Intrusion in the Sphere of Personal Communications
This chapter addresses the right to privacy in personal communications and how privacy is compromised by personal computing.
INTRODUCTION
In the realm of information technology, much as in ay other medium, the actual or perceived threat of terrorism and organized crime has led to an intrusion into personal life and an abridgement of individual rights in the name of protecting citizens from harm.
Historically, law enforcement has been focused on intercepting and monitoring communications by actions such as reading private mail, using listening devices to monitor verbal conversation, or wiretapping private telephone lines. Such surveillance methods have been treated by democratic countries as contrary to basic civil rights and they have been permitted only in limited circumstances and subject to judicial control and oversight.
Electronic communications facilitate the interception and surveillance of messages among individuals, and grants greater power to the surveillor in that digital messaging can more easily be collected, stored, analyzed, and processed. Moreover, due to the novelty of the medium, the same safeguards to civil rights that apply to other forms of communication are not in place in the digital medium: an has greater latitude in its handling of e-mail than it does of telephone calls, and legislators seem reluctant to be as vigilant in the context of electronic media.
PRIVACY
While there is come coincidence among the protections afforded to citizens in Western nations, the origins and understandings of privacy and the rights of the individual vary.
The "Right to be Let Alone"
The right to privacy is often tracked back to Warren and Brandeis (1890) who argued for the individual's "right to be let alone" - to communicate to others under certain circumstances with an expectation of privacy. The essay derived this right from intellectual property rights, specifically to "own" one's ideas and thoughts and control to whom they are disseminated; the concept of a social contract and breach of confidence; the Fourth Amendment protection against unreasonable search and seizure; and the Fifth Amendment protection against self-incrimination.
This "right to be let alone" was first tested in the 1950's and 1960's, during a time at which the government (McCarthyism) heavily monitored private communication and used the collected information to prosecute or harass citizens. However, the rulings at the time led privacy to be derivative of a "thing" or a "place" rather than of communication itself.
The Right to Respect for Private and Family Life
Meanwhile in Europe, the European Convention on Human Rights (ECHR), in 1953, sought to preserve "respect for [a person's] private and family life, his home, and his correspondence" against the whim of government authorities and private organizations (businesses, chiefly). The ECHR document is interpreted and enforced by an independent court, but is often incorporated into domestic law and enforced by agencies in each nation.
By the terms of this treaty, no public authority may interfere with the exercise of this right unless it is done in accordance with the law and is in the interests of national security, public safety, the prevention of crime, the protection of health or morals, or the protection of the rights and freedoms of others - which provides ample loopholes. Examples are given of instances in which the court upheld violations of this right, as well as instances in which the right was defended - ultimately, it seems arbitrary and circumstantial.
Information Privacy and the Right to Informational Self-Determination
The concept of information privacy is the right of "individuals, groups, or institutions to determine for themselves how, when, and to what extent information about them is communicated to others." There is some disagreement on the source of this right, whether it is as an extension of property rights (information about a person belongs to them) or an intrinsic right, but it is generally accepted that an individual should have the ability to limit the information about himself that anyone else may collect, as well as control over the sharing or dissemination of that information to others.
DATA PROTECTION
The right to information privacy brings with it the requirement, on the part of others with whom this information has been shared, not merely to refrain from disseminating it further, but also to safeguard the information against third parties. This has been seen as an impediment to those who maintain data, and the emergence of "data havens" in countries with no legal requirements for safeguarding data has been a response.
The author describes a handful of initiatives in varying degrees of detail:
OECD Guidelines
The Organisation for Economic Co-operation and Development (OECD) introduced "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" in 1980 (predating the Internet and the IT explosion) to protect citizens against the misuse of their personal information by public and private organizations.
The Guidelines exhibit four basic themes -- the need to guarantee basic rights of privacy, the need to ensure free flow of information, the avoidance of unjustified national restrictions on transborder data flow and the need to harmonize the provisions of the various national laws
These guidelines were non-binding, though a number of governments used them as a basis or the development of laws to protect personal information.
Council of Europe Convention
Slightly later (1985), the Council of Europe adopted a "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data" to establish "parameters" for a person's right to the confidentiality of personal data. A handful of governments signed the convention, but others (particularly the U.S., which was leading the IT boom) regarded it as unduly restrictive.
The EU Data Protection Directives
In 1995, the European Parliament developed a Data Protection Directive that extended personal information protections developed for the telecommunications sector to the online medium. This directive imposed "broad obligations" on organizations that collected data and "broad rights" to individuals whose data has been collected.
The European Union Charter of Fundamental Rights
In 2000, the EU established a charter of fundamental rights and freedoms for citizens, in which the right to privacy and the protection of personal data was listed. The Charter includes a right of every EU citizen "to the protection of personal data concerning him or her". Article 8(2) provides that "such data must be processed fairly for specific purposes and on the basis of consent of the person concerned or some other legitimate basis laid down by law". It also grants a right of access to the individual to data which has been collected concerning him or her, and a right to have such data rectified.
The charter has not yet been ratified (for reasons other than this particular passage) and remains mired in the bureaucratic process, with no predicted adoption date in sight.
ELECTRONIC INTRUSION AND DATA RETENTION
An additional concern of the present age is that, by virtue of the technology, it is easier for organizations to store data for the long term (retaining it even after the reason for which it was provided was fulfilled) and aggregating data from various sources to create a "profile" of users that they did not consciously, and in one act, provide.
Communications Data
Apart from the information a user consciously submits, there is additional data by virtue of the communications medium (e.g., they physical location of a cell phone user) that alone do not convey any significant meaning, but tracked over time, can provide a "near complete map" of an individual's private life (e.g., their whereabouts at any given time of the day). Because this information pertains to a specific individual, it is considered to be "personal data" and should be afforded the same protections as any other personal information.
The Mandatory Retention of Communications Data
The paradigm shift that was brought about through the extension of the scope of Article 15(1) of the E-Privacy Directive prepared the ground for far reaching reform proposal concerning the mandatory retention of communications data. In April 2004, the governments of the UK, France, Ireland and Sweden submitted a joint proposal for a draft Framework Decision which was intended to put in place a pan-European framework. The proposal as drafted would have required the retention, for a minimum of 12 months and a maximum of 36 months, of all communications data generated by CSPs within the EU.
In the wake of 9/11 a proposal was drafted requiring service providers to retain, for up to 24 months, all telecommunications data collected by the company, including:
- Data necessary to trace and identify the source of a communication (telephone number, name and address of subscriber, sender's IP address, etc.).
- Data necessary to identify the recipient of a communication (number dialed, name and address of recipient, IP address of recipient, etc.).
- Data necessary to identify the date, time and duration of a communication (date of the communication, start and end time of a telephone conversation, logo-on and log-off time of Internet access service).
- Data necessary to identify the type of communication.
- Data necessary to identify users' communication equipment or what purports to be their equipment.
- Cell site data necessary to identify the location of mobile communication equipment
The intention of this legislation, which was adopted "after one of the shortest legislative procedures in the history of the EU," was to compel these companies to retain this data to assist in investigating, detecting, and prosecuting "serious crime."
The lack of clear definition, and the liberal verbiage that grants member states the ability to access this data at will, are cause for concern.
CONCLUSION
The author expresses grave concern over the collection and use of private data by the state, and paints rather a nightmare scenario in which statistical analysis is applied to vast volumes of data in order to predict criminal behavior and act in a proactive manner against citizens who have done nothing, on the basis that the data collected about them suggests that they potentially might. Or when companies and other institutions make decisions about candidates for employment or applicants to college based on statistical inference ... which is an interesting point, but is somewhat ironic (given that the author's polemic seems to be against data collection, and these examples use the same kind of inference). But one point rings true: given the current political climate of fear in the wake of the terrorist attacks of 9/11, the eagerness of government to collect data and monitor citizens has come to "it constitute a real threat to the fundamental rights of individuals and the democratic order."