Privacy Issues In Federal Systems: A Constitutional Perspective
Speech Given To National Institute of Standards and Technology Computer System Security and Privacy
March 16, 1999
Federal information-gathering systems of many different types raise similar concerns about privacy; these include tax enforcement systems, Know Your Customer programs to crack down on money laundering, medical databases, and so on. My testimony today is applicable to a wide range of systems, and will explore the following issues:
- The danger to human rights from federal information systems.
- Security concerns such as identity theft, as distinct from privacy concerns.
- The role of encryption, biometrics, and digital signatures in federal systems.
- The most effective rules for ameliorating federal threats to privacy, emphasizing the importance of limited government, limited agency discretion, and the Fourth Amendment.
Why Privacy is Important
Privacy in federal systems is an important component of protecting against threats to human rights. Federal agencies and employees have used information stored in federal systems to carry on personal or political vendettas, or violations of rights on a grander scale. Past abuses include:
- During World War II, U.S. census data was used to identify Japanese-Americans and place them in internment camps.
- In 1995 over 500 Internal Revenue Service agents were caught illegally snooping through tax records of thousands of Americans, including personal friends and celebrities. Only five employees were fired for this misconduct.
- In response, the IRS developed new privacy protection measures. These measures were useless, with hundreds of IRS agents being caught in early 1997, again snooping through the tax records of acquaintances and celebrities.
The Clinton administration reportedly obtained hundreds of FBI files, including those of:
- Billy R. Dale: Fired Travel Office Director
- Marlin Fitzwater: Bush's press secretary
- Ken Duberstein: Reagan's chief of staff
- James Baker: Bush's secretary of state
- Tony Blankley: Newt Gingrich's spokesman
Identity theft is another serious problem associated with the growth of centralized information databases. As I discuss in the next section, however, this privacy problem is distinct from concerns about privacy related to human rights.
Identity Theft: Security Problems Distinguished
Privacy is a broad concept; many subtle and difficult questions of business and medical ethics, limited government, and problems of identity theft are commonly swept together under the heading of "privacy" concerns. In fact, many of these issues are not closely related at all, and lumping them together does more harm than good. Here I distinguish security concerns from human rights concerns.
The problem of identity theft should be a major focus of attention in federal systems. Identity theft often occurs not because the database is holding too much information, but because it is holding the wrong kind of information and using it improperly.
Frequently, the "password" used to access one's record is a social security number, perhaps supplemented by mother's maiden name. Both social security numbers and surnames are names--useful because they remain constant over time and are known and used by many people. A name is a fundamentally different thing from a password.
A good password should be secret, difficult or impossible to reproduce or "crack," and it should not be public knowledge. A password should be changeable if the security of the original is compromised. Both social security numbers and mother's maiden name are terrible passwords, and they ought not to be used as such in federal systems.
Now, here is where the distinction between security concerns and human rights concerns comes into play. If federal systems are to be more secure against identity theft and other security breaches, how could we make them so? From a pure security standpoint, the answer is not to outlaw the use of social security numbers or other unique identifiers. Indeed, this might increase the risk of identity theft and other errors. The answer is to use better passwords. These might include
- true passwords, like PIN numbers, that can be changed from time to time;
- digital signatures;
- biometric data like a voiceprint or fingerprint, under conditions that cannot easily be spoofed;
- the use of encryption.
Note that each of these solutions would in varying degrees reduce the risk of identity theft or other security breaches. And the best approach to some security problems might be to increase the amount and particularity of information stored in the system and used for authentication. But, in the case of biometrics in particular, this might be the worst approach to human rights concerns.
The approach to security problems that would satisfy both concerns would be to use non-biometric data to authenticate access requests whenever possible. Digital signatures offer a great deal of promise here.
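The identifier-versus-authenticator distinction drawn above, as an added illustration that is not part of the original speech. It contrasts a weak model, in which the record key (a social security number) and a "known fact" (mother's maiden name) double as the credential, with a hardened model in which the same number is only a lookup key and access requires a separate, salted-and-hashed secret that can be rotated. All names, functions and sample values are constructed for this example.

```python
import hashlib
import os
import secrets

# Constructed sample record: the SSN and maiden name are made-up test values.
RECORD = {"ssn": "000-00-0000", "maiden_name": "Smith", "name": "A. Taxpayer"}

# Weak model: the record key and a public, unchangeable fact are the whole
# authenticator. Anyone who learns them is indistinguishable from the owner.
def weak_authenticate(store, ssn, maiden_name):
    rec = store.get(ssn)
    return rec is not None and rec["maiden_name"] == maiden_name

# Hardened model: the SSN is only a lookup key. Access requires a separate
# secret, stored as a salted PBKDF2 hash so the store never holds it in clear.
def _hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def set_secret(store, ssn, secret):
    """Set or rotate the record's authenticator; the previous one stops working."""
    salt = os.urandom(16)
    store[ssn]["salt"] = salt
    store[ssn]["hash"] = _hash_secret(secret, salt)

def hardened_authenticate(store, ssn, secret):
    rec = store.get(ssn)
    if rec is None or "hash" not in rec:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return secrets.compare_digest(_hash_secret(secret, rec["salt"]), rec["hash"])

def demo():
    """Returns (impostor passes weak, impostor passes hardened,
    owner passes hardened, leaked secret still works after rotation)."""
    weak_store = {RECORD["ssn"]: dict(RECORD)}
    hard_store = {RECORD["ssn"]: dict(RECORD)}
    set_secret(hard_store, RECORD["ssn"], "first-pin-4821")
    # The impostor knows the SSN and maiden name: both are names, not secrets.
    impostor_weak = weak_authenticate(weak_store, "000-00-0000", "Smith")
    impostor_hard = hardened_authenticate(hard_store, "000-00-0000", "Smith")
    owner_hard = hardened_authenticate(hard_store, "000-00-0000", "first-pin-4821")
    # Rotation after a compromise: the leaked secret no longer opens the record.
    set_secret(hard_store, RECORD["ssn"], "second-pin-9073")
    leaked = hardened_authenticate(hard_store, "000-00-0000", "first-pin-4821")
    return impostor_weak, impostor_hard, owner_hard, leaked

if __name__ == "__main__":
    print(demo())
```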
Digital Signatures: A Federal Role?
This raises the question of whether legislation is called for to establish federal procedures for accepting and using digital signatures. I strongly recommend against legislation that would create or set a federal standard for the validity of digital signatures.
Digital signatures are a young technology. Considerable experimentation with different signature models will be necessary before the technology matures. It is vital that the private sector lead the way in these experiments. A premature federal standard could
- become a tool of unrelated policy goals;
- doom federal systems to become obsolete;
- cut off competition among competing signature models.
The courts can be trusted to decide when and under what circumstances digital signatures should be accepted, looking to the business community for guidance. This worked well with signatures transmitted by telegraphs[1], telephones[2], telexes[3], faxes[4], or photocopies of signatures[5], or audio recordings[6]. In 1869, one court explained that a telegraphed contract was valid, saying "It makes no difference whether that operator writes the offer or the acceptance . . . with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office."[7] As long as the technology is reliable, there is no reason a court would not say the same of digital signatures.
Checking Dangers to Human Rights
Now I return to consider privacy as a fence against violations of human rights. Below I describe strategies that protect privacy and limit this danger, in order of their effectiveness. What quickly emerges from this overview is that the best strategies for protecting privacy have entirely fallen out of the debate--an extremely unfortunate development.
Why Create More Databases? The Limited Government Model.
The United States Constitution created a government of narrowly defined and enumerated powers, a model that we have since abandoned. This model, however, is absolutely the best defense against dangers to privacy and human rights.
The more ambitious regulatory programs and agendas that are adopted by the federal government, the more likely the agencies that administer them are to begin to demand vast amounts of information from United States citizens about their personal lives. The higher that taxes go, the harder tax law will be to enforce, and the greater will become the IRS's demands for access to personal and business records.
This is exacerbated by a common phenomenon--the fact that government agendas often grow, rather than shrink, in the face of failure. Money laundering convictions are difficult and expensive to obtain, ultimately catching only a few small fry and making the streets no safer; the crackdown on money laundering would fail any cost-benefit analysis. So what is the regulatory response? Enlarge the program. Regulate more. From this premise, the FDIC's disastrous "Know Your Customer" proposal followed inexorably and logically. Another example is Medicare, plagued by fraud and rising costs. Real market-based reforms have never been considered; instead, our medical records are opened to auditors and snoops.
Return to the limited government model would be the best defense against dangers to privacy and attendant dangers to human rights. Many federal information-gathering systems would simply never be called into existence.
Taking The Fourth Amendment Seriously.
The Fourth Amendment does not limit what information the government may collect, but, rather, it limits the means by which that information may be collected. It makes information collectors accountable to the judiciary. It is a critically important rein on government power.
Federal demands for information from the private sector should comply with the Fourth Amendment. No one in any context should be required to turn information over to the federal government without a showing of probable cause. Because the courts have been reluctant to enforce this limit, FDIC regulators have been able to pressure banks into spying on their customers under "voluntary" Know Your Customer programs.
The Danger in Delegation of Broad Discretion to Federal Agencies.
The recent outcry over the FDIC's Know Your Customer proposal shows that agency snooping programs will rarely sit well with the public. The legislature's accountability to the public is thus a key check on dangers to privacy.
When Congress delegates broad authority to administrative agencies, it increases dangers to privacy. The FDIC is reportedly likely to withdraw its Know Your Customer proposal in response to public comments. But we should not be fooled for a single minute into thinking that the threat is gone.
The FDIC's broad regulatory powers enabled it to pressure many banks into adopting Know Your Customer policies "voluntarily." Even if the current proposal is abandoned, this merely means that Know Your Customer will not be official regulation. The policy will still be an integral part of the agency's guidelines and practice--which rarely, if ever, will come to the attention of the public.
Two key steps would rein in the power of administrative agencies to present such threats to privacy.
- Agency rules should not become binding unless Congress has affirmed them by vote.
- Agencies should not be permitted to issue vague guidelines, in practice binding but promulgated outside the safeguards of the Administrative Procedure Act.
The European Model.
Another type of privacy protection is the model of the European Data Protection Directive, which establishes limits on information collection, on the type of information collected, and on the duration for which it may be kept. As protections for human rights go, this is a feeble model, for the following reasons:
- Governments exempt themselves from limits that go to the heart of their powers, such as the power to tax or investigate crime.
- Governments must exempt many private databases (such as those kept by trade unions or churches) just to allow normal life to continue, so these databases remain and can be targeted by police.
- Most European governments have vast powers to regulate citizens' day-to-day lives, and limits on their use of information are a tiny band-aid on a bleeding wound.
To illustrate my point about the fallacies of this model, consider the situation in France. French authorities rigorously regulate (among other things) the hours per week that one may work. Police are sent into private businesses, appearing at the doors of one's office to demand that one stop working immediately, or be ticketed. Police stand outside the doors of office buildings and stop and search businessmen leaving their offices; the police confiscate laptops and cell phones, to ensure that the businessmen cannot work from home. The dangers to human rights are obvious and enormous. The violations of privacy are severe and outrageous. But the data protection directive does nothing to stop this. It makes no sense to give governments vast powers to control citizens' day-to-day lives, and trust to meaningless paper privacy tigers to guard human rights.
1. Trevor v. Wood, 36 N.Y. 307 (1867); Howley v. Whipple, 48 N.H. 487 (1869); La Mar Hosiery Mills, Inc. v. Credit & Commodity Corp., 216 N.Y.S.2d 186 (1961) (deeming "[t]he telegram with the typed signature of defendant's name [to have] emanated from the defendant which is responsible for it.").
2. Selma Sav. Bank v. Webster County Bank, 206 S.W. 870, 874 (Ky. 1918) (contract is formed when message is transmitted to telegraph operator by telephone).
3. A telex is a communication system consisting of teletypewriters connected to a telephonic network which sends and receives signals. Teletypewriters are electromechanical typewriters that transmit or receive messages coded in electrical signals carried by telephone or telegraph wires. See Apex Oil Co. v. Vanguard Oil & Service Co., 760 F.2d 417 (2d Cir. 1985) (telex); Joseph Denuzio Fruit Co. v. Crane, 79 F. Supp. 117 (S.D. Cal. 1948), vacated, 89 F. Supp. 962 (S.D. Cal. 1950), reinstated, 188 F.2d 569 (9th Cir.), cert. denied, 342 U.S. 820 (1951); Klein v. PepsiCo, Inc., 845 F.2d 76 (4th Cir. 1988).
4. Hessenthaler v. Farzin, 564 A.2d 990 (Pa. Super. 1989); Bazak Intl. Corp. v. Mast Industries, 535 N.E.2d 633 (N.Y. 1989); Beatty v. First Exploration Fund 1987 & Co., 25 B.C.L.R.2d 377 (1988).
5. Beatty v. First Exploration Fund 1987 & Co., 25 B.C.L.R.2d 377 (1988) (comparing telefacsimiles and photocopies).
6. A tape recording of an oral agreement satisfies the writing requirement of the statute of frauds, since it has been reduced to tangible form. Ellis Canning Co. v. Bernstein, 348 F. Supp. 1212, 1228 (D. Colo. 1972); see also Londono v. Gainsville, 768 F.2d 1223, 1227-28 n.4 (11th Cir. 1985). Another court, however, found that a tape will not do, absent evidence that both parties intended to authenticate the record. Swink & Co. v. Carroll McEntee & McGinley, Inc., 584 S.W.2d 393 (Ark. 1979).
7. Howley v. Whipple, 48 N.H. 487, 488 (1869).