Center for Democracy and Technology
PLACING THE CLINTON ADMINISTRATION’S PRIVACY ANNOUNCEMENT IN PERSPECTIVE: MOVING FORWARD, BUT KEY ISSUES LEFT UNADDRESSED AND FILLING IN DETAILS WILL NOT BE EASY
CDT’s analysis
August 11, 1998


-- Vice President Gore's Press Release

On July 31, Vice President Gore announced on behalf of the Clinton Administration a series of privacy proposals, describing them as an "electronic Bill of Rights." While the points announced by the Vice President represent a good beginning, they should more accurately be viewed as just the rough draft of the first 3 or 4 articles of a Bill of Rights that needs to be considerably bolder and more comprehensive.

The announcement signaled to the business community that the Administration would no longer adhere to a strictly self-regulatory approach. The Administration heeded advocates’ warnings that the privacy discussion must expand beyond electronic commerce, to include issues such as financial and medical records privacy. In addition, the Administration took a first step toward creating a privacy infrastructure, announcing that the Office of Information and Regulatory Affairs would play a centralizing and coordinating function on privacy issues.

Clearly, Administration officials, like many in Congress of both parties, are eager to respond to growing public concern about privacy, including wariness about:

While some of the moves announced by the Vice President were quite conservative – for example, endorsing legislation already passed by the Senate to criminalize identity theft and delaying adoption of a highly unpopular health care identification number – others evidenced a willingness to grapple with tough issues. For example, the effort to examine, in collaboration with state and local governments, the privacy impact of the digitization and widespread availability of public records such as property records and drivers licenses, which contain detailed personal information, indicates a willingness to grapple with the complex assignment of promoting governmental openness and protecting personal privacy.

However, on some points, such as medical records privacy, the Administration’s proposals so far have fallen short of the Vice President’s rhetoric. And mirroring the Federal Trade Commission’s position, the Administration endorsed legislation to protect children’s privacy online while continuing to withhold judgment on the need for such action to protect adults.

Other pressing privacy concerns were left totally unaddressed — most notably the inconsistency between the Administration’s stated commitment to privacy and its continuing efforts to promote backdoors in encryption products. The FBI’s plans for digital wiretapping were also not within the scope of Gore’s speech.

Following is CDT’s analysis of some of the issues raised by the recent announcement and an indication of what to look for in coming months and into next year.

THE FIRST STEP: THE NEED FOR A "PRIVACY VOICE" WITHIN THE EXECUTIVE BRANCH

The Administration announced that it would be giving the Office of Management and Budget responsibility for coordinating privacy issues across the Executive Branch. While this is a first step, CDT believes that a more formal privacy office should be created to provide the government and private sector with an ongoing source of privacy expertise, a forum for discussion of technology and privacy issues, and a focal point for the development of privacy policy.

References:

CDT’s letter on the need for a privacy entity http://www.cdt.org/privacy/ntia.html

Privacy and Consumer Advocates call on Secretary Daley and White House to develop a National Privacy Policy http://www.cdt.org/privacy/daleyletter.html

OMB Watch's Report – A Delicate Balance: The Privacy and Access Practices of Federal Government Web Sites http://ombwatch.org/ombw/info/balance.html

 

HEALTH ID NUMBER POSTPONED PENDING ADOPTION OF COMPREHENSIVE MEDICAL RECORDS PRIVACY LAW

The Administration halted implementation of the section of the Kassebaum-Kennedy Health Insurance Portability Act of 1996 that called for the establishment of a national health identifier. The Vice President said, "The Administration will not implement such a system until there is in place a meaningful medical records privacy bill." CDT opposed this section of the Kassebaum-Kennedy bill when it was enacted, and we applaud the Administration’s action, and similar Congressional efforts to halt the national health identifier, such as the "Patient Privacy Rights Act of 1998" (S. 2352), sponsored by Senators Leahy, Ashcroft, Burns and Abraham, and the "Patient Privacy Act" (H.R. 4281), sponsored by Representative Paul.

The Administration stated that it would continue to push for comprehensive privacy legislation to protect medical records. However, the draft bill released by the Department of Health and Human Services last February lacked limits on law enforcement access and otherwise fell short of giving patients adequate control of their health information.

Furthermore, a national health ID number raises numerous threats to privacy even if comprehensive privacy legislation were enacted.

The Vice President criticized the House of Representatives’ "Patient Bill of Rights Act" (H.R. 3605) for permitting disclosure of too much information without a patient's consent and overriding state laws that provide greater protections. (Also, like the Administration proposal, the House bill sets no limits on law enforcement access to health records.) Previously, President Clinton indicated that he would veto the House bill.

On a final note, the Administration stated that it would propose regulations governing the security of health information in the hands of health plans, health care clearinghouses, health care providers, and others. But security in the digital age requires strong encryption, and the Administration’s current stance on encryption remains a chink in our security armor. Individuals and businesses should be able to use locks strong enough to protect their personal and proprietary information, without government-mandated backdoors.

References:

CDT’s 1996 statement opposing the national health ID: http://www.cdt.org/privacy/health/headline3.html

 

RISKS OF PROFILING AND IDENTITY THEFT LINKED TO READY AVAILABILITY OF FINANCIAL RECORDS AND GOVERNMENT INFORMATION

The Administration’s package contained a number of actions that begin to tackle the growing proliferation of personal information in the marketplace and its tie to identity theft.

Last year, at the direction of Congress, the FTC studied the issue of "look-up" services, which sell detailed personal information profiles. The FTC’s study resulted in a self-regulatory plan endorsed by fourteen major database companies and enforceable by the FTC. Now, the Administration has said that if self-regulatory mechanisms for "look-up" services are not successful, it will pursue other means to ensure adequate privacy protection.

Much of the raw data needed to develop these enhanced "look-up" databases are in fact drawn from government records – such as drivers licenses, land titles, property tax records, voting registration records, occupational licenses, firearms permits, court records and arrest records. There is currently no public policy consensus on what rules should control third party access to "personally identifiable information" contained in these public records. The Administration announced that it will launch a privacy dialogue with state and local governments on public records to examine the appropriate balance between the privacy of personal information collected by governments, the right of individuals to access public records, and First Amendment values.

The Administration urged Congress to pass legislation sponsored by Senators Kyl and Leahy (S. 512) to crack down on identity theft. The Administration also endorsed legislation sponsored by Representatives Leach and LaFalce (H.R. 4321) that will make it a federal misdemeanor to obtain confidential customer information from a bank by fraudulent means.

CDT believes these efforts are a step in the right direction. However, protecting individual privacy will require that individuals regain control over their personal information. Efforts to criminalize bad behavior are important, but they must be coupled with policies – self-regulatory and legislative – that limit the flow of personal information from both public and private sources into the marketplace.

References:

CDT's Comments on the Federal Trade Commission's Spring 1997 Public Workshop on Consumer Information Privacy http://www.cdt.org/privacy/970415_cdt_db.html

P-Track Information http://www.cdt.org/privacy/960920_Lexis.htmll

USPIRG's Report – Identity Theft II: Return To The Consumer X-Files http://www.igc.org/pirg/consumer/xfiles/index.htm

CDT letter supporting Kyl-Leahy bill http://www.cdt.org/privacy/idtheft/105s512support.html

Robert Gellman, Public Records: Access, Privacy, and Public Policy (March 1995) (prepared for the Center for Democracy and Technology) http://www.cdt.org/privacy/pubrecs/pubrec.html

 

ONLINE PRIVACY: RULES NEEDED FOR ADULTS AS WELL AS CHILDREN

The Administration stated that it will seek legislation to protect the privacy of children under 13 in the online environment, but would continue to rely on private sector efforts to address adults’ privacy concerns. CDT welcomes the move to protect children, but we believe that the FTC should be given the authority to establish and enforce baseline privacy standards for all Americans.

Special rules need to be developed for children to address the inability of young children to comprehend and consent to the collection and use of personal information; the need for parental involvement in children’s online activities involving personal information; the potential risk to children posed by the public posting of information that facilitates contact (both online and offline) with a child; and the need to ensure that business practices and privacy protections do not inappropriately interfere with children’s ability to access information, to receive information that they have requested, and to enjoy the benefits of interactivity.

But, given the breadth and diversity of the Internet, it is time for the government to step in, pull together all the relevant parties, and establish appropriate privacy rules of the road for us all.

References:

CDT Staff Counsel Deirdre Mulligan's July 21, 1998 testimony before the House Telecommunications Subcommittee on "Electronic Commerce: Privacy in Cyberspace," calling for legislation giving the FTC jurisdiction to set baseline privacy standards for the Internet. [Summary]

CDT Staff Counsel Deirdre Mulligan's March 26, 1998 testimony before the House Subcommittee on Courts and Intellectual Property

CDT Calls Government Response To Industry Inaction Inadequate

CDT's Analysis of the FTC's December 16, 1997 report "Kids Surf"

 




The Center For Democracy And Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) +1.202.637.9800 (f) +1.202.637.0968

For more information, write webmaster@cdt.org