Posted Jun 23, 2006 12:17 pm CDT
Employees at one Cincinnati company have a choice. They aren’t required to have ID chips implanted in their arms so their employer can monitor their movements. But they might need to do so should any wish to hold a position that would allow access to a secure data center where the company’s most sensitive materials are stored. The chip is based on technology called radio frequency identification, and its maker, VeriChip Corp. of Delray Beach, Fla., says two employees and the company’s CEO have agreed to be injected with the chips.
The Cincinnati company in question is—ironically—CityWatcher.com, which provides security cameras and other technical security support. The sensitive materials the company is protecting include video databases of thousands of hours of surveillance tapes recorded on behalf of governments and private businesses.
RFID is one of dozens of new technologies unleashed in the past half decade. Although few companies go so far as to implant RFID devices in employees, many institutions and individuals are using biometrics such as facial or iris recognition, fingerprint scans and satellite navigation technology to keep track of employees, children and even the elderly.
While many Americans embrace new technologies for their convenience and the promise of greater security, some legal experts worry that the law is not keeping pace with the introduction of ever-more invasive and pervasive technologies with potential for abuse, fraud or identity theft.
“Introducing this technology just because it exists and has some benefit is a very myopic way of making policy. The consequences of misuse or error are very dramatic and the risks are profound,” says George Washington University law professor Daniel Solove, author of The Digital Person.
“People may think they have nothing to fear because they have nothing to hide, but I don’t know of anyone who truly lives in a glass house,” he says. “Everybody has things they’d rather not have the world be privy to, from their bathroom habits to re-gifting a present to how much their salary is to what medications they take. Everybody has something they don’t want just anybody having access to.”
Living amid a technological revolution is forcing lawyers and courts to grapple with the issue of how much privacy the law should allow in a world where information travels at warp speed.
Increasing use of keycards, fingerprint technology or similar systems could allow bosses to know how long employees spend in the bathroom, what items they ordered from the cafeteria at lunch, and how many sodas or candy bars they bought from company vending machines. Such information could be used to target employees for wellness programs intended to curb health care costs, for example. In most circumstances, the tracking would be done whether the employees wanted it or not.
Lee Tien, an attorney for the San Francisco-based Electronic Frontier Foundation, poses an even more troubling example:
“A worker routinely stops at a particular diner or convenience store for lunch every day. Next door to his regular stop is a strip club, an adult movie theater or a similar venue. Since most [Global Positioning System devices] are only accurate within a few hundred feet, it could appear that the employee is stopping at the adult-oriented venue every day. How do you convince your boss that you’re innocent when his GPS is telling him you’re in a strip club every afternoon?”
Solove says mistakes and misinterpretation are bound to be huge problems in any system that purports to track someone’s every move.
“People make assumptions about how the info collected about them will be used, but how do you know how it will be used? Even if there’s an innocent explanation for everything you do, in this country we don’t want to have to answer for and explain every move we make. Eventually, knowing someone is watching is bound to have a chilling effect on even innocent behavior,” Solove says.
Meanwhile, computer maker IBM now offers fingerprint-scan technology for logging on to computers it sells to the business market, touting both high security and ease of use for laptop owners who need only press an index finger to a tiny pad on the keyboard to be logged on—and have their usage tracked. Other computer makers are also beginning to offer fingerprint-log-on devices.
Employers say this makes it more difficult for an unauthorized person to access the system than it would be using someone else’s password or keycard, since the finger itself needs to be pressed to the keypad for access to occur.
Solove worries about misuse of information by authorized users, such as employers or even family members. A recent Chicago Tribune article reported on ways that technology can be used to make sure elderly parents have not fallen or are taking their medications. But the monitoring can be more intrusive. One elderly nursing home resident who wore a tracking device fought to cancel his daughter’s access to his GPS records, saying she overstepped by keeping too-close tabs on his increasing weight and reporting too much to other family members.
The other danger that frightens Solove is the misuse of all this collected data by unauthorized users—hackers who find their way into databases, unscrupulous employees of the collecting companies who sell personal data, and other criminals.
Companies that collect information such as employee fingerprints rarely give much thought to protecting that information from outside hackers, Solove says. If someone were to access a database of digital fingerprint scans, the victims’ identities could be stolen in a fashion that would make it nearly impossible for the victim to prove that he, not the thief, was the real “Joe Jones.”
While some people take as gospel that fingerprints are unique, most fingerprints are stored as digital images, meaning copying a digital file might be all that’s needed to convince another computer to recognize a print and allow access, says Solove.
For his part, John Proctor, spokesman for VeriChip, says a lot of the fear about uses of RFID and similar technology is based on inaccurate or incomplete information. He says the primary use for VeriChip is in the health services industry: Patients who have implanted chips can be treated more quickly and effectively, especially when a situation arises in which a patient arrives at an emergency room unconscious.
“There’s no personal information on the chip at all. It’s just a 16-digit number. Using that number, a hospital employee calls up a private Web database, enters a unique password to track who is seeking access, and then searches the patient’s medical records using the 16-digit number. It’s very secure” and compliant with the Health Insurance Portability and Accountability Act, Proctor says.
But others see such uses of RFID as a precursor to more invasive technologies, such as GPS devices that would allow constant tracking of a person’s movements. While implantable GPS technology is not yet on the market, many attachable devices are already in use.
Parents are putting chips in children’s backpacks and on teenagers’ cars and tracking them via the Internet, while a school in New Jersey requires parents who want access to the campus to submit to an iris-recognition scanning system that will unlock outer security doors.
While few dispute that employers have a right to know what their employees are up to while on the clock, some worry about the routine invasiveness of a boss knowing that a salesman driving a company car made a stop at a convenience store on the way home from work. While it might be overlooked in normal circumstances, even such innocent infractions could be used by someone with an ax to grind.
And if a parent’s GPS system is hacked, a predator could monitor the child’s whereabouts—perhaps without the parent even being aware until something terrible happens.
The potential use of RFID technology in passports and driver’s licenses is one of the issues being closely monitored by the ABA’s Section of Individual Rights and Responsibilities. “Our concern is to see that basic privacy rights are safeguarded through legislation that takes into consideration the potential privacy impact of the use of these new technologies,” says Marc Rotenberg, chair of the section’s Privacy and Information Protection Committee.
Later this year, Congress may take up the question of mandatory notification of affected consumers when security is compromised, says Rotenberg, who is executive director of the Electronic Privacy Information Center in Washington, D.C. Some states, such as California, already have strong statutes requiring that companies notify individuals if their private information is illegally obtained, such as by hackers accessing an electronic database of consumer credit information.
“It’s one thing for the courts to say, as they have for years, that there’s no expectation of privacy when a police officer sees you do something in public. That’s very different, though, from being tracked from one place to another by a high-tech camera,” he says.
Solove says many lawyers fail to think creatively about causes of action when clients’ privacy interests are violated. In addition to the usual torts of invasion of privacy, lawyers should consider causes of action such as breach of confidentiality and negligence when an organization allows unauthorized access to private information, such as files in a database that should be accessible only to authorized users.
“This area of law is really just developing. Common law recognizes a privacy right, and there are many ways to show a court how that fits within local jurisdiction,” says Solove. He points to exceptions to most states’ freedom of information acts as providing a wealth of ideas about the type of information the state legislature thinks should be kept private. Those exceptions can be used as examples for why a cause of action should be allowed. For example, most states prohibit the disclosure of employee personnel files, identifying information about those who use government services, student records, collective bargaining materials, and virtually anything that would not be discoverable in a court action. Solove says unauthorized disclosures of any of these sorts of materials could form the basis for an invasion-of-privacy tort action.
But Solove also thinks courts and lawyers should go even further in protecting litigants’ privacy. For example, almost anything is subject to discovery in a civil case—whether or not it would ultimately be admissible in court. Solove says judges should weigh the probable admissibility of highly personal information before allowing it to be discovered routinely in litigation. The harm, Solove notes, lies not merely in whether the information is used in court, but also in simply allowing an opposing party to gain access to information that has little chance of being legally relevant to the case.
The EFF’s Tien agrees that the law must change to recognize the potential sensitivity of certain information, even something as seemingly innocuous as a person’s location in a public space.
“The whole scope of privacy in public changes when you’re not just talking about who within a few blocks might see you, but rather who might be tracking you from miles away,” says Tien.
Even those things the law already recognizes as private are not always protected using the best practices available, Tien notes. He cites a recent example of credit card transaction information being lost by an overnight mail company while being sent from the issuing bank to a credit reporting company. The lost envelopes contained account numbers, names, addresses and other personal information about customers. Tien questions why such sensitive data was sent by such a relatively unsecured method in the first place.
Too Much Information
In a 2000 case, a California appellate court found that a husband’s use of fraudulently obtained prescription information about his soon-to-be ex-wife was protected by a statutory litigation privilege. The husband had received a printout of all his wife’s prescriptions for the previous year by telling a pharmacy employee that he needed the information for his tax return. The wife had previously notified the pharmacy of the divorce proceedings and expressly told the manager that she did not want any of her information released to her husband.
The husband used the prescription information in an attempt to show that the woman was unfit to care for the couple’s children. He also wrote to the state department of motor vehicles in an attempt to get the wife’s driver’s license suspended because, he contended, the medications made her unfit to drive. Both attempts failed, and the wife sued the husband and the pharmacy for breaching her privacy. Though the court found the husband immune from the privacy suit, it let stand a $100,000 verdict against the pharmacy. Wise v. Thrifty Payless Inc., 83 Cal. App. 4th 1296.
Solove says that, too often, lawyers fail to recognize the privacy interests at stake for clients involved in litigation and thus fail to seek pre-emptive protective orders before the opposing party can subpoena sensitive information.
In addition, Solove says, lawyers should ask clients about private information presented in the litigation that they prefer to have sealed from public review.
“Some things are public information, but a lot of things fall into a gray zone where it is up to the judge’s discretion as to whether to protect information. The lawyer should protect the client’s privacy by seeking closure,” he adds.
Lawyers, too, play a role in the devolution of individual privacy. In February, the senior counsel of the Electronic Privacy Information Center wrote to the state bar ethics committees of all 50 states decrying attorneys’ use of information brokers who get their data by unethical and often illegal methods.
Chris Jay Hoofnagle wrote that lawyers are the primary consumers of information gleaned through the practice known as “pretexting,” in which data brokers impersonate someone or use other fraudulent means to obtain private information. Included among the information that lawyers most often purchase are cell phone records, the sale of which has come under scrutiny by Congress in recent months.
Hoofnagle writes that attorneys violate at least five of the ABA Model Rules of Professional Conduct when they buy fraudulently obtained information from brokers, usually in an effort to gain an advantage in civil litigation.
Too often, Hoofnagle says, attorneys purposely turn a blind eye to the underhanded and often illegal tactics used by their hired investigators to get information about opposing parties.
“I don’t think attorneys tell investigators to use pretexting, but it’s certainly implicit when attorneys ask for a background check. Most of the info could be obtained legally by subpoena, but this is faster, cheaper and provides a veil of secrecy so that the subject of the investigation never knows how the information was obtained,” says Hoofnagle, who is director of EPIC’s San Francisco office.
Law enforcement may finally be catching up. In April, Illinois Attorney General Lisa Madigan sued New Jersey-based Advanced Research Inc., claiming its owners fraudulently obtained Illinois consumers’ cell phone records.
The suit alleges that the company obtained consumers’ records through employees misrepresenting themselves as cell phone account holders. The suit is the third filed by the Illinois attorney general against such companies.
But the courts are bound to see more litigation involving technology and privacy. “Common law is rarely bound by the four corners. It evolves. We need to think about privacy in a more robust way in this new age,” Solove says.
Margaret Graham Tebo, a lawyer, and Mark Hansen are both senior writers for the ABA Journal.