Coalition Letter to Attorney General Ashcroft on Privacy Issues

AMERICAN CIVIL LIBERTIES UNION * CENTER FOR DEMOCRACY AND TECHNOLOGY * ELECTRONIC PRIVACY INFORMATION CENTER * ELECTRONIC FRONTIER FOUNDATION * FREE CONGRESS FOUNDATION * LAW ENFORCEMENT ALLIANCE OF AMERICA
_____________________________________________

May 2, 2001

Attorney General John Ashcroft
Department of Justice
10th & Pennsylvania Ave., NW
Washington, D.C. 20530

Dear Attorney General Ashcroft:

It was a pleasure to meet with you to discuss privacy issues on April 19, 2001. It was refreshing to hear of your commitment to privacy, especially with regard to electronic communications. We write to summarize our views on three of the topics we discussed at the meeting: Carnivore, the need to strengthen privacy protections in our electronic surveillance laws, and the need to provide additional protections regarding law enforcement access to medical records.

Carnivore

The FBI’s current use of the Carnivore system (and the various other versions of that system) threatens the privacy of electronic communications and cannot be squared with the Fourth Amendment, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act. Carnivore gives law enforcement agencies not only direct access to communications involving the target of a court order, but access as well to the communications of many non-target subscribers of the Internet Service Provider where it is installed. This threatens everyone’s privacy. Instead, law enforcement should make the Carnivore hardware and software available to an ISP that needs it, so that Carnivore is under the control of the ISP, restoring a form of check and balance to the process. The ISP would be required to turn over to law enforcement only the communications of the target of a court order, and provide law enforcement access to no others. This would bring surveillance of electronic communications more in line with the longstanding practice of conducting surveillance of wire communications, wherein law enforcement agents are not allowed into the central office switches of telephone companies.

We want to make it clear that the recommendations for audit trails and other limited measures in the December 8, 2000 report of the Illinois Institute of Technology Research Institute do not satisfy the privacy concerns raised by Carnivore. IITRI was specifically precluded from considering the legal and constitutional privacy issues that Carnivore has created. Those issues can be addressed in part by ensuring that the ISP, not law enforcement, controls the technology used to separate the communications of targets from the communications of non-targets, and by placing on the ISP the responsibility to provide law enforcement with the communications of only the target. Finally, we urge you in the strongest terms to reject the notion advanced by some that ISP’s be subjected to mandates similar to those imposed on telephone companies under the Communications Assistance to Law Enforcement Act.

Updating Privacy Protections In Electronic Surveillance Laws

The rapid advance of technology has created more opportunities for law enforcement surveillance, and more threats to privacy. This has upset the balance between privacy and law enforcement needs that is a hallmark of our electronic surveillance laws. The Electronic Communications Privacy Act of 1986 and the other surveillance statutes should be updated to ensure that they adequately protect privacy. For example, cellular telephones can increasingly be used to pinpoint a person’s location with amazing accuracy. Nonetheless, the legal standard that applies when law enforcement seeks access to location information is unclear. We believe that the probable cause standard for location information is appropriate. We are hopeful that you will continue to support it, as you did when you co-sponsored the E-Privacy Act (S. 2067) in the 105th Congress. Similarly, it is time to extend to electronic communications all of the privacy protections accorded to voice communications under the federal wiretap law, and to update the pen register and trap and trace statute to give judges meaningful control over the interception of transactional data about communications. With these and other changes, we can ensure that law enforcement access to electronic communications will be subject to appropriate safeguards.

Law Enforcement Access to Medical Records

The final regulation that the Department of Health and Human Services issued to implement the Health Insurance Portability and Accountability Act does not meaningfully limit law enforcement access to sensitive medical information. Section 164.512(f) of the final regulation has five defects in that it:

(i) lacks a requirement of judicial review of law enforcement access to medical records;
(ii) provides an inadequate legal standard for law enforcement access;
(iii) fails to require notice to the person whose medical information is given the police;
(iv) includes an overbroad identification exception that allows the release of patient information any time the police are trying to identify a suspect or fugitive; and
(v) lacks an adequate enforcement mechanism such as the exclusionary rule.

This portion of the HIPAA regulation was drafted with substantial input from the Reno Department of Justice. Secretary Thompson has announced that he intends to modify the regulation before it is enforceable two years hence. We ask that you recommend that Secretary Thompson strengthen the privacy protections in this regulation by deleting the identification exception, requiring a warrant or court order based on probable cause for law enforcement access to personally identifiable medical records, and by requiring notice to the person whose medical records are sought. Many existing privacy laws, including the law governing access to video rental records (18 USC 2710), already include similar protections. We urge you to ensure that those protections are extended to medical records as well, and to support the exclusion from evidence at trial of medical records seized in violation of the HIPAA regulation.

Conclusion

Thank you for giving us a chance to present our views. We were pleased to hear of your commitment to privacy. We understand from the meeting that you intend to appoint a high level person to serve as a liaison for privacy interests, and we look forward to working with that person.

Sincerely,

Gregory T. Nojeim
Associate Director/Chief Legislative Counsel
American Civil Liberties Union

James X. Dempsey
Deputy Director
Center for Democracy and Technology

David Sobel
General Counsel
Electronic Privacy Information Center

Lauren Gelman
Director of Public Policy
Electronic Frontier Foundation

Lisa Dean
Vice President for Technology Policy
Free Congress Foundation

James J. Fotis
Executive Director
Law Enforcement Alliance of America