Privacy International Report - USA

Constitutional Framework

There is no explicit right to privacy in the United States Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on several provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a "reasonable expectation of privacy"[1] and also in matters relating to marriage, procreation, contraception, sexual activity, family relationships, child rearing and education.[2] The Supreme Court has also recognized a right of anonymity[3] and the right of political groups to prevent disclosure of their members' names to government agencies.[4] Some states within the country have incorporated explicit privacy protections into their constitutions.[5] A right to privacy is specifically stated in the constitutions of 10 states.[6]

The Supreme Court ruled in 1976 that individuals do not have constitutional privacy interests in data transferred to third parties, meaning that specific statutes would have to be enacted to protect data held by others.[7] Rather than enact general statutory protections for personal data, the United States has taken a sectoral approach to privacy regulation so that records held by third parties, such as consumer marketing profiles or telephone calling records, are generally not protected unless a legislature has enacted a specific law. Many such laws have been enacted by both the federal and state governments.

The tort of privacy was first adopted in 1905, and all but two of the 50 states recognize a civil right of action for invasion of privacy in their laws.[8] The four traditionally recognized privacy torts are: intrusion upon an individual's seclusion or private affairs, public disclosure of embarrassing private facts, painting an individual in a "false light" in the public eye, and appropriation of an individual's name or likeness.[9]

Privacy Laws

The Privacy Act of 1974 protects records held by United States government agencies and requires agencies to apply fair information practices.[10] Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a "routine use" compatible with the purpose for which the information was originally collected. Limits on the use of Social Security numbers have also been undercut in recent years because of widespread use of the identifier among governmental agencies[11] and because the private sector employs the identifier for both identification and authentication purposes.[12] The act also allows certain agency systems of records to be exempt from accuracy and other requirements.

The United States has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information.[13] These include financial records,[14] health information,[15] credit reports,[16] video rentals,[17] cable television,[18] children's (under age 13) online activities,[19] educational records,[20] motor vehicle registrations,[21] and telemarketing.[22]

The Gramm-Leach-Bliley Act, which formally eliminated traditional ownership barriers between different financial institutions such as banks, securities firms, and insurance companies, set weak protections on financial information that is likely to be shared among merged institutions. These privacy provisions became effective in July 2001. The law allows information sharing amongst affiliates but offers individuals a limited opt-out for information sharing among non-affiliates. Consumer privacy was improved under the law when the FTC determined that the Social Security number qualified as non-public personal information, thus it is subject to the notice and opt-out requirements in certain contexts. The data industry has been unsuccessful in challenging this determination.[23]

The sole federal law governing information use online is the Children's Online Privacy Protection Act (COPPA), which went into effect in April 2000. This law requires parental consent before information is collected from children under the age of 13.[24] In April 2005, the FTC requested public comments on the utility of the COPPA Rule, which directs Web site operators that collect information about children to notify parents or obtain parental consent before using or disclosing such information.[25] At the conclusion of the review, the Commission determined that the Rule "continues to be valuable to children, their parents, and Web site operators," and decided to retain COPPA in its current form.[26]

In 2003, Congress passed legislation significantly amending the Fair Credit Reporting Act (FCRA) of 1970 and the nation's first spam regulation.[27] Congress amended the FCRA, passing the Fair and Accurate Credit Transactions Act (FACTA),[28] because portions of the FCRA statute were expiring that would allow states to pass more stringent privacy protections.[29] Congress amended the law to protect financial institutions from state privacy regulation but also created new privacy rights. For instance, under regulations that took effect in 2004, individuals may obtain a free credit report from each of the credit bureaus once a year. Credit reporting agencies are required to disclose credit scores, but they may charge a fee for their provision. Individuals will have a new right to opt-out of marketing solicitations that flow from affiliate sharing of personal information. The act also now allows individuals to file fraud alerts, which require credit reporting agencies to inform others that fraud may be present. Identity theft victims also can request transaction records when businesses have extended credit to an impostor in order to try to ascertain the identity of the impostor.

Privacy Case Law

The United States Supreme Court has considered many important privacy cases over the last several years. In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the Drivers Privacy Protection Act (DPPA), a 1994 law that protects drivers' records held by state motor vehicle agencies. In a unanimous decision, the Court found that the information contained in the records was "an article of commerce" and could be regulated by the federal government.[30] In June 2001, the Supreme Court ruled in the case of Kyllo v. United States that the use of a thermal imaging device, without a warrant, to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment.[31] The Fourth Amendment protects individuals from intrusions into areas where there is a "reasonable expectation of privacy."[32] In November 2000, the Supreme Court held that suspicionless vehicle checkpoints, used to discover and interdict illegal narcotics, violate the Fourth Amendment.[33] Also, in March 2001, the Supreme Court held that a state hospital cannot perform diagnostic tests to obtain evidence of criminal conduct without the patient's consent; such a test is unreasonable and violates the Fourth Amendment.[34]

In the 2001 term, the Supreme Court addressed anonymity, searches on buses, and student privacy. In Watchtower Bible v. Village of Stratton, the Court invalidated a law that required registration with the government before individuals could engage in door-to-door solicitation. The Court held that a pre-registration requirement violated the First Amendment, which guarantees freedom from government restrictions on free expression, and individuals' right to anonymity.[35] Student privacy was diminished in a series of cases involving drug testing, "peer grading" (the practice of allowing a fellow student to score a test), and the right to sue under a federal student privacy law. In Board of Education v. Earls, the Court held that random, suspicionless drug testing of students involved in non-athletic extracurricular activities was justified under the "special needs" exception to the Fourth Amendment.[36] In Owasso Independent School District v. Falvo, the Court held that both peer grading and the reporting aloud of peer grades did not violate the Family Educational Rights and Privacy Act of 1974 (FERPA).[37] In Gonzaga Univ. v. Doe, the Court held that the FERPA does not give individuals a right to sue for violations of privacy.[38]

In the 2002 term, the Supreme Court ruled that a "Megan's Law statute," which requires sex offenders to have their pictures and addresses put on the Internet, does not violate the Ex Post Facto clause[39] of the Constitution.[40] In a related case, Connecticut Dept. of Public Safety v. Doe, the Court unanimously held that inclusion in a public sex offender registry, without a separate hearing on the offender's risk to the community, does not violate the Due Process Clause of the Constitution.[41] In a far-reaching opinion in 2003, the Supreme Court ruled in Lawrence v. Texas that a state law that prohibited homosexual sodomy violated the due process rights in the Constitution.[42] The Court reversed an earlier opinion in which it had upheld sodomy statutes.[43] The court decision states: "The petitioners are entitled to respect for their private lives. The state cannot demean their existence or control their destiny by making their private sexual conduct a crime…"[44] The Court also cited with approval the European Court of Human Rights and other foreign courts that have affirmed the "rights of homosexual adults to engage in intimate, consensual conduct." The decisions were brought to the attention of the high court in an amicus brief filed by the former UN High Commissioner for Human Rights.[45]

In the 2003 term, the Supreme Court considered the Privacy Act, a privacy exemption to the Freedom of Information Act, vehicle searches, and the issue of whether police could compel an individual to identify himself in public. In Doe v. Chao, the Court ruled that a plaintiff in a Privacy Act suit must demonstrate actual damages to qualify for the act's minimum statutory award of USD 1,000.[46] In that case, the Department of Labor identified black lung benefits claimants with their Social Security number and exposed the identifier to public view in violation of the Privacy Act. In National Archives & Records Administration v. Favish, the Supreme Court expanded a privacy exemption in the Freedom of Information Act.[47] That case involved a request for access to pictures of a suicide victim, who happened to be a senior Executive Administration employee. Noting that five separate investigations had been made into the circumstances of the suicide, the Court denied access to the photographs. Although American law generally does not recognize privacy interests after the death of the data subject, the Court held that surviving family members have a right to personal privacy with respect to their close relatives' death-scene images. This right outweighed the public's interest in disclosure. In United States v. Flores-Montano, the Court upheld a US Customs search of a gasoline tank at the Mexico-California border, ruling that vehicle searches at US border checkpoints do not require suspicion.[48] In Thornton v. United States, the Court upheld, as a search incident to custodial arrest, the search of the passenger compartment of a vehicle when the suspect was first accosted after exiting the vehicle.[49] The Court had previously ruled that the Fourth Amendment allowed police to search a passenger compartment, in the interests of evidence preservation and police protection, when the suspect was accosted while still inside the vehicle.[50] In Hiibel v. Sixth Judicial District Court, the Court upheld a state statute that required individuals to identify themselves when requested by a police officer who has "reasonable suspicion" that the individual is involved in wrongdoing.[51] Such statutes exist in more than 20 US states. The decision is limited in scope because identification requirements must occur within the scope of a "Terry Stop," an encounter where a police officer can articulate facts that reasonably indicate that a suspect is involved in criminal activity.[52] The Court also pointed out that, while the statute requires an individual to reveal his or her name, he or she need not produce an identity document. However, as one of four dissenting Justices noted, a person's name can "provide the key to a broad array of information about the person," particularly when disclosed to officers with access to law enforcement databases.[53]

In the 2004 term, the Supreme Court ruled in Illinois v. Caballes that a canine sniff of an automobile did not violate the driver's constitutionally protected privacy right.[54] The Court held that because a canine sniff reveals the location of contraband alone and because one has no legitimate expectation of privacy in contraband under the Fourth Amendment, the measure did not violate a constitutionally cognizable privacy interest.[55] In Devenpeck v. Alford, the Court held that an arrest is justified if there is a legitimate basis, regardless of whether the stated reason for the arrest is meritorious or closely related. In that case, the suspect, who was driving a car with "wigwag" roof lights, tape recorded a conversation with a police officer who had stopped him for suspected impersonation of an officer. The officer then arrested him for violating the state privacy statute. Although the suspect's tape recording was later found not to have violated any state law, the Supreme Court ruled for the state because suspected impersonation of an officer was a legitimate basis for arrest.[56]

In June 2007, the Supreme Court ruled that vehicle passengers may challenge the legality of police stops. The Court found that traffic stops curtailed the travel of vehicle passengers as well as drivers, and that "no passenger would feel free to leave" after police detained the vehicle they were traveling in. The Court also noted that all nine Federal Courts of Appeals and 47 states allowed passengers to challenge the legality of vehicle stops on Fourth Amendment grounds.[57]

Data Protection Authority

There is no independent privacy oversight agency in the United States. The Office of Management and Budget (OMB) plays a limited role in setting policy for federal agencies under the Privacy Act, but it has not been particularly active or effective in this capacity.[58]

The Consolidated Appropriations Act of 2005, enacted on December 8, 2004, requires every federal agency to appoint its own privacy officer.[59] The privacy officers are responsible for ensuring the proper collection, use and disclosure of personal information handled by their respective agencies; ensuring that all systems of records adhere to the requirements of the Privacy Act and the agency’s own policies; conducting privacy impact assessments for all proposals of their respective agencies; preparing an annual report to Congress including all complaints and privacy violations; and educating agency employees regarding privacy legislation and policies.[60]

In July 2007, the Government Accountability Office released a report on the progress of the Department of Homeland Security Privacy Office in complying with its statutory mandates. The GAO concluded the Privacy Office has increased the number and quality of Privacy Impact Assessments issued, and it has managed to incorporate privacy considerations into DHS decision-making. However, the Privacy Office’s tardiness in releasing report has delayed the effectiveness of these reports and eroded the credibility of the Privacy Office.[61]

Department of Homeland Security

The Department of Homeland Security (DHS), established in 2003 under the Homeland Security Act, combined 22 agencies and was initiated under an estimated USD 38 billion budget.[62] President Bush requested a budget of USD 41.1 billion for fiscal year 2006, a seven percent increase over the budget for 2005.[63] This cabinet level agency has been granted increased law enforcement and information sharing powers but more limited open government responsibilities. For instance, the legislation allows the department to share intelligence and grand jury information with state and local authorities but broadly exempts "critical infrastructure information" submitted to the agency from the open government laws.

Limited privacy protections were included in the legislation creating DHS. The legislation created a civil rights officer and a separate privacy officer charged with the responsibility of compliance with the Privacy Act, with formulating privacy impact assessments for rules proposed by the department, and with preparing an annual report to Congress. Other portions of the law prohibit the government from creating a citizen snitch program called the "Terrorism Information Prevention System." The department is statutorily barred from developing a national identification system or card.

The Federal Trade Commission and Consumer Privacy

The Federal Trade Commission (FTC) has oversight and enforcement powers for the laws protecting children's online privacy, consumer credit information, and fair trading practices.[64] In recent years, the FTC has focused on enforcing existing law in the areas of telemarketing, spam, pretexting, and children's privacy.[65]

The FTC's actions under federal "unfair and deceptive" practices law essentially have created a "common law" of privacy in the country. Thus, when the agency brings a suit against a company for certain privacy-invasive practices, it can have industry-wide effect. However, the FTC continues to allege misrepresentations of the privacy of consumer information by online providers of goods and services. These cases, which have resulted in settlements, include suits against Gateway Learning, which rented personal information of consumers to marketers. The FTC challenged the company's retroactive changing of its privacy policy to allow sharing of this information with third parties.[66]

In April 2007, Internet company Google announced an agreement to acquire online advertising giant DoubleClick, Inc. for $3.1 billion.[67] EPIC, the Center for Digital Democracy, and the US Public Interest Research Group filed a complaint with the Federal Trade Commission, requesting that the Commission open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable.[68] The complaint explains the need for the FTC to consider consumer privacy interests in the context of a merger review involving the Internet's largest search profiling company and the Internet's largest targeted advertising company. The FTC issued a request for additional information and documentary materials regarding the proposed acquisition.[69]

Identity Theft

In 2006, the Federal Trade Commission listed identity theft as the No. 1 consumer complaint for the seventh year in a row, accounting for 36 percent of filed complaints and generating more than five times the amount of complaints of the second-place item.[70] The FTC suggested that Congress: extend the Gramm-Leach-Bliley Act Safeguards Rule to companies that are not financial institutions, require customers to be notified in cases of breach of security of private data, adopt laws to restrict the use of Social Security numbers, and enact cross-border fraud legislation to prevent access of databases by offshore third parties.[71]

In May 2006, President Bush created the President’s Identity Theft Task Force to "craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution."[72] The Task Force’s April 2007 Strategic Plan focused more on how to expand law enforcement authority to combat identity theft after the crime has been committed than on creating stronger privacy and security practices to reduce the risk of identity theft being committed. The Task Force also did not address adoption of privacy enhancing technologies, data minimization, or meaningful remedies for security breaches and privacy violations.[73]

Unsolicited Commercial E-mails ("Spam")

Congress acted with similar motives of preempting more stringent state law in passing the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the "CAN-SPAM" Act.[74] The act, which became effective January 1, 2004, defines spam as any message whose "primary purpose" is the "commercial advertisement or promotion of a commercial product or service." Spam must include notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender. Address harvesting and dictionary attacks are illegal under the Act, but these practices are considered aggravating offenses, and they cannot serve as the sole basis of prosecution of a spammer. Enforcement of the act is limited to the FTC, state attorneys general, and Internet service providers (ISPs). CAN-SPAM gave the FTC the authority to create a do-not-spam registry, but the agency chose not to, citing impracticability.[75] Instead, the agency urged the private sector to increase sender authentication in an attempt to reduce "spoofed" spam. In a report to Congress in June 2005, the agency recommended against use of the "ADV" (advertising) label in the subject line of commercial e-mail, stating that the measure would have little effect on reducing spam.[76] In 2004 and early 2005, Florida, Georgia, Indiana, Maryland, Ohio, and Utah passed laws regulating unsolicited or bulk e-mail messages; most other states now have similar statutes.[77]

An FTC report found that using spam filtering technologies and techniques such as "masking" helps reduce the volume of unsolicited emails that consumers receive. [78] Researchers created 150 email accounts, some with spam filters, and some without, and posted the addresses at various places on the Internet. The study showed that Internet service providers that use spam filters reduced spam by 86-95% over a five-week period. Masking, a technique by which email addresses are presented in a human-readable, but not machine-readable form (for instance, by displaying "epic-info AT epic DOT org" instead of "epic-info@epic.org"), was found to be highly effective. Four masked addresses received one spam message over a five-week period, while four unmasked addresses received 6,416.

Medical Privacy

Protections for medical records were finally introduced in the United States in 2001. On December 20, 2000, the final rules governing the privacy of health records for the Health Insurance Portability and Accountability Act (HIPAA) of 1996 were unveiled; these rules took effect in April 2001. The protection offered by the rules is limited by a large number of exemptions. In addition, a variety of sectoral legislation on the state level may give additional protections to citizens of individual states.[79]

In April 2003, the first federal regulation protecting individually identifiable health information became effective for enforcement. The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, provide basic protections for individually identifiable health information and give individuals rights with respect to the information about them. The Privacy Rule is permissive in nature because it allows several types of disclosures but requires disclosures only to the individual or his personal representative and to the Secretary of Health and Human Services for the purpose of enforcement. The Privacy Rule allows state laws to remain in place where state law provisions provide greater protection.[80] State laws deal with health information in areas such as access to medical records, regulation of licenses for medical professionals and organizations, regulations for entitlement programs, mental health records, records related to conditions such as HIV/AIDS, and reproductive rights.[81] The federal Privacy Rule contains civil penalties for noncompliance and will be enforced by the Office for Civil Rights within the Department of Health and Human Services. The rule also contains criminal penalties for malicious misappropriation and misuse of health information, which are enforced by the DOJ.[82]

Consumer Information Security Breaches

Several security breaches continued to occur in private industry. In 2006, the largest data breach in US history was revealed when TJX Companies Inc. acknowledged that at least 45.7 million credit and debit cards were stolen by hackers who managed to penetrate its network. Another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information. The breaches occurred as far back as 2002.[83] Also in 2006, the U.S. Department of Veterans Affairs reported that the names, Social Security numbers and dates of birth of 26.5 million U.S. veterans were on a computer that was stolen from a Virginia employee's home. The personal data of about 2.2 million active-duty National Guard and Reserve troops were also likely stored on the stolen computer.[84]

Congress has responded to these breaches with proposed legislation, but no protective laws have thus far been passed. However, thirty-five state legislatures have passed laws requiring notification of consumers after disclosure of financial and other personal data.[85] The first, and most stringent of these is the California statute, effective since July 2003, that requires entities that store computerized information to notify California residents of a security breach of unencrypted personal data.[86] Several states are also considering legislation allowing credit card holders to "freeze" their accounts to forbid the transfer of their credit card data without their consent; credit card companies would charge a fee for this opt-out service.[87]

Electronic Surveillance

Surveillance of wire, oral, and electronic communications for criminal investigations is governed by the Omnibus Safe Streets and Crime Control Act of 1968 and the Electronic Communications Privacy Act of 1986 ("Title III").[88] Police are required to obtain a court order based on several legal requirements before capturing the content of a communication. Surveillance for national security purposes is governed by the Foreign Intelligence Surveillance Act of 1978 (FISA), whose requirements are less rigorous than those of the other two statutes, requiring only that the surveillance target be a "foreign power."[89] In 2004, the so-called Lone Wolf amendment extended FISA's coverage to include any non-United States person who "engages in international terrorism or activities in preparation therefore."[90] No probable cause to believe in a connection between the surveillance target and any particular nation or group need be shown, nor need the Court find probable cause to believe such a connection exists.[91] The number of FISA orders reached an all-time high in 2006, with the secret FISA Court approving 2,181 applications for physical search, electronic surveillance, or both. The Court denied five applications submitted by the federal government in 2006.[92]

In December 2005, the New York Times reported that President Bush had issued an order in 2002 allowing the National Security Agency unprecedented authority to conduct domestic surveillance.[93] The President contended that he has the authority to "order foreign intelligence surveillance within the United States" and "[t]he President’s constitutional authority to direct the NSA to conduct the activities he described is supplemented by statutory authority under the AUMF [Authorized Use of Military Force resolution], passed by Congress, September 18, 2001."[94] The documents supporting this proposition have not been revealed, despite a federal court ruling ordering the Department of Justice to either process and release documents related to the Bush Administration's warrantless surveillance program or explain why it is justified in withholding them.[95]

In August 2007, the Congress amended FISA in a way that significantly weakens the FISA court, which is the only institutional safeguard that stands between the power of the executive and the privacy rights of Americans.[96] The amendments go beyond what the Director of National Intelligence had said earlier was necessary to address specific problems with a ruling of the FISA court earlier this year, permitting warrantless surveillance of American citizens when one party to the conversation may be outside of the United States. It is the most dramatic change in the 30 year history of the FISA and will leave millions of Americans subject to electronic surveillance, without court review, regardless of whether they are suspected of any wrongdoing. However, the amendments will sunset in 180 days, which will provide an opportunity for further debate in Congress.[97] The opinion that gave rise to this sweeping change in federal wiretap law is secret.

The Foreign Intelligence Surveillance Court of Review (FISCR) convened for its first controversy in 2002 and broadly expanded the DOJ's surveillance authority under FISA. The court held that the DOJ could use looser foreign intelligence standards to conduct criminal investigations in the United States. In doing so, the Court of Review reversed a unanimous lower opinion that revealed a pattern of FBI misrepresentations and cast serious doubt on the veracity and accuracy of claims made by the DOJ and the FBI in support of requests for approval of national security and anti-terrorism surveillance.

The lower court found that DOJ and FBI officials had submitted erroneous information in more than 75 applications for search warrants and wiretaps and had improperly shared intelligence information with agents and prosecutors handling criminal cases on at least four occasions.[98] Because of these problems, the lower court refused to give DOJ the broad new surveillance powers it sought to employ after the September 11, 2001 terrorist attacks. Nevertheless, the Court of Review reversed the earlier decision, and permitted the government to remove the separation that has long existed between officials conducting surveillance on suspected foreign agents and criminal prosecutors investigating crimes.[99]

The use of electronic surveillance under Title III has more than tripled in the last 10 years. In 2006, 1,839 federal and state wiretaps were completed. About three quarters of the wiretaps were authorized for narcotics investigations. The agency also reported that federal officials requested 461 intercept applications in 2006, a 40 percent decrease over the number requested in 2004.[100]

The federal wiretap laws were amended in 1994 by the Communications Assistance to Law Enforcement Act (CALEA), which required telephone companies to redesign their equipment to facilitate electronic surveillance.[101] The Federal Communications Commission (FCC) issued regulations in November 1998 implementing the law.[102] The regulations include several additional provisions, including a requirement that all mobile phone companies facilitate location tracking of users. Privacy groups challenged the implementation of the law in federal court and telecommunications companies, who argued that the regulations give the government more power than authorized under the law and the Constitution.[103]

The "PATRIOT Act"

The USA PATRIOT Act, which was passed in the wake of the September 11, 2001, attacks, and renewed in March 2006, significantly weakened privacy protections in federal wiretapping statutes.[104] The act extended the "pen register" portions of federal wiretapping law, allowing Carnivore to be used to collect traffic data based solely on a prosecutor's certification that such information was relevant to an ongoing investigation.[105] The law made computer crimes and terrorism predicate offenses for initiation of a federal wiretap.[106] The law also authorized national application of a wiretap order, that is, a court in one jurisdiction can issue a warrant that could apply anywhere in the country.[107] Under the PATRIOT Act, courts can issue roving wiretaps, giving law enforcement the ability to monitor many different devices that a suspect may use.[108] Although supporters of the PATRIOT Act claimed that a sunset provision in the bill would limit police power, only some of the new surveillance provisions will expire. Also, several states followed suit by passing state legislation that loosens protections against wiretaps.[109]

The USA PATRIOT Act gave the FBI the power to issue National Security Letters (NSLs), an extraordinary search procedure to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others.[110] The number of NSLs issued has grown dramatically since the PATRIOT Act expanded the FBI's authority to issue them. In March 2007, the Department of Justice Inspector General determined that the FBI abused its National Security Letter authority in 22% of the cases examined. Also, the FBI did not report the actual number of issued Security Letters to Congress.[111] The FBI acknowledged that there has been "inadequate auditing and oversight" of National Security Letter authority.

The FBI produced updated guidelines for the use of National Security Letters (NSLs).[112] The new guidelines continue the practices of allowing field offices to issue NSLs, as opposed to the pre-PATRIOT Act system of only headquarters issuance. FBI field offices also continue issuing NSLs under the lowered standard of "relevance to an ongoing investigation" permitted by the PATRIOT Act.

The 9/11 Commission

Over initial objections from the White House, Congress established the National Commission on Terrorist Attacks Upon the United States (more commonly known as the 9/11 Commission).[113] The commission was asked to investigate "facts and circumstances relating to the terrorist attacks of September 11, 2001," including those relating to intelligence agencies, law enforcement agencies, diplomacy, immigration issues and border control, the flow of assets to terrorist organizations, commercial aviation, the role of congressional oversight and resource allocation, and other areas determined relevant by the commission.[114]

The 9/11 Commission, a panel of five Democrats and five Republicans, held 12 public hearings between March 2003 and June 2004 before closing on August 21, 2004. Among the key recommendations of the commission that may affect privacy were the following:

• Improved use of "no-fly" and "automatic selectee" lists should not be delayed while the argument about a successor to CAPPS continues. This screening function should be performed by the Transportation Security Administration (TSA) and should utilize the larger set of watchlists maintained by the federal government. Air carriers should be required to supply the information needed to test and implement this new system.[115]
• Secure identification should begin in the United States. The federal government should set standards for the issuance of birth certificates and sources of identification, such as driver's licenses. Fraud in identification documents is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are and to check whether they are terrorists.[116]
• Americans should not be exempt from carrying biometric passports or otherwise enabling their identities to be securely verified when they enter the United States, nor should Canadians or Mexicans. Currently, US persons are exempt from carrying passports when returning from Canada, Mexico, and the Caribbean.[117]

Civil liberties organizations expressed caution about the recommendations of the 9/11 Commission. For example, EPIC wrote, "Significant errors have been found in both the no-fly watchlists and the automatic selectee system. This is a particularly serious problem for US persons who travel within the United States. There should be an independent evaluation of how best to operate these screening systems and still safeguard basic rights."[118] Regarding the development of a system of biometric identification, EPIC further said:

Some steps should be taken to reduce the risk of fraud and identity theft. Identification documents should be made more secure. However, the integration of secure identity cards with interconnected databases raises substantial privacy risks that will require new legislation and new forms of oversight. Privacy enhancing techniques that minimize the collection and use of personally identifiable information should also be considered. . . . There are significant privacy and civil liberties concerns regarding the use of such devices that must be resolved before the widespread deployment of biometric passports for US citizens. In particular, a system properly designed to ensure the security of the borders should not provide the basis for routine identification within the United States.[119]

The Commission also recommended certain safeguards to protect privacy and promote government oversight, including:

• As the President determines the guidelines for information sharing among government agencies and by those agencies with the private sector, he should safeguard the privacy of individuals about whom information is shared.[120]
• At this time of increased and consolidated government authority, there should be a board within the executive branch to oversee adherence to the Commission-recommended guidelines and the commitment the government makes to defend civil liberties.[121]

Civil liberties organizations, and even one member of the Commission, urged the establishment of an independent oversight board to safeguard civil liberties.[122]

In 2006, on the recommendation of the 2004 report of the National Commission on Terrorist Attacks Upon the United States (the 9/11 Commission), the Privacy and Civil Liberties Oversight Board was established. The Board consists of five members appointed by and serving at the pleasure of the President. The Board is specifically charged with responsibility for reviewing the terrorism information sharing practices of executive branch departments and agencies to determine whether guidelines designed to appropriately protect privacy and civil liberties are being followed; however, the Board's 2007 report provides few details on program operations or what internal controls are in place to protect civil liberties in any of the government programs evaluated, and does not even refer to the Privacy Act.[123]

In August 2007, Congress passed an Act implementing more recommendations of the 9/11 Commission. In particular, the Act strengthens the Board by requiring Senate confirmation for its members; however, the Board was not granted full independence, and remains in the Executive Office.[124]

Video Surveillance and Face Recognition Technology

Recent years have seen a new trend towards the increased use of video surveillance cameras linked with facial recognition software in public places.[125] Face recognition technology is still not reliable and remains unregulated by US laws. Studies sponsored by the Defense Department have shown the system is right only 54 percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors.[126] Tests on the face recognition systems in operation at Palm Beach Airport in Florida and at Boston Logan Airport have also shown the technology to be ineffective and error-ridden.[127] State-of-the-art facial recognition technology appears unable to recognize subjects with a high rate of accuracy.[128]

New York City is planning the "Lower Manhattan Security Initiative," based on London's "ring of steel." The NYC plan would greatly enhance the surveillance of downtown streets by installing another 3,000 cameras and license plate scanners to track the thousands of drivers who enter the Manhattan area daily, creating an operations center, and possibly using face recognition technology.[129] The city estimates the new surveillance system would cost $90 million, $10 million of which would come from Homeland Security grants and $15 million from NYC. The city also is seeking to charge drivers a fee for entering Lower Manhattan; the fees would go toward the surveillance project.

Tests conducted in 2006 by the US National Institute of Standards and Technology showed an improvement in the technology, though the images used were "controlled" still or 3-D photos, not photographs taken on the street. Uncooperative subjects and changes in the environment, such as positioning or lighting, would continue to befuddle the technology. In fact, smiling Germans and Britons have thwarted their countries' biometric passport systems. Guidelines had to be issued, requiring subjects ensure neutral facial expressions and look directly into cameras.

National Identity Card

On May 11, 2005, President Bush signed into law the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, which included the controversial REAL ID Act of 2005.[130] The Real ID Act's provisions originated in a House bill and were slipped into the USD 82 billion appropriations bill with neither hearings nor committee approval, an act many believe was a deliberate maneuver to avoid Congressional debate. The REAL ID Act is a response to the 9/11 Commission's recommendations to prevent would-be terrorists from obtaining documentation. The law requires all states to comply, by May 2008, with federal standards when issuing driver's licenses. States failing to comply with the national standards would be ineligible to participate in such federally funded programs as veteran's benefits and Social Security – nor would holders of noncompliant driver's licenses be allowed to board airplanes.[131]

The new driver's licenses issued under the REAL ID Act will contain encoded, machine-readable data, to be determined by the Secretary of the Department of Transportation and the Secretary of the DHS. Applicants for driver's licenses will be required to provide proof of citizenship or immigration status prior to issue of a license; such proof will consist of either a passport or four documents containing a Social Security number, address, and other information. State motor vehicle department employees must then verify the information against federal databases and store the applicant's documentation and digital photograph in the database. Thus, the REAL ID Act creates a de facto national identity card at an estimated cost of up to USD 700 million over the next five years.[132] In addition to its high monetary cost, the act raises concerns because state motor vehicle department are already a favored target of identity thieves. The law follows several failed proposals to create a national ID card in the wake of the September 11, 2001 terrorist attacks;[133] however, nothing in the act's provisions would have prevented the September 11, 2001 terrorists from obtaining a driver's license.

Although the REAL ID Act was passed in May 2005,[134] and the Department of Homeland Security plans to implement the national ID system by 2008,[135] states and public organizations have rebelled against the scheme.[136] Sixteen states have passed legislation rejecting REAL ID and there also are bills in both US legislative houses that would repeal the Act creating the national identification system.[137]

Passenger Profiling and Prescreening

The Computer Assisted Passenger Prescreening System II (CAPPS II) aimed to conduct background risk assessments on all air travelers before they fly on commercial airliners. The profiling system will rely on experimental data-mining technology to sift through data from various commercial and government databases, assigning different "risk scores" to passengers. Based on these scores, passengers will either be denied boarding, subjected to a more intrusive physical search, or passed through normal screening. Civil libertarians have noted that CAPPS II may be scaled to other settings in the future, such as train stations, bus stations, or even the entrances of public buildings.[138]

CAPPS II was abandoned in late 2004, shortly after Delta Airlines refused to provide the government with the passenger data requested. TSA quickly replaced CAPPS II with the passenger-prescreening scheme "Secure Flight," giving the new program a slightly different mandate. Secure Flight is designed to compare passenger names against the "selectee" and "no fly" lists of the Terrorist Screening Database compiled by the Terrorist Screening Center.[139] Upon creation of Secure Flight, TSA promised to adopt measures for protection of personal data and for redress by passengers who were improperly flagged once the pilot program was completed. In March 2005, the Government Accountability Office (GAO) issued a report questioning the accuracy of Secure Flight passenger data, the efficacy of the program's privacy protections, and the adequacy of measures for redress by passengers.[140] In June 2005, DHS admitted that under Secure Flight, TSA had stored detailed passenger information[141] in violation of its own order stating that the agency would not do so.[142] In July 2005, GAO released another report on Secure Flight, stating that TSA "did not fully disclose to the public its use of personal information in its fall 2004 privacy notices."[143] Whereas the Secure Flight pilot program is supposed to be limited to data on persons who flew on commercial airlines in June 2004, TSA secretly used about 200,000 variations of the names of 43,000 actual passengers, resulting in the collection of information on an estimated 250,000 people who may or may not have flown that month.[144] An April 2006 report by the Department of Homeland Security's Privacy Office on the impact of the watch lists explained that "individuals who are mistakenly put on watch lists or who are misidentified as being on these lists can potentially face consequences ranging from inconvenience and delay to loss of liberty."[145]

In February 2006, there were 325,000 names on the watch lists, according to the National Counterterrorism Center, and the director of TSA's redress office has revealed that more than 30,000 people who are not terrorists have asked the agency to remove their names from the lists since September 11, 2001.[146] In January 2007, the head of TSA said that the watch lists were being reviewed, and he expected to cut the list of names in half.[147] However, he has not disclosed details, such as what the criteria would be for removing a name or when the review would be complete. These reports show that the watch lists are rife with mistakes and "false positives."

More limited attempts to create national identification systems include "enhanced visa" documents and "trusted traveler" programs. In July 2004, TSA initiated a database for its "Registered Traveler" program.[148] TSA has since announced that Registered Traveler's database records are exempt from certain provisions of the Privacy Act.[149] Enrollees in a three-month test period submitted biometric samples (fingerprint and iris scan) and underwent a background check. The value of the program is questionable for travelers, as enrollees were required to submit to normal screening; the card only reduced the likelihood that the travelers would be subject to secondary screening with a metal-detecting wand. The Registered Traveler pilot program was extended to September 2005, and included Boston, Los Angeles, Houston, Minneapolis-St. Paul, and Washington-Reagan airports; enrollment reached the agency's limit of 10,000 volunteers and has closed.[150]

Surveillance of Foreigners and Immigration Controls

In 2002, the government initiated several privacy-invasive programs as a result of the September 11, 2001 attacks. Among these is the United States Visitor and Immigrant Status Indicator Technology program (US-VISIT),[151] which requires visitors to the country to submit a biometric identifier to the government. When a visitor subject to US-VISIT applies for a visa to travel to the United States, he is fingerprinted and photographed at an overseas US consular office.[152] This biometric information is then checked against more than 20 interfacing government databases to determine the likelihood that the visitor is a criminal or terrorist.[153] When the visitor arrives at a US port of entry, he is again fingerprinted and photographed to verify that he is same person who was issued the visa.[154] The program will eventually be expanded to fingerprint visitors when they exit the US, as well.[155] In September 2004, US-VISIT was extended to apply to visitors to the United States traveling via air and seaports through the Visa Waiver Program.[156]

US-VISIT grew out of the National Security Entry-Exit Registration System (NSEERS), a national registry established by the Department of Justice in 2002. NSEERS requires non-immigrant aliens from 25 countries and others who "met a combination of intelligence-based criteria that identified them as a potential security risk."[157] Although the agency suspended most of the NSEERS requirements in 2003, foreign nationals of Iran, Iraq, Libya, Syria, and Sudan still must register at ports of entry; decisions to compel other foreign nationals to register may be made on the basis of questioning. US-VISIT, once fully implemented, will account for virtually all foreign nationals visiting the United States.[158] In June 2004, DHS awarded the Smart Border Alliance, led by the consulting firm Accenture, a USD 10 billion contract to design and oversee implementation of radio frequency identification (RFID) technology at border checkpoints under US-VISIT.[159] By January 5, 2004, the DHS had deployed US-VISIT at 115 airports and 14 major seaports.[160] US-VISIT is expected to be operational at each of the nation's more than 400 air, land and seaports by the end of 2005.[161]

A purported goal of US-VISIT is to protect the privacy of visitors to the United States. However, the Government Accountability Office reported in February 2005, that in conducting the legislatively mandated privacy impact assessment for US-VISIT, DHS had failed to address fully the privacy issues in system documentation. The DHS evaluation also failed to comply fully with recommendations of the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).[162] Biometric data collected by US-VISIT currently includes digital fingerscans and photographs, the two parameters recommended by NIST. However, the choice of biometric technologies is at the discretion of the United States Secretary of State and the Secretary of Homeland Security.[163]

Additionally, immigration authorities, in conjunction with several other federal agencies, are implementing the Student and Exchange Visitor Information System (SEVIS).[164] This program, which is maintained by US Immigration and Customs Enforcement Office of DHS, is an Internet-based system that allows schools to transmit student information to the government for purposes of tracking and monitoring non-immigrant and exchange students. Accessible information includes a student's personally identifiable information, admission at port of entry, academic information, such as changes in program of study, and disciplinary information. Schools are required to transmit such information to the Bureau of Citizenship and Immigration Services (BCIS, formerly the Immigration and Naturalization Service) for the duration of a student's stay in the United States. In accordance with the PATRIOT Act, SEVIS was fully implemented by January 1, 2003. A recent Government Accountability Office report showed that problems remain in redressing data errors in student and exchange visitor records and that these errors can take months or even years to correct. Such errors make retention of such students in academic programs difficult.[165] Of the estimated 15,000 requests for data fixes initiated since the inception of the program through spring 2005, about 6,600 remained unresolved.[166] In February 2005, the DHS issued a privacy impact statement on SEVIS, wherein the agency reported that data files on students and exchange visitors are archived and retained for the statutory maximum period of 75 years.[167]

In November 2006, the Department of Homeland Security announced the Automated Targeting System, which "performs screening of both inbound and outbound cargo, travelers, and conveyances."[168] The Automated Targeting System, part of the Department of Homeland Security’s Customs and Border Protection, was originally established to assess cargo that may pose a threat to the United States. Now the Department proposes to use the system to establish a secret terrorism risk profile for millions of people, most of whom will be U.S. citizens. Simultaneously, it is seeking to remove Privacy Act safeguards for the database that provides neither adequate access nor the ability to amend or correct inaccurate, irrelevant, untimely and incomplete records.[169]

Data Mining

Total Information Awareness (TIA) was one of many post-September 11, 2001 responses to terrorism. TIA is a now-defunct program of the Defense Advanced Research Projects Agency (DARPA); TIA intended to scan ultra-large databases of personal information to detect the "information signature" of terrorists. The program was headed by Admiral John Poindexter and was renamed "Terrorism Information Awareness" to pacify critics.[170] Congress acted to limit the project in February 2003 by requiring DARPA to submit a detailed report on TIA and later in the year cut funding for Admiral Poindexter's entire Information Awareness Office.

States have pursued information sharing and data mining arrangements. Most notable amongst these systems was the now-defunct MATRIX, or Multi-state Anti-Terrorism Information Exchange.[171] This prototype database system run by the State of Florida and Seisint, a private company later acquired by LexisNexis, until exhaustion of federal funding on April 15, 2005. Built by a consortium of state law enforcement agencies headed by Florida, MATRIX combined public and private records from multiple databases with data analysis tools and provided a wealth of personal information in near-real time to law enforcement agents in 13 participating states. Most of the states that had been involved gradually withdrew their participation because of privacy concerns. In April 2005, however, Florida officials called for initiation of a more powerful successor to MATRIX that would include more types of data, such as financial and insurance records.[172]

The latest data sharing initiative creates "fusion centers," data sharing entities that acquire information from many sources, including private sector firms and anonymous tipsters.[173] The Department of Homeland Security is seeking to create a national network of local and state fusion centers. There are 43 current and planned fusion centers in the U.S., and some states have more than one. The federal agency has provided more than $380 million to state and local governments in support of these centers.[174] The fusion center program gives DHS enormous domestic surveillance powers.

A recent Congressional Research Service (CRS) report examined the Department of Homeland Security's utilization of data mining techniques to identify potential terrorist activities. The report found that while data mining can be effective, it also has limited capabilities for two reasons.[175] First, data mining cannot identify causal relationships, merely connections between variables. Second, although data mining reveals patterns, it does not show the significance of the pattern. The GAO report suggests that Congress may wish to consider data mining implementation and oversight issues in the future, because of the potential for mission creep, data inaccuracies, and privacy abuses.

Radio Frequency Identification (RFID)

RFID legislation has been proposed, but not yet passed, in at least 11 state legislatures during the past year.[176] Much of this legislation includes provisions for clear labeling of consumer products bearing RFID tags, a requirement originally proposed for federal legislation drafted by the Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), the "RFID Right to Know Act of 2003."[177]

In May 2005, the Government Accountability Office (GAO) identified 13 federal agencies that were using or planning to use RFID tags, mainly for physical access control and asset-tracking purposes.[178] GAO reported a general failure to address privacy issues raised by the use of RFID technology.[179]

The Department of State had planned to introduce the machine-readable "e-Passport," containing an RFID chip in the back cover, for US passport holders by the end of 2005. Privacy advocates and citizens raised concerns[180] that personal information—including the passport holder's name, photograph, birth date, and passport number—would be readable from several feet rather than several inches as the State Department had maintained. After test findings revealed that the embedded information could indeed be vulnerable to identity theft, the agency announced in the spring of 2005 that implementation of the electronic passports would be delayed pending resolution of the security issues.[181]

The US Department of Homeland Security is moving forward with the Western Hemisphere Travel Initiative[182] and the REAL ID system despite the fact that Homeland Security Secretary Michael Chertoff admitted in Congressional testimony in February 2007 that the agency is abandoning the use RFID-enabled documents in the US-VISIT border system because pilot testing failed.[183] By October 2006, the 27 countries in the US Visa Waiver Program (which allows their citizens to enter the US without having to apply for a visa) were required to use electronic passports.[184] About 15 million people per year travel to the US through the Visa Waiver Program. The State Department began issuing RFID-enabled passports in August 2006, arguing that the technology can be secured.[185] However, a number of researchers have been able to break the security of so-called "strengthened passports."[186]

Privacy advocates also have cautioned that without regulation, RFID use could have significant, negative impact on individual privacy.[187] At a Federal Trade Commission (FTC) workshop held in June 2004, FTC considered that RFID regulation was premature.[188] The Federal Communications Commission (FCC) already regulates the use of electromagnetic spectrum in RFID applications. FCC places limits on the power and spectrum allocation of RFID readers, which in turn will limit the read range of a particular tag.[189] In 2004, FCC reduced RF (radio frequency) power restrictions on DHS to improve the effectiveness of scanning shipping containers when they reach US ports.[190] On October 23, 2004, the Department of Defense (DOD) announced a policy requiring all suppliers to begin using RFID on the "lowest possible piece" of shipments to DOD by January 2005. The announcement cited improvement of data quality, items management, asset visibility, and maintenance of material as reasons for the new policy.[191] In February 2004, the US Food and Drug Administration (FDA) released a report suggesting that RFID could be instrumental in the fight against counterfeit drugs and help improve patient safety. The report claims it should be feasible to use RFID to track all drugs at the unit level by 2007.[192] In October 2002, the ruled that the VeriChip, an RFID chip designed to be implanted in the human body, is not a regulated medical device "for security, financial, and personal identification/safety applications," although specific health applications would be.[193] In October 2004, FDA allowed the use of the chip to provide easy access to individual medical records.[194] Airlines are beginning to develop pilot programs to test the use of RFID for luggage tags to enhance security and protect against lost or misdirected bags.[195]

In 2006, several US states began to legislate the use of RFID in human implants. Wisconsin and North Dakota passed legislation forbidding the compelled implantation of RFID chips in humans,[196] and Colorado, Ohio, Oklahoma and Florida are also debating such legislation.

In April 2007, the National Institute of Standards and Technology (NIST) issued its "Guidelines for Securing Radio Frequency Identification (RFID) Systems." NIST detailed how to address, in the context of an RFID system, the basic principles of the Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[197]

Voting Privacy

The Twenty-Sixth Amendment to the United States Constitution grants the right to vote to citizens aged 18 years or older. Application of direct recording electronic (DRE)[198] paperless voting technology in US public elections addresses some issues of voter privacy while potentially creating others. The greatest privacy benefits of DRE voting machines accrue to those who are visually disabled or have literacy challenges, or to language minorities. Critics of paperless DRE voting technology acknowledge the apparent usability benefits to some voters, but point to a critical vulnerability in their design.[199] There are also charges that if the restricted space around DRE voting machines were too small this would threaten voter privacy.[200] DRE voting technology has triggered strong debate between technologists,[201] election administrators,[202] voting rights activists, media, and NGOs.

Internet voting in the US is still in its infancy[203] with only two states, Arizona[204] and Michigan,[205] who have attempted some level of public elections using this method. In 2004, the US military sought to undertake for the first time an all Internet voting process for military personal and civilians living abroad.[206]

Voter registration lists are now the responsibility of state governments.[207] The Help America Vote Act (HAVA)[208] requires that voter registrants submit proof of identity by providing a state-issued identity document or the last four digits of their Social Security number. HAVA also created the US Election Assistance Commission (EAC), which manages the federal government’s role in voter registration.[209] HAVA requires that states create a single statewide-centralized voter registration database that will be used as the official list of qualified voters who may vote in Federal elections. EAC is preparing voluntary guidelines for states to help them in the development of these voter registration systems. Registration forms may include requests for name, current and previous address, home and work telephone numbers, birthplace, social security number,[210] birth date, race, gender, and party affiliation.[211] This registration information is made available to the people who manage political campaigns who can use the information to solicit voters for support.[212]

The Internet is making it much easier to engage in "free speech" in the form of monetary contributions to political causes and candidates.[213] However, Congress can regulate the volume of this speech.[214] Contribution of USD 200 or more will expose contributor's personally identifiable information to others.[215] However, the cumbersome presentation of this personally identifiable information on the Federal Election Commission (FEC) Web page has been greatly enhanced[216] with data mining technology.[217] The Federal Election Commission Act of 1971, as amended in 1974, limits political contributions to candidates for federal elective office by individuals or groups.[218]

Open Government

The Freedom of Information Act (FOIA) was enacted in 1966 and has been amended several times.[219] It allows for access to federal government records by any requestor, except those held by the courts or the White House. However, there are numerous exceptions, long delays at many agencies, and little oversight unless a requestor files a lawsuit to enforce its rights. It was amended in 1996 by the Electronic Freedom of Information Act to specifically provide access to records in electronic form.[220] Recently, the Congress enacted a "critical infrastructure information" (CII) exemption to the FOIA for the newly formed Department of Homeland Security. This exemption would shield information voluntarily provided to the government by private entities on security information from the FOIA.[221] Once disclosed to the government, CII could not be used against the company in civil litigation, and government agents who disclose the information would be subject to criminal penalties and fines. Since the creation of this loophole for the DHS, other agencies have sought similar exemptions from the FOIA. There are also laws in all states on providing access to government records.[222]

A 2007 report by OpenTheGovernment.org and People For the American Way Foundation documents how, at a time when technology should enable government openness, the executive branch limits public access to public information.[223] According to the report, President Bush has used executive orders to limit use of the Freedom of Information Act and Presidential Records Act, expanded the power to classify information for national security reasons, and created a range of new categories of "sensitive" information. In some cases, the government has gone so far as to reclassify documents that had been available to the general public for many years.

In August 2007, the Senate passed a freedom of information bill introduced by Senators Leahy and Cornyn.[224] The bill ensures that anyone who gathers information to inform the public, including freelance journalist and bloggers, may seek a fee waiver when they request information under FOIA. Further, the bill imposes a 20-day time frame for responding to requests, and allows FOIA requesters to obtain attorneys’ fees when they file a lawsuit to obtain records from the government and the government releases those records before the court orders them to do so. Finally, the bill creates an Office of Government Information Services in the National Archives, an ombudsman to mediate agency-level FOIA disputes, and a Chief FOIA Officer in every federal agency.[225]

Safe Harbor

The United States Department of Commerce and the European Commission in June 2000 reached an agreement on the Safe Harbor negotiations, allowing US companies to continue to receive personal data from Europe. This measure was taken in response to the European Union Data Protection Directive of 1995, which prohibited the transfer of data from European countries to nations that did not comply with adequate data protection principles. More than 500 companies have joined the Safe Harbor,[226] which requires organizations to assert compliance with seven principles. These principles include permitting individuals to opt-out from collection of personal data, giving individuals access to their personal data, and ensuring data integrity and security.[227]

In April 2004, university academicians, at the request of the European Commission, released a study that revealed numerous deficiencies in the implementation of the Safe Harbor program.[228] Based on the findings, the European Commission reported in October 2004 that a "substantial minority" of the companies on the Safe Harbor list had failed to comply with the principles. Some companies had not placed a visible privacy policy or given consumers control over the sharing of their data with third parties. The European Commission encouraged data protection authorities in the European Union to suspend data flows whenever there is, in the authorities' judgment, a substantial likelihood of a violation of the Safe Harbor Principles. To address deficiencies in the management and enforcement of Safe Harbor, the European Commission asked for greater guidance by the Department of Commerce and more proactive monitoring by the FTC.[229]

International Obligations

The US is a member of the Organization for Economic Cooperation and Development (OECD), and also has observer status at the Council of Europe. The US has signed and ratified the Cybercrime Convention.[230] The US is a member of the Asia-Pacific Economic Community, and participates in the Electronic Commerce Steering Group.[231]

[1] Katz v. United States, 386 U.S. 954 (1967).

[2] See, e.g., Griswold v. Connecticut, 381 U.S. 479 (1965); Whalen v. Roe, 429 U.S. 589 (1977); Paul v. Davis, 424 U.S. 714 (1976); Lawrence v. Texas, 539 U.S. 558 (2003).

[3] McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995).

[4] NAACP v. Alabama, 357 U.S. 449 (1958).

[5] See, e.g., California Constitution, Art. I § I.

[6] These 10 states are: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington. See National Conference of State Legislatures, Privacy Protections in State Constitutions, available at [link].

[7] United States v. Miller, 425 US 435 (1976).

[8] See Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231 (Minn. 1998), for a review of state adoption of common law privacy torts.

[9] See generally Prosser & Keeton on Torts (5th ed. 1984).

[10] Privacy Act, Pub. L. No. 93-579 (1974), codified at 5 USC § 552a, available at [link]. See also EPIC's Privacy Act Web Page [link].

[11] General Accounting Office, Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, GAO-02-352 (May 2002), available at [link].

[12] General Accounting Office, Social Security Numbers: Use Is Widespread and Protections Vary, GAO-04-768T (June 15, 2004), available at [link].

[13] See EPIC's Financial Privacy Resources Web Page [link].

[14] Right to Financial Privacy Act, Pub. L. No. 95-630 (1978); EPIC's Right to Financial Privacy Web Page [link].

[15] Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, promulgated under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191; EPIC's Medical Privacy Web Page [link].

[16] Fair Credit Reporting Act, Pub. L. No. 91-508 (1970), amended by Pub. L. No. 104-208 (1996), available at [link]; EPIC's Fair Credit Reporting Act Web Page [link].

[17] Video Privacy Protection Act, Pub. L. No. 100-618 (1988); EPIC's Video Privacy Protection Act Web Page [link].

[18] Cable Privacy Protection Act, Pub. L. No. 98-549 (1984), available at [link].

[19] Children's Online Privacy Protection Act, Pub. L. No. 105-277 (1998), available at [link]; EPIC's Children's Online Privacy Protection Act (COPPA) Web Page [link].

[20] Family Educational Rights and Privacy Act, Pub. L. No. 93-380 (1974), available at [link]; EPIC's Student Privacy Web Page [link].

[21] Drivers Privacy Protection Act, Pub. L. No. 103-322 (1994), available at [link]; EPIC's Drivers Privacy Protection Act Web Page [link].

[22] Telephone Consumer Protection Act, Pub. L. No. 102-243 (1991); EPIC's Telemarketing and the Telephone

Consumer Protection Act (TCPA) Web Page [link].

[23] Trans Union v. FTC, No. 01-5202 (D.C. Cir. 2002).

[24] FTC Privacy Initiatives supra; EPIC's Children's Online Privacy Protection Act (COPPA) Web Page, supra.

[25] See 70 Fed. Reg. 21,107 (April 22, 2005), Federal Trade Commission, "16 C.F.R. Pt. 312, Children's Online Privacy Protection Rule: Request for Comments," available at [link]; EPIC, "In the Matter of COPPA Rule Review 2005, Project No. P054505 [Comments]," June 27, 2005 [link].

[26] FTC Children’s Online Privacy Protection Rule, Retention of rule without modification, March 8, 2006, available at [link].

[27] Fair Credit Reporting Act, Pub. L. No. 91-508 (1970), amended by Pub. L. No. 104-208 (1996), available at [link]; EPIC's Fair Credit Reporting Act Web Page [link].

[28] Pub. L. No. 108-159 (2003), available at [link].

[29] See EPIC's Privacy Preemption Web Page [link].

[30] Reno v. Condon, 528 U.S. 141 (2000).

[31] Kyllo v. United States, 533 U.S. 27 (2001). The Fourth Amendment states: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

[32] Kyllo v. United States, supra.

[33] City of Indianapolis v. Edmond, 531 U.S. 32 (2000).

[34] Ferguson v. City of Charleston, 532 U.S. 67 (2000).

[35] Watchtower Bible & Tract Soc'y of N.Y. v. Village of Stratton, 536 U.S. 150 (2002).

[36] Board of Education v. Earls, 536 U.S. 822 (2002).

[37] Owasso Independent School District v. Falvo, 534 U.S. 426 (2001).

[38] Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).

[39] That clause prohibits the government from applying a revised law that would result in a criminal punishment more severe than that which applied at the time the crime was committed.

[40] Smith v. Doe, 538 U.S. 84 (2003), available at [link].

[41] Connecticut Dept. of Public Safety v. Doe, 539 U.S. 1 (2003), available at [link].

[42] Lawrence v. Texas, 539 U.S. 558 (2003), available at [link].

[43] Bowers v. Hardwick, 478 U.S. 186 (1986).

[44] "Had those who drew and ratified the Due Process Clauses of the Fifth Amendment or the Fourteenth Amendment known the components of liberty in its manifold possibilities, they might have been more specific. They did not presume to have this insight. They knew times can blind us to certain truths and later generations can see that laws once thought necessary and proper in fact serve only to oppress. As the Constitution endures, persons in every generation can invoke its principles in their own search for greater freedom." Lawrence v. Texas, supra.

[45] Brief amici curiae of Mary Robinson, Amnesty International USA, Human Rights Watch, Interights, the Lawyers Committee for Human Rights, and Minnesota Advocates for Human Rights, July 2003, available at [link].

[46] 540 U.S. 614 (2004), available at [link].

[47] 540 U.S. 157 (2004), available at [link].

[48] 541 U.S. 149 (2004), available at [link].

[49] 541 U.S. 615 (2004), available at [link].

[50] See NY v. Belton, 453 U.S. 454 (1981).

[51] 542 U.S. 177 (2004).

[52] Terry v. Ohio, 392 U.S. 1 (1968).

[53] 542 U.S. at 196 (Stevens, J., dissenting). See also EPIC's Hiibel v. Sixth Judicial District Court of Nevada Web Page [link].

[54] 543 U.S. 405 (2005), available at [link].

[55] Id.

[56] 543 U.S. 146 (2004), available at [link].

[57] Brendlin v. California, 551 U.S. 1 (2007), available at [link].

[58] See Memorandum M-01-05, from Jacob J. Lew, Director, Office of Management and Budget, to Heads of Executive Departments and Agencies, December 20, 2000, available at [link]. This memorandum is the OMB's most recent posted document on personal privacy.

[59] Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, § 522, Pub. L. No 108-447 (2004), available at [link].

[60] Id. at s.552.

[61] GAO Report, "DHS Privacy Office Has Made Progress but Faces Continuing Challenges," July 24, 2007, available at [link].

[62] H.R. 5005, available at [link].

[63] Department of Homeland Security, "Budget in Brief: Fiscal Year 2006," February 7, 2005, available at [link].

[64] See FTC Privacy Initiatives Web Page [link].

[65] See FTC Privacy Initiatives supra.

[66] Federal Trade Commission, "Gateway Learning Settles FTC Privacy Charges," July 7, 2004 [link].

[67] Google Press Release, April 13, 2007, available at [link].

[68] Complaint and Request for Injunction, Request for Investigation and for Other Relief in the Matter of Google Inc. and DoubleClick Inc., April 20, 2007, available at [link].

[69] Securities and Exchange Commission Form 8-K Filing of Google Inc., May 25, 2007, available at [link].

[70] Federal Trade Commission, Consumer Fraud and Identity Theft Compliant Data: January – December 2006, February 7, 2007, available at [link].

[71] Prepared Statement of the Federal Trade Commission before the Senate Committee on Commerce, Science, and Transportation, on Data Breaches and Identity Theft, June 16, 2005, available at [link].

[72] President’s Identity Theft Task Force homepage [link].

[73] President’s Identity Theft Task Force Strategic Plan, April 2007, available at [link].

[74] Pub. L. No. 108-187 (2003), available at [link].

[75] CAN-SPAM Act of 2003: National Do Not Email Registry: A Federal Trade Commission Report to Congress, June 2004, available at [link].

[76] Federal Trade Commission, "FTC Issues Report to Congress: Requiring 'ADV' Labeling for Commercial E-Mail Won't Reduce Spam," (press release), June 17, 2005, available at [link].

[77] See National Council of State Legislatures, Unsolicited Commercial E-Mail Advertisements (Anti-Spam Legislation) 2005 Legislative Activity, Updated May 19, 2005 [link]; State Spam Laws Summary [link].

[78] "Email Address Harvesting and the Effectiveness of Anti-Spam Filters: A Report by the Federal Trade Commission’s Division of Marketing Practices," November 2005, available at [link].

[79] Robert Ellis Smith and Privacy Journal, Compilation of State and Federal Privacy Laws (2002 ed.) [link].

[80] Department of Health and Human Services, Office for Civil Rights, Regulation Text (Unofficial Version), "Standards for Privacy of Individually Identifiable Health Information," August 2003, available at [link].

[81] See generally EPIC's Medical Privacy Web Page [link].

[82] See Department of Health and Human Services, Office of Civil Rights, "Summary of the HIPAA Privacy Rule: HIPAA Compliance Assistance," May 2003, [link].

[83] TJX Companies Inc. Filing at the Securities Exchange Commission for fiscal year ending January 27, 2007, available at [link].

[84] Latest Information On Veterans Affairs Data Breach [link].

[85] National Conference of State Legislatures, "2006 Breach of Information Legislation," January 7, 2007 [link].

[86] California Civil Code, §§ 1798.29 and 1798.82, available at [link].

[87] Id.

[88] 18 USC 2510, et seq.; 18 USC 2701 et seq., available at [link].

[89] Foreign Intelligence Surveillance Act of 1978, 50 USC 1801; see also Electronic Frontier Foundation, Foreign Intelligence Surveillance Act Frequently Asked Questions (and Answers), at [link].

[90] Congressional Research Service, Intelligence Reform and Terrorism Prevention Act of 2004: "Lone Wolf" Amendment to the Foreign Intelligence Surveillance Act, December 29, 2004, available at [link]

[91] Pub. L. No. 108-458 (2003), § 6001(a).

[92] Letter from William E. Moschella, Assistant Attorney General, to J. Dennis Hastert, Speaker, United States House of Representatives, April 1, 2005, available at [link].

[93] James Risen and Eric Lichtblau, "Bush Lets U.S. Spy on Callers Without Courts," The New York Times, December 16, 2005, at A1, available at [link].

[94] Letter from Assistant Attorney General William E. Moschella to Chairman Roberts and Vice Chairman Rockefeller of the Senate Select Committee on Intelligence and Chairman Hoekstra and Ranking Minority Member Harman of the House Permanent Select Committee on Intelligence, December 22, 2005, available at [link].

[95] EPIC et al. and ACLU et al. v. Department of Justice, 06-cv-00096-HHK, February 16, 2006, available at [link].

[96] Keep America Safe Act 2007, S. 1927, available at [link].

[97] Id.

[98] In Re All Matters Submitted to the Foreign Intelligence Surveillance Court, No. Multiple (FISC May 17, 2002), available at [link].

[99] In Re: Sealed Case No. 02-001 (FISCR November 18, 2002), available at [link].

[100] Administrative Offices of the United States Courts, 2006 Wiretap Report, available at [link].

[101] Communications Assistance for Law Enforcement Act of 1994, Pub. L 103-411, available at [link].

[102] Federal Communications Commission, In the Matter of the Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, November 5, 1998, available at [link].

[103] United States Telecom Association, et al., v. Federal Communications Commission and United States of America, No. 99-1442.

[104] H.R. 3162, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act of 2001), Pub. L. No. 107-56, available at [link].

[105] Id. at §216.

[106] Id. at §201-2.

[107] Id. at §§216, 220.

[108] H.R. 3162, supra at § 206.

[109] National Review of State Surveillance Responses to September 11 Attacks, Constitution Project, April 8, 2002.

[110] USA PATRIOT Act of 2001, supra at Art. 505.

[111] A Review of the Federal Bureau of Investigation’s Use of National Security Letters, Office of the Inspector General, March 2007, available at [link].

[112] Comprehensive Guidance on National Security Letters, Federal Bureau of Investigation, June 1, 2007, available at [link].

[113] Pub. L. No. 107-306 (2002).

[114] The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States xv (2004) (Preface), New York: W. W. Norton.

[115] Id. at 393.

[116] Id. at 390.

[117] Id. at 388.

[118] EPIC, The 9/11 Commission Report Web Page [link].

[119] Id.

[120] The 9/11 Commission Report, supra at 394.

[121] Id. at 395.

[122] Richard Ben-Veniste and Lance Cole, "How to Watch the Watchers," New York Times, September 7, 2004.

[123] Privacy and Civil Liberties Oversight Board First Annual Report to Congress, March 2007, available at [link].

[124] Implementing the 9/11 Commission Recommendations Act of 2007, P.L. 110-53, available at [link].

[125] Robert O'Harrow, "Matching Faces with Mugshots: Software for Police, Others Stir Privacy Concerns," Washington Post, July 31, 2001, at A1. See also EPIC's Face Recognition Web Page [link].

[126] Declan McCullagh & Robert Zarate, "Scanning Tech a Blurry Picture," Wired News, February 16, 2002, available at [link].

[127] Hiawatha Bray, "'Face Testing' at Logan Is Found Lacking," Boston Globe, July 17, 2002.

[128] The federal government has sponsored Face Recognition Vendor Tests, a series of independently administered evaluations of available technology. Ten commercial vendors participated in the 2002 test, the results of which revealed problems in identifying images that were taken outdoors or from a non-frontal angle, as well as difficulty in recognizing subjects who were young, female, or both. (See P. Jonathan Phillips, Patrick Grother, Ross J. Micheals, et al., Face Recognition Vendor Test 2002: Evaluation Report (NISTIR 6965), March 2003, available at [link].) Because the data set for the 2002 test consisted mostly of images of Mexican subjects – taken from the US Department of State's Mexican non-immigrant visa archive – the effect of race on discernment capability was not assessed. The 2005 test, to be conducted by the National Institute of Standards and Technology (NIST) in the fall, is being sponsored by the DOJ, FBI, DHS, and other federal agencies. (Face Recognition Vendor Test 2005 Web Page [link].)

[129] Cara Buckley, "New York Plans Surveillance Veil for Downtown," New York Times, July 9, 2007, at A1, available at [link]; Tom Leonard, "'Ring of Steel' Plan to Protect New Yorkers," Telegraph, July 10, 2007 [link].

[130] Pub. L. No. 109-13 (2005).

[131] Kim Zetter, "No Real Debate for Real ID," Wired News, May 10, 2005 [link].

[132] Id.; see also EPIC's National ID Cards and REAL ID Act Web Page [link].

[133] IDs – Not That Easy: Questions about Nationwide Identity Systems (Stephen Y. Kent & Lynette I. Millett, eds., 2002), Committee on Authentication Technologies and Their Privacy Implications, National Research Council, available at [link].

[134] REAL ID Act, Public Law Number 109-13, 119 Stat. 231 (2005), available at [link].

[135] Department of Homeland Security, "Notice of Proposed Rulemaking: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes," 72 Federal Register 10,819, March 9, 2007, available at [link].

[136] Stop REAL ID Campaign Web site [link]; EPIC and 24 Experts in Privacy and Technology, Comments on the REAL ID Draft Regulations, May 8, 2007, available at [link]; American Civil Liberties Union [link].

[137] See generally, EPIC's National ID Cards and REAL ID Act Web page section on State Anti-REAL ID Legislation [link].

[138] See generally EPIC's Passenger Profiling Web Page [link].

[139] Department of Homeland Security, Transportation Security Administration, Secure Flight Program [link].

[140] Government Accountability Office, Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should Be Managed as System is Further Developed (GAO-05-356), March 2005, available at [link].

[141] See Department of Homeland Security, Transportation Security Administration, Notice to Supplement and Amend Existing System of Records and Privacy Impact Assessment, available at [link]; see generally EPIC's Secure Flight Web Page [link].

[142] Leslie Miller, "Gov't Collected Data on Airline Passengers," Associated Press, June 21, 2005, available at [link]; see also Department of Homeland Security, Transportation Security Administration, Docket No. TSA-2004-19160, Notice of Final Order for Secure Flight Test Phase; Response to Public Comments on Proposed Order and Secure Flight Test Records, available at [link].

[143] Specifically, the report elaborated: "[A] TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA's actions, the public did not receive the full protections of the Privacy Act." See Government Accountability Office, Aviation Security: Transportation Security Administration Did Not Fully Disclose Uses of Personal Information during Secure Flight Program Testing in Initial Privacy Notices, but Has Recently Taken Steps to More Fully Inform the Public (GAO-05-864R) (July 22, 2005), available at [link].

[144] Associated Press, "GAO: TSA Data Collection Violated Privacy Act: Agency Says Test Passenger Screening Program Overstepped Restrictions," July 22, 2005, available at [link].

[145] Department of Homeland Security, Privacy Office, "Report Assessing the Impact of the Automatic Selectee and No Fly Lists on Privacy and Civil Liberties as Required Under Section 4012(b) of the Intelligence Reform and Terrorism Prevention Act of 2004," (April 27, 2006) at 4-5, available at [link].

[146] Walter Pincus & Dan Eggen, "325,000 Names on Terrorism List," Washington Post, February 15, 2006, available at [link]; Anne Broache, "Tens of Thousands Mistakenly Matched to Terrorist Watch Lists," CNet News.com, December 6, 2005, available at [link].

[147] Edmund S. "Kip" Hawley, Assistant Secretary, Transportation Security Administration, Department of Homeland Security, "Testimony at Hearing on Aviation Security: Reviewing the Recommendations of the 9/11 Commission Before the S. Comm. on Commerce, Science & Transportation," 110th Congress (Jan. 17, 2007), available at [link].

[148] [link].

[149] Privacy Act of 1974: Implementation of Exemptions; Registered Traveler Operations Files, Federal Register, codified at 49 C.F.R. Pt. 1507, available at [link].

[150] Transportation Security Administration, Registered Traveler [link].

[151] [link]; see generally EPIC's US-VISIT Web Page [link].

[152] Id.

[153] Interim Final Rule and Notice, 69 Fed. Reg. 476 (January 5, 2004).

[154] Department of Homeland Security, US-VISIT [link].

[155] Id.

[156] Id.

[157] Department of Homeland Security, US-VISIT, supra.

[158] Id.

[159] See EPIC's Spotlight on Surveillance: US-VISIT Rolls Out the Unwelcome Mat, July 2005 [link]; EPIC's US-VISIT Web Page, supra.

[160] Department of Homeland Security, US-VISIT, supra; see also EPIC's US-VISIT Web Page, supra

[161] Id.

[162] Government Accountability Office, Department of Homeland Security: Some Progress Made, but Many Challenges Remain on US Visitor and Immigrant Status Indicator and Technology Program, Report No. GAO-05-202 (February 2005), available at [link]; see also Department of Homeland Security Privacy Office Report to Congress, April 2003-June 2004 (February 2005), available at [link].

[163] Department of Homeland Security, US-VISIT, supra.

[164] See EPIC's Spotlight on Surveillance: SEVIS Database Tracks Every Move of Foreign Students, Visitors, September 2005 [link].

[165] Performance of Foreign Student and Exchange Visitor Information System Continues to Improve, but Issues Remain, Testimony before Congressional Subcommittees, Joint Statement, Randolph C. Hite and Jess T. Ford, Government Accountability Office (March 17, 2005), available at [link].

[166] "SEVIS Data Fixes," SEVIS Newsletter (U.S. Immigrations and Customs Enforcement), May 2005, at 3, available at [link].

[167] Department of Homeland Security, The Student and Exchange Visitor Information System (SEVIS) Privacy Impact Assessment (February 5, 2005), available at [link].

[168] Department of Homeland Security, Notice of Privacy Act system of records, 71 Fed. Reg. 64543 (Nov. 2, 2006), available at [link].

[169] See EPIC’s Spotlight on Surveillance, Customs and Border Protection’s Automated System Targets U.S. Citizens, October 2006 [link].

[170] See generally EPIC's Terrorism Information Awareness Web Page [link].

[171] [link].

[172] "Florida Planning Son of Matrix," Wired News, April 25, 2005 [link]; see also Florida Department of Law Enforcement, Request for Information #003: Information Services to Support Domestic Security and Criminal Investigations.

[173] EPIC Spotlight on Surveillance, "National Network of Fusion Centers Raises Specter of COINTELPRO," June 2007 [link].

[174] Dep’t of Justice, Information Technology Initiatives [link].

[175] CRS Report "Data Mining and Homeland Security: An Overview," June 5, 2007, available at [link].

[176] See National Council of State Legislatures, "2005 Radio Frequency Identification Legislation" [link].

[177] This "notice" clause requires any consumer products bearing RFID tags to be conspicuously labeled. CASPIAN, "RFID Right to Know Act of 2003," available at [link].

[178] Government Accountability Office, "Information Security: Radio Frequency Identification Technology in the Federal Government," GAO-05-551, May 2005, available at [link].

[179] "The security of [RFID] tags and databases raises important considerations concerning the confidentiality, integrity, and availability of the data on the tags, in the databases, and in how this information is being protected. Measures to address these security issues, such as compliance with the risk-based framework mandated by FISMA (the Federal Information Security Management Act of 2002) and employing encryption and authentication technologies, can help agencies achieve a stronger security posture. Among the key privacy issues are notifying individuals of the existence or use of the technology; tracking an individual's movements; profiling an individual's habits, tastes or predilections; and allowing for secondary uses of information. While measures to mitigate these issues are under discussion, they remain largely prospective." Id., at 18.

[180] See, e.g., Letter from Electronic Frontier Foundation, Electronic Privacy Information Center, PrivacyActivism, et al. to Office of Passport Policy, United States Department of State, Comments on Department's Proposed Use of Passports Equipped with RFID Technology for US Citizens, April 4, 2005, available at [link].

[181] Sara Kehaulani Goo, "Security Concerns Prompt Passport Redesign," Washington Post, April 30, 2005, available at [link].

[182] Under the Western Hemisphere Travel Initiative proposal, individuals would use a long-range (more than 30 feet) RFID-enabled "PASS Card" to exit and enter the country. US Departments of State and Homeland Security, "Card Format Passport; Changes to Passport Fee Schedule Proposed Rule," 71 Federal Register 60928, October 17, 2006, available at [link]; see also, EPIC, Spotlight on Surveillance, "Homeland Security PASS Card: Leave Home Without It," August 2006 [link].

[183] Michael Chertoff, Secretary, Department of Homeland Security, Testimony at a Hearing on the Fiscal Year 2008 Department of Homeland Security Budget Before the US House Committee On Homeland Security, February 9, 2007, available at [link]; See also, EPIC's US-VISIT Web page [link]. See generally, EPIC's National ID Cards and REAL ID Act Web page [link].

[184] Those countries are: Andorra, Australia, Austria, Belgium, Brunei, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, the Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom. US Department of State, Press Release, "Majority of Visa Waiver Program Countries Meet Electronic Passport Deadline," October 26, 2006, available at [link].

[185] US Department of State, Press Release, "Department of State Begins Issuing Electronic Passports to the Public," August 14, 2006, available at [link]. Government officials have stressed that the passports will be protected from surreptitious cloning because the cover of the passport will block signals from reaching the RFID chip. However, the chip can still be read remotely and surreptitiously when the cover is opened, either by the passport holder or by anyone to whom the passport has been shown. The shielding on an RFID-equipped passport also eliminates an oft-touted benefit of RFID technology — that the chips can be read more quickly and without the need for human inspection. So now an official has to physically scan the e-passport through a contact reader in order open the RFID chip and then the RFID chip can wirelessly transmit. This is a process no faster than, and possibly longer than, the current one.

[186] In December 2006, the Department of Homeland Security Data Privacy and Integrity Advisory Committee adopted a report, "The Use of RFID for Identity Verification," which outlined security and privacy threats associated with RFID use in identification documents (such as "skimming" and "eavesdropping") and it urged against using RFID technology unless the technology is the "least intrusive means to achieving departmental objectives." Skimming occurs when information from an RFID chip is surreptitiously gathered by an unauthorized individual. Eavesdropping occurs when an individual intercepts data as it is read by an authorized RFID reader. Data Privacy and Integrity Advisory Committee, US Department of Homeland Security, "The Use of RFID for Identity Verification," December 6, 2006, available at [link].

[187] Federal Trade Commission Workshop, Radio Frequency Identification: Applications and Implications for Consumers, supra.

[188] "FTC Has No Plans to Regulate RFID," RCR Wireless, June 22, 2004.

[189] See Part 15 and other Parts of the Commission's Rules, Notice of Proposed Rulemaking & Order, 66 Fed. Reg. 56793, at para. 21 (2001).

[190] Kimberly Hill, "FCC Loosens RFID Rule for Homeland Security," CRM Daily, April 16, 2004, available at [link].

[191] Department of Defense, "DoD Announces Radio Frequency Identification Policy," October 23, 2003, available at [link].

[192] Food and Drug Administration, "Combating Counterfeit Drugs: A Report of the Food and Drug Administration," February 2004, available at [link].

[193] Nick Farrell, "Chips in Humans Okay, Says FDA," Personal Computer World, October 25, 2002, available at [link].

[194] See EPIC's VeriChip Web Page [link]. See also Barnaby J. Feder and Tom Zeller Jr., "Identity Badge Worn under Skin Approved for Use in Health Care," New York Times, October 14, 2004, available at [link].

[195] Jonathan Krim, "Embedding Their Hopes in RFID," Washington Post, June 23, 2004, available at [link].

[196] Marc L. Songini, "N.D. Bans Forced RFID Chipping, ComputerWorld, April 12, 2007 [link]; North Dakota, "SB 2415," signed April 4, 2007, available at [link]; However, voluntary implantation is still permissible under the North Dakota law, and the bill does not address what is considered "voluntary."

[197] NIST urged retailers, federal agencies, and other organizations to evaluate the potential security and privacy risks of RFID technology and use best practices to reduce them. "As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk," NIST said. National Institute of Standards and Technology, "Guidelines for Securing Radio Frequency Identification (RFID) Systems," April 2007, available at [link].

[198] [link].

[199] NCVI, Hearing Statement to the US Election Assistance Commission, "Use, Security, and Reliability of Electronic Voting Systems," May 5, 2004 [link].

[200] Annamarie Marcalus, "Mixed Reviews on Voting Electronically," Los Angeles Times, March 6, 2004, at 70.

[201] NVCI Web site [link].

[202] The National Association of Secretaries of State, Help America Vote Act Web Page [link].

[203] Richard L. Hasen, "Symposium Internet Voting and Democracy," April 2001, [link].

[204] Scott Thomsen, "Arizona Democrats Make History on Web," Associated Press, March 11, 2000.

[205] Alexandra R. Moses, "Party Says Just over 46,000 People Voted Online in State Democratic Caucuses," Associated Press, February 7, 2004.

[206] David Jefferson, Aviel D.Rubin, Barbara Simons, David Wagner, "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)," January 20, 2004, available at [link].

[207] National Committee for Voting Integrity, Web Page on Centralized Voter Registration Databases [link].

[208] Help America Vote Act, Pub. L. No. 107-252 (2002), available at [link].

[209] Id.

[210] Carlos Sanchez, "VA Voters' Social Security Numbers Must Be Private, Appeals Court Rules," Washington Post, March 24, 1993, at C3.

[211] Kim Zetter, "Mining the Vein of Voter Rolls," Wired News, December 11, 2003 [link].

[212] Aristotle Industries, US Voter Lists, available at [link].

[213] Buckley v. Valeo, 424 U.S. 1, January 30, 1976, No. 75-436, available at [link].

[214] Federal Election Commission Contributions [link].

[215] Federal Election Commission Rules for Contributions [link].

[216] Leslie Walker, "Political Money, Tracked to Your Door," Washington Post, March 28, 2004, at F07, available at [link].

[217] Fundrace [link].

[218] US Code Title 2, Chapter 14, Subchapter I, Section 441a. – Limitations on contributions and expenditures, available at [link].

[219] Freedom of Information Act, Pub. L. No. 104-231 (1966), codified at 5 § USC 552, available at [link]; see also Litigation under the Federal Open Government Laws (FOIA) 2004 (Harry A. Hammitt, David L. Sobel, Tiffany A. Stedman, eds., 2004).

[220] Electronic Freedom of Information Act Amendments of 1996, available at [link].

[221] Testimony of David L. Sobel, EPIC General Counsel, before the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations, Hearing on Creating the Department of Homeland Security: Consideration of the Administration's Proposal, July 9, 2002, available at [link].

[222] See Tapping Officials' Secrets (now "Open Government Guide"), Reporters Committee for Freedom of the Press, available at [link].

[223] David Banisar, "Government Secrecy: Decisions Without Democracy 2007", July 2007, available at [link].

[224] Openness Promotes Effectiveness in our National Government Act (the "OPEN Government Act"), S.849, available at [link].

[225] Id.

[226] Department of Commerce, Safe Harbor List [link].

[227] Department of Commerce, Safe Harbor Overview, at [link].

[228] See Jan Dhont, María Verónica Pérez Asinari, and Yves Poullet, Safe Harbour Decision Implementation Study, April 19, 2004, available at [link].

[229] Commission of the European Communities, Staff Working Document: The Implementation of Commission Decision 520/2000/EC on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, October 20, 2004, available at [link].

[230] Signed November 23, 2001; ratified September 29, 2006. Council of Europe Cybercrime Convention, ETS No.185, available at [link].

[231] APEC Electronic Commerce Steering Group [link].