  From: <cef2103@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Tue, 10 May 2005 20:04:42 -0400

Paper 2: A Statutory Scheme for Privacy

A Statutory Scheme for Privacy
by Caitlin Friedemann

Several people in this class have made interesting proposals about
how the 4th or 9th Amendment could be better used to protect
privacy.  The Constitution does offer a solution; however, there
are practical difficulties (i.e. judicial restraint) that will
likely prevent it from ultimately being successful.  Another way to
address privacy protection problems would be to create a regulatory
scheme that addresses the different ways in which privacy is
invaded in the current data system.

The difficulty in creating laws to curb the abuses in the data
market is that government is one of the main beneficiaries of the
current system.  Politicians use personal information about their
constituents to determine not only how they will vote, but also how
their vote can be influenced.  However, recent fiascos by the data
companies have put the privacy issue in the news.  This publicity
could help to make fixing personal privacy laws more politically
valuable than taking advantage of them and could provide the
impetus for laws to be passed that provide more privacy protection.

There are four points at which regulation could be created to better
protect privacy: the collection, storage, transfer and use of
information.

Collection of Information

Regulation in this area could work either to restrict what
information can be collected or to devalue information currently
collected to make it less powerful.

An illustrative example is social security numbers.  They are
required almost as often as names but are much more powerful as
they can be used to open bank accounts, rent apartments, and more. 
People who choose not to give their number face difficulties and can
even be denied whatever they are applying for (even if the social
security number is not required).  To solve this, legislation could
be passed that gives people more of a right to withhold information
or that defines what type of information can be required for
certain applications. [1]  Devaluing could also work on social
security numbers.  If it is as easy to obtain them as a name,
perhaps they should be given the lower amount of power that public
information has as compared to “secret” information. [2]

The other problem in this area is governmental.  Government is
already prohibited from collecting certain information.  However,
the ease with which it can subpoena the information it requires
from private companies makes these restrictions moot.  A
legislative solution for this would be to put stricter limits on
the government’s subpoena power.

Storage of Information

One of the great disadvantages [3] of storing information in
computer databases is that it can be retained forever.  Protective
laws in this area could therefore restrict the amount of time that
a company could store sensitive personal information.  Another
disadvantage of storing information is that it can be stolen or
lost.  One simple solution for this would be to mandate encryption
of all stored personal information. [4]  Although it would not
prevent all fraudulent or criminal access to stored information,
encryption could help prevent lost or stolen personal data from
being misused.

Transfer of Information

Transfer of information occurs between private agencies and
government and among private agencies.  The former can be dealt
with by limiting government’s collection of information, but
regulating the latter would be more complicated.

This is probably the area where individual privacy interests are
invaded the most; however, it will also be one of the hardest to
regulate.  Databases are useful because they are large and contain
a variety of types of information about people.  Knowing the books
you buy, where you travel, and how much you earn makes it much
easier to predict what you will do or buy next than only knowing
one type of information.  Companies therefore have the motivation
to collect as much information as possible both for themselves and
to sell to other companies.

Information that is negligently or criminally transferred can easily
result in violations of personal privacy.  Victims of the resulting
misconduct (i.e. identity theft) find themselves without a remedy
because they cannot recover from (or even find) the thief and they
are not entitled to any damages from the companies.  Regulation to
help this could address the problem at the source by making
companies liable for the misuse (or criminal use) of information
when they were negligent (or even grossly negligent) in
transferring information.  This would place the burden of
protecting personal information on those most able to do so.

Use of Information

Regulation in this area would not necessarily protect privacy, but
would help protect people from their personal information being
misused to harm them.  The most difficult part of this would be to
define “misuse.”  Obviously a thief using your personal information
to steal your identity is harm.  But what about the government using
its knowledge of your book-buying habits and what you purchase at
the drug store to put you on the no-fly list?  Or what about a
small company that obtains your health information and uses
knowledge of your depression during college to deny you a job?

The best way to combat misuse of data by the government would be to
provide a simple administrative procedure for people to challenge
decisions made about them on the basis of their personal data. 
This procedure could be used both to remedy a misuse of data and to
correct incorrect information.

Preventing misuse of data by private individuals or companies would
be more difficult.  One way might be to add to the protected
categories that employers, landlords and others are prohibited from
using to make a decision.  Another way to do this would be to prevent
the use of illegally obtained information to make decisions. 
Violation of laws passed to protect the collection, storage and
transfer of information could be prima facie evidence of a misuse
of data in making a decision.

Conclusion

Legislation regarding use of information or any of the above
categories could contribute to the protection of personal privacy
and regulation in all four has the potential to dramatically change
American life for the better.


[1] This assumes that people will be savvy enough not to give out
their information at the promise of something free.

[2] What will then be required as a personal identifier is another
issue that has been addressed by others in their papers, comments,
and emails.

[3] Disadvantages from a privacy standpoint.  Many who wish to use
the information view this as an advantage.

[4] This could also be used during the transfer of information and
would prevent situations like that of the Iron Mountain data
company that had Time Warner info taken or lost from one of its
vans.


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list


