“Nothing to Hide, Nothing to Fear: Defending Privacy and Private Property”
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at firstname.lastname@example.org.
Fourth Amendment of the US Constitution, September 25, 1789
There is no such thing as a right to privacy. Our Declaration of Independence does not promise this. The Constitution does not explicitly mention privacy. The closest reference to privacy is within the Fourth Amendment of the Constitution of the United States.
Over the last century, the concept of privacy as a right for individuals has evolved.
“The Right to Privacy” is a law review article written by Samuel Warren and Louis Brandeis and published in the 1890 Harvard Law Review. It is “one of the most influential essays in the history of American law” and is widely regarded as the first publication in the United States to advocate a right to privacy, articulating that right primarily as a “right to be let alone”.
“The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.”
“The Right to Privacy”, Samuel Warren and Louis Brandeis, Harvard Law Review, 12/15/1890
Privacy as a Human Right
The Universal Declaration of Human Rights (UDHR) is a declaration adopted by the United Nations General Assembly on 10 December 1948 at the Palais de Chaillot, Paris. The Declaration arose directly from the experience of the Second World War and represents the first global expression of what many people believe to be the rights to which all human beings are inherently entitled. The full text is published by the United Nations on its website.
The Declaration consists of thirty articles which have been elaborated in subsequent international treaties, economic transfers, regional human rights instruments, national constitutions, and other laws. The International Bill of Human Rights consists of the Universal Declaration of Human Rights, the International Covenant on Economic, Social and Cultural Rights, and the International Covenant on Civil and Political Rights and its two Optional Protocols. In 1966, the General Assembly adopted the two detailed Covenants, which complete the International Bill of Human Rights. In 1976, after the Covenants had been ratified by a sufficient number of individual nations, the Bill took on the force of international law.
US Privacy Laws
The Constructs of Privacy in the US
Most states of the United States also grant a right to privacy and recognize four torts based on that right:
1. Intrusion upon seclusion or solitude, or into private affairs;
2. Public disclosure of embarrassing private facts;
3. Publicity which places a person in a false light in the public eye; and
4. Appropriation of name or likeness.
Evolution of Privacy Related Laws in the United States (don’t worry, this is summarized below)
- Fourth Amendment of the US Constitution, September 25, 1789 – protections against search and seizure without presumption of guilt and warrant
- “The Right to Privacy”, Samuel Warren and Louis Brandeis, Harvard Law Review, December 15, 1890 – attempts to define privacy, and looks at slander and libel to further define those private things that could hurt an individual if disclosed
- Universal Declaration of Human Rights, United Nations General Assembly, December 10, 1948 – the source of the understood meaning of fundamental freedoms for individuals, and a world record for the most translated document. After a universal belief that the United Nations Charter did not go far enough to define freedoms and liberties, this was created following the atrocities of Germany and the Nazis during World War II. This document was initially understood to become the International Bill of Rights.
- Immigration and Nationality Act of 1952 – governs primarily immigration to and citizenship in the United States.
- Freedom of Information Act of 1966 – allows for the full or partial disclosure of previously unreleased information and documents controlled by the United States government. The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures and grants nine exemptions to the statute.
- Bank Secrecy Act of 1970 – requires financial institutions in the United States to assist U.S. government agencies to detect and prevent money laundering.
- Fair Credit Reporting Act of 1970 – The foundation of consumer credit laws, this legislation was enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to protect consumers from the willful and/or negligent inclusion of inaccurate information in their credit reports.
- Privacy Act of 1974 – establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
- Foreign Intelligence Surveillance Act of 1978 – prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers”.
- Right to Financial Privacy Act of 1978 – The Right to Financial Privacy Act of 1978 protects the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The Act was essentially a reaction to the U.S. Supreme Court’s 1976 ruling in United States v. Miller, where the Court found that bank customers had no legal right to privacy in financial information held by financial institutions.
- Comprehensive Crime Control Act of 1984 – was the first piece of federal legislation to focus directly on computer abuses. Enacted on October 12, 1984, it provides federal prosecutors with a specific crime titled, “Fraud and related activity in connection with computers” to prosecute criminal computer activity.
- Computer Fraud and Abuse Act of 1986 – was written to clarify and increase the scope of the previous version of the Comprehensive Crime Control Act of 1984 while, in theory, limiting federal jurisdiction to cases “with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.”
- Money Laundering Control Act of 1986 – for the first time in the United States criminalized money laundering. Additionally, the law requires that an individual specifically intend in making the transaction to conceal the source, ownership or control of the funds.
- Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act of 1986 (collectively, the ECPA) – protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
- Computer Matching and Privacy Protection Act of 1988 – amends the Privacy Act of 1974; the new provisions add procedural requirements for agencies to follow when engaging in computer-matching activities, provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated, and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.
- Communications Assistance for Law Enforcement Act of 1994 – enhances the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to wiretap any telephone traffic; it has since been extended to cover broadband Internet and VoIP traffic. Some government agencies argue that it covers monitoring communications rather than just tapping specific lines and that not all CALEA-based access requires a warrant.
- USA Patriot Act of 2001 – Title II is titled “Enhanced Surveillance Procedures”, and covers all aspects of the surveillance of suspected terrorists, those suspected of engaging in computer fraud or abuse, and agents of a foreign power who are engaged in clandestine activities. It primarily made amendments to FISA, and the ECPA, and many of the most controversial aspects of the USA PATRIOT Act reside in this title. In particular, the title allows government agencies to gather “foreign intelligence information” from both U.S. and non-U.S. citizens, and changed FISA to make gaining foreign intelligence information the significant purpose of FISA-based surveillance, where previously it had been the primary purpose. It amended FISA, ECPA, the Money Laundering Act, the Bank Secrecy Act and the Immigration and Nationality Act.
- Cybersecurity Information Sharing Act of 2014 – allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. Opponents question CISA’s value, believing it will move responsibility from private business to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.
- USA Freedom Act of 2015 – imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies, including the National Security Agency. It also restores authorization for roving wiretaps and tracking lone wolf terrorists.
Ownership of Private Digital Property
With significant changes in the laws around digital assets, content that is harvested legally is no longer the property of the original owner of the property. We can assume that local, state and federal authorities, along with internet service providers, healthcare, social media and cell companies, operating system, hardware and software manufacturers collectively have a library of personal data on each person.
This information has been harvested legitimately by all of these organizations for years at an ever-increasing volume. Barring any successful challenge in the Supreme Court, this data belongs to the collector. In this way, the government, law enforcement and commercial vendors harvest and keep personally identifiable information on billions of people around the world.
Individuals have little recourse to get the data that has been collected. While some laws and guidance exist regarding the safeguarding of this information, the data becomes the property of the collector once harvested, and may very well be governed by general and less restrictive information management policies. PII, healthcare data, financial information and all private communications may be stored in many third-party repositories.
Internet Service Providers and cell service providers are generally secretive regarding the retention of customer access logs. However, it is reasonable to believe that they maintain logs for a year or more. The logs are property of the providers, and customers have NO claim to the data. It can include full transcripts of text messages for extended periods of time.
An individual has no rights associated with the harvested data. The party that collected it rarely has to disclose what it intends to collect, and in practice it does not disclose what has been collected or how it is stored.
Surrendered Property Rights
Personal information is harvested by numerous parties. To avoid any confusion, any user must assume that ALL content distributed through the internet, through cell service, through broadband, has been collected, archived and saved by numerous parties. Let’s consider the implications:
1. Intellectual property is protected by copyright, trademark and patents. The challenge here is that sending a “private” email containing secret designs might constitute a public disclosure for the purposes of a patent.
2. Copyright is not granted to the harvester for all content. However, while there may not be a right of redistribution and modification, there is an implicit right of use.
3. Lawyers defending their clients against government have to assume that their communications with the clients are subject to review and scrutiny, without further disclosure, if those communications are electronic.
4. Businesses depend on technology to distribute ideas and opportunities throughout the organization. Innovation can be stolen by an operating system vendor when a small developer uses electronic communications and cloud data storage. This might actually be authorized within the thousands of pages of EULAs that normal users are compelled to accept to just operate cell phones, tablets and small computers.
A problem not discussed yet is the reality that if law enforcement and vendors can and do harvest massive amounts of data using infrastructure built into our devices and the communications frameworks, competitors and conspirators are doing the same thing. Criminals and state- and corporate-sponsored cyber spies do not abide by laws. An infrastructure that is designed to allow massive data harvesting may not discriminate between good guys and bad guys. Whoever has the key can open the lock. In some cases, a key is not even required.
What this means is that we have an infrastructure with weak protections around digital information, and taps at every point to harvest volumes of data. The taps are part of the underlying systems, so anyone gaining access could be collecting the same data. Since the good guys don’t log their collections, the bad guys don’t have to either.
Privacy Has Nothing to Do with Having Bad Things to Hide
The spirit of the law was to protect privacy and private property. With the advent of internet and email, laws initially defended routine harvesting of bulk data without warrants and just cause. Over time, protections eroded, and fear took precedence over privacy. Data was harvested in bulk by our government, and governments around the world. Despite recent changes in data collection laws, the data is still being collected and stored. Where government was grabbing everything, new laws make private companies directly responsible, and complicit with the mass surveillance of individuals.
Governments have created a weakness with laws that allow and encourage bulk data collection with little to no oversight. Vendors have incorporated logging and collection facilities – telemetry, customer experience programs, and more – allowing them to harvest incredibly valuable information about individuals. Search engines collect even more data about individuals. When this harvesting is allowed by law and by design, without tracking the collection or restricting it to finite activities, warrants and active cases, such activities allow the assumption of ownership of the collected data and rights.
Corporations have assets (information) that can be sold for profit. Service providers can provide detailed information about anyone, and do, without warrant. Fourth Amendment protections apply to things owned by an individual, where a warrant is required to compel cooperation of the individual. When a third party has the data, the third party can choose to cooperate with no liability.
The infrastructure and legal climate may actually weaken prosecution of data harvesting by a state-sponsored corporate spy who is able to copy all data transmitted over the internet. Since technology is so efficient at harvesting data, hacking from dark buildings in China is no longer required to collect data. A well-funded effort can release popular software, make it free, and build in auto-update and user satisfaction technology. In doing so, users accept surrendering personal information by clicking on an End User License Agreement (EULA), and the harvester of the data is not committing a crime to steal private information.
Even though laws and business practices have undermined some protections afforded by the Fourth Amendment, data is still protected until it leaves the control of an individual.
A combination of the evolution of laws and technology has made it possible for legitimate organizations to collect massive sums of data from private individuals. Thanks to the same advances, rogue governments and shady organizations can harvest bulk data with equivalent ease.
The realistic likelihood is that every American and many individuals in Europe have already had their private information compromised by both legitimate and rogue sources. Without a way to track bulk collection, it is hard to audit the efficacy of data management practices, and it is impossible for organizations collecting to implement protections that only allow “secret” data collection from good guys while blocking the bad guys.
As this continues, digital commerce will be subject to problems validating the authentic source of a transaction. Individuals will be compelled to consider implants, use invasive biometrics, and accept even more intrusion into our privacy as we try to do basic things like buy gasoline and order things on Amazon.
The answer is not more technology while data is globally harvested. Individuals need to accept responsibility for any digital communications, assets and content made available on the internet. In the next post, we will explore current technologies available to allow private users and organizations alike to protect data from good guys and bad guys equally.