This is now somewhat out-of -date, was prepared in August for presentation to a US Senator.
1. MEDICAL RECORDS
The American Health Information Management Association confirms that 17 outside organizations have access to a person's hospital records. The association also states that some 150 persons typically have access to patient records in teaching hospitals, and some 75 do in non-teaching facilities. These records often contain genetic backgrounds and a detailed history of a patient's diseases, tests, treatments, medications, and dietary habits. They may also contain information of communicable diseases, eating disorders, and sexual functioning. They may also hold data about the medical history of the patient's family, references to sexual assaults, and indications of substance abuse or mental illness. They often contain information about the patient's job and salary and give the doctor's personal appraisal of the patient's character, personality, and mental state.
In hearings before Congress, the following has been documented:
More than a third of the Fortune 500 companies scan their employees medical files before making hiring, firing, and promotion decisions.
Life insurers obtain data on clients' genetic backgrounds and use this information to drop coverage or reject applications.
HMO's use these records to "cherry pick" or only recruit the healthiest clients.
Internet information brokers sell an individual's entire medical file for $400 to lawyers, detectives, and political and business foes.
A banker in Maryland gained access to data sold by state employees and called in the loans of customers with cancer.
A newspaper obtained the medical records of a congressional candidate and published file information on an attempted suicide.
The Health Insurance Portability Act of 1996 required Congress to pass a medical privacy bill by August 21, 1999, or if Congress doesn't act, the Department of Health and Human Services will have the authority to issue regulations.
The Health Care Financing Administration has issued regulations to implement its Outcome and Assessment Information Set. This program will require the 9,000 certified home health care providers to prepare a 19 page assessment of four million patients and then every 60 days until services conclude. The data will be sent electronically to state agencies, then to databases maintained by the HCFA. In addition to names, addresses, and information about medical conditions, the assessment asks whether patients are depressed or feel "a sense of failure." It asks if patients have attempted suicide, exhibited "socially inappropriate behavior," made any "sexual references," and touches on personal finances.
Sources: Washington Post, March 11, 1999; Chicago Tribune, July 17,
1999; Washington Times, August 16, 1999
On December 7, 1998, the FDIC, the Federal Reserve System, the Comptroller of the Currency, and the Office of Thrift Supervision published their "Know Your Customer" proposed regulation. As proposed, the regulation would require each bank to develop a program designed to determine the identity of its customers; determine its customers' sources of funds; determine the normal and expected transactions of its customers; monitor account activity for transactions that are inconsistent with those normal and expected transactions; and report any transactions of its customers that are determined to be suspicious in accordance with the OCC's existing Suspicious Activity Reporting regulation. As a result of overwhelming public opposition, the proposed regulations were officially withdrawn. However, an American Bankers' Association survey shows that 88 percent of banks have already adopted "Know your Customer" programs. Under the existing program, to report a "suspicious" deposit or withdrawal a bank employee fills out a five page form that includes the customer's name, address, social security number (SSN), driver's license or passport number, date of birth, and information about the transaction, which is submitted to the Financial Crimes Enforcement Network (FinCEN), a sister agency of the IRS. An estimated 100,000 reports were filed last year. The IRS, the Postal Service, bank regulators, and federal and state law enforcement agencies share access to the data, many by modem dialup.
Sources: Federal Register, December 7, 1998; Wired News, December 10,
1998, March 30, 1998, and June 30, 1999
In the 1994 DNA Identification Act, Congress authorized the FBI to create a Combined DNA Index System (CODIS), merging DNA samples collected by federal and state law enforcement agencies into a nationwide database. Under current law in most jurisdictions, DNA samples can only be taken from individuals who have been convicted of crimes where tissue samples could be left at the crime scene, such as sex offenses and other violent felonies. However, in March of this year, Attorney General Janet Reno requested the National Commission on the Future of DNA to consider her proposal to include DNA samples from everyone who is arrested for any type of offense. There were 15 million arrests last year, many for issues of conscience or petty offenses. Unlike fingerprints, DNA samples provide an entire genetic footprint not only of the individual, but also of his immediate kin.
Sources: USA Today, March 1, 1998; Intellectual Capital, March 25, 1999
4. DRIVER'S LICENSE
NATIONAL ID CARD
The Illegal Immigration Reform and Immigrant Responsibility Act of 1996 tasked the Department of Transportation to formulate regulations imposing a national standard for all state-issued driver's licenses. The Act prohibits federal agencies from accepting any form of identification that does not conform to the national standard after October 1, 2000. The National Highway Traffic Safety Administration issued the proposed regs on June 17, 1998. The rulemaking requires states to display all applicants' SSN on the driver's license. It also requires states to set up an electronic verification system for the applicants' SSN, and mandates what primary and secondary documents may be accepted by the state for identification purposes. Proposed security features are also listed, including digitized fingerprints, digital photographs, and voice recognition files. Persons without the approved ID would not be able to board a plane, open a bank account, seek employment, purchase a firearm, or receive medicare or medicaid benefits.
Image Data LLC, a New Hampshire company has been purchasing driver's license photos from various states. The company is seeking to build a national database of personal information to help retailers prevent identity theft. The Washington Post disclosed on February 18, 1999, that the company received $1.5 million in federal funds and technical assistance from the U.S. Secret Service. The Post reports that Congressional leaders envisioned using the photo file to combat terrorism, immigration abuses, and other identity crimes.
Source: Center for Technology Policy; National Center for Policy Analysis;
Washington Post, February 18, 1999; Wired News, July 22, 1999
Two recent European Parliament reports (An Appraisal of the Technologies of Political Control, 1998; Interception Capabilities 2000, 1999) and various media reports have confirmed the existence of Echelon, run by the National Security Agency of the U.S. Echelon is a grid of super computers operated by UKUSA (the United States, Britain, Canada, Australia, and New Zealand). It is a maze-like system which can intercept telephone, data, cellular, fax, and Email transmission sent anywhere in the world. The reports also disclose the existence of ILETS (International Law Enforcement Telecommunications Seminar), led by the FBI and which is seeking backdoor wiretap capabilities in all forms of modern communications, including satellite communications systems. Concerns about domestic spying has led the House Permanent Select Committee on Intelligence to investigate the matter. The chairman, Representative Peter Goss, recently released a report stating the general counsel of NSA is claiming attorney-client privilege between his office and the director of NSA, which extends to the entire agency, and is refusing to turn over documents that outline the agency's criteria for conducting domestic surveillance.
Sources: Wired News, May 10, 1999; TechWeb, May 19, 1999; New York Times, May 27, 1999; ABC News, July 16, 1999
The Justice Department has a legislative proposal (the Cyberspace Electronic Security Act) ready to go to the hill. This legislation asks Congress for new authority allowing federal agents armed with search warrants to secretly break into homes and offices and to disable security on personal computers and to implant "recovery devices" or otherwise modify computers to ensure that any encrypted messages or files can be read by the government.
Sources: Washington Post, August 20, 1999; Centre for Democracy and Technology, August 20, 1999
The Federal Intrusion Detection Network (FIDNET) is another Clinton Administration proposal, authored by the National Security Council. It would establish an extensive computer monitoring system to be overseen by the FBI. FIDNET calls for a sophisticated software system to monitor activities on non-military government networks and a separate system to track networks used in crucial industries like banking, telecommunications, and transportation. Thousands of software monitoring programs would constantly track computers looking for indications of computer network intrusions and other illegal acts. All data would be collected at the National Infrastructure Protection Center, an interagency task force housed at the FBI.
Source: New York Times, July 28, 1999
6. OTHER CONCERNS
The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 has resulted in the federal government creating a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, social security numbers and wages of nearly every working adult in the United States. Starting this summer, banks and other financial institutions will be obligated to search for data about delinquent parents, providing authorities with details about bank accounts, money-market accounts and other holdings of the parents. California reports that smaller banks, who can't afford the search programs, are sending all of their account information on all customers to the authorities.
Based on the Communications Assistance for Law Enforcement Act, the FBI and the Department of Justice have sent proposals to the FCC which would:
Enable law enforcement agencies to track the location of individuals through their cellular telephones.
Let police agents continue wire tapping telephone conference calls-even after the individual for whom the original court order was obtained hangs up.
Allow federal agents to continue and retain digits punched during a long distance call-even if they have nothing to do with the calls destination, and even if they contain sensitive computerized financial or personal information sent through after the call is ended.
INTELLIGENCE AUTHORIZATION ACT OF 1998
This legislation authorized a new "roving wiretap" provision, applicable in all criminal investigations and not limited for use against terrorist suspects, which removes "intent" from the legal standard and requires the government to show only that a target's use of multiple phones has the "effect" of preventing interception.
JUVENILE CRIME BILL
In the Senate version of this bill, judges will be required to approve police surveillance of numeric pagers without subjecting law enforcement requests to the more exacting current requirements of search warrants or wiretap orders. The House version has no such provision.