AMERICAN CIVIL LIBERTIES UNION * CENTER FOR DEMOCRACY AND TECHNOLOGY * ELECTRONIC PRIVACY INFORMATION CENTER * ELECTRONIC FRONTIER FOUNDATION * FREE CONGRESS FOUNDATION * LAW ENFORCEMENT ALLIANCE OF AMERICA
May 2, 2001
Attorney General John Ashcroft
Department of Justice
10th & Pennsylvania Ave., NW
Washington, D.C. 20530
Dear Attorney General Ashcroft:
It was a pleasure to meet with you to discuss privacy issues on April 19, 2001. It was refreshing to hear of your commitment to privacy, especially with regard to electronic communications. We write to summarize our views on three of the topics we discussed at the meeting: Carnivore, the need to strengthen privacy protections in our electronic surveillance laws, and the need to provide additional protections regarding law enforcement access to medical records.
The FBI's current use of the Carnivore system (and the various other versions of that system) threatens the privacy of electronic communications and cannot be squared with the Fourth Amendment, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act. Carnivore gives law enforcement agencies not only direct access to communications involving the target of a court order, but access as well to the communications of many non-target subscribers of the Internet Service Provider where it is installed. This threatens everyone's privacy. Instead, law enforcement should make the Carnivore hardware and software available to an ISP that needs it, so that Carnivore is under the control of the ISP, restoring a form of check and balance to the process. The ISP would be required to turn over to law enforcement only the communications of the target of a court order, and provide law enforcement access to no others. This would bring surveillance of electronic communications more in line with the longstanding practice of conducting surveillance of wire communications, wherein law enforcement agents are not allowed into the central office switches of telephone companies.
We want to make it clear that the recommendations for audit trails and other limited measures in the December 8, 2000 report of the Illinois Institute of Technology Research Institute do not satisfy the privacy concerns raised by Carnivore. IITRI was specifically precluded from considering the legal and constitutional privacy issues that Carnivore has created. Those issues can be addressed in part by ensuring that the ISP, not law enforcement, controls the technology used to separate the communications of targets from the communications of non-targets, and by placing on the ISP the responsibility to provide law enforcement with the communications of only the target. Finally, we urge you in the strongest terms to reject the notion advanced by some that ISPs be subjected to mandates similar to those imposed on telephone companies under the Communications Assistance to Law Enforcement Act.
Updating Privacy Protections In Electronic Surveillance Laws
The rapid advance of technology has created more opportunities for law enforcement surveillance, and more threats to privacy. This has upset the balance between privacy and law enforcement needs that is a hallmark of our electronic surveillance laws. The Electronic Communications Privacy Act of 1986 and the other surveillance statutes should be updated to ensure that they adequately protect privacy. For example, cellular telephones can increasingly be used to pinpoint a person's location with amazing accuracy. Nonetheless, the legal standard that applies when law enforcement seeks access to location information is unclear. We believe that the probable cause standard for location information is appropriate. We are hopeful that you will continue to support it, as you did when you co-sponsored the E-Privacy Act (S. 2067) in the 105th Congress. Similarly, it is time to extend to electronic communications all of the privacy protections accorded to voice communications under the federal wiretap law, and to update the pen register and trap and trace statute to give judges meaningful control over the interception of transactional data about communications. With these and other changes, we can ensure that law enforcement access to electronic communications will be subject to appropriate safeguards.
Law Enforcement Access to Medical Records
The final regulation that the Department of Health and Human Services issued to implement the Health Insurance Portability and Accountability Act does not meaningfully limit law enforcement access to sensitive medical information. Section 164.512(f) of the final regulation has five defects in that it:
(i) lacks a requirement of judicial review of law enforcement access to medical records;
(ii) provides an inadequate legal standard for law enforcement access;
(iii) fails to require notice to the person whose medical information is given the police;
(iv) includes an overbroad identification exception that allows the release of patient information any time the police are trying to identify a suspect or fugitive; and
(v) lacks an adequate enforcement mechanism such as the exclusionary rule.
This portion of the HIPAA regulation was drafted with substantial input from the Reno Department of Justice. Secretary Thompson has announced that he intends to modify the regulation before it is enforceable two years hence. We ask that you recommend that Secretary Thompson strengthen the privacy protections in this regulation by deleting the identification exception, requiring a warrant or court order based on probable cause for law enforcement access to personally identifiable medical records, and by requiring notice to the person whose medical records are sought. Many existing privacy laws, including the law governing access to video rental records (18 USC 2710), already include similar protections. We urge you to ensure that those protections are extended to medical records as well, and to support the exclusion from evidence at trial of medical records seized in violation of the HIPAA regulation.
Thank you for giving us a chance to present our views. We were pleased to hear of your commitment to privacy. We understand from the meeting that you intend to appoint a high level person to serve as a liaison for privacy interests, and we look forward to working with that person.
Gregory T. Nojeim
Associate Director/Chief Legislative Counsel
American Civil Liberties Union
122 Maryland Ave., NE
Washington, DC 20002
James X. Dempsey
Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
Electronic Privacy Information Center
1718 Connecticut Avenue, NW, Suite 200
Washington, DC 20009
Director of Public Policy
Electronic Frontier Foundation
454 Shotwell St.
San Francisco, CA 94110
Vice President for Technology Policy
Free Congress Foundation
717 2nd St., NE
Washington, DC 20002
James J. Fotis
Law Enforcement Alliance of America
7700 Leesburg Pike #421
Falls Church, VA 22043