An Examination of Surveillance Technology and Their Implications for Privacy and Related Issues - The Philosophical Legal Perspective
Emir A Mohammed
In an age where instantaneous communications and technology facilitate easy and ready access to information (personal and otherwise), we find ourselves, as a society, caught between two seemingly diametric principles - open information and privacy. This paper takes a critical look at the often murky intersection of law, technology and information. It begins by addressing the semantic difficulties surrounding what privacy exactly means, and drawing on US and UK case law and statute, continues with an examination of information privacy (DeCew, 1997) (with regards to Credit Bureaus and computer profiling). A critical analysis of physical surveillance - both in public and the workplace - is then considered, with particular attention drawn to criminological research by Dr. Clive Norris and Gary Armstrong regarding the former.
Keywords: Information privacy, privacy, CCTV, computer profiling, surveillance, data protection.
This is a Refereed Article published on 30 June 1999.
Citation: Mohammed E, 'An Examination of Surveillance Technology and Their Implications for Privacy and Related Issues - The Philosophical Legal Perspective',1999 (2)The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/99-2/mohammed.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/mohammed/>
This paper is an attempt to briefly outline and examine some issues and conflicts that arise when the realms of technology and privacy meet. Some topics the author wishes to particularly explore include the information mosaic[ 1], public-workplace surveillance and the privacy issues\concerns they raise. Legislation and case law will primarily be drawn from the United States (US) and United Kingdom (UK).
Since privacy is at the core of this paper it is best to understand exactly (or as best possible) what it means. Perhaps the most cited definition of privacy within the legal field would be that of Judge Cooley (1888) 'The right to be let alone' and, similarly, Supreme Court Justice Louis Brandeis 'the right to be let alone [as] the most comprehensive of rights, and the right most valued by civilized men.' (Olmstead v United States (1928). Further, the National Telecommunications and Information Administration's 1995reporton privacy went further to distinguish between different 'types' of privacy. One of the different types they specifically single out, and one that is of great significance to this paper, is that of 'information privacy'.
Indeed, as DeCew (1997) has pointed out, informational privacy involves the expectation that certain information, including but not limited to, finances, medical history and sexual orientation, need not be divulged to the public. The key aspect of informational privacy being the freedom from unwanted intrusion and control and\or knowledge over who has access to such personal information. Perhaps one of her more important points is the fact that she rejects Alan Westin's (1967) definition of privacy[ 2] (it seems, given his definition, that informational privacy is the only aspect of privacy) in favour of treating informational privacy as but one of three aspects that need to be considered as a whole in order to fully understand what is meant by privacy[ 3]. The author agrees with her definition and shall now briefly her other two aspects of privacy, as it is a very important one[ 4].
The next aspect of privacy she identifies is 'accessibility privacy'. Now clearly this aspect of privacy overlaps with informational privacy as there would be situations where information would be sought in order to 'access' the person in question. She acknowledges this and argues that this category of privacy is intended to deal more with issues of physical surveillance. This aspect goes beyond activities such as sexual and bathroom activities (which the social norms already dictate as private). Physical closeness, private and public surveillance all tend to impede our accessibility privacy she argues. Indeed, invasion of this aspect of privacy often leads to fear, distraction and inhibition; hence, she notes, 'the stringent justifications and requirements that have historically been necessary for governmental surveillance to be allowed...' (DeCew, 1997: 76). These issues will also be relevant in discussing workplace privacy. Also of relevance to accessibility privacy is article twelve (12) of the Universal Declaration of Human Rights which states that 'no one shall be subjected to arbitrary interference with his[her] privacy, family, home or correspondence, nor to attacks upon his[her] honour and reputation.'
Finally, DeCew (1997) identifies an often overlooked\neglected aspect of privacy - 'expressive privacy'. This aspect of privacy essentially concerns freedom from coercion and discrimination when making personal decisions; indeed, a key feature of it seems to concern the free development of one's self-identity. She notes that 'it is the type of privacy at stake... where the Court has protected the decisions by families in the areas of reproductive control (Griswold v. Connecticut (1965)[ 5], Eisenstadt v. Baird (1972)[ 6], Roe v. Wade (1972)[ 7]), schooling (Pierce v. Society of Sisters (1925)[ 8]), and lifestyle (Loving v. Virginia (1967)[ 9], Stanley v. Georgia (1969)).' (DeCew, 1997: 78) In these cases expressive privacy protects one from fears, pressures and stigma associated with choosing alternative viewpoints, practices and lifestyles. It is this type of privacy that Kant (1993), in retrospect at least, seemed to be advocating when he said that the moral individual must be rational and autonomous. Indeed expressive privacy, and to some extent accessibility privacy, are almost necessary conditions for autonomy.
Perhaps then a broad definition of privacy would seem to be - control over and\or the freedom to choose how, when and by whom information (whether mental, physical or electronic) is to be disclosed to others; information which we do not usually consider these others entitled to possess, for however short\long a period of time.
Privacy issues here become very important, especially when we consider that nearly every transaction we make in the public world today ends up in a computer somewhere, for some period of time - whether a warranty registration card, borrowed library book[ 10], telephone bill, credit card purchase, the list goes on. Forester and Morrison (1994) liken this situation to a 'food chain', with the larger companies and governmental bodies at the top of the chain, data companies ('target-marketing companies') and credit bureaus in the middle, and finally private individuals who 'act as the plankton of this complex information ecology' (1994: 138).
Some of the major players in the information collection industry are the so-called 'credit bureaus'. The idea behind credit reporting (which is what credit bureaus, ideally, do) is determining your 'credit worthiness' - in other words, based on previously collected data[ 11], credit reporting concerns whether or not the person(s) in question has a future likelihood (statistical tendency) of paying off their debts. Essentially then, a credit report is your credit history.
The largest three in the US being, Experian (formerly TRW Information Systems and Services), Equifax and Trans Union. As an example of their collective data collection and storage capabilities, consider this, together they detail the financial activities of essentially every adult in the US. Indeed, the thought of the financial activities of every adult in the US being held within three non-Governmental organizations' databases is an unnerving one[ 12]. However, Forester and Morrison (1994) point out that perhaps even more unsettling are the practices of the smaller data companies and credit bureaus, who are clearly outclassed and dwarfed by the 'big three'. They comment that some of them will sell just about any kind of data to anyone willing to pay the right price for it 'including... jealous husbands' (Forester and Morrison, 1994: 139).
Note also that the 'big three' credit bureaus are not without problems of their own. In the US, the Texas attorney general's office has noted that it receives more complaints about TRW than any other business (Information week, 1991). Not to mention the 1991 law suits brought against TRW by the Attorneys General of six US states - Alabama, California, Idaho, Michigan, New York and Texas - all accusing TRW of violating personal privacy and failing to correct serious errors[ 13] in their credit reporting.
Indeed, it would seem that while recent, usable information is of great interest to these companies, accurate information might not be so high a priority. In the US, legal recourse for matters concerning credit bureaus can be sought through the Fair Credit Reporting Act (1970) which requires, among others, that bureaus provide correct and complete information in your credit reports. However it is useful to note, the legislation has been criticized on the grounds that anyone with a 'legitimate business need' can obtain your credit report. The word legitimate is not defined in the Act.
Another Act of relevance would be the Equal Credit Opportunity Act (1974) which requires creditors to outline specific reasons for credit denial (if any). The Act also obligates creditors to consider any additional information, as supplied by the credit seeker, in an attempt to reverse any denial of credit. Other relevant US Federal Statutes include the Consumer Credit Protection Act, Truth In Lending Act (1968) Fair Credit Billing Act (1968) and The Fair Credit Debt Collection Act (1977) - and all subsequent amendments thereof. The UK's Data Protection Act (1984) will be discussed later in this section as it has relevance to not only credit bureaus, but also computerized and automated usage of information in general. However, it is useful to note here that in the Data Protection Registrar's[ 14] 1995, 1996 and 1997annual reports, the largest, distinct category of complaints received concern 'consumer credit'.
In1988Roger Clarkecoined the term 'dataveillance' is his work Information Technology and Dataveillance, a term which aptly identifies what is at issue in the area of informational privacy. 'Dataveillance' refers to data surveillance practices (such as monitoring and investigating) which are achieved primarily through the use of telecommunications and computer technology.
Clarke(1991) also provides the useful distinction between personal and mass dataveillance. With the former being concerned with analyzing the information held on a particular individual/group (that is, one which has already been singled out). While mass dataveillance is concerned with the examination of a wide range of subjects in an attempt to identify those who 'fit' the search criteria (in other words, personal dataveillance is the end result of mass dataveillance).
The reader should also note that while data matching and profiling are particular kinds of dataveillance techniques, they are not synonymous terms. Data matching refers to 'exercises designed to assist in the detection of fraud are widely in operation in both the public and private sectors. The term 'data matching' essentially means the comparison of data collected by different data users, (or by the same data user in different contexts). The aim of the comparison is not primarily the creation of a larger file of information about the data subject but the identification of anomalies and inconsistencies within single set of data or between two or more different sets.' (Data Protection Registrar, 1997) Likewise, a Canadian report from the Ontario Information and Privacy Commissioner (1991) lists several other uses for data matching: the detection of fraud in government benefit programs; reduction of duplicate benefits or billing; the verification of continuing eligibility for a benefit program; the recoupment of incorrect payments or delinquent debts; the monitoring of grants and contract awards; the identification of corruption; the identification of program mismanagement; the monitoring of information such as audits, verifications, and cost comparisons; the improvement of program procedures and controls; the identification of those eligible for benefits but not currently claiming; and the construction of comprehensive databases intended for research purposes.
Whereas '[p]rofiling is a technique whereby a set of characteristics of a particular class of person is inferred from past experience, and data-holdings are then searched for individuals with a close fit to that set of characteristics.' (Clarke, 1995). A rather contemporary area of profiling is that of airline passenger profiling. For example, after the crash of TWA Flight 800 in July 1996, a White House Commission was formed to investigate aviation safety and security. In the Commission's (1997)reportit advocated the use of 'automated passenger profiling' to help increase airport and aviation security. So what exactly would an 'automated passenger profile' consist of then? To quote recommendation two (2) in Appendix A of the commission's report - '[f]actors to be considered for elements of the profile should be based on measurable, verifiable data indicating that the factors chosen are reasonable predictors of risk, not stereotypes or generalizations. A relationship must be demonstrated between the factors chosen and the risk of illegal activity.'
Here, the Commission's recommendations seem justified however there is more at issue than the Commission either realizes or wants to admit. Profiling is not an exact science; indeed in its standard criminological usage it lies somewhere between law and psychology (neither of these being hard sciences either). The obvious downside of profiling is that it treats its 'hits' (to use computer terminology) as guilty criminals before due process - 'innocence until proven guilty' being a significant aspect of most Western criminal legal systems. Further, the American Civil Liberties Union (ACLU) in a 1996statementto the White House Commission on Aviation Safety and Security argue that 'Yigal Amir, the man who assassinated Israeli Prime Minister Rabin, did not fit the 'profile' of a 'terrorist' and was therefore allowed unwarranted access to the Prime Minister.' Ironically enough, as this case illustrates, those who least fit the 'profile' may be the ones to fear the most, since it could be an intentional attempt on their part(s) to deceive the 'computer' - and from here on we get stuck in a vicious cycle.
Returning to an examination of recommendation two (2) Appendix A of the report, two troublesome words arise 'reasonable... [and] relationship'. The former represent a subjective vagueness (all so common in political and legal terminologies), however, it is actually the latter word which is most troubling. Indeed, any and every statistician would say that a 'relationship' can be demonstrated between any two (or more) things. My point being that at some point in this search for elements of the profile, the process becomes less and less objective ('measurable' and 'verifiable' being the terms they use) and more, as the ACLU argued, 'a stereotype'. Indeed the ACLU, in one of their most insightful remarks regarding airline profiling, has stated that passenger profiling is a rather 'speculative means of predicting conduct - in this case, criminal conduct - based on characteristics which individually do not suggest criminality.'
Today it would also seem that one of the greatest factors aiding the erosion of our information privacy, is the remiss or non-existent (as in the US) legislation in this field. Australia, the European Union (EU), including the UK, being perhaps the most progressive regions of the world in information privacy legislation (or 'data protection' legislation, as our European counterparts call it). Of particular relevance to this section would be a brief examination of the UK's Data Protection Act (1984) and the European Data Protection Directive (1995).
The purpose of Data Protection Act (1984) according to its long title is to 'regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.' The Act requires that data users[ 15] register with the Data Protection Registrar and observe eight (8) data protection principles (the last principle also applying to operators of computer bureaux[ 16]). The principles, based on the 1981 Council of Europe Convention on Data Protection (Treaty 108), attempt to essentially afford greater control to individuals on whom personal information is held[ 17], by mandating that such information be utilized in a manner consistent with the purpose(s) for which it was (fairly and lawfully) obtained. The principles also require that the information be accurate, relevant, and where necessary, kept current. The Act also imposes a duty on data users to, 'at reasonable intervals', inform individuals whether they are holding personal information on them. Further, the Act allows data subjects to access such information and, if necessary, correct or delete it. Finally, the last data protection principle requires that operators of computer bureaux provide 'appropriate security measures' for the information stored. However, as with any legislation the use of (intentionally or not) vague terms as 'fairly', 'adequate', 'relevant', 'reasonable intervals' and 'appropriate', pose some problems.
It is useful to note a few similarities in content between the data protection principles of Data Protection Act (1984) and the, previously mentioned, Fair Credit Reporting Act (1970). Indeed, in areas involving the processing of personal information issues as accuracy and appropriate use are central.
Next, a couple of comments on the European Data Protection Directive (1995). It appears that articles 6, 12 and 17 of the European Data Protection Directive contain, roughly, the same principles as those contained in the 1984 Data Protection Act[ 18]. However, as an aside, the Directive applies to automatically processed data and certain classes of manually processed data, unlike the Act, which only applies to the former. Another aspect of the Directive, that receives considerable attention, is its stance on transborder flows to non-EU countries.
The Directive had initially proposed that the electronic transfer of data be suspended to countries without an 'adequate' level of data protection. However, as Lloyd (1996) has pointed out, this approach was not only excessively ambiguous but if interpreted to mean 'equivalent', 'it would, in particular, have threatened data transfers to countries such as the United States which have favoured a sectoral approach to the problems of data processing rather than the omnibus model adopted within Europe.' Indeed as another author put it, '[c]onsidering, they [the EU] hope to force other countries to comply with their directive they are in some ways trying to regain some of their imperialistic power that they lost at the turn of the century by trying to control the communications of the next century.'[ 19] Though, this aspect of the Directive has been amended, account is now to be taken of 'all the circumstances surrounding a data transfer operation.' (Lloyd, 1996).
In the next section, I turn my attention to public and workplace surveillance issues.
Here I will deal with surveillance issues in its more traditional understanding. As opposed to the last section which dealt with the surveillance of individuals and groups of people through data, this section will deal with the surveillance of individuals and groups of people directly (though, as with some aspects of workplace surveillance, there will be an overlap).
I will not spend any time talking about 'high-tech' surveillance gadgetry and agencies as MI5 and the CIA; instead, this section is devoted to the (planned or current) use of Closed Circuit Television (CCTV) systems. CCTV systems are video surveillance equipment[ 20] used primarily to deter crime, and, where a crime has occurred, to provide videotaped evidence of the act.
So question becomes, do these systems actually deter crime? The empirical evidence is, not surprisingly, mixed - police in Scotland's Strathclyde region, according to Privacy International (1996), claimed a 75 per cent drop in crime following the installation of a GBP 130,000 closed circuit TV system. However, Dave Banisar, of the Electronic Privacy Information Center, mentioned in a CNN article that, 'cameras failed to deter crime in Times Square when New York officials tried the tactic there. When officials in New Jersey put cameras in subway stations there, Banisar said, crimes actually increased.' (Rochelle, CNN Correspondent, 1996).
In any event, even if there is a subsequent decrease in reported crimes after the installation of CCTV systems, it says nothing causally about the relationship between the latter and the former. Indeed, do we just assume that criminals, upon noticing the CCTV cameras, decide to amend their ways and look for legal employment? Clearly not, they simply move to areas that do not utilize such technology. This does not simply refer to criminals moving to other distinct regions, but also to private homes and other areas without CCTV systems in their current locale.
The CCTV enthusiast would reply to these criticisms by arguing that I am actually advocating the use of more CCTV systems. This simply is not the case. It seems to me that CCTV surveillance is a classic case of superficial attempts (by Government and local authorities) to achieve ends best arrived at through dealing with the root cause. In other words, CCTV surveillance does not address key issues like why do people become criminals and what can we do, as a society, to help and\or prevent them from becoming ones?
Then there are the concerns over who watches the watchers? Indeed, the personal prejudices and stereotypes of the camera operators may tend to spill over into their work. A study[ 21] by criminologists Dr. Clive Norris and Gary Armstrong, both of the University of Hull, confirms this. The study found, '[t]he young, the male and the black were systematically and disproportionately targeted, not because of their involvement in crime or disorder, but for 'no obvious reason''. Needless to say, a young black male would be at three times the risk for CCTV operator discrimination. Perhaps equally as disturbing was the finding that one in ten women were targeted for entirely 'voyeuristic' reasons by the male operators, according to the researchers. Among other interesting findings of the research, I am especially drawn to this one, of the '888 targeted surveillances' the researchers observed, 45 led to police deployments[ 22], of which, only 12 arrests (7 related to fighting and 3 to theft) were made. Thus, other than the reasons for the low deployment cited by the researchers (as mentioned in footnote ix), it is also interesting that of the deployments only about one-quarter led to actual arrests. It would seem then, that arguments in favour of CCTV surveillance systems ultimately fail in the end.
CCTV systems are however not only limited to Government\Public Law Enforcement purposes, increasingly they are also one of many means used to monitor employees (and customers) in the workplace - the subsequent topic of inquiry.
Surveillance of employees (and customers) in the workplace is not a new practice, however, it is becoming quite a ubiquitous one. Why this is so, what technologies are being used, and what does the law have to say (if anything) about such surveillance, are all questions the author wishes to address.
The technologies in place to monitor employees seem limited only by one's imagination. Computer-based monitoring systems record statistics about the employee assigned to that particular terminal, including the number of keystrokes per minute and the amount of time spent on the computer, among others (Danaan, 1990). In addition to which, computer-based monitoring systems may also track phone calls - how long and to whom the call was made - of course, this still does not preclude supervisors and management from actually listening in on phone calls.
Other computer-based technologies in place include software, such as Networking Dynamics Corporation's 'PEEK & SPY' software[ 23], which can remotely view an employee's terminal screen. With 'PEEK' the terminal user is aware he\she is being watched, since, PEEK is often used to remotely fix user problems; however, with 'SPY' the user is unaware that he\she is being watched. Supporters of all of these computer-based workplace surveillance technologies argue that they are a useful too for management to assess and compare employees' performances and thus, enables the right people to be promoted.
Electronic mail (e-mail) interception and\or surveillance, video surveillance and badges that transmit the location of its wearer, are also common[ 24] technologies in place. The uses of video surveillance include prevention, detection and evidence of fraud and theft (by both employees and customers) (Colombo, 1996). Other uses include the video taping employee-customer interaction for employee evaluations and verifying whether alleged 'workplace injuries' really occurred while on the job. Of course, video evidence may also be used to prove that injuries were in fact sustained by employees and customers while on the employer's premises, hence 'one reason why some corporations chose not to tell anyone that they've installed... cameras in the workplace.' (Colombo, 1996)
However, this author is skeptical - skeptical of the technology and the reasons behind it. Clearly all of these technologies invade the privacy of the employee; moreover, the technology tends to depersonalize the employee, treating him\her as a means to efficiency. Quality is sacrificed for quantity. In addition, values like autonomy and trust are forgotten in the modern workplace; employees are considered criminals, liabilities and litigations waiting to happen.
In the US, the Electronic Communications Privacy Act[ 25] is usually considered the relevant federal legislation in dealing with workplace surveillance. However, this Act was never intended to apply to workplace surveillance (although in theory it can) - indeed this explains why the Act itself is more commonly known as the Federal Wiretap Act. The Act concerns the interception of 'wire communications'[ 26] and the accessing of electronically stored communications. Under it, it is lawful for persons providing the electronic communications service to access stored e-mails. Thus, if the computer and e-mail system is owned by the employer, access is lawful - however, Johnson (1995) notes that this matter becomes complicated with independent service providers like 'Prodigy' or 'Compuserve'. Further, if the employer wishes to access e-mail while in transit, the interception chapter of the Act provides a clause which allows the provider of the electronic communications system to intercept e-mail 'as necessary to the rendition of the service or the protection of the rights or property of the provider...' (Johnson, 1995). Thus, providing an employer owns the e-mail system, he\she may claim that the interception of certain e-mails was necessary to assure that confidential trade secrets were not being disclosed to other competitors\companies.
Also, relevant court rulings are drawn from Bourke v. Nissan Motor Co (1991) and Flanagan v. Epson America Inc. (1991). In the former case two system administrators were fired for sending to one another lewd jokes and criticisms of their supervisor. However, the supervisor read their e-mails and they were subsequently fired - the system administrators' argued in court that their privacy had been violated. The court ruled otherwise, stating that since the company owned the e-mail system they had the right to read any e-mail. In the latter case, a class action lawsuit was filed on behalf of all employees whose e-mail had systematically been read. The court ruled that the ECPA did not apply since the interception was done using employer equipment.
Regarding workplace telephone conversations, the ECPA prohibits employers from listening in on employee's personal phone calls. The 'business extension exclusion' clause allows employers to listen in on calls made 'in the ordinary course of business' in other words monitoring is permitted if done for reasonable business purposes. However if the call is discovered to be of a personal nature the employer should immediately discontinue his\her surveillance of that particular call since monitoring of personal phone calls in the workplace is illegal under the Act. In addition, the 'business extension exclusion' clause also requires that the monitoring equipment be 'telephone related equipment' provided by the telephone company (Johnson, 1995).
Note also that while listening to (or recording the words of) a business phone call may be subjected to the above provisos, the monitoring of 'non-verbal' aspects of the phone call is not. In other words, monitoring the length, destination and number of calls made is legal since no 'content' of the phone call is revealed. Indeed, if an employer wishes to further avoid the provisos of the 'business extension exclusion' cause, he\she can turn to 'consent exclusions' (Johnson, 1995). Whereby, the employer draws employees' attention to the scope and manner in which their calls are monitored - including which phones or employees are monitored and whether only business calls or both business and personal calls are monitored. Since the ECPA states that it is also lawful to monitor phone calls as long as one of the parties consents to such monitoring. Indeed, obtaining an employee's signed and\or explicit consent to such practices offers even greater legal protection for the employer.
As for video surveillance, similar issues arise. Video surveillance is lawful (as it falls outside the scope of the ECPA) if no sound is present with the video images. Since, sound conveys the 'content' of the communications. And again as with telephone monitoring, implied consent would be assumed so long as the employer has an announced policy that video surveillance is being used - further, even if the 'content' of the communications were revealed, the surveillance would not be deemed illegal in light of such an announced policy (Johnson, 1995).
In the UK, the Data Protection of 1984 provides relevant legislation for issues regarding workplace monitoring and privacy insofar as data is being recorded (as with automated telephone call monitoring[ 27]). Indeed, the Employment Rights Act (1996) also seemed like relevant legislation from which to draw, however nowhere in the Act is the word 'privacy' even mentioned.
Indeed the technologies and issues raised above represent the mere 'tip of the iceberg' in this field. A whole host of other areas which technology threatens to invade our privacy include, but are not limited to, medical records, cryptography, national ID cards, 'on-line' privacy issues[ 28], even school records and seemingly innocuous 'Caller ID' systems.
Informational privacy also stands to be threatened by, planned or current, linkages between databases in the private and public sectors. It would seem that one our greatest protectors of informational privacy - administrative inefficiency - would soon be a thing of the past. Indeed, this has been one of the less obvious themes of this paper - the trade-off between privacy and competing interests - such as, freedom of information, freedom of expression, and the prevention and detection of crime. However, it is this author's position that the burden of proof lies with the Government and\or employer to show exactly why the proposed surveillance technologies need be implemented - as opposed to say, the burden of proof being on the community to show why it is not needed. Indeed, all of these cases center around what is necessary - a word that is not easy to define in the real world, where there are conflicting interests at stake.
Clarke, R. (1995) 'Profiling: A Hidden Challenge to the Regulation of Data Surveillance'. < http://www.anu.edu.au/people/Roger.Clarke/DV/PaperProfiling.html>.
Colombo, A. (1996) 'Hidden Cameras in The Workplace'. <http://www.imperium.net/~colombo/workcam.htm>.
Data Protection Registrar. (1997) 'A Guide to Developing Data Protection Codes of Practice on Data Matching'. <http://www.open.gov.uk/dpr/match.htm>.
Equifax/Harris. (1996) '1996 Equifax/Harris Consumer Privacy Survey'. < http://www.equifax.com/consumer/parchive/svry96/survy96a.html>.
Johnson, B. (1995) 'Technological Surveillance in the Workplace'. <http://www.fwlaw.com/techsurv.html>.
Lloyd, I. (1996) 'An outline of the European Data Protection Directive.' The Journal of Information, Law and Technology. <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/special/lloyd/>.
Privacy International. (1996) 'CCTV FAQ'. <http://www.privacy.org/pi/activities/cctv/cctv_faq.html>.
Rankin, M. (1985) 'Privacy and Technology: A Canadian Perspective'. In Science Council of Canada, A Workshop on Information Technologies and Personal Privacy in Canada. Ottawa: Minister of Supply and Services.
Rochelle, C. (CNN Correspondent) (1996) 'Public Cameras Draw Ire of Privacy Experts'. <http://www-cgi.cnn.com/US/9603/public_places/index.html>.
1. Not merely access to information, but the collection, compiling and use of such data.
A note here concerning 'data' and 'information' - I am personally of the opinion that the latter and former should not be treated as synonyms. 'Information' is useful data. In other words then, all information is data, but not all data can be properly called information. This point is moot, at best, and I will not pursue it, rather I will continue this paper using the traditional, interchangeable sense of the two words.
3. Indeed, she continually refers to legal definitions of privacy as 'narrow ones' and has an entire chapter devoted to the topic - 'Chapter two: Narrow Views of Privacy Developed from the Law.'
4. A similar 'three component' view of privacy was expressed by a 1985 task force on privacy and computers - privacy of territory and space, privacy of the person, and privacy as a function of human dignity and integrity in the face of massive information collected and stored about individuals. (Rankin, 1985: 325).
5. Griswold v. Connecticut, 381 U.S. 479 (1965). Here the Supreme court overturned the conviction of the director of 'Planned Parenthood' in Connecticut and a physician from Yale Medical School for violating that state's law banning the dissemination of contraceptive-related information (etc.) to married couples.
6. Eisenstandt v. Baird, 405 U.S. 438, 453 (1972). Again this case concerned contraception for marred couples. To quote Justice Brennan - 'if the right of privacy mean anything, it is the right of the individual, married or single, to be free from unwanted governmental intrusion into matters so fundamentally affecting a person as the decision whether or bear or beget a child.'
7. Roe v. Wade, 410 U.S. 438, 453 (1972). Perhaps the most well known legal case of the latter half of this century. Precedent for which was set by Eisenstandt v. Baird.
8. Pierce v. Society of Sisters, 268 U.S. 510 (1925). Here the notion of expressive privacy was extended, as laws requiring all students to be educated in public schools, were struck down.
9. Loving v. Virginia, 388 U.S. 1 (1967). With precedent from the Griswold decision, here Virginia's state laws against interracial marriages were struck down.
11. Data usually obtained from past credit granters, employment record, past\present landlord(s), public records, newspapers and direct investigation.
12. Even though Equifax/Harris' (1996) research shows that 'By a margin of two to one, the public expresses a preference for the present system of privacy protection over a federal government Privacy Commission.' Further they note - 'The preference for the present system is also evident among a majority of privacy pessimists (63%) (i.e., those people who predict that privacy protection will get worse in the year 2000).' I still doubt the validity of their research, aside from the usual methods of attacking statistical findings, I also include consumer mis-information\ingorance\ambivalence to the list.
13. Serious errors being ones that could lead to the denial of credit for the person(s) concerned.
14. The Data Protection Registrar has supervisory powers, as well as other duties imposed upon him by the Data Protection Act (1984) - the Act is discussed in more detail later in the paper.
15. Data user being defined within the Act as someone (including companies and such) who holds personal data. For the purposes of the Act, someone 'holds' data if: '(a) the data form part of a collection of data processed or intended to be processed by or on behalf of that person...; and (b) that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection; and (c) the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion.'
16. A person, including legal persons such as companies, runs a computer bureau if either of the following are met: '(a) as agent for other persons he causes data held by them to be processed; or (b) he allows other persons the use of equipment in his possession for the processing... of data held by them.' ['Data' is defined in the Act as 'information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.']
17. Any living individual on whom personal information is held, is referred to as a 'data subject' in the Act.
18. A tabular comparison of the Data Protection Act (1984) and the European Data Protection Directive (1995) can be found here - <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/special/consultation/>.
19. I had pasted and copied this from the Web, at which point my browser crashed and I am unable to re-find the name of the author and\or full citation (though the comment is a very interesting one, I felt it had to be included).
20. A series of inter-connected video cameras (with full pan, tilt, and zoom features) that are operated from a central control room. Some cameras may employ infrared technology, among other special features. (Privacy International, 1996).
21. Extensive references to the study is made here - <http://merlin.legend.org.uk/~brs/cctv/Suspects.html>.
22. To quote from the study: 'The low level of deployment was accounted for by 2 factors: that CCTV operators could not themselves intervene nor could they demand intervention by the police. This was compounded by the fact that suspicion rarely had a concrete, objective basis which made it difficult to justify to a third party such as a police officer why intervention was warranted.'
24. Or as with electronic badges and e-mail surveillance, have the potential to be very common.
25. The Omnibus Crime Control and Safe Streets Act of 1968 was amended by Electronic Communications Privacy Act (ECPA) of 1986, to include electronic communications. In 1994 the ECPA was further amended to include protection of cordless phone conversations. The Act can be found here - <http://www.lawresearch.com/v2/Ctprivacy.htm>.
26. Defined as communications containing the human voice transmitted over wire, fibre-optics, and such.
27. See Appendix A for text of an e-mail reply from the Data Protection Registrar's Compliance Officer on this matter.
28. Including e-mail privacy and identity privacy. With identity privacy ranging from everything to 'IP logging' to services which track your postings to newsgroups (such asDeja-news). Not to mention the unpalatable 'cookies' which, when set, record which web-sites you have visited (information which is later collected, by the web-site which initially set the cookie, and used for e-mail solicitation schemes, among other things).