The House Committee on Government Reform
Subcommittee On Government Management, Information and Technology
April 12, 2000
Privacy Commission Act
Mr. Chairman and Members of the Committee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about privacy in the online environment and HR 4049, a bill to establish the Commission for the Comprehensive Study of Privacy Protection. CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies that support civil liberties and a vibrant Internet.
I hope to offer the Committee CDT's view on the importance of privacy; what can be done to protect it; and, specifically, what this Committee can do to help. I will attempt to outline three major points:
|Privacy is a key concern for the future.|
I would like to first address privacy, people's expectations of privacy, and the ways in which the evolution of the Internet may threaten personal privacy. As many of you know, the Center for Democracy & Technology has long been an advocate for protecting privacy on the Internet.
CDT believes that a starting point for thinking about privacy online should be individuals' long-held expectations of autonomy, fairness, and confidentiality. By autonomy, we mean the individual's ability to browse, seek out information, and engage in a range of activities without being monitored and identified. Fairness requires policies that provide individuals with control over information that they provide to the government and the private sector. In terms of confidentiality, we need to continue to ensure strong protection for e-mail and other electronic communications. Policy efforts should ensure that those expectations are respected online as well as offline. These expectations exist in both the public and the private sectors.
As it evolves, the Internet poses both challenges to and opportunities for protecting privacy. The Internet accelerates the trend toward increased information collection that is already evident in our offline world. The trail of transactional data left behind as individuals use the Internet is a rich source of information about their habits of association, speech, and commerce. When aggregated, these digital fingerprints could reveal a great deal about an individual's life. The global flow of personal communications and information coupled with the Internet's distributed architecture presents challenges for the protection of privacy.
Recent surveys confirm that more Americans are alarmed by the growing threats to privacy. For example, a March 10, 2000 Business Week Poll [ 1 ] shows that 41% of those online are very concerned about the use of their personal data. This was up from 31% in the same magazine's 1998 study. [ 2 ] More telling are the 63% of those who have been online, who have not shopped online, but are very concerned about personal privacy. A September 1999 Wall Street Journal Poll indicated that privacy is the top concern of Americans for the next century. A Wired Magazine survey in the latest issue showed that when American adults are asked what they like least about the Internet they respond that privacy is the number one issue, three times greater than that of any other concern.
These concerns are not unfounded. Almost every day, another privacy concern or security violation surfaces in the news. In the past two months alone we have seen privacy problems at such well-known companies as DoubleClick, [ 3 ] H&R Block, [ 4 ] Intuit, [ 5 ] and TWA [ 6 ] along with countless others. We will not be able to realize the promise of the Internet to promote e-commerce growth sand social interaction online if people cannot protect their privacy.
|Multiple approaches are needed to protect privacy.|
Protecting privacy on the Internet requires a multi-pronged approach that involves industry self-regulation, technology, and legislation.
|A commission to study privacy could help, but must not be used as an excuse to delay.|
A Congressional commission could be an excellent starting point for thoughtful Congressional action on complex consumer and government privacy issues. But it is essential that Congress not allow a commission to slow progress in other areas.
Congressionally appointed privacy commissions of the sort contemplated in HR 4049 could help in each of these three areas. In fact, over the last 30 years, dozens of federal government commissions, workshops and advisory boards have put together some of the most complete and important work on privacy. However, while these federal commissions have provided some of the best theoretical work in the privacy area worldwide, they have not often translated into real privacy protections for individuals. For example, the National Information Infrastructure Advisory Council put together a set of principles in 1995 agreed upon by industry, privacy advocates and government officials, yet these principles have not been used since their creation.
In developing a new commission, we urge the committee to:
CDT would like to see four specific areas examined in detail:
As mentioned in HR 4049, the Privacy Act of 1974 was designed to protect the personal records of individuals held within the federal government and halt the spread of the Social Security Number as an identifier. As early as 1977, a Congressionally-appointed Commission found that the Privacy Act was not as effective as Congress had hoped. [ 9 ] To make matters worse, the Office of Management and Budget (OMB) has not updated its Privacy Act Guidance since a year after the Act passed.
The advent of the Internet requires that the Privacy Act be revisited. A 1997 OMB Watch study showed that government Web sites were clearly violating the Privacy Act, [ 10 ] and an April, 1999 CDT study showed that only a third of government agencies had privacy policies on their Web sites. [ 11 ] With an OMB report on agency compliance with the Privacy Act and a GAO study on privacy notices on Government Web sites expected soon, now seems an ideal time for a Congressional Commission to work with the National Institute of Standard's Computer Systems Security and Privacy Advisory Board to move the Privacy Act into the 21st century.
The issue of public records is a difficult one. Members of this subcommittee, with jurisdiction over both the Privacy Act and the Freedom of Information Act, know that decisions must often be made to balance the important democratic principles of privacy and openness. However, these two great American values need to be looked at not as competitors, but as teammates, in as much as they both lead to greater government accountability. The Internet age has shown that we can no longer assume that just because a record that reveals personally identifiable information is stored in a dusty back room, it is protected. Similarly, government documents currently not exempt in any way, should be on the Internet and open to view -- a process that has failed to date. [ 13 ] A commission could help Congress, and this subcommittee in particular, examine how to insure that privacy is protected while undertaking the process of making government more accountable by putting more government documents online.
Most public records are at the state and local level. Almost two years ago, Vice President Gore called for a dialogue between states and the federal government to address these issues. [ 14 ] While some basic education seems to be under way, no results or information from this dialogue are publicly available. A commission that met in various locations around the country, such as the one proposed in HR 4049, would be in a much better position undertake the task at hand.
The principles of access and security are agreed upon fair information practices, but definitions and implementations of these practices vary widely. The Federal Trade Commission (FTC) Advisory Committee on Online Access and Security was created to begin to build consensus on the most difficult of these issues. The Advisory Committee is due to issue its final findings in the form of guidance to the FTC next month. The Commission proposed in HR 4049 could review the work of the Committee and look into how it can most effectively be implemented in both the public and private sectors.
Existing federal privacy law has had difficulty allowing Americans redress when a privacy violation has been found. In particular, Privacy Act cases are rarely brought to court because of the barriers for individuals to show both harm as well as a direct violation of the law. [ 15 ] It is difficult to say what should happen after a privacy violation since the costs to the individual are not easy to measure and often permanent -- once information is out in the world it is hard to bring it back. While the importance of the individual right of action plays an important role in allowing citizens to actively protect their own privacy, we must also examine the ideas of regulatory and non-regulatory privacy agencies, which could be more effective in investigating and highlighting invasive practices in both the public and private sectors. The Commission should examine this issue and provide Congress with recommendations on redress for the future.
While these four areas may not be a complete list of the issues that a Congressional Commission should examine, they represent the type of vital concerns that need to be looked into in greater detail.
CDT is also concerned that the Commission is currently too time consuming for organizations with limited staff resources. The Commission is set to have 20 hearings in 18 months. The staff time in travel alone from any organization willing to commit to participate would be overwhelming. This is particularly difficult for civil liberties and consumer groups who already have resource difficulties. A modified schedule of 12 or 8 meetings (3 or 2 in each geographical region) in 18 months seems more appropriate.
The Internet privacy legislation currently in front of Congress cover a wide range of issues. Many of these have been well documented in work undertaken by previous commissions and advisory boards. Studying privacy to map protections for the future must remain a high priority and should continue to explore new areas. A commission that would take on the more difficult issues facing privacy would be welcomed. However, such a commission must not be allowed simply to derail legislative hearings and actions on privacy for another 18 months as daily stories of privacy invasions and consumer concerns continue to multiply. While the commission is doing its important work in the areas outlined above, we hope that you will join us in working on ensuring greater corporate and government responsibility, privacy enhancing technologies and legislative efforts to protect privacy.
A History of Federal Government Privacy Commissions, Workshops and Advisory Boards in the Digital Age
The following is a partial listing of federal government privacy initiatives and the resulting recommendations over the past 30 years. While the focus here are initiatives that directly affect the privacy of government and online services, there have also been a large number of health privacy and several financial privacy initiatives. [ 16 ]
Health Education and Welfare Advisory Committee on Automated Personal Data Systems, 1972 [ 17 ]
In 1972, Elliot L. Richardson, then Secretary of the U.S. Department of Health Education and Welfare (HEW), appointed an Advisory Committee on Automated Personal Data Systems to explore the impact of computerized record keeping on individuals. In the committee's report, published a year later, the Advisory Committee proposed a Code of Fair Information Practices. These practices have been the basic element for all future Fair Information Practices and future U.S. laws, including the Privacy Act of 1974.
The basic principles of the 1973 Code are as follows:
2. There must be a way for an individual to find out what information is in his or her file and how the information is being used;
3. There must be a way for an individual to correct information in his or her records;
4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and
5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.
Privacy Protection Study Commission of 1977 [ 18 ]
In 1977, at the height of the initial controversy over the legality of computer matching, the Privacy Protection Study Commission, charged with studying the issues raised by the Privacy Act and recommending future legislation, issued its report: Personal Privacy in an Information Age. The Commission was created by the Privacy Act in a provision adopted during final negotiations and accepted as less controversial than creating an Executive branch oversight agency.
The Commission's report recommended that the Privacy Act be more vigorously enforced, and suggested a number of ways to make the Act more effective. The Commission found that the Privacy Act did not lead to the benefits originally expected from the passage of the Privacy Act. The report included a proposed revision of the Act that clarified ambiguities, provided individuals with broader remedies, and tightened the exemptions in the Act. The Commission also recommended that Congress pass additional information privacy legislation to protect information held in private sector databases. Including a set of Fair Information Practices that employers would voluntarily follow when collecting data about individuals for hiring purposes and have served as a basis for many subsequent guidelines.
The Fair Information Practices from the report are as follow:
An employer should limit external disclosures of information in records kept on individual employees, former employees, and applicants; it should also limit the internal use of such records.
2. Individual Access
B. An employer should assure that the personnel and payroll records it maintains are available internally only to authorized users and on a need-to-know basis.
(2) the techniques that may be used to collect such information;
(3) the types of sources that are expected to be asked;
(4) the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed;
(5) the procedures established by statute by which the individual may gain access to any resulting record about himself;
(6) the procedures whereby the individual may correct, amend, or dispute any resulting records about himself.
No employer should ask, require, or otherwise induce an applicant or employee to sign any statement authorizing any individual or institution to disclose information about him, or about any other individual, unless the statement is:
(1) in plain language;
(3) specific as to the individuals and institutions he is authorizing to disclose information about him;
(4) specific as to the nature of the information he is authorizing to be disclosed;
(5) specific as to the individuals or institutions to whom he is authorizing information to be disclosed;
(6) specific as to the purpose(s) for which the information may be used;
(7) specific as to its expiration date, which should be for a reasonable period of time not to exceed one year.
5. Medical Records
B. Upon request, an individual who is the subject of a medical record maintained by an employer, or another responsible person designated by the individual, should be allowed to have access to that medical record, including an opportunity to see and copy it. The employer may charge a reasonable fee for preparing and copying the record.
C. An employer should establish a procedure whereby an individual who is the subject of a medical record maintained by the employer can request correction or amendment of the record.
Each employer and agent of an employer should exercise reasonable care in the selection and use of investigative organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations fully protect the rights of the subject being investigated.
7. Arrest, Conviction, and Security Records
B. Unless otherwise required by law, an employer should seek or use a conviction record pertaining to an individual applicant or employee only when the record is directly relevant to a specific employment decision affecting the individual.
C. Except as specifically required by federal or state statute or regulation, or by municipal ordinance or regulation, an employer should not seek or use a record of arrest pertaining to an individual applicant or employee.
D. Where conviction information is collected, it should be maintained separately from other individually identifiable employment records so that it will not be available to persons who have no need of it.
E. An employer should maintain security records apart from other records.
An employer should periodically and systematically examine its employment and personnel record-keeping practices, including a review of:
(2) the items of information contained in each type of employment record it maintains;
(3) the uses made of the items of information in each type of record;
(4) the uses made of such records within the employing organization;
(5) the disclosures made of such records to parties outside the employing organization;
(6) the extent to which individual employees, former employees, and applicants are both aware and systematically informed of the uses and disclosures that are made of information in the records kept about them.
1980 - 1989
Organization for Economic Cooperation and Development Guidelines (OECD) on the Protection of Privacy and Transborder Flows of Personal Data [ 19 ]
In late 1980, the OECD issued Guidelines concerning privacy. The US provided input through a private sector government collaboration headed by the National Telecommunications Infrastructure Administration (NTIA) in the Department of Commerce and the Bureau for International Communications and Information Policy in the State Department. [ 20 ]
Although broad, the OECD guidelines set up important standards for future governmental privacy rules. These guidelines underpin most current international agreements, national laws, and self-regulatory policies. Although these guidelines were voluntary, about half of OECD member-nations had already passed or proposed privacy-protecting legislation in 1980. The United States endorsed the OECD Guidelines. By 1983, 182 American companies claimed to have adopted the standard although very few ever implemented practices that mapped to the guidelines.
The OECD Guidelines are as follows:
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified except:
b) by the authority of law.
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of
their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle
An individual should have the right:
b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
A data controller should be accountable for complying with measures which give effect to the principles stated above.
The principles remain an international standard for privacy in the computer age.
Computer System Security and Privacy Advisory Board (CSSPAB) [ 21 ]
In 1987 Congress established the CSSPAB as a public advisory board as a part of the Computer Security Act. The Computer Security Act specifies that the Board's mission is to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy.
The CSSPAB is composed of twelve members, in addition to the Chairperson, who are recognized experts in the fields of computer and telecommunications systems security and technology. The board examines those issues affecting the security and privacy of sensitive unclassified information in federal computer and telecommunications systems. The CSSPAB's authority does not extend to private-sector systems or federal systems which process classified information.
The CSSPAB advises the Secretary of Commerce and the Director of the National Institute of Standards and Technology (NIST) on computer security and privacy issues pertaining to sensitive unclassified information stored or processed by federal computer systems. The Board reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and appropriate committees of Congress.
1990 - 2000
National Information Infrastructure Advisory Council
In March 1995, the National Information Infrastructure Advisory Council, led by Secretary Ronald Brown at the Department of Commerce, was composed of 37 members, mostly from the private sector, was organized into three ŚMega-Projects' including one on privacy, security, and intellectual property. The Privacy project developed a set of Principles issued in the larger report entitled: "Project Common Ground."
The NIIAC Principles are as follows:
2 Protection of privacy is crucial to encouraging free speech and free association on the NII; however, such protections are not absolute and must continue to be balanced, where appropriate, by concepts of legal accountability and First Amendment rights.
3 To achieve its full potential, the NII must incorporate technical, legal, and self-regulatory means to protect personal privacy. The privacy of communications, information, and transactions must be protected to engender public confidence in the use of the NII. For instance, people should be able to encrypt all lawful communications, information, and transactions on the NII. Network-wide and system-specific security systems that ensure confidentiality, integrity, and privacy should be incorporated into the design of the NII. In an interactive electronic environment, transactional information should be afforded a high level of protection.
4 Existing constitutional and statutory limitations on access to information, communications, and transactions such as requirements for warrants and subpoenas, should not be diminished or weakened and should keep pace with technological developments. Privacy protections should be consistent across technologies, and should be technology neutral.
5 At a minimum, existing rights to review personally identifiable information and the means to challenge and correct inaccurate information should be extended into the NII.
6 Individuals should be informed, in advance, of other uses and disclosures of personally identifiable information provided by that individual or generated by transactions, to which that person is a party, on the NII. Personally identifiable information about an individual provided or generated for one purpose should not be used for an unrelated purpose or disclosed to another party without the informed consent of the individual except as provided under existing law.
7 Data integrity - including accuracy, relevance, and timeliness of personally identifiable information - must be paramount on the NII. Users of the NII, including providers of services or products on the NII, should establish ways of ensuring data integrity, such as audit trails and means of providing authentication.
8 The use of a personal identification system administered by any government should not be developed as a condition for participation in the NII.
9 Subject to public policies intended to secure and maintain the integrity and enforceability of rights and protections under U.S. laws - such as those concerning
intellectual property, defamation, child pornography, harassment, and mail fraud - spheres for anonymous communication should be permitted on the NII. Those who
operate, facilitate, or are otherwise responsible for such spheres must adequately address the sometimes conflicting demands and values of anonymity, on the one hand, and accountability, on the other.
10 Collectors and users of personally identifiable information on the NII should provide timely and effective notice of their privacy and related security practices.
11 Public education about the NII and its potential effect on individual privacy is critical to the success of the NII and should be provided.
12 Aggrieved individuals should have available to them effective remedies to ensure that privacy and related security rights and laws are enforced on the NII, and those who use the remedies should not be subject to retaliatory actions.
Information Infrastructure Task Force Principles for Providing and Using Personal Information [ 22 ]
The technology boom of the 1980s and 1990s caused many countries to review privacy guidelines. New privacy safeguards were needed to correspond with the booming use of computers in data collection. In the U.S., The Information Infrastructure Task Force's (IITF's) Information Policy Committee issued a series of Principles for Providing and Using Personal Information in June 1995. The statement of principles included a call for all participants of the National Information Infrastructure to observe several rules:
These guidelines were widely criticized by the privacy community as a retreat from the HEW and OECD guidelines. [ 23 ]
FTC and NTIA Initiatives
The FTC and NTIA have been more actively involved in addressing online privacy issues since the beginning of the massive growth of the World Wide Web. In April 1995, the FTC staff held its first public workshop on privacy on the Internet, and in November of that year the Commission held hearings on online privacy as part of its extensive hearings on the implications of globalization and technological innovation for competition and consumer protection issues.
In 1995, completed a paper entitled "Privacy and the NII: Safeguarding Telecommunications-Related Personal Information" [ 24 ] focused on privacy and online services. The overall purpose of the paper was to provide an analysis of the state of privacy in the United States as it relates to existing and future communications services and to recommend a framework for safeguarding telecommunications-related personal information. The analysis found "a lack of uniformity among existing privacy laws and regulations for telephony and video services" and recommended "a uniform privacy standard to provide notice and consent" as suggested in the IITF document.
In June 1996, the FTC conducted a two-day workshop to explore privacy concerns raised by the online collection of personal information, and the special concerns raised by the collection of personal information from children. The workshop looked into a wide range of issues including industry self-regulation, technology-based solutions, consumer and business education, and government regulation. The FTC in a December 1996 staff report entitled Consumer Privacy on the Global Information Infrastructure released a report based on the workshops. [ 25 ] A second workshop in June 1997 delved more deeply into these issues. As the Commission explained in its 1998 Report to Congress, "in all of these endeavors the Commission's goals have been (1) to identify potential consumer protection issues related to online marketing and commercial transactions; (2) to provide a public forum for the exchange of ideas and presentation of research and technology; and (3) to encourage effective self-regulation." [ 26 ]
On June 23-24, 1998, the NTIA held a public meeting on Internet privacy. [ 27 ] This meeting was meant to be a dialogue, roundtable and working session with academia, industry representatives, privacy advocates, public interest groups and Washington Policymakers.
The forum addressed the following issues:
On November 8, 1999, The National Telecommunications and Information Administration ("NTIA") of the United States Department of Commerce and the Federal Trade Commission held a public workshop on "online profiling," the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online, and using the resulting consumer profiles to create targeted advertising on Web sites. The agencies sought public comment addressing various issues related to the practice of online profiling, thousands of individuals participated. [ 28 ]
On March 31, 2000, the FTC hosted the first meeting of the Advisory Committee on Online Access and Security. [ 29 ] The purpose of the Advisory Committee is to provide advice and recommendations to the FTC on implementation of access and security fair information practices by domestic commercial Web sites. In particular, the Advisory Committee will address providing online consumers reasonable access to personal information collected from and about them and maintaining adequate security for that information. The Committee is expected to finalize its work in May 2000.
1. Green, Heather; Mike France and Marcia Stepanek and Amy Borrus. Business Week. March 20, 2000. http://www.businessweek.com/2000/00_12/b3673006.htm
2. Green, Heather with Catherine Yang and Paul C. Judge. A Little Net Privacy, Please. Business Week. March 16, 1998 http://www.businessweek.com/1998/11/b3569104.htm
3. Schwartz, John. "Web Firm Halts Profiling Plan: CEO Admits Mistake in Face of Probes, Privacy Complaints." Washington Post. March 3. 1999. A1.
4. Macavinta, Courtney. "Breach exposes H&R Block customers' tax records." CNet News.com. February 15, 2000. http://news.cnet.com/news/0-1005-200-1550948.html?tag=st.ne.1002.
5. Junnarkar, Sandeep. "Intuit plugs leaks to DoubleClick." CNet News.com. March 2, 2000 http://news.cnet.com/news/0-1007-200-1562341.html?tag=st.cn.1.
6. Konrad, Rachel. Airline's mistake exposes email addresses. CNet News.com.. March 21, 2000 http://news.cnet.com/news/0-1007-200-1580221.html?tag=st.cn.1.
7. Meland, Marius. "Microsoft, AOL Become Privacy Gatekeepers." Forbes.com. April, 7, 2000. http://biz.yahoo.com/fo/000407/mu2547.html
8. Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7. See the appendix of this testimony for a listing of Fair Information Practice Principles and how they have developed over time.
9. Privacy Protection Study Commission. 1977. Personal Privacy in an Information Society. Washington, DC: Government Printing Office.
10. OMB Watch. "A Delicate Balance: The Privacy and Access Practices of Federal Government Web Sites." August, 19997. http://ombwatch.org/ombw/info/balance/exec.html
11. Center for Democracy and Technology. "Policy vs. Practice: A Progress Report on Federal Government Privacy Notice on the World Wide Web." April, 1999. http://www.cdt.org/privacy/fedprivacystatus.shtml
12. Public records that contain personally identifiable information include, but are not limited to: drivers licenses, driving records, motor vehicle registration and titles, property tax records, voting registration records, occupational licenses, use licenses (eg, ham radio, CB radio), firearms permits, court records (eg., bankruptcy, divorce), law enforcement records, political contributions, Security and Exchange Commission filings, financial disclosure filings, hunting and fishing licenses, US Postal Service address records, and vital statistics.
13. A CDT and OMB Watch joint report entitled "Ten Most Wanted Government Documents" details some of the failures of EFOIA and other federal open records laws -- http://www.cdt.org/righttoknow/10mostwanted/
15. The difficulties that individuals have had are well documented in the "Civil Remedies" section U.S. Department of Justice Office of Information and Privacy's Freedom of Information and Privacy Act Overview. September 1998 Edition. p. 711.
16. A more complete detailed summary will be available in Priscilla Regan's "Changing Institutional Roles and Responsibilities," a book chapter for Information Privacy: Looking Forward, Looking Back, edited by Mary Culnan, Robert Bies, and Michael Levy (forthcoming: Georgetown University Press).
17. United States Department of Health, Education and Welfare. 1973. Records, Computers and the Rights of Citizens. Washington, DC: Government Printing Office.
18. Privacy Protection Study Commission, 1977.
20. Regan, Forthcoming
23. See CDT's March 1995 comments to the IITF for an example: http://www.cdt.org/privacy/comments_iitf.html