren’t good at recognizing faces of those they don’t know.</p><p>In order to address these issues, a new system was developed through collaboration between <a
href="http://www.iviewsystems.com/">iView Systems</a>, an Ontario video surveillance and biometric firm, and University of Toronto researchers Professor Kostas Plataniotis and Dr. Karl Martin. This new system combines a watch list module with a biometric encryption (BE) module. The watch list relies on traditional facial recognition technology for each casino patron. The BE module releases keys for each subject on the top matches list. Should a key be released, a match alert is sounded.</p><p>Privacy Issues &amp; Biometric Encryption<br
/> Privacy professionals have been concerned that surveillance and biometric systems may compromise individuals’ privacy. Some of the main privacy issues regarding biometrics are outlined below:</p><p>1.	Data Linkage – There is the possibility that biometric databases can be linked algorithmically for data mining, profiling and investigation.</p><p>2.	Function Creep – This refers to expanding the scope of a system. For instance, the biometric data may be used for purposes other than the originally described purposes.</p><p>3.	Data Misuse – Biometric data cannot be replaced or reset, thus they present a high risk for threat or abuse.</p><p>4.	Security Vulnerabilities – Such vulnerabilities include: interception, replay, substitution, masquerade, spoofing, Trojan horse attacks and tampering.</p><p>In order to address the above privacy issues, the <a
href="http://www.privacybydesign.ca/">Privacy by Design</a> approach (discussed in further detail below) has developed a process known as biometric <a
href="https://www.cippguide.org/tag/cryptography/">encryption </a>(BE). BE securely binds a key to/extracts a key from a biometric, such that neither the key nor the biometric can be retrieved from the data, except through verification with the correct live biometric sample.</p><p>According to the OIPC, the process of BE offers the following advantages over other types of biometric systems. These advantages are outlined below:<br
/> 1.	Images, biometric templates and keys are not retained. The user’s biometrics are never stored, thus they cannot be compromised. The original biometric is untraceable.</p><p>2.	Multiple, cancellable, revocable identifiers. There is no way to associate a biometric with accounts.</p><p>3.	Improved authentication security. BE securely binds account identifiers to an individual’s biometric. There is no need for the user to remember these identifiers.</p><p>4.	Greater public confidence, acceptance and use. BE enables biometric data to remain under the control of the individual, which limits the possibility of identity theft and surveillance.</p><p>5.	Greater compliance with privacy legislation.</p><p>6.	Suitable for large-scale applications. Other biometric systems store data on centralized databases, which are highly vulnerable to identity theft. There is less risk with BE.</p><p>Privacy by Design Approach<br
/> The Privacy by Design (PbD) Approach was developed by Dr. Ann Cavoukian during the 1990s. It is based on the notion that technology can be used to protect, rather than encroach upon, privacy. PbD links the international standard fair information practices with the 7 Foundational Principles. These unique principles are as follows:</p><p>1. <strong>Proactive </strong>– PbD strives to be proactive, anticipating and preventing privacy invasions, rather than reactive.</p><p>2. <strong>By Default</strong> – Personal data is automatically protected in any IT system or business practice. Privacy protection is incorporated into the design of the system.</p><p>3. <strong>Embedded </strong>– Privacy protections should be embedded into the design and architecture of systems and practices; they are core components of the functionality of the systems.</p><p>4. <strong>Positive-Sum</strong> – All legitimate interests and objectives are included in a positive-sum/win-win approach. It is possible to balance the needs of privacy and security.</p><p>5. <strong>Lifecycle Protection</strong> – Privacy protection practices extend through the entire lifecycle of the data.</p><p>6. <strong>Visibility/Transparency</strong> – All stakeholders are made aware of the operations of the practices or the technologies used.</p><p>7. <strong>Respect for Users</strong> – Architects and operators are required to offer user-friendly options, such as strong privacy defaults and appropriate notice.</p><p>The applicability of these principles has allowed the PbD concept to be used in the following areas:<br
/> I.	Information Technology<br
/> II.	Accountable Business Practices<br
/> III.	Physical Design<br
/> The PbD approach has been recently approved by the Council of International Data Protection and Privacy Commissioners as an “essential component of fundamental privacy protection.”</p><p>Summary<br
/> This article explores the Privacy by Design (PbD) approach, which was initially pioneered by the Ontario Information and Privacy Commissioner as a means of extending privacy concerns beyond legislation and regulation. The PbD approach fundamentally integrates privacy assurance into the design and operations of an organization’s systems and practices. The article looks at how PbD has been used to develop a new facial-recognition technology, which will be implemented in casinos throughout Ontario in 2011.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certified Information Privacy Professional/Canada (CIPP/C) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	Canada – Provincial Privacy Commissioners (CIPP/C; II.B.e.i.1.b.)<br
/> •	Policy Development &amp; Implementation (CIPP/C; III.B.b.)<br
/> •	Biometric Identification (CIPP/IT; VI.G.iii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/01/18/ontario%e2%80%99s-privacy-protective-facial-recognition-system/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>EU Data Retention Directive: A Request for Repeal</title><link>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/</link> <comments>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/#comments</comments> <pubDate>Tue, 04 Jan 2011 17:00:11 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[EU Data Retention Directive]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2398</guid> <description><![CDATA[<p>Data retention has been an important issue for law enforcement agencies and privacy rights organizations alike. Governments have made efforts to require telecommunications service providers to record and retain information, such as telephone calls, emails, or other communications. This article examines the European Union Directive on Mandatory Retention of Communications Traffic Data, which was enacted in March 2006. The article goes on to look at criticisms of the Directive as well as recent efforts calling for the repeal of this Directive.</p><p>Background: The 2006 EU Data Retention Directive
The EU Data Retention Directive 2006/24/EC required that operators of public electronic communication networks [...]]]></description> <content:encoded><![CDATA[<p>Data retention has been an important issue for law enforcement agencies and privacy rights organizations alike. Governments have made efforts to require telecommunications service providers to record and retain information, such as telephone calls, emails, or other communications. This article examines the European Union Directive on Mandatory Retention of Communications Traffic Data, which was enacted in March 2006. The article goes on to look at criticisms of the Directive as well as recent efforts calling for the repeal of this Directive.</p><p>Background: The 2006 EU Data Retention Directive<br
/> The <a
href="http://register.consilium.eu.int/pdf/en/05/st03/st03677.en05.pdf">EU Data Retention Directive 2006/24/EC</a> required that operators of public electronic communication networks store specific data for the investigation, detection and prosecution of serious crime. The Directive requires that Internet service providers operating in Europe retain telecom and Internet traffic data about all their clients’ communications for at least six months, to a maximum of two years from the date of the communication. This is for the potential use of law enforcement authorities. Retained data includes the traffic and location data, but not the contents of the communications.</p><p>Of specific concern to privacy professionals was that the retained data included the following:<br
/> •	Fixed network telephony<br
/> •	Mobile telephony<br
/> •	Internet access<br
/> •	Internet email<br
/> •	Internet telephony</p><p>The data retention regulations listed four data security principles, applicable to the retained data. These regulations are outlined below:<br
/> 1.	The data must have the same security levels when retained and must remain the same quality.<br
/> 2.	Security measures (both technical and organizational) must be enacted to protect against accidental or unlawful disclosure, access, alteration or loss of the data.<br
/> 3.	The retained data should only be accessible by authorized persons.<br
/> 4.	All retained data must be appropriately destroyed at the end of the retention period.</p><p>As part of the terms of the Directive, the data could only be made available to competent national authorities in particular cases, in line with national law. EU member states are responsible for ensuring that any intentional access or transfer of this data is punishable by administrative or criminal penalties. Member states were also required to have a public authority responsible for implementing and monitoring the Directive within 18 months after it was introduced. Each state developed its own version of the Directive, which was integrated into its national laws.</p><p>Controversy Surrounding the Directive<br
/> For public communications providers throughout the EU, the Directive presented a number of different challenges. Service providers were mandated to retain communications data to allow requested access for investigations. This meant that they were faced with the challenge of harmonizing their data center with hundreds of storage devices and petabytes of data. This significantly increased the size of IT infrastructures. Many critics argued that the mandated retention practices made organizations more vulnerable to privacy risks.</p><p>Observers also argued that the requirements of the Directive amounted to a type of surveillance. The Directive requires member states to collect personal data about citizens, without the consent of the citizens. It also allows the states to apply the data to monitor and control citizens, by applying criminal penalties.<br
/> For these and other reasons, many European privacy activists have strongly <a
href="http://www.edri.org/campaigns/dataretention">opposed </a>the Directive.</p><p>One example was the <a
href="http://www.vorratsdatenspeicherung.de/content/view/46/42/lang,en/">Freedom Not Fear</a> movement, which organized protests in major cities across Europe. These demonstrations aimed to raise public awareness of increased surveillance and data retention practices. The Freedom Not Fear movement also demanded the following:<br
/> •	Cutbacks on surveillance measures<br
/> •	Evaluation of existing surveillance powers<br
/> •	Moratorium on new surveillance powers<br
/> •	Ensure the freedom of expression, dialogue and information on the Internet</p><p>During 2007, the <a
href="http://www.vorratsdatenspeicherung.de/index.php?lang=en">German Working Group on Data Retention</a> represented 35 000 people and filed a class-action lawsuit against data retention laws. The court found the laws unconstitutional, which led to requirements for the immediate deletion of all data retained under the law.</p><p>During 2009, the Romanian Constitutional Court ruled that the Directive was in direct violation of <a
href="http://www.hri.org/docs/ECHR50.html#C.Art8">Article 8</a> of the European Convention on Human Rights, guaranteeing the right to respect for private life and correspondence. The Court held that data retention turns all those who use public communication networks into potential criminals.</p><p>Also during 2009, the European Commission initiated a lawsuit against the Swedish government, which had refused to implement the Data Retention Directive within the required time frame. Political leaders argued that the Directive was inconsistent with the European Convention on Human Rights, as well as being an expensive and ineffective means of protecting citizens’ rights and freedoms. In addition to Sweden’s non-cooperation with the Directive, Austria, Greece, Ireland, the Netherlands and Poland also did not implement data retention laws within the April 2009 deadline stipulated by the Directive.</p><p>Calls to repeal the Directive<br
/> During the <a
href="http://www.privacyconference2010.org/">32nd Annual Conference of Data Protection and Privacy Commissioners</a>, which was held during October 27-29, 2010, privacy authorities called for the repeal of the Data Retention Directive.</p><p>A vocal participant in this discussion was the <a
href="http://www.eff.org/work">Electronic Frontier Foundation</a> (EFF), which has protested the indiscriminate collection of traffic data. According to the EFF, there is no clear link between data retention and effective law enforcement. Rather, such retention leads to abuse of authorities, including excessive tracking and over-collection. Furthermore, many of the retention practices pose a serious violation of individuals’ rights and freedoms.</p><p>Summary<br
/> This article explores the 2006 European Union Data Retention Directive, which required member states to implement laws requiring communications service providers to retain data for anywhere between six months and two years. This was supposedly to facilitate law enforcement efforts, particularly anti-terrorist programs. The Directive was met with widespread public outcry, given the potential for surveillance, monitoring and abuse, in addition to arguments that it was a violation of rights and freedoms. The article explores a number of different responses to the Directive, including citizens’ movements throughout Europe, national court rulings against the Directive and non-compliance issues.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certification Foundation (Foundations) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	Data Retention &amp; Destruction – Period of Retention (CIPP/IT; I.E.a.)<br
/> •	Privacy Concerns – Government Surveillance (CIPP/IT; II.A.k.)<br
/> •	Modern Principles of Privacy – Europe (Foundations; I.D.a.ii.)<br
/> •	Privacy &amp; Data Protection Regulation – Europe (Foundations; I.F.b.ii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>RFID Technology</title><link>https://www.cippguide.org/2010/07/27/rfid-technology/</link> <comments>https://www.cippguide.org/2010/07/27/rfid-technology/#comments</comments> <pubDate>Tue, 27 Jul 2010 12:00:26 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[CSA]]></category> <category><![CDATA[CSA Model Code]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[PIPEDA]]></category> <category><![CDATA[Public Interest Advocacy Center]]></category> <category><![CDATA[RFID]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1937</guid> <description><![CDATA[In recent years, RFID (radio frequency identification) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this [...]]]></description> <content:encoded><![CDATA[<p>In recent years, RFID (<a
href="http://www.cippguide.org/tag/RFID/">radio frequency identification</a>) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this article.</p><h2>What is RFID?</h2><p>RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and improves data accuracy.</p><p>There are three components in an RFID system:</p><ol><li><strong>Tag</strong>: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.</li></ol><p>Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have their information modified or erased multiple times. 
Since they offer greater functionality, their price is much higher than that of read-only tags.</p><ol start="2"><li><strong>Reader</strong>: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.</li><li><strong>Infrastructure</strong>: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.</li></ol><h2>How can RFID be used?</h2><p>RFID technology has been and will be applied in a variety of public and private sector organizations. Uses include:</p><ul><li>Product Integrity – to ensure that products are authentic and untampered with</li><li>Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)</li><li>Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services</li><li>ID, Travel &amp; Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine</li><li>Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)</li><li>Patient Care &amp; Management – to rapidly and accurately verify patient information (e.g. allergies, prescription, health history, etc.)</li></ul><h2>Privacy Issues</h2><p>According to the Canadian <a
href="http://www.piac.ca/">PIAC</a> (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the <a
href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">PIPEDA</a> significantly limits the use of RFID for consumer surveillance purposes.</p><p>However, later <a
href="http://www.cippguide.org/tag/OPC/">Office of the Privacy Commissioner of Canada</a> (OPC) <a
href="http://www.priv.gc.ca/information/consultations/2010/rep_rfid_1003_e.cfm">research</a> indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:</p><p>Repeated Collection of Information</p><ul><li>Since RFID tags are very small, they can easily be embedded on or in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors render it impossible for individuals to know if or when they are being scanned.</li></ul><p>Tracking Movements</p><ul><li>If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RFID technologies.</li></ul><p><a
href="http://www.cippguide.org/tag/pass-id/">Profiling Individuals</a></p><ul><li>RFID technology means that each object has its own unique identification. This contrasts with bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.</li></ul><p>Secondary Use</p><ul><li>Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.</li></ul><p><a
href="http://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/">Massive Data Aggregation</a></p><ul><li>RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.</li></ul><h2>OPC Responses</h2><p>The OPC recommends that the ten principles of the <a
href="http://www.cippguide.com/2010/06/29/csa-model-code/" target="_blank">CSA Model Code</a>, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:</p><ol><li>Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?</li><li>Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.</li><li>Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.</li><li>Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.</li><li>Limiting Use, Disclosure &amp; Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.</li></ol><p>Employers should limit the collection of personally identifiable information, including RFID-related data. 
Data from RFID systems should not be linked to other databases, unless there is a proven need.</p><ol start="6"><li>Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.</li><li>Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to its sensitivity. Employers should be made accountable for any breach of RFID technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.</li><li>Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.</li><li>Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.</li><li>Challenging Compliance – Individuals ought to be able to <a
href="http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/">challenge compliance</a> with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.</li></ol><p>After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects <a
href="http://www.cippguide.org/2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">Fair Information Practices</a>:</p><ul><li>If the RFID chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.</li><li>If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.</li><li>Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.</li></ul><h3>Summary</h3><p>This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>CSA Model Code for the Protection of Personal Information (II.A.a.i.)</li><li>Radio Frequency Identification (RFID) (V.A.a.5.)</li><li>Security threats and vulnerabilities (V.A.b.)</li><li>Information management (V.c.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/27/rfid-technology/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Surveillance &amp; Investigation in Canada</title><link>https://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/</link> <comments>https://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/#comments</comments> <pubDate>Tue, 20 Jul 2010 12:00:50 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> 
<category><![CDATA[CIPP/C]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[provincial commissioners]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1939</guid> <description><![CDATA[The introduction of Bills C-46 and C-47 in Canada sparked concern regarding the role of the federal government and other authorities to expand surveillance and increase investigation of the Canadian public. The bills were tabled June 2009 and continue to be met with much concern. This article will elaborate on the significant aspects of each bill, with an eye to some of the potential privacy concerns that may be [...]]]></description> <content:encoded><![CDATA[<p>The introduction of Bills C-46 and C-47 in Canada sparked concern regarding the role of the federal government and other authorities to expand surveillance and increase investigation of the Canadian public. The bills were tabled June 2009 and continue to be met with much concern. This article will elaborate on the significant aspects of each bill, with an eye to some of the potential privacy concerns that may be raised.</p><h2>Bills C-46 &amp; C-47</h2><p>In June 2009, the Canadian federal government tabled two significant pieces of legislation: the <a
href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4008179&amp;Language=e&amp;Mode=1">Investigative Powers for the 21<sup>st</sup> Century Act</a> (Bill C-46) and the <a
href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4007628&amp;Language=e&amp;Mode=1">Technical Assistance for Law Enforcement in the 21<sup>st</sup> Century Act</a> (Bill C-47).</p><p>Bill C-46 allows police and other authorities to collect digital evidence amongst numerous devices and computer networks. These may be interprovincial or even international. A motivating factor for this bill is to ensure that multiple avenues are examined, in a timely manner, especially since digital data often has a short life span. Some important issues in the Bill C-46 legislation include:</p><p>Transmission Data</p><ul><li>This includes the data from telephone and internet communications. However, this does not include the content.</li><li>This ensures that communications can be traced back to the original service provider. This allows police to trace domestic and international cybercrime.</li><li>Determining the origin of transmission can help identify the jurisdiction of telecommunications.</li></ul><p>Preservation Order</p><ul><li>A preservation order is a temporary order that requires a telecommunications service provider to safeguard and store data (e.g. usage and location) related to a specific communication. It is also known as a “quick freeze” order.</li><li>This is restricted only to the data that is related to a particular investigation.</li></ul><p>Tracking Warrants</p><ul><li>This allows police to remotely activate tracking devices found in some technologies (e.g. 
cell phones, car tracking devices).</li><li>This may permit police to install new devices to enable tracking.</li><li>Authorities can have special orders for tracing mobile communications devices as well as their owners.</li></ul><p>International Considerations</p><ul><li>International cooperation is crucial for many cybercrime investigations.</li><li>The proposals in this bill strengthen the instruments that enable broad-based international cooperation in investigation as well as prosecution of computer-related crimes.</li></ul><p>Bill C-47 does not provide police or other law enforcement authorities with additional powers, but it does mandate that authorities have a technical solution in place to actually intercept telecommunications. At this point, Canada does not require companies to build interception capability into their telecommunications networks. This means that when warrants are issued, they cannot be acted upon, since the service provider’s network cannot be intercepted. This may create a safe haven for criminal activity.</p><p>In response, Bill C-47 requires companies to create intercept-capable infrastructures, which includes paying for the new equipment and software involved. The government will provide compensation for any required retrofits. The intention is to introduce intercept solutions as flexibly and gradually as possible. This will ensure that telecommunication services are able to build and maintain interception capability without creating undue burdens on the company. Eventually, Bill C-47 will allow authorities to obtain individual information such as name, phone number, address, IP address, and other mobile phone identifiers.</p><h2>Perspectives</h2><p>Some proponents of the Bills have argued that the legislation is not too different from other criminal legislation affecting privacy interests. They argue that Canada is far behind the curve in terms of lawful access legislation. 
For instance, both the US and Australia have had such legislation in place for more than ten years. Introducing such measures will enable Canadian companies to comply with international obligations, facilitating international competition.</p><p>However, others have cautioned that these measures should not simply be implemented because of the choices of other countries. It is important to note that in a number of countries interception and surveillance measures were passed in spite of public opposition.</p><p>Opponents of the bills argue that while the proposals are presented as security measures, they may lead to a “chilling effect.” This means that citizens may become nervous about the monitoring of their online activities. Lawful surveillance may silence debates and shut down the development of legal online activities.</p><p>Other observers commented on the fact that there is increased collaboration between government and private actors to track citizens’ actions and activities in the digital world. Surveillance and interception are largely justified based on user agreements. These contain provisions which allow the telecommunications service providers to monitor and transmit the information to authorities. However, many users do not read or understand these agreements. They are also unable to negotiate the terms with the service providers. Arguably, users have no choice but to hand over their constitutional rights, if they want to have access to such necessities as telephone and internet services.</p><h2>OPC Concerns</h2><p>The <a
href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/" target="_blank">Office of the Privacy Commissioner</a> of Canada (OPC) recommends that Parliament remain cautious about surveillance and interception legislation, which will often have repercussions on other jurisdictions as well as a significant impact upon the privacy rights of Canadians. In a <a
href="http://www.priv.gc.ca/media/nr-c/2009/res_090910_e.cfm">joint resolution</a> issued by the federal Privacy Commissioner as well as <a
href="http://www.cippguide.com/2010/06/15/provincial-territorial-privacy-commissioners/" target="_blank">provincial commissioners and ombudspersons</a>, the signatories state that there must be a clear and demonstrable need before expanding the investigative powers of law enforcement and other national security agencies. According to the Commissioners and ombudspersons, the federal government has not provided satisfactory evidence that supports the need for the new powers outlined in the proposed legislation.</p><p>The joint resolution argues that the proposed legislation allows authorities to access personal information, such as unlisted telephone numbers, email addresses and IP addresses. However, Canadians consider this information extremely sensitive and expect it to remain confidential. The use of computers and other remote devices should also remain private. Arguably, the proposed legislation does not only target serious criminal offenses, but it might also be applied to investigations of minor infractions and non-criminal matters.</p><p>While the OPC and the ombudspersons are not completely opposed to legislation regarding the monitoring of digital data, it must take into account individual privacy rights and the legitimate needs of law enforcement authorities. 
The following outlines the OPC’s recommendations regarding Bill C-46 and Bill C-47:</p><ul><li>The federal government needs to demonstrate that the expanded surveillance is actually essential and justified.</li><li>The federal government should explore alternatives to the proposed Bills.</li><li>The Bills should be limited to only specific, serious crimes and life-threatening emergencies.</li></ul><p>If there are any legislative proposals on surveillance, they should embody the following characteristics:</p><ul><li>Be minimally intrusive.</li><li>Have well-defined limits on the use of the new powers.</li><li>Have appropriate legal thresholds for court authorization.</li><li>Require draft regulations to be publicly reviewed before being enforced.</li><li>Provide effective oversight.</li><li>Publicly report the use of powers.</li><li>Have a five-year Parliamentary review.</li></ul><p>In taking these recommendations into account, Parliament will be able to update surveillance and investigation legislation appropriately to meet the needs of law enforcement.</p><h3>Summary</h3><p>This article examines the proposals in Bill C-46 and Bill C-47, which are the Investigative Powers for the 21<sup>st</sup> Century Act and the Technical Assistance for Law Enforcement in the 21<sup>st</sup> Century Act, respectively. It looks at the new powers that may be afforded to police and other law enforcement bodies across Canada. It introduces a number of different perspectives on the Bills. For some, the Bills do not present an issue for concern, as many other countries have introduced similar legislation and Canada is simply catching up with these obligations. Others, who are opposed to the Bills, point out the repercussions in varied contexts. 
Finally, the article examines the OPC’s response and recommendations to surveillance legislation.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy policy, legal requirements (V.C.b.b.)</li><li>End user expectations (V.C.c.a.i.)</li><li>Vendor and contract management (V.C.e.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Privacy Act of 1974</title><link>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/</link> <comments>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/#comments</comments> <pubDate>Wed, 10 Feb 2010 12:00:05 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Data Sharing Agreement]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[Fair Information Practices Principles]]></category> <category><![CDATA[FOIA]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Privacy Act of 1974]]></category> <category><![CDATA[SORN]]></category> <category><![CDATA[Surveillance]]></category> <category><![CDATA[Systems of Records Notice]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1239</guid> <description><![CDATA[The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the Fair Information Practice Principles that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.justice.gov/opcl/privstat.htm">Privacy Act of 1974</a> is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the <a
title="CIPP Guide: Fair Information Practice Principles" href="http://www.cippguide.org/2010/01/18/fair-information-practice-principles/" target="_self">Fair Information Practice Principles</a> that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.</p><p><strong><a
href="http://en.wikipedia.org/wiki/Privacy_Act_of_1974">Data Collection and Management</a></strong></p><p>The Privacy Act of 1974 applies to <em>Federal Government Agencies</em> and governs their use of a system of records. By definition, a <a
href="http://nces.ed.gov/StatProg/rudman/a.asp%23s">system of records</a> is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”</p><p>The following rules govern the use of a system of records:</p><ul><li>No Federal Government record keeping system may be kept secret</li><li>No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)</li><li>No agency may maintain files on how a citizen exercises their First Amendment rights</li><li>Federal personal information files are limited only to data that is relevant and necessary</li><li>Personal information may only be used for the purposes for which it was originally collected unless consent is received from the individual</li><li>Citizens must receive notice of any third party disclosures including with whom the information is shared, the type of information disclosed and the reasons for its disclosure</li><li>Citizens must have access to the files maintained about them by the Federal Government</li><li>Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files</li></ul><p><strong><a
href="http://epic.org/privacy/1974act/">Data Sharing</a></strong></p><p>The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches would link together the information from both systems.</p><p>In order for any agency to run a matching program with a system of records from another agency, there must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate, and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.</p><p>A Data Sharing Agreement:</p><ul><li>Must state the purposes and legal justifications for the matching program</li><li>Must provide rationale for the program by estimating the results and savings that will be achieved</li><li>Must describe the records to be matched including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program</li><li>Must describe how the privacy principles of the Privacy Act will be implemented in the program (i.e. notice to the individual, ensure accuracy and completeness, limited use of results)</li><li>Must provide an accuracy assessment of the unmatched records</li><li>Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary</li></ul><p><strong><a
href="http://www.gpoaccess.gov/fr/index.html">Federal Register</a></strong></p><p>To ensure that no system of records is kept secret, the Privacy Act requires all government agencies to provide a System of Records Notice (SORN) biennially, to be published in the Federal Register. Each SORN must also be published on the agency’s website under the Electronic Privacy Act Amendment.</p><p>Each SORN must contain:</p><ul><li>The name and location of the records system</li><li>The title and business address of the individual overseeing the system of records at the agency</li><li>The types of individuals about whom records are kept</li><li>The categories of records kept in the system</li><li>The general sources from which data is collected</li><li>The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction</li><li>How an individual may determine if an agency maintains a record about them in their system of records</li><li>How an individual may gain access to the records an agency maintains about them</li></ul><p><strong><a
href="http://epic.org/privacy/1974act/">Exceptions to the Privacy Act</a></strong></p><p>While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.</p><p>The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Furthermore, a system of records is defined as a group of records which uses <em>personally identifiable information</em> or signifiers to retrieve a file. There may be records systems which contain personal information but do not use that information to search for and gain access to a record. Such systems of records would also be exempt under the Act.</p><p>The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.</p><p><strong>Summary</strong></p><p>Like the <a
title="CIPP Guide: Freedom of Information Act" href="http://www.cippguide.org/2010/02/08/foia-the-freedom-of-information-act/" target="_self">Freedom of Information Act</a>, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does make significant steps in protecting the right of privacy, it is also limited enough in its scope and implementation to only provide adequate protection. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to effectively understand their rights and work to create more comprehensive privacy legislation in the future.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>The Privacy Act of 1974 (I.C.b.i.-iv.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
