Date: Nov 01, 2004
In this report, we look at key areas of surveillance and monitoring in the post-9/11 world, considering separately laws, policies and issues related to government monitoring and surveillance and those raised by business/industry monitoring and surveillance.
What we see in general is a trend, in the name of security and crime prevention, towards giving governments more expansive monitoring and surveillance powers that potentially invade privacy. As a result, pre-9/11 laws have been supplemented by more intrusive surveillance, e.g., in the U.S. by the Patriot Act, strongly opposed by privacy advocates, and in the United Kingdom by the Regulation of Investigatory Powers Act (RIPA). At the same time that governments are expanding data collection and monitoring and surveillance of citizens and non-citizens, concerns about business uses of personal data have increased in some areas, partly as a result of national data protection laws.
While an in-depth review of national laws on government and business monitoring and surveillance is beyond the scope of this report, we generally consider several major aspects:
With the exception of traveler surveillance, which is primarily a government issue, these questions affect both government and private monitoring and surveillance activities.
In general, after 9/11, most countries changed laws to increase their powers of surveillance to combat terror and crime by:
As is apparent from the summary above, many of the government activities have focused on travelers. In the wake of 9/11, it became apparent that some of the hijackers had been on a watch list; some had overstayed visas; and some had forged drivers licenses. This resulted in a great push for more robust tools to track individuals entering the U.S. In Europe, the Madrid bombings have also helped accelerate the demand for expanded surveillance and monitoring ability, despite concerns about privacy implications.
The U.S. is requiring biometric passports under the Enhanced Border Security and Visa Entry Reform Act of 2002. There are 27 jurisdictions in the visa waiver program (countries whose citizens can enter the U.S. without a visa when traveling to the U.S. for 90 days or less). Effective October 26, 2004, machine-readable passports or a valid visa will be required. Because not all visa waiver countries have implemented biometric passports, the Department of Homeland Security (DHS) began enrolling visa waiver country travelers into the U.S. Visitor Immigration Status Indicator Technology (US-VISIT) program on about September 30. Swedish passports will comply with the U.S. visa waiver program requirements, as will Denmark's. Finland, Norway, and Lithuania also have a biometric passport system. Belgium, Italy, Netherlands, and the UK are designing and testing biometric passports.
Governments are also exploring national identity cards using unique ID numbers, in some cases coupled with biometric information, which may be stored in a central database (e.g. Germany, opposed by data protection administrators). Many countries already have national ID cards, used for different purposes. Countries with cards include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia and South Africa. So far, Australia, Canada, India, Ireland, New Zealand, the Nordic countries and the U.S. do not, but the government of the UK will soon reintroduce legislation under which a single biometric card would be issued along with the passport (UK's Information Commissioner opposes it), and Rep. Dreier (R-CA) may introduce it in the US. A form of this type of ID card may be issued in the U.S. for transportation workers. The Transportation Workers Identification Credentialing System is opposed by privacy advocates.
Countries leading the way on pre-screening and profiling are the U.S., Canada, Australia, and the Philippines.
Another question relates to how long traveler data can be retained, particularly where national laws include a purpose limitation and a requirement that data be retained no longer than necessary to fulfill the purpose for which it was collected. Data retention is not, strictly speaking, only a travel issue; it is also connected with communications/traffic surveillance (see below). In both instances we see that security demands are often trumping privacy concerns.
Surveillance of communications is probably the most typical and at the same time one of the most controversial surveillance issues. The right to privacy expected in connection with private conversations and communications conflicts with the position of most governments that surveillance is a government right and a necessity. Although in simplest form, communications surveillance involves the wiretap, it is more than that and includes:
Interception of "communications" has broadened to include not only use of telephone systems but also the Internet, mobile phones, faxes, SMS, net browsing and similar technologies and activities. In the privacy versus surveillance debate, the issue is the increased ability of government (i.e., law enforcement entities) to intercept communications with less authorization; requests for wiretaps, which have in most countries required judicial authorization, are now in some countries handled by other authorities. One prime example is the USA Patriot Act (and Patriot II).
Some of the most talked about government monitoring and surveillance laws in the U.S. include the USA Patriot Act, US-VISIT, and CALEA.
The USA Patriot Act codified the use of Internet surveillance technology by the government, allowing access to sensitive traffic data with only a court order. The Act permits law enforcement agencies to electronically monitor computer "trespassers" without any warrant with the consent of the "victim". The FBI and other law enforcement agencies can conduct warrantless surveillance if a suspect user has engaged in "unauthorized activity" - which is undefined. Although the Patriot Act was adopted with almost unanimous support after 9/11, since then it has been criticized in Congress by both conservatives and liberals, fearful that it goes too far in invading privacy. (A bill put forward by Congressman Feingold would protect users with authorized access to a computer from surveillance and require a warrant after 96 hours.)
The USA Patriot Act has also generated reactions from foreign governments. The Privacy Commissioner of British Columbia, for example, is calling for an immediate freeze on outsourcing data to the U.S., saying the Patriot Act violates BC privacy law since it makes citizens' personal information accessible to the U.S. government. In her report to Parliament, Canada's Privacy Commissioner also criticized the increased collection of personal data from Canadian citizens in the name of security, calling attention in particular to information collected and held on travelers.
The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program has been in place since January 5, 2004, when it began applying to airports and seaports. DHS describes the US-VISIT program as a "continuum of security measures." Under the program, most visitors to the U.S. must provide fingerprints and photographs when entering the U.S. through selected points of entry. Effective September 30, travelers from countries covered under the Visa Waiver Program will also be processed through the US-VISIT system. (They include most of the EU Member States.) The Department of Homeland Security (DHS) announced in mid-October that it would be testing the program on land points of entry in Douglas, Arizona, Port Huron, Michigan, and Laredo, Texas, in mid-November. The tests are designed to assure a smooth transition for the December 31, 2004 deadline for expansion of the US-VISIT program to the 50 busiest land ports of entry in the U.S.
Another important U.S. law allowing government surveillance of communications pre-dated 9/11: the Communications Assistance for Law Enforcement Act (CALEA).2 CALEA requires telecommunications providers and equipment manufacturers to build surveillance capabilities into telephone and similar systems. In 1999, at the request of the FBI, an order was issued under CALEA that required carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call. U.S. ISPs have so far been exempted from providing this information. The aim is to encourage other countries to pass laws to require similar capabilities of their telecommunications manufacturers and to allow for government interception.
Location-based tracking of calls is another aspect of the debate. Because of the technical way in which cell phone service is provided, service providers have always had at least a general idea of the location of a customer in order to place or receive calls. The ability to pin-point the location, however, has become more refined. The ability to track the location of a caller or call recipient has proven to be extremely helpful in emergency calls. There have been a number of reported examples of crime victims able to use cell phones to reach 911 being rescued, although some privacy advocates argued that consumers should be able to choose whether or not to be "tracked" when they signed up for service. At the same time, privacy advocates have expressed significant concern about the potential for location-specific ads to be served to cell phone customers, and so the concern has primarily involved business uses of location data for marketing purposes.
The U.S. is not alone in looking to expand the government's authority to engage in electronic eavesdropping. Many other countries have adopted laws to authorize government access to electronic communications, including telephone calls and e-mails.
The Telecommunications Act of 1997 obligates public telecommunications service providers (common carriers), including ISPs, to provide law enforcement bodies such help as is reasonably necessary for the enforcement of criminal laws. This means they must ensure that the public network can intercept communications. Carriers may be required to disclose customer registration details; the destination and origin of e-mails (including e-mail addresses), network and traffic data and even content.4
The Australian government proposed, in the Telecommunications Interception Legislation Amendment 2002, to grant powers to intercept and read e-mail, SMS, and voice mail without a warrant because this was "access to stored data," rather than interception in real time. This was originally rejected, but similar legislation has been reintroduced in 2004. The bill aims to differentiate between stored communications that have been read and those that have not. If they were read they could be accessed without a warrant. In response to objections, the language was changed so a warrant was not required to access a stored communication except for communications involving VOIP or other data stored on a highly transitory basis.
Switzerland has a law, introduced in 2000, that requires ISPs to take all necessary measures to allow for interception. In the Netherlands, too, ISPs have to have the capability to intercept all traffic. New Zealand's Telecommunications (Residual Powers) Act of 1987 requires network operators to assist in the operation of a call data warrant, but more intrusive laws have been proposed requiring ISPs to monitor and record communications transactions.
New issues are raised as new forms of transactional data are created which provide more detailed and personal information than was formerly the case with billing information or network efficiency information. Use of the Internet can reveal much about an individual's interests. The collection of this data potentially raises privacy concerns. Similarly, mobile phone data may provide location information which is also potentially sensitive. How these data are tracked by the government or by telecommunications entities at the behest of the government is another issue in the surveillance debate. (See Data Retention discussion below.) The major privacy advocacy groups are especially critical of the government's use of private databases, and of companies that simply turn over data at the request of a government entity. As a result, many U.S. companies are adopting policies about when they will respond to such requests, seeking to strike a balance between being responsive to legitimate requests from law enforcement officials, and protecting the company and its customers by requiring some type of legal process (subpoena, etc.) before turning personal data over to an agency.
In 2002, the European Parliament voted in favor of traffic data retention under the Electronic Communications and Privacy Directive (Directive 2002/58).5 Each Member could enact laws to retain the traffic and location data of all people using mobile phones, SMS, telephones, faxes, e-mails, the Internet, etc. This does not include data content. States may implement such requirements for all types of purposes without any special authorization. A number of countries have data retention schemes, e.g., Belgium, Denmark, France, Spain, Switzerland, and UK. Others oppose the idea. In the UK, the House of Lords insisted on limiting the Home Secretary's powers to require data retention to situations "directly or indirectly related to national security." They also wanted the emergency powers to lapse if they were not used within a certain time.
This draft was introduced by the justice ministries of France, Ireland, Sweden and the United Kingdom on 28 April 2004. According to the draft, EU member governments would require communications service providers - such as telecommunications companies, Internet service providers and other industries that provide related information services - to store information about every communication made by each of their customers for 1 to 3 years. Given the breadth of retained information covered in the proposal, this would include storing the location data of mobile phones, lists of websites visited, all details of phone calls made (including the identity, at least by number, of the caller and recipient), and details of any emails and text messages sent. In addition, companies that temporarily retain individual customer information for billing and related business purposes would be required to keep it in a form accessible to law enforcement and other government agencies for one to three years. Telecommunications service providers and ISPs have consistently opposed any mandates that would require them to store, or to destroy, data for periods longer or shorter than business necessity requires.
Surveillance cameras are used to monitor public and private spaces. The UK is said to be the leader in that type of surveillance. However, such CCTV systems are also used in other European countries, in the U.S. and in the Far East, e.g., Malaysia, for a variety of purposes. In Germany, they are connected with toll collection. There is some question as to whether their use complies, in the EU, with the Data Protection Directive. The UK's Data Protection Commissioner has issued a code of practice on their use. Their use is prohibited in Greece and restricted in Sweden. Earlier this year the Article 29 Committee issued an opinion on video surveillance.7
In Canada, they are restricted; Canada's Privacy Commissioner is suing the Royal Canadian Mounted Police for their use of the system, which the Privacy Commissioner claims is an unconstitutional breach of privacy.
Corporate surveillance of employees is growing, especially in the U.S. Monitoring and surveillance of employees is motivated by perceived threats and fears of liability problems under various laws. Historically, employee monitoring and surveillance of, e.g., phone calls and e-mails, have been done primarily to assure compliance with laws prohibiting discrimination, verify that there are no intellectual property violations, and to assure customer satisfaction. More recently, Sarbanes-Oxley and HIPAA requirements appear to be factors in expanding employee monitoring and surveillance. Finally, as identity theft expands, and indications suggest that often identity theft is the result of company insiders who have access to customer personal data, monitoring and surveillance is expanding as a way to protect customers and minimize liability exposure. Video surveillance has been routinely conducted for site and employee security. There have been numerous lawsuits over the years arguing that employers have an obligation to maintain workplace security and safety. Consequently, video surveillance is often used in parking lots, entry ways, etc.
Their use to monitor productivity and compliance with company policies is also expanding, however, and privacy concerns, especially in Canada, have resulted in determinations that this type of use is unduly invasive. A recent decision (October) found the use of web cameras for continuous indiscriminate surveillance violated the Canadian privacy law, and an earlier opinion on the use of video surveillance in rail yards to safeguard against employee theft was also found to present a well-founded privacy complaint.
The Canadian Privacy Commissioner, on the other hand, recently determined that a company had demonstrated the necessity of adapting a voice recognition system for accessing certain company business applications, although it concluded that requiring employees to input the specific medical reason for sick leave was excessive.
There is no general law against workplace monitoring and surveillance in the U.S. Phone calls, e-mails and voice message systems can generally be monitored by the employer. Some state laws do require both parties to a phone call to consent to monitoring; in general, national businesses in the U.S. avoid violations by announcing that calls may be monitored at the outset of a call, thus notifying both customers and employees of the policy, and adopting e-mail policies that establish that e-mails can be monitored for a variety of purposes. Even e-mail messages marked "private" are typically subject to employer review. Most firms have adopted internal policies on monitoring of electronic communications which are communicated to employees.
Other countries have some restrictions. These restrictions stem from the fact that some communications by employees, even using the employer's equipment, are subject to privacy laws. In Europe, the Data Protection and Telecommunication Privacy Directives may restrict surveillance, though the latter applies only to public telecommunications systems or networks. The Data Directive, however, does generally apply together with national labor laws. In some countries (e.g., Italy), workplace surveillance may be conducted subject to agreement with labor unions. As noted above, video surveillance is not favored in Canada.
In 2001, the Article 29 Data Protection Working Party issued an opinion on data processing by employers, which included sections on monitoring and surveillance of electronic communications in the workplace and set out certain conditions for monitoring.8 Moreover, individual countries have restrictions, e.g., Austria, Germany, Norway, and Sweden have laws or codes that restrict the practice. The Czech Republic has issued guidance regarding workplace monitoring, acknowledging both the right to privacy of an employee and the right of the employer to pursue his legitimate interests by justified monitoring. Finland has a new law, and the UK has an Employment Practices Data Protection Code, which is not binding.9 France issued a report on "Cyber-Surveillance in the Workplace" in 2002 stipulating general principles that need to be followed in workplace monitoring. The Hong Kong Data Protection Commission also has a draft code of practice.
Australia also has restrictions on workplace monitoring, requiring formal e-mail use policies and proof that monitoring is justifiable (Privacy Amendment Act 2000). A proposed New South Wales workplace surveillance bill, if passed, would require companies to clearly set forth their Net and e-mail policies and provide notification. This would supersede the 1998 Workplace Video Surveillance Act. The Victoria Law Reform Commission has said it sees significant gaps in worker surveillance protection, with 76% of employers monitoring e-mails and 65% not notifying workers of the fact.
With the advent of much more robust data capabilities, many more companies are adopting consumer relationship management programs, integrating online and offline information on customers and consumers, including information purchased from third party data aggregators. Privacy advocates continue to express concern that businesses will abuse the vast amounts of data to redline or exclude certain consumers from products or services, like insurance or healthcare, or from employment. While critics continue to express concern about the potential for databases to be used for marketing, criticism of profiling and data aggregation has recently been focused more on the risk that governments will tap into the vast private data reservoirs, as indeed they have done both here and abroad.10 The issue of profiling and data aggregating will continue to generate concerns that affect both businesses and government data activities.
Electronic Product Codes (EPC) using wireless technology called Radio Frequency Identification (RFID) enable data to be transmitted by portable tags on products or other inanimate objects to readers that process the data. They are used in public areas (e.g., libraries) and use is expanding in both the government and private (retail businesses) sectors. The Department of Defense, for example, is requiring EPC and RFID use on products, and major retailers, like Wal-Mart and Albertsons, are mandating EPC use beginning in 2005. In the private sector their use is primarily for logistical, anti-theft, and anti-counterfeiting support.
While many myths surround EPC systems, the major concern is that personal data may be associated with the database of information related to the tagged item, thus invading privacy by allowing the purchaser or user to be tracked through these readers. In addition, the U.S. Food and Drug Administration recently approved some human applications of EPC/RFID, called the VeriChip, fostering a new outcry about the privacy invasiveness and tracking capabilities this may involve. Some issues connected with RFID involve lack of notification, choice and access, in potential violation of data protection laws. Some countries have guidelines on use, e.g., Japan, Italy. The U.S. has pending legislation fostered by a group called Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). The International Chamber of Commerce, through its EPC Task Force, is developing guidelines on EPC use that reflect generally-accepted fair information practice principles. The ICC's EPC Task Force hopes that the guidelines will be adopted by the ICC in December.
It is apparent that monitoring and surveillance by governments and business in a world where increasingly robust data collection, monitoring and surveillance tools are available present complex issues of privacy, security, convenience and necessity. A conflicting patchwork of laws exists, some encouraging or mandating monitoring and surveillance (or mandating actions, like data retention, that will facilitate monitoring and surveillance), and other laws protecting privacy. As the security versus privacy debate continues, companies must remain mindful of applicable legal frameworks and their own privacy, security and other policies in attempting to craft an appropriate path forward.
For more information on this article, please contact Sheila Millar at 202-434-4143 or email@example.com.
1 See, e.g., Article 29 Working Group Opinion 6/2004 on the adequate protection of personal data contained in the Passenger Name Records of passengers transferred to the United States Bureau of Customs and Border Control, etc., June 22, 2004, at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp95_en.pdf.
2 Communications for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279 (1994), codified at 18 U.S.C. and 47 U.S.C., Sections 229, 1001-1010, 1021. See also, In the Matter of Communications Assistance for Law Enforcement Act (CC Docket No. 97-213), adopted April 5, 2002, finding that CALEA mandates monitoring capabilities.
3 Regulation of Investigatory Powers Act 2000, Section 11.
4 Telecommunications (Interception) Act of 1997, Part 13.
5 President Bush urged the EU and individual Member States to adopt data retention laws in the wake of 9/11.
7 Opinion 4/2004 on the Processing of Personal Data by Means of Video Surveillance, February 11, 2004. See http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp89_en.pdf The Opinion includes a summary of national laws covering video surveillance.
8 Opinion 8/2001 on the Processing of personal data in the employment context, September 13, 2001. See http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2001/wp48en.pdf
9 The Employment Practices Data Protection Code: Part 3: Monitoring at Work. The Code is intended to help employers comply with the Data Protection Act. It covers obtaining information about workers, retention of records, disclosure etc. The Code was issued by the Information Commissioner under section 51 of the Data Protection Act. Employers have to comply with the Act, but the Code is a way of doing so. Any enforcement action would be based on a failure to meet requirements of the Act. The Code explains what data is protected from monitoring under certain circumstances. Monitoring is permitted but privacy must be maintained (there is much detail in the Code). "Monitoring" is defined broadly to include many types of activities.
10 See "The Surveillance-Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society," August, 2004, at http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=16226&c=282 A principal contention is that using private databases for surveillance is an attempt to circumvent the Privacy Act of 1974.