1. . Professor of Law, University of Miami School of Law. B.A. Yale, M.Phil Cambridge, J.D. Yale. I am grateful for advice from Caroline Bradley, Patrick Gudridge, and Eugene Volokh, for research assistance from SueAnn Campbel and Julie Dixson, and extraordinary secretarial assistance from Rosalia Lliraldi. The errors that survive are my own. Unless otherwise noted, this article seeks to reflect legal and technical developments as of Feb. 1, 2000. All Internet citations were current as of May 22, 2000. . Deborah Radcliff, A Cry for Privacy, Computer World, May 17, 1999 <http://www.computerworld.com/home/print.nsf/all/990517privacy>. The comment was in response to a question at a product launch. See also Edward C. Baig, Marcia Stepanek & Neil Gross, Privacy: The Internet Wants Your Personal Info., What's in It for You?, Bus. Wk., Apr. 5, 1999, at 84 (quoting McNealy as saying, "You already have zero privacy. Get over it."). . Louis D. Brandeis, Other People's Money and How the Bankers Use It 92 (1914). Brandeis actually intended this comment to include both public and private institutions: "Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman." Id. . See Karl G. Heider, Ethnographic Film 11-15, 49-62 (1976) (discussing ways in which the act of filming may distort or misrepresent reality); Shoshana Zuboff, In the Age of the Smart Machine: The Future of Work and Power 344-45 (1988) (describing the phenomenon of "anticipatory conformity" among persons who believe they are being observed). Cf. Estes v. Texas, 381 U.S. 532, 545 (1965) (noting that it is "highly probable that the presence of cameras in the courtroom will influence jurors). . The definition differs from that used in United States constitutional law. The constitutional right to privacy is frequently described as having three components: (1) a right to be left alone; (2) a right to autonomous choice regarding intimate matters; and (3) a right to autonomous choice regarding other personal matters. See Laurence H. Tribe, American Constitutional Law § 15-1 (2d ed. 1988); Ken Gormley, One Hundred Years of Privacy, 1992 Wis. L. Rev. 1335, 1340. . The European Union's Privacy Directive, Council Directive 95/46 of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, is probably the most comprehensive attempt to protect informational privacy, although experts disagree about its domestic and especially extraterritorial effects. Compare Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of U.S. Data Protection (1996), with Peter P. Swire & Robert E. Litan, None of Your Business World Data Flows, Electronic Commerce, and the European Privacy Directive (1998). . Benjamin Franklin, Poor Richard's Almanac (1735), reprinted in The Oxford Dictionary of Quotations 211 (2d ed. 1959). . See 8 U.S.C. § 1324a(a)(1)(B) (1996) (prohibiting hiring workers without verifying identity and authorization to work in the United States). Employers must complete an INS Form I-9, Employment Eligibility Verification Form, documenting this verification and stating the type of ID they examined. See Verification of Employment Eligibility, 8 C.F.R. § 274a.2 (1999). . See Boehner v. McDermott, 191 F.3d 463, 465 (D.C. Cir. 1999) (describing the taping of a cell phone call including Speaker Gingrich); Office of the Independent Counsel, Referral to the United States House of Representatives pursuant to Title 28, United States Code, § 595(c) § I.B.3 ("The Starr Report") <http://icreport.loc.gov/icreport/6narrit.htm#L7> (describing recording of Lewinsky calls by Linda Tripp); Paul Vallely, The Queen Brings Down The Shutters, The Indep., Aug. 19, 1996, available in 1996 WL 10952752 (noting the taping of intimate conversation of Prince Charles).
Although the phenomenon of ad hoc surveillance and eavesdropping is an interesting one, this article concentrates on more organized corporate and government surveillance and especially profiling. . See Roger Clarke, Information Technology and Dataveillance, 31 Comm. ACM 498 (May 1988) (defining dataveillance as "the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons") <http://www.anu.edu.au/
people/Roger.Clarke/DV/CACM88.html>. . So-called "reality" television programming provides a possible glimpse of this world. The popularity of these shows demonstrates the supply of willing watchers, and there appear to be many willing subjects. See, e.g., Associated Press, Actress Bares All in Santiago Glass House, CNN.com, Jan. 26, 2000 <http://cnn.com/2000/WORLD/americas/01/26/chile.glass.house.ap/> (describing actress "spending two weeks in a house in central Santiago made of nothing but glass"). . David Brin, The Transparent Society (1998). . See, e.g., U.S. GAO, Government and Commercial Use of the Social Security Number is Widespread 1 (1999) (Letter Report, GAO/HEHS-99-28), available in <http://
frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.88&filename=he99028.pdf&
directory=/diskb/wais/data/gao> (noting "the SSN is used for a myriad of non-Social Security purposes, some legal and some illegal"); Flavio L. Komuves, We've Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers, 16 J. Marshall J. Computer & Info. L. 529, 535 (1998) ("SSN use is so important to business and government in this country that a person who is assertive about their privacy rights may find herself in a position in which another will refuse to do business with her unless she furnishes her SSN."). . The phenomenon is everywhere, from the Starr Report to confessional talk shows, from mainstream films to the Internet's 24x7 webcams. Cf. Herbert Marcuse, One-dimensional Man: Studies in the Ideology of Advanced Industrial Society 74-81 (1964) (warning of "repressive desublimation" in which capitalism absorbs sexuality, strips it of threat and danger, drains it of its original meaning, repackages it as a commodity, then sells it back to the masses); see also Anita L. Allen, Privacy and The Public Official: Talking About Sex as a Dilemma For Democracy, 67 Geo. Wash. L. Rev. 1165, 1165 (1999) (noting that public servants now believe that "what takes place in private, unless dull and routine, is likely to become public knowledge anyway"); Clay Calvert, The Voyeurism Value in First Amendment Jurisprudence, 17 Cardozo Arts & Ent. L.J. 273, 274 (1999) (arguing for First Amendment right to "to peer and to gaze into places from which we are typically forbidden, and to facilitate our ability to see and to hear the innermost details of others' lives without fear of legal repercussion"); Andrew Leonard, Microsoft.orgy,
Salon, July 21, 1998 <http://www.salon.com/21st/feature/1998/07/cov_21feature.html> (describing how exhibitionists turned the Microsoft NetMeeting server, which provides means for PC cam video conferencing, into "a 24-hour international sex orgy"). . The extent to which modern ideas of privacy have historic roots is open to debate. While the distinction between the "private" home and the "public" outside is presumed to be ancient, see Jürgen Habermas, The Structural Transformation Of The Public Sphere 4 (1962), it is clear the conception of the home has changed. Peter Ackroyd's description of the home of Sir Thomas Moore, for example, with its numbers of servants, retainers, and even a fool, bears little relation to the home life of even the modern rich. See Peter Ackroyd, The Life of Thomas Moore 255-56 (1998). And, of course, one would not expect a concern with informational privacy in its modern form to predate the privacy-destroying technologies, mass data storage, or modern data-processing to which it is a reaction. . This article thus does not consider suggestions arising from law and economics that privacy is best understood as a mere intermediate good. See Richard A. Posner, The Right of Privacy, 12 Ga. L. Rev. 393, 394 (1978). Treating privacy as an intermediate good, then-Professor Posner concluded that personal privacy is generally inefficient, because it allows persons to conceal disreputable facts about themselves and to shift costs of information acquisition (or the cost of failing to acquire information) to those who are not the least-cost avoiders. Data concealment by businesses is generally efficient, however, since allowing businesses to conceal trade secrets and other forms of intellectual property will tend to spur innovation. See id. Useful correctives to Posner's views include Kim Lane Scheppele, Legal Secrets: Equality and Efficiency in the Common Law 43-53, 111-26 (1988); James Boyle, A Theory of Law and Information: Copyright, Spleens, Blackmail, and Insider Trading, 80 Cal. L. Rev. 1413, 1443-57, 1471-77 (1992), and Edward J. Bloustein, Privacy Is Dear at Any Price: A Response to Professor Posner's Economic Theory, 12 Ga. L. Rev. 429 (1978). . Readers needing persuasion on this point should consult Part I of Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1202-20 (1998).
"In a Wall Street Journal/NBC News poll last fall, Americans were given a list of eight concerns that might face them in the new century and were asked to rank the ones that worry them the most. Loss of personal privacy ranked at the top of the list, cited by 29%." See also Glenn R. Simpson, E-Commerce Firms Start to Rethink Opposition to Privacy Regulation as Abuses, Anger Rise, Wall St. J., Jan. 6, 2000, at A24. In a recent survey, 80% of United States residents, 68% of Britons, and 79% of Germans polled agreed strongly or somewhat with the assertion that "consumers have lost all control over how personal information is collected and used by companies"; however, 59%, 63%, and 55% of Americans, Britons, and Germans respectively also agreed that existing laws and organization practices in the their country provide a reasonable level of consumer privacy protection. IBM, IBM Multi-National Consumer Privacy Survey 22 (1999) <http://ibm.com/services/files/privacy_survey_oct991.pdf>. In a different survey, 92% of Canadians expressed some concern, and 52% were "extremely concerned" about privacy. John D.R. Craig, Invasion of Privacy and Charter Values: The Common-Law Tort Awakens, 42 McGill L.J. 355, 357 (1997). . Due to limitations of space, and of my knowledge, this article also adopts an artificially United States-centric focus, although the problems discussed here are of global importance. . Employers' concern about "cyberslackers" is fanned by consultants' reports that "employees who surf the web from their office PCs are costing Corporate America more than $1 billion a year." Michele Masterson, Cyberveillance at Work: Surfing the Wrong Internet Sites on the Job
Could Get You Fired, CNN.com, Jan. 4, 2000 <http://www.cnnfn.com/2000/01/04/technology/
webspy/>; cf. Eugene Volokh, Freedom of Speech, Cyberspace, Harassment Law, and the Clinton Administration, Law & Contemp. Probs. (forthcoming 2000) (arguing that sexual hostile environment harassment law is now so pervasive and potentially hair-trigger that prudent employer must carefully monitor workplace, including Internet use, for employee access of sexually themed materials). . See Ann Cavoukian, Info. and Privacy Comm'r/Ontario Data Mining: Staking a Claim on Your Privacy (1998) <http://www.ipc.on.ca/web_site.eng/matters/sum_pap/
PAPERS/datamine.htm>:
Data mining is a set of automated techniques used to extract buried or previously unknown pieces of information from large databases. Successful data mining makes it possible to unearth patterns and relationships, and then use this "new" information to make proactive knowledge-driven business decisions. Data mining then, "centres on the automated discovery of new facts and relationships in data. The raw material is the business data, and the data mining algorithm is the excavator, sifting through the vast quantities of raw data looking for the valuable nuggets of business information."
Data mining is usually used for four main purposes: (1) to improve customer acquisition and retention; (2) to reduce fraud; (3) to identify internal inefficiencies and then revamp operations[;] and (4) to map the unexplored terrain of the Internet. The primary types of tools used in data mining are: neural networks, decision trees, rule induction, and data visualization.
Id. (citations omitted) (quoting Joseph P. Bigus, Data Mining with Neural Networks 9 (1996)). . See Oscar H. Gandy, Jr., The Panoptic Sort 91 (1993); Oscar H. Gandy, Jr., Legitimate Business Interest: No End in Sight? An Inquiry into the Status of Privacy in Cyberspace, 1996 U. Chi. Legal F. 77. . See Kang, supra note 16, at 1239. . See Jeff Sovern, Opting In, Opting Out, or No Options at All: The Fight for Control of Personal Information, 74 Wash. L. Rev. 1033, 1033-34 (1999):
[Y]ou can buy lists of people who have bought skimpy swimwear; college students sorted by major, class year, and tuition payment; millionaires and their neighbors; people who have lost loved ones; men who have bought fashion underwear; women who have bought wigs; callers to a 900-number national dating service; rocket scientists; children who have subscribed to magazines or have sent in rebate forms included with toys; people who have had their urine tested; medical malpractice plaintiffs; workers' compensation claimants; people who have been arrested; impotent middle-aged men; epileptics; people with bladder-control problems; buyers of hair removal products or tooth whiteners; people with bleeding gums; high-risk gamblers; people who have been rejected for bank cards; and tenants who have sued landlords. There are lists based on ethnicity, political opinions, and sexual orientation. . See Phil Agre, RRE Notes and Recommendations, Red Rock Eater News Service, Dec.
26, 1999 <http://commons.somewhere.com/rre/1999/RRE.notes.and.recommenda14.html>:
Go to a part of town where your kind isn't thought to belong and you'll end up on a list somewhere. Attend a political meeting and end up on another list. Walk into a ritzy boutique and the clerk will have your credit report and purchase history before even saying hello. . . . The whole culture will undergo convulsions as taken-for-granted assumptions about the construction of personal identity in public places suddenly become radically false. . . .
And that's just the start. Wait a little while, and a market will arise in "spottings": if I want to know where you've been, I'll have my laptop put out a call on the Internet to find out who has spotted you. Spottings will be bought and sold in automated auctions, so that I can build the kind of spotting history I need for the lowest cost. Entrepreneurs will purchase spottings in bulk to synthesize spotting histories for paying customers. Your daily routine will be known to anyone who wants to pay five bucks for it, and your movement history will determine your fate just as much as your credit history does now. . . .
Then things will really get bad. Personal movement records will be subpoenaed, irregularly at first, just when someone has been kidnapped, but then routinely, as every divorce lawyer in the country reasons that subpoenas are cheap and not filing them is basically malpractice. Then, just as we're starting to get used to this, a couple of people will get killed by a nut who [has] been predicting their movements using commercially available movement patterns. . Data mining can be used to generate lists of political preferences. Senator John McCain and Texas Governor George W. Bush each contracted with Aristotle Publishing <http://
www.Aristo.org>, a firm that offered to target web users by matching web browsing habits and web site signup data with voter registration records. See Lauren Weinstein, Web Tracking and Data
Matching Hit the Campaign Trail, Privacy Forum Digest, Dec. 24, 1999 <http://www.vortex.com/
privacy/priv.08.22>. . Of course, disclosure also helps prevent evils that can hide behind the veil of anonymity. See A. Michael Froomkin, Flood Control on the Information Ocean: Living with Anonymity, Digital Cash, and Distributed Databases, 15 J.L. & Com. 395, 404-07, 410-11 (1996). . See Financial Crimes Enforcement Network ("FinCEN"), FinCEN Follows the Money: A Local Approach to Identifying & tracking Criminal Proceeds 5 (1999), <http://www.treas.gov/fincen/followme.pdf>. Approximately 200 staffers plus 40 "long-term detailees" from 21 other regulatory and law enforcement agencies use financial, law enforcement, and commercial databases to operate FinCEN. See id. at 3. Working with foreign "financial intelligence units," FinCEN formed the "Egmont Group," an international cooperation designed to exchange information and expertise. See id. at 6. . See FinCEN, Helping Investigators Use the Money Trail <http://www.treas.gov/
fincen/follow2.html>; see also FinCEN, supra note 26, at 5 (stating that analysts may provide information through FinCEN's Artificial Intelligence System on previously undetected possible criminal organizations and activities so that investigations can be initiated). . See, e.g., David Cay Johnston, New Tools for the I.R.S. to Sniff Out Tax Cheats, NY Times, Jan. 3, 2000, <http://www.nytimes.com/00/01/03/news/financial/irs-tax.html> ("The [data mining] technology . . . being developed for the I.R.S. . . . will be able to feed data from every entry on every tax return, personal or corporate, through filters to identify patterns of taxpayer conduct. Those taxpayers whose returns suggest . . . that they are highly likely to owe more taxes could then quickly be sorted out and their tax returns audited."); see also Steven A. Bercu, Toward Universal Surveillance in an Information Age Economy: Can We Handle Treasury's New Police Technology?, 34 Jurimetrics J. 383, 400-01 (1994) (discussing FinCEN and possible privacy problems). . Air travelers are profiled by a $2.8 billion monitoring system that uses a secret algorithm to compare their personal data to profiles of likely terrorists. See Declan McCullagh, You? A Terrorist? Yes!, Wired, Apr. 20, 1999, <http://www.wired.com/news/news/politics/story/19218.html>:
The CAPS [computer-assisted passenger screening] system operates off the computer reservation systems utilized by the major United States air carriers as well as some smaller carriers. The CAPS system relies solely on information that passengers presently provide to air carriers for reasons unrelated to security. It does not depend on the gathering of any additional information from air travelers, nor is it connected to any law enforcement or intelligence database.
Security of Checked Baggage on Flights Within the United States, 64 Fed. Reg. 19220, 19222 (1999) (to be codified at 14 C.F.R. pt. 108) (proposed Apr. 19, 1999). . Examples of this profiling in the wake of the Columbine shootings include a psychological tool being offered by the FBI to identify "potentially violent" schoolchildren, see Jon Katz, Take the FBI's Geek Profile Test, Slashdot, Nov. 29, 1999 <http://slashdot.org/features/99/11/23/
1712222.shtml>, and Mosaic-2000, a profiling tool developed by the Bureau of Alcohol, Tobacco, and Firearms, see Frances X. Clines, Computer Project Seeks to Avert Youth Violence, N.Y. Times, Oct. 24, 1999. See also Software to Predict "Troubled Youths," Slashdot, Oct. 24, 1999 <http://slashdot.org/yro/99/10/24/1147256.shtml> (open discussion of Mosaic-2000); Gavin de Becker Inc., Mosaic-2000 (1999) <http://www.gdbinc.com/mosaic2000.htm> (analysis of Mosaic-2000). . Clarke, supra note 9. . See 13 U.S.C.A. §§ 8-9 (West Supp. 1999) (census); 26 U.S.C.A. § 6103 (West Supp. 1999) (tax return data). Despite these rules, however, there have been suggestions that because census information is detailed, it could be cross-indexed with other data to identify individuals. For example, if one knows that there is only one person in a particular age group, of a particular ethnicity, or with some other distinguishing characteristic within the census tract, and one can extract the "aggregate" data for all individuals with the characteristic in the area, one has individualized the data. Cf. Robert G. Schwartz, Jr., Privacy In German Employment Law, 15 Hastings Int'l & Comp. L. Rev. 135, 146 (1992) (describing 1983 decision of German Federal Constitutional court striking down census questions that it believed would allow identification of respondents). . See generally Lillian R. Bevier, Information About Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection, 4 Wm. & Mary Bill Rts. J. 455 (1995) (discussing government's use of data provided by citizens). . 42 U.S.C. § 653 (1996). . See Department of Health and Human Services, What is NECSRS? <http://
ocse.acf.dhhs.gov/necsrspub/Navigation/Questions/Ques.htm#NECSRS1> (stating that the "National Electronic Child Support Resource System . . . is used to identify and electronically index Federal, State, and local resource materials"). . See Electronic Privacy Information Center ("EPIC"), Reno Proposes National DNA Database, EPIC Alert, Mar. 4, 1999 <http://www.epic.org/alert/EPIC_Alert_6.04.html>. . See Megan's Law, N.J. Stat. Ann. § 2C:7-1 to 7-11 (West 1999) (registration of sex offenders); Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat. 2038 (1994) (codified as amended at 42 U.S.C.A. § 14071 (West Supp. 1999)) (federal equivalent of Megan's Law). . See Ian Grayson, Packer Sets up Big Brother Data Store, Australian, Nov. 30, 1999 <http://technology.news.com.au/news/4277059.htm>. . See Financial Action Task Force on Money Laundering, 1997-1998 Report On Money Laundering Typologies ¶ 28, <http://www.ustreas.gov/fincen/typo97en.html> (noting imposition of Geographic Targeting Orders pursuant to Banking Secrecy Act that required certain money transmitters to report all cash transfers to Columbia of over $750 during 360-day period). . See Froomkin, supra note 25, at 449-79. . As a result, health care related data will be part of a giant distributed database. See generally Paul M. Schwartz, Privacy and the Economics of Personal Health Care Information, 76 Tex. L. Rev. 1 (1997); Paul M. Schwartz, The Protection of Privacy in Health Care Reform, 48 Vand. L. Rev. 295 (1995); Spiros Simitis, Reviewing Privacy in an Information Society, 135 U. Pa. L. Rev. 707 (1987); see also U.S. GAO, Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections Is Limited, GAO/HEHS-99-55 (1999), <http://www.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=gao&docid=f:he99055.txt.pdf>.
HHS is expected to issue medical privacy regulations by February 21, 2000, defining rules for the security and disclosure of health care data. The draft regulations allow disclosure of health information without an individual's authorization for research, public health, oversight, and some other purposes; otherwise written authorization is required. Databases must be kept secure. Collectors of medical data must conform to fair information practices, inform people how their information is used and disclosed, and ensure that people can view information being held about them. The draft rules propose that their protections would attach as soon as information is "electronic" and run with the information as long as the information is in the hands of a covered entity. The proposed rules do not, however, apply to downstream recipients of medical data. See NPRM HHS, Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918 (1999),
<http://aspe.hhs.gov/admnsimp/pvcnprm.pdf> (technical corrections available in <http://aspe.hhs.gov/
admnsimp/nprm/991215fr.pdf>). . Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, § 264, 110 Stat. 1936 (1996) (codified as amended at 42 U.S.C. § 1320d- 2). . See note Error! Bookmark not defined.. infra and accompanying text. . Cf. Tina Kelley, An Expert in Computer Security Finds His Life Is a Wide-Open Book, N.Y. Times, Dec. 13, 1999, at C4 (describing how a group of "security experts" were able to dig up vast amounts of information on a self-described "average citizen"). . See, e.g., Timothy Egan, Police Surveillance of Streets Turns to Video Cameras and Listening Devices, N.Y. Times, Feb. 7, 1996, at A12 (detailing the methods and equipment of several cities' police departments). . Nick Taylor, Closed Circuit Television: The British Experience, 1999 Stan. Tech. L. Rev. VS 11, ¶ 1, <http://stlr.stanford.edu/STLR/Symposia/Privacy/99_VS_11/article.html>. . See id. ¶¶ 12-14. . Hidden Cameras Solutions, Catalogue <http://www.concealedcameras.com/catalogue/
main.html>. . See City of London Police, Your Help Is Needed . . . , June 18, 1999 <http://
www.cityoflondon.gov.uk/citypolice/j18frame.htm>; City of London Police, Identity Parade, June 18, 1999, <http://www.cityoflondon.gov.uk/citypolice/idparade8.htm> (asking viewers to help "identify any of these people photographed during the June 18 incident in the City of London"; as of December 21, 1999, some photos were missing, labeled "now identified"). . They may also be racist. See Taylor, supra note 46, ¶¶ 26-27. . See, e.g., Teacher Fired for Not Making Kids Wear IDs, Charleston Gazette & Daily Mail, Feb. 5, 1999, available in 1999 WL 6710744 (stating that a teacher objected to a bar code because he believed it to resemble the "mark of the beast"); Americans United For Separation of Church and State, Teacher Who Fears "Mark of the Beast" Fired in West Virginia, Church & State: AU Bull., Mar. 1999 <http://www.au.org/cs3991.htm>. . See, e.g., Visionics, Corp., FaceIT: An Award-Winning facial Recognition Software Engine <http://www.visionics.com/Newsroom/PDFs/Visionics_Tech1.pdf> (describing one such system); Taylor, supra note 47, ¶ 39 (citing TIMES (London), Oct. 15, 1998). . Alex Richardson, TV Zooms in on Crooks' 'Faceprints,' Birmingham Post, Oct. 15, 1998, available in 1998 WL 21493173. For some reason, the police chose to test the system in the poorest part of London. See Taylor, supra note 46. . See Visionics Corp., Visionics' Face Recognition Technology Chosen For Cutting Edge Israeli Border Crossing, Sept. 21, 1999 <http://www.visionics.com/Newsroom/PRs/bazel1.htm>. . See Daniel J. Dupont, Seen Before, Sci. Am., Dec. 1999 <http://www.sciam.com/1999/
1299issue/1299techbus5.html>. . See Image Data, LLC, Application of Identity Verification and Privacy Enhancement to Treasury Transactions: A Multiple Use Identity Crime Prevention Pilot Project 3 (1997) <http://www.epic.org/privacy/imagedata/image_data.html> (document submitted to United States Secret Service proposing to "show the technical and financial feasibility of using remotely stored digital portrait images to securely perform positive identification"); Brian
Campbell, Secret Service Aided License Photo Database, CNN.com, Feb. 18, 1999 <http://
www.cnn.com/US/9902/18/license.photos/>. . See generally J. Bradford DeLong & A. Michael Froomkin, Speculative Microeconomics for Tomorrow's Economy, in Internet Publishing and Beyond: The Economics of Digital Information and Intellectual Property (Brian Kahin & Hal Varian eds., forthcoming 2000) <http://www.law.miami.edu/~froomkin/articles/spec.htm>. . See Alan Sipress, Tracking Traffic by Cell Phone: Md., Va. to Use Transmissions to Pinpoint Congestion, Wash. Post, Dec. 22, 1999, at A1 (stating that Maryland and Virginia will track "anonymous" callers on highways to measure speed of traffic). . See Compatibility of Wireless Services with Enhanced 911, 61 Fed. Reg. 40,348, 40,349 (1996) (codified at 47 C.F.R. pt. 20). The FCC's approach differs from that adopted by some telephone manufacturers who have designed their phones with Global Positioning Satellite ("GPS") receivers. These receivers display the phone's precise latitude, longitude, and elevation, which the user can then relay to the 911 operator, but only if the user is able to speak. See Steve Ginsberg,
Cell Phones Get a Homing Device, S.F. Business Times, Sept. 28, 1998 <http://www.amcity.com/
sanfrancisco/stories/1998/09/28/focus7.html>. . See FCC, Third Report and Order in the Matter of Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, ¶¶ 12, 21, 22, Aug. 26, 1999 <http://www.fcc.gov/
Bureaus/Engineering_Technology/Orders/1999/fcc99230.wp>. . See Watching Me, Watching You, BBC News, Jan. 4, 2000 <http://newsvote.bbc.co.uk/
hi/english/uk/newsid_590000/590696.stm>. . See Daniel Polak, GSM Mobile Network in Switzerland Reveals Location of its Users, Privacy Forum Digest, Dec. 31, 1997 <http://www.vortex.com/privacy/priv.06.18>. . See, e.g., Nicole Krau, Now Hear This: Your Every Move is Being Tracked, Ha'aretz, Mar. 10, 1999, available in 1999 WL 17467375 (stating that Israeli cellular phone records are stored by cellular phone companies and sold to employers who wish to track employees, as well as provided to government when ordered by court); see also Richard B. Schmitt, Cell-Phone Hazard: Little Privacy in Billing Records, Wall St. J., Mar. 16, 1999, at B1 (stating that AT&T wireless unit fields roughly 15,000 subpoenas for phone records per year). . See Gabriel Sigrist, Odilo Guntern: Le Détenteur de Natel Doit Pouvoir Rester Anonyme,
Le Temps July 7, 1998 <http://www.inetone.com/cypherpunks/dir.98.07.1398.07.19/msg00084.html>. . See generally Santa Clara Symposium on Privacy and IVHS, 11 Santa Clara Computer & High Tech. L.J. (1995) (dedicated to privacy and "intelligent vehicle highway systems"). . See Margaret M. Russell, Privacy and IVHS: A Diversity of Viewpoints, 11 Santa Clara Computer & High Tech. L.J. 145, 163 (1995). . See id. at 164-65. . See Andrew Sparrow, Car Tagging May Help Cut Theft, Says Minister, Daily Telegraph (London), Oct. 17, 1998, available in 1998 WL 3053349. . See, e.g., Ontario Info. and Privacy Comm'r, 407 Express Toll Route: How You Can Travel this Road Anonymously (1998) <http://www.ipc.on.ca/web_site.eng/matters/
sum_pap/PAPERS/407.htm> ("A significant amount of work was required to ensure that the 407 ETR toll and billing system did not compromise personal privacy."). . See, e.g., University of Southern California, Novel Neural Net Recognizes Spoken Words Better Than Human Listeners, Sci. Daily Mag., Oct. 1, 1999 <http://www.sciencedaily.com/
releases/1999/10/991001064257.htm> (announcing advance in machine recognition of human speech). . See Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2710 (1968). . See Robert G. Boehmer, Artificial Monitoring and Surveillance of Employees: the Fine Line Dividing the Prudently Managed Enterprise from the Modern Sweatshop, 41 DePaul L. Rev. 739, 739 (1992) ("Except for outrageous conduct and the use of one of a discrete group of techniques that Congress has chosen to regulate, the law supplies employees with precious little protection from the assault on workplace privacy. Similarly, the law provides employers with little guidance concerning the permissible depth of their intrusions."). . Covert video surveillance violates some states' laws. See Quentin Burrows, Scowl Because You're on Candid Camera: Privacy and Video Surveillance, 31 Val. U. L. Rev. 1079, 1114-21 (1997) (collecting cases and statutes). . See Gary Marx, Measuring Everything That Moves: The New Surveillance at Work <http://web.mit.edu/gtmarx/www/ida6.html>. . See Daniel Grotta & Sally Wiener Grotta, Camera on a Chip, ZDNet PC Mag, Oct. 7, 1999 <http://www.zdnet.com/pcmag/stories/trends/0,7607,2349530,00.htm>. . See Stuart Glascock, Stealth Software Rankles Privacy Advocates, TechWeb, Sept. 9, 1999 <http://www.techweb.com/wire/story/TWB19990917S0014>. . See Duncan Campbell, Directorate Gen. for Research, Development of Surveillance Technology and Risk of Abuse of Economic Information: An Appraisal of Technologies for Political Control (1999) <http://jya.com/ic2000-dc.htm> [hereinafter STOA Report]. . Id. at Summary ¶ 2. . "Contrary to reports in the press, effective 'word spotting' search systems automatically to select telephone calls of intelligence interest are not yet available, despite 30 years of research. However, speaker recognition systems--in effect, 'voiceprints'--have been developed and are deployed to recognise [sic] the speech of targeted individuals making international telephone calls." Id. at Summary ¶ 7. . See id. § 3 ¶ 72. . See Patent 5937422: Automatically generating a topic description for text and searching and sorting text by topic using the same <http://cryptome.org/nsa-vox-pat.htm>. . See Suelette Dreyfus, This Is Just Between Us (and the Spies), Independent, Nov. 15, 1999 <http://www.independent.co.uk/news/Digital/Features/spies151199.shtml>. . STOA Report, supra note 77, §1, ¶ 6. . See id. § 2, ¶ 60. . See Madeleine Acey, Europe Votes for ISP Spying Infrastructure, Techweb, May 13, 1999 <http://www.techweb.com/wire/story/TWB19990513S0009>. . See 1994 Pub. L. No. 103-414, 108 Stat. 4279 (1994) (codified as amended at 47 U.S.C §§ 1001-1010 and scattered sections of 18 & 47 U.S.C.); cf. James X. Dempsey, Communications Privacy in the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy, 8 Alb. L.J. Sci. & Tech. 65 (1997) (arguing that recent changes in communications technology have required reexamination of privacy policy). . See Implementation of the Communications Assistance for Law Enforcement Act, 60 Fed. Reg. 53,643, 53,645 (proposed Oct. 16, 1995). To be fair, the FBI assessment lumped together wiretap needs along with less intrusive forms of surveillance such as pen registers and "trap and trace" operations, which reveal information about who is speaking to whom without disclosing the substance of the conversation. See id. . See Implementation of Section 104 of the Communications Assistance for Law Enforcement Act, 62 Fed. Reg. 1902 (proposed Jan. 14, 1997). . See Center for Democracy and Technology, Brief of Amicus Curiae, Cellular Telecomms. Indus. Ass'n v. United States Tel. Ass'n, No. 1:98CV01036 & 1:98CV0210 (D.D.C. 1999) <http://
www.cdt.org/digi_tele/capacitybrief.shtml>; Center for Democracy and Technology, Comments on the FBI's Second CALEA Capacity Notice, Feb. 18, 1997 <http://www.cdt.org/digi_tele/970218_
comments.html>. . Warrants are not required abroad, either when the United States is wiretapping foreigners, see, e.g., United States v. Rene Martin Verdugo-Urquidez, 494 U.S. 259 (1990) (holding that the Fourth Amendment does not apply to the search and seizure, by United States agents, of property owned by a nonresident alien and located in a foreign country), or even when democratic foreign governments are wiretapping their own citizens. See, e.g., Nick Fielding & Duncan Campbell, Spy
Agencies Listened in on Diana, Sunday Times (London), Feb. 27, 2000 <http://www.the-times.co.uk/
news/pages/sti/2000/02/27/stinwenws02035.html?999> (alleging that "a loophole in the 1985 Interception of Communication Act means intelligence officials can put individuals and organisations [sic] under surveillance without a specific ministerial warrant"). . See Administrative Office of the U.S. Courts, 1998 Wiretap Report 5 (1999) <http://www.uscourts.gov/wiretap98/contents.html;> Associated Press, State Authorities' Wiretapping Up, May 5, 1999 <http://jya.com/wiretap98.htm>. . See Marc Cooper, Wired, NEWSTIMESLA.COM., Jan. 23, 1998 <http://www.
newtimesla.com/archives/1998/081398/feature1-2.html> ("Under the single wiretap authorization that produced the Gastelum-Gaxiola case, a mind-boggling 269 phone lines, including an entire retail cellular phone company, were monitored. Taps on just three pay phones at the L.A. County jail in Lynwood, for instance, yielded about 100,000 conversations in six months, according to the Public Defender's office."). . See id. . Administrative Office of the U.S. Courts, supra note 91, at Table 5. . There is reason to doubt that they do. See, e.g., Cooper, supra note 92 (describing LAPD officers' testimony concerning hundreds of illegal "hand offs" of information, acquired in one wiretap, in order to initiate new cases via fictitious informants); Los Angeles Public Defenders Office, State Wiretap Related Cases <http://pd.co.la.ca.us/cases.htm> (listing known and suspected cases affected by illegal LAPD use of wiretap information). . There are also powerful commercial incentives to privately gather caller information. For example, British Telecom searched its records to find people who were regularly calling competing Internet service providers, and had its sales staff call and encourage them to switch to BT. See Office of Telecomms., OFTEL Acts to Ensures Fair Competition in Marketing of BT Click Internet Services, Sept. 24, 1998 <http://www.worldserver.pipex.com/coi/depts/GOT/coi6043e.ok?> (announcing OFTEL had forced BT to cease practice after complaints). . To find out what your browser says about you, visit Privacy Analysis of Your Internet Connection at <http://privacy.net/anonymizer/>. . See Anonymizer <http://www.anonymizer.com/3.0/index.shtml>. . See generally Netscape, Cookie Central <http://www.cookiecentral.com/>. . See Chris Oakes, Doubleclick Plan Falls Short, Wired News, Feb. 2000 <http://
www.wired.com/news/business/0,1367,34337,00.html>. . E.g., Chris Oakes, Mouse Pointer Records Clicks, Wired News, Nov. 30, 1999 <http://
www.wired.com/news/technology/0,1282,32788,00.html>. . A trojan horse is a "malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or . . . a program . . ." FOLDOC, Trojan Horse <http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?query=trojan+horse>. . See Draft Cyberspace Electronic Security Act Bill, Aug. 4, 1999, § 203 (to amend 18 U.S.C. 2713) <http://www.cdt.org/crypto/CESA/draftCESAbill.shtml>. A "back door" is a deliberate hole in system security. See FOLDOC, Back Door <http://wombat.doc.ic.ac.uk/foldoc/
foldoc.cgi?back+door>. . See Robert O'Harrow, Jr., Justice Department Mulls Covert-Action Bill, Wash. Post,
Aug. 20, 1999, at A1 <http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm>. . See The Center for Democracy and Technology, A Briefing on Public Policy Issues Affecting Civil Liberties Online, CDT Pol'y Post, Sept. 17, 1999, at 22 <http://www.cdt.org/
publications/pp_5.22.shtml/#3> (noting change in administration position). . For the strange saga of the attempts to censor the Walsh report, see The Walsh Report: Review of Policy Relating to Encryption Technologies <http://www.efa.org.au/Issues/
Crypto/Walsh/>. . See id. § 1.2.33.
Authority should be created for the AFP, the NCA and ASIO to alter proprietary software so that it performs additional functions to those specified by the manufacturer. Such an authority, which clearly should be subject to warranting provisions, would, for example, enable passive access to a computer work station of a LAN and link investigative capability more effectively to current technology. While there are issues of liability, the Review is convinced the effort should be made to accommodate these so that a target computer may be converted to a listening device. This capacity may represent one of the important avenues of accessing plain text.
Id.
The opportunity may present itself to the AFP, NCA or ASIO to alter software located in premises used by subjects of intensive investigation or destined to be located in those premises. The software (or more rarely the hardware) may relate to communication, data storage, encoding, encryption or publishing devices. While some modifications may have the effect of creating a listening device which may be remotely monitored by means of the telecommunications service, for which purposes extant warranting provisions would provide, others may create an intelligent memory, a permanent set of commands not specified in the program written by the manufacturer or a remote switching device with a capacity to issue commands at request. The cooperation of manufacturers or suppliers may sometimes be obtained by agencies. When manufacturers or suppliers are satisfied the modification has no discernible effect on function, they may consent to assist or acquiesce in its installation. It will not always be possible, however, to approach manufacturers or suppliers or the latter may be in no position to consent to modification of proprietary software. When agencies are investigating a high priority target, practising [sic] effective personal and physical security, moving premises and changing telephone/fax regularly, an opportunity to access the target's computer equipment may represent not only the sole avenue but potentially the most productive.
Id. § 6.2.10. . See generally Julie E. Cohen, A Right to Read Anonymously: A Closer Look at "Copyright Management" in Cyberspace, 28 Conn. L. Rev. 981 (1996) <http://www.law.georgetown.
edu/faculty/jec/read_anonymously.pdf>; Julie E. Cohen, Lochner in Cyberspace: The New Economic Orthodoxy of "Rights Management," 97 Mich. L. Rev. 462 (1998) <http://www.law.
georgetown.edu/faculty/jec/Lochner.pdf>; Julie E. Cohen, Some Reflections on Copyright Management Systems and Laws Designed to Protect Them, 12 Berk. Tech. L.J. 161 <http://www.law.
berkeley.edu/journals/btlj/articles/12_1/Cohen/html/text.html>. . See, e.g., Digimark Corp. <http://www.digimarc.com/>. . See note Error! Bookmark not defined.. supra. . See Matt Curtin, Gary Ellison & Doug Monroe, "What's Related?" Everything But Your Privacy, Oct. 10, 1998 <http://www.interhack.net/pubs/whatsrelated/>.
Netscape promises not to misuse the information, and there is no reason to doubt this. See Netscape, Are there Privacy Issues with What's Related? <http://home.netscape.com/escapes/
related/faq.html#12>. Nonetheless, the threat seems particularly acute because Netscape itself sets a fairly detailed cookie before allowing download of browsers containing 128-bit cryptography. Curtin et. al, supra. Furthermore, Netscape's reaction to the Curtin, Ellison, and Monroe report was intemperate at best. Netscape set its "what's related" feature to show the Unabomber manifesto as "related" to the report! See Matt Curtin, "What's Related?" Fallout <http://www.interhack.net/
pubs/whatsrelated/fallout/>. . Bob Van Voris, Black Box Car Idea Opens Can of Worms, Nat'l L.J., June 7, 1999 <http://www.lawnewsnetwork.com/stories/A2024-1999Jun4.html>. . See Stephanie Miles, Intel Downplays Chip Hack Report, Feb. 24, 1999 <http://news.
cnet.com/news/0-1003-200-339182.html?tag=> ("Pentium III's serial code can be retrieved without the user's knowledge or approval."). . See Patrick Gelsinger, A Billion Trusted Computers (Jan. 20, 1999) <http://www.intel.
com/pressroom/archive/speeches/pg012099.htm>; see also Robert Lemos, Intel: Privacy Is Our Concern as Well, ZDNet News, Jan. 20, 1999 <http://www.zdnet.com/zdnn/stories/news/
0,4586,2190019,00.html> (noting Intel's argument that security justifies a loss of some privacy). . See Big Brother Inside Homepage <http://www.bigbrotherinside.com/#notenough>. . See Michael Kanellos & Stephanie Miles, Software Claims to Undo Pentium III Fix, CNET News, Mar. 10, 1999 <http://news.cnet.com/news/0-1003-200-339803.html?tag=> . . DSL stands for "Digital Subscriber Line." See generally John Kristoff, comp.dcom.xdsl Frequently Asked Questions <http://homepage.interaccess.com/~jkristof/xdsl-faq.txt>. . See generally Steve King, Ruth Fax, Dimitry Hasking, Weaken Ling, Tom Meehan, Robert Fink & Charles E. Perkins, The Case for IPv6 4 (1999) <http://www.ietf.org/internet-drafts/draft-iab-case-for-ipv6-05.txt> (touting IPv6's "enhanced features, such as a larger address space and improved packet formats"); Ipv6: The Next Generation Internet! <http://www.ipv6.org>. . See King et al., supra note 118, at 34 (defining IPv6 required header to include "a generic local address prefix to a unique token (typically derived from the host's IEEE LAN interface address)"; see also IEEE, Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority <http://standards.ieee.org/regauth/oui/tutorials/EUI64.html> (explaining ID numbers). . Bill Frezza, Where's All the Outrage About the IPv6 Privacy Threat?, TechWeb, Oct. 4, 1999 <http://www.internetwk.com/columns/frezz100499.htm> . See Thomas Narten, & R. Draves, Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (Internet Draft) 1 (1999) <ftp://ftp.isi.edu/internet-drafts/draft-ietf-ipngwg-addrconf-privacy-01.txt>. . See Yusef Mehdi, Microsoft Addresses Customers' Privacy Concerns, PressPass, Mar. 8, 1999 <http://www.microsoft.com/presspass/features/1999/03-08custletter2.htm> ("The unique identifier number inserted into Office 97 documents was designed to help third parties build tools to work with, and reference, Office 97 documents. The unique indentifier generated for Office 97 documents contains information that is derived in part from a network card . . . ."). Until the most recent revisions, these numbers were then transmitted during the Windows 98 registration process. See Mike Ricciuti, Microsoft Admits Privacy Problem, Plans Fix, CNET News, Mar. 7, 1999 <http://news.cnet.com/news/0-1006-200-339622.html?st.ne.160.head>. . See David Methvin, WinMag Exclusive: Windows 98 Privacy Issue Is Worse than You
Thought, TechWeb, Mar. 12, 1999, <http://www.windowsmagazine.com/news/1999/0301/0312a.htm>.
Users can test for the problem at Pharlap Software, Windows 98 RegWiz Privacy Leak Demo Page <http://security.pharlap.com/regwiz/index.htm>. A patch for Word 97, Excel 97, and PowerPoint 97 is available at <http://officeupdate.microsoft.com/downloadDetails/Off97uip.htm> . Associated Press, Microsoft Promises a Patch for ID Feature, Mar. 9, 1999 <http://
search.nytimes.com/search/daily/homepage/bin/fastweb?getdoc+cyber-lib+cyber-lib+4112+0+
wAAA+microsoft%7EID%7Eprivacy> ("the company also acknowledged it may have been harvesting those serial numbers from customers--along with their names and addresses--even when customers had explicitly indicated they didn't want the numbers disclosed."). . Kathleen Murphy, $4B Sought from Yahoo for Not Sharing Customer Data, Internet World News, Dec. 27, 1999 <http://www.internetworldnews.com/GetThisStory.cfm?Storyid=
746B3487-B95D-11D3-976500A0CC40B49B>. . See John Markoff, Bitter Debate on Privacy Divides Two Experts, N.Y. Times, Dec. 30, 1999 <http://www.nytimes.com/library/tech/99/12/biztech/articles/30privacy.html>. . See Jason Catlett, A Study of the Privacy and Competitiveness Implications of an Annuity Model for Licensing Microsoft Windows 2000, Junkbusters, Mar. 4, 1999 <http://www.
junkbusters.com/ht/en/bill.html>. . See Lauren Weinstein, IDs in Color Copies--A PRIVACY Forum Special Report, Privacy Forum Digest, Dec. 6, 1999 <http://www.vortex.com/privacy/priv.08.18>. . See U.S. Bureau of Engraving and Printing, Counterfeit Deterrence Features <http://
www.bep.treas.gov/countdeterrent.htm>. . See Ny Teknick, Electrolux Demonstrates the Smart Fridge Concept, ETHOS News, Mar. 4, 1999 <http://www.tagish.co.uk/ethosub/lit7/1484e.htm>; see also Joseph 'Jofish' Kaye, Counter Intelligence & Kitchen Sync: White Paper, 3 (June 1999) (unpublished manuscript) <http://www.media.mit.edu/ci/research/whitepaper/cil3.htm> (detailing "Kitchen Sync," the "digitally connected, self-aware kitchen"). . See Joseph Kaye, Niko Matsakis, Matthew Gray, Andy Wheeler & Michael Hawley, PC Dinners, Mr. Java and Counter Intelligence: Prototyping Smart Appliances for the Kitchen (Nov. 1, 1999) (unpublished manuscript submitted to IEEE) <http://www.media.mit.edu/ci/ieee.cga.jofish/
ieee.cga.jofish.htm> ("We predict--even assume, in many of our scenarios--that all products sold will have a digital ID."). . See Alice LaPlante, The Battle for the Fridge: The Food Industry Is Looking to Hook Up Your Home to the Supply Chain, Computerworld, Apr. 5, 1999, at 52(1) <http://www.chic.sri.
com/library/links/smart/fridge.html> ("CIOs in the grocery industry are putting in the proper technical infrastructure to collect and consolidate customer data."). . For a list of possibilities, see Java Card Special Interest Group, Introduction to Biometrics <http://www.sjug.org/jcsig/others/biometrics_intro.htm>. . See generally Ontario Info. & Privacy Comm'r, Consumer Biometric Applications: A Discussion Paper <http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/cons-bio.htm> (discussing biometrics, its benefits and concerns, and its effects on privacy); Clarke, supra note 9. . See generally Dutch Data Protection Authority (Registratiekamer), R. Hes, T.F.M. Hooghiemstra & J.J. Borking, At Face Value: On Biometrical Identification and Privacy § 2 (1999) <http://www.registratiekamer.nl/bis/top_1_5_35_1.html> (discussing the various applications of biometrics). . See, e.g., Guy Gugliotta, The Eyes Have it: Body Scans at the ATM, Wash. Post., June 21, 1999, at A1 <http://www.washingtonpost.com/wp-srv/national/daily/june99/scans21.htm>. . See 8 U.S.C.A. § 1101(a)(6) (West Supp. 1999); Theta Pavis, U.S. Takes Immigration in Hand, Wired, Sept. 15, 1998 <http://www.wired.com/news/news/technology/story/15014.html> (describing INSPASS system, which relies on handprints). . See John D. Woodward, Jr., U.S. Dep't of Commerce, Comments Focusing on Private Sector Use of Biometrics and the Need for Limited Government Action § II.B (1998) <http://
www.ntia.doc.gov/ntiahome/privacy/mail/disk/woodward.htm> ("Arizona, California, Connecticut, Illinois, Massachusetts, New Jersey, New York and Texas are using finger imaging to prevent entitlement fraud. Florida, North Carolina and Pennsylvania have biometric operational systems pending."); Connecticut Department of Social Services, Digital Imaging: Connecticut's Biometric Imaging Project <http://www.dss.state.ct.us/digital.htm> (providing links to extended descriptions of biometrical imaging of AFDC and General Assistance recipients for identification purposes). . See Ann Cavoukian, Biometrics and Policing: Comments from a Privacy Perspective § 4, in Polizei und Datenschutz--Neupositionierung im Zeichen der Informationsgesellschaft (Data Protection Authority ed., 1999) <http://www.ipc.on.ca/web_site.eng/matters/
sum_pap/PAPERS/biometric.htm>. . See id. at § 4. In addition, some people, for religious or personal reasons, find submitting to a biometric testing to be unacceptable. Even if the scan does not require a blood sample or other physical invasion, it may encroach on other sensibilities. See Ontario Info. & Privacy Comm's 136 ("Having to give something of themselves to be identified is viewed as an affront to their dignity and a violation of their person. Certain biometric techniques require touching a communal reader, which may be unacceptable to some, due to cultural norms or religious beliefs."); see also note 165 infra. . See Dutch Data Protection Authority (Registratiekamer et al.), supra note 135, §§ 2.2-2.3. . See DNA Fingerprinting, Encyclopedia Britancica Online <http://search.eb.com/
bol/topic?eu=31233&sctn=1&pm=1> (noting that DNA is usually unique with "the only exception being multiple individuals from a single zygote (e.g., identical twins)"). . The FBI Combined Index DNA Indexing System ("CODIS") alone currently contains information on 38,000 people. Approximately 450,000 samples await processing. See EPIC, supra note 36. But see Ng Kang-Chung, South China Morning Post, Feb. 12, 1999, Legislators Fear DNA Test Plans Open to Abuse, available in 1999 WL 2520961 (describing the Hong Kong legislature's fears of "allowing police to take DNA samples from suspects too easily") . . See EPIC, supra note 36. . Mannvernd, Association for Ethical Science, The Health-Sector Database Plans in Iceland, July 7, 1998 <http://www.simnet.is/mannvernd/english/articles/27.11.1998_mannvernd_
summary.html>. . See SPIN-2 High Resolution Satellite Imagery <http://www.spin-2.com/>. . The improved pictures will come from the Ikonos satellite. See Ikonos, Space Imaging - Products - Carterra <http://www.spaceimaging.com/products/Ikonos.html>. . See Joseph Rose, Satellite Offenders, WIRED, Jan. 13, 1999 <http://www.wired.com/
news/news/technology/story/17296.html>. . See Gary Fields, Satellite "Big Brother" Eyes Parolees, Apr. 8, 1999, USA Today, at 10A. . See Satellites in the Driving Seat, BBC News, Jan. 4, 2000 <http://newsvote.bbc.co.uk/
hi/english/uk/newsid_590000/590387.stm> (reporting that half of the users in the test said they would be willing to adopt the system voluntarily). . See Jon Hibbs, Satellite Puts the Brake on Speeding Drivers, Telegraph, Jan. 4, 2000 <http://www.telegraph.co.uk:80/et?ac=000141005951983&rtmo=kLJAeZbp&atmo=kLJAeZbp&pg=/et/00/1/4/nsped04.html>; "Spy in the Sky" Targets Speeders, BBC News, Jan. 4, 2000 <http://
newsvote.bbc.co.uk/hi/english/uk/newsid_590000/590336.stm>. . See Watching Me, Watching You, supra note 61. . See Hibbs, supra note 151. . Semayne's Case, 77 Eng. Rep. 194, 195 (K.B. 1604), quoted with approval in Wilson v. Layne, 526 U.S. 603, 609-10 (1999). . See United States v. Kyllo, 190 F.3d 1041, 1046-47 (9th Cir. 1999) (holding that the use of a thermal imager did not require a warrant because it "did not expose any intimate details" of the inside of a home, and therefore a privacy interest in dissipated heat was not one that society would accept as "objectively reasonable"); United States v. Robinson, 62 F.3d 1325, 1328-29 (11th Cir. 1995) (holding that a thermal imager search does not violate the Fourth Amendment); see also United States v. Ishmael, 48 F.3d 850, 853-55 (5th Cir. 1995); United States v. Myers, 46 F.3d 668, 669-70 (7th Cir. 1995); United States v. Ford, 34 F.3d 992, 995-97 (11th Cir. 1994); United States v. Pinson, 24 F.3d 1056, 1058-59 (8th Cir. 1994); but see United States v. Cusumano, 67 F.3d 1497, 1500-01 (10th Cir. 1995), aff'd en banc, 83 F.3d 1247 (10th Cir. 1996) (raising the possibility that thermal scans without a warrant violate the Fourth Amendment and arguing that other circuit courts have "misframed" the Fourth Amendment inquiry); State v. Young, 867 P.2d 593, 594 (Wash. 1994) (holding that a warrantless thermal image search violates State and Federal Constitutions). For an analysis of the lower courts' thermal imaging cases, see Lisa Tuenge Hale, United States v. Ford: The Eleventh Circuit Permits Unrestricted Police Use of Thermal Surveillance on Private Property Without A Warrant, 29 Ga. L. Rev. 819, 833-45 (1995); Susan Moore, Does Heat Emanate Beyond the Threshold?: Home Infrared Emissions, Remote Sensing, and the Fourth Amendment Threshold, 70 Chi.-Kent L. Rev. 803, 842-58 (1994); Lynne M. Pochurek, From the Battlefront to the Homefront: Infrared Surveillance and the War on Drugs Place Privacy Under Siege, 7 St. Thomas L. Rev. 137, 151-59 (1994); Matthew L. Zabel, A High-Tech Assault on the "Castle": Warrantless Thermal Surveillance of Private Residences and the Fourth Amendment, 90 Nw. U. L. Rev. 267, 282-87 (1995). . See Marcus J. Kuhn & Ross Anderson, Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations <http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf>. . Email from Ross Anderson to ukcrypto mailing list (Feb. 8, 1998) (available at <http://www.jya.com/soft-tempest.htm>). . Tempest-resistant fonts designed by Ross Anderson are available at <http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip>. . See generally Alyson L. Rosenberg, Passive Millimeter Wave Imaging: A New Weapon in the Fight Against Crime or a Fourth Amendment Violation?, 9 Alb. L.J. Sci. & Tech. 135 (1998). . See Millivision, Security Applications <http://www.millivision.com/security.html>; Merrik D. Bernstein, "Intimate Details": A Troubling New Fourth Amendment Standard for Government Surveillance Techniques, 46 Duke L.J. 575, 600-04 (1996) (noting that although Millivision can see through clothes it does not reveal anatomical details of persons scanned). . See Millivision, Concealed Weapon Detection <http://www.millivision.com/cwd.html>. . See Millivison, Contraband Detection <http://www.millivision.com/contband.html> ("As an imaging system, millimeter wave sensors cannot determine chemical composition, but when combined with advanced imaging software, they can provide valuable shape and location information, helping to distinguish contraband from permitted items."). . See id. (containing links to various models). . Deepti Hajela, Airport X-Ray Device Spurs Concerns, AP Online, Dec. 29, 1999 (quoting testimony of ACLU legislative counsel Gregory T. Nojeim). . See <image (reproduced below).
[note: copyright permission not yet secured] . Judy Jones, Look Ahead to the Year 2000: Electronic Arm Of The Law Is Getting More High-Tech, Courier-J. (Louisville, KY), Oct. 19, 1999, available in 1999 WL 5671879. . See Kris Pister, Joe Kahn, Bernhard Boser & Steve Morris, Smart Dust: Autonomous Sensing and Communication in a Cubic Millimeter <http://robotics.eecs.
berkeley.edu/~pister/SmartDust/>. . See id. . See David Brin, The Transparent Society (1998); Neal Stephenson, The Diamond Age (1995) (imagining a future in which nanotechnology is so pervasive that buildings must filter air in order to exclude nanotechnology spies and attackers). . For an extreme example, see Moore v. Regents of California, 793 P.2d 479, 488-97 (Cal. 1990) (holding that a patient had no cause of action, under property law, against his physician or others who used the patient's cells for medical research without his permission). . See Spiros Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data, 80 Iowa L. Rev. 445, 446 (1995) (noting the traditional view, now retreating in Europe, that "data . . . were perfectly normal goods and thus had to be treated in exactly the same way as all other products and services."). . See ABA Model Code of Professional Responsibility Cannon 4 (1999); ABA Model Rules of Professional Conduct Rule 1.6. (1999). . Or even the average value to a well-informed consumer. . See Joel R. Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 519-23 (1995); Sovern, supra note 22, at 1033 (arguing that "businesses have both the incentive and the ability to increase consumers' transaction costs in protecting their privacy and that some marketers do in fact inflate those costs."). . See Richard S. Murphy, Property Rights in Personal Information: An Economic Defense of Privacy, 84 Geo. L.J. 2381, 2413 (1996). . See Viktor Mayer-Schönberger, Generational Development of Data Protection in Europe, in Technology and Privacy: the New Landscape 219, 232 (Philip E. Agre & Marc Rotenberg eds., 1997). . For an innovative, if slightly cute, attempt to teach children about privacy, see Media Awareness Network, Privacy Playground: The First Adventures of the Three Little Cyberpigs, <http://www.media-awareness.ca/eng/cpigs/cpigs.htm>. . See, e.g., Information and Privacy Comm'r/Ontario, Canada & Registratiekamer [Dutch Data Protection Authority], The Netherlands, 1 Privacy-Enhancing Technologies: The Path to Anonymity 1 (1995) <http://www.ipc.on.ca/web_site.ups/matters/
sum_pap/papers/anon-e.htm>. . P3P is the Platform for Privacy Preferences Project, a set of standards, architecture, and grammar to allow complying machines to make requests for personal data and have them answered subject to predetermined privacy preferences set by a data subject. See Joseph M. Reagle, Jr., P3P and Privacy on the Web FAQ <http://www.w3.org/P3P/P3FAQ.html> ("P3P [allows] [w]eb sites to express their privacy practices and enable users to exercise preferences over those practices. P3P products will allow users to be informed of site practices (in both machine and human readable formats), to delegate decisions to their computer when appropriate, and allow users to tailor their relationship to specific sites."). . "[I]f police are lawfully in a position from which they view an object, if its incriminating character is immediately apparent, and if the officers have a lawful right of access to the object, they may seize it without a warrant." Minnesota v. Dickerson, 508 U.S. 366, 375 (1993); see also Michigan v. Long, 463 U.S. 1032, 1049-50 (1983). . See generally A. Michael Froomkin, Legal Issues in Anonymity and Pseudonymity, 15 The Information Society 113 (1999). . On masks, however, see text accompanying notes 297-299 infra (discussing antimask laws in several states). . 120 S. Ct. 666, 668 (2000) (upholding Driver's Privacy Protection Act of 1994, 18 U.S.C. §§ 2721-25 (1994 ed. and Supp. III), against claim that it violated federalism principles of Constitution). . Id. at 671 (quoting United States v. Lopez, 514 U.S. 549, 558-59 (1995)). . In Kleindienst v. Mandel, 408 U.S. 753, 765-70 (1972), the Court acknowledged a First Amendment right to receive information, but said that the right must bow to Congress' plenary power to exclude aliens. See also Lamont v. Postmaster General, 381 U.S. 301, 305-07 (1965) (invalidating a statutory requirement that foreign mailings of "communist political propaganda" be delivered only upon request by the addressee); Martin v. City of Struthers, 319 U.S. 141, 146-49 (1943) (invalidating a municipal ordinance forbidding door-to-door distribution of handbills as violative of the recipients' First Amendment rights); The Rights of the Public and the Press to Gather Information, 87 Harv. L. Rev. 1505, 1506 (1974) ("[W]hen the public has a right to receive information, it would seem to have a [F]irst [A]mendment right to acquire that information."). . See Los Angeles Police Dep't. v. United Reporting Publ'g Corp., 120 S. Ct. 483, 489-90 (1999); Zemel v. Rusk, 381 U.S. 1, 16-17 (1965). . See generally Phillip E. Hassaman, Annotation, Taking Unauthorized Photographs as Invasion of Privacy, 86 A.L.R.3d 374 (1978). The classic case is Daily Times Democrat v. Graham, 162 So. 2d 474, 478 (Ala. 1964), reflected in the Restatement (Second) of Torts: "Even in a public place, however, there may be some matters about the plaintiff, such as his underwear or lack of it, that are not exhibited to the public gaze; and there may still be invasion of privacy when there is intrusion upon these matters." Restatement (Second) of Torts § 652B cmt. C (1977). . United States v. Vazquez, 31 F. Supp. 2d 85, 90 (D. Conn. 1998) (finding no invasion of privacy where plaintiffs were photographed on a city sidewalk in plain view of the public eye); see also Jackson v. Playboy Enter., 574 F. Supp. 10, 13 (S.D. Ohio 1983); Fogel v. Forbes, Inc., 500 F. Supp. 1081, 1087 (E.D. Pa. 1980) (no invasion of privacy when photographing plaintiff at "a public place or a place otherwise open to the public"); People for the Ethical Treatment of Animals v. Bobby Berosini, Ltd., 895 P.2d 1269, 1281 (Nev. 1995) (no invasion of privacy filming backstage before live performance); Cox v. Hatch, 761 P.2d 556, 564 (Utah 1988) (no invasion of privacy when photographing "in an open place and in a common workplace where there were a number of other people"); Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386 (La. 1979) (holding that the First Amendment protects the right to take and publish photos of a house from a public street); Mark v. KING Broad. Co., 618 P.2d 512, 519 (Wash. Ct. App. 1980), aff'd sub nom. Mark v. Seattle Times, 635 P.2d 1081 (Wash. 1981) (no invasion of privacy when filming interior of pharmacy from the exterior of the building). . Vazquez, 31 F. Supp. 2d at 90 (quoting Mark, 618 P.2d at 519). . The United States Customs offers travelers the option of choosing a pat down search instead of the X-ray, arguing that some might find the imaging to be less intrusive. See Hajela, supra note 164. . See note 188 supra. . Cf. Andrew Jay McClurg, Bringing Privacy Law out of the Closet: A Tort Theory of Liability for Intrusions in Public Places, 73 N.C. L. Rev. 989, 1063 (1995) (making a similar distinction in connection with a privacy tort and proposing that "most situations involving actionable public intrusions would involve the defendant using some form of technological device (e.g., video camcorder, single-frame camera, audio recording device, binoculars, telescope, night vision scope) to view and/or record the plaintiff"). . See 18 U.S.C. § 2512(1)(a)-(b) (1986) (prohibiting mailing, manufacturing, assembling, possessing, or selling of "any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications," so long as there is a connection with interstate commerce). The section also bans advertising such devices unless for official use only. See id. § 2512(c). . Cf. Forster v. Manchester, 189 A.2d 147, 150 (Pa. 1963) (rejecting an invasion of privacy claim because "all of the surveillances took place in the open on public thoroughfares where appellant's activities could be observed by passers-by. To this extent appellant has exposed herself to public observation and therefore is not entitled to the same degree of privacy that she would enjoy within the confines of her own home"); Daily Times Democrat v. Graham, 162 So. 2d 474, 478 (Ala. 1964) (relying on Foster v. Manchester for the proposition that it is not "such an invasion to take his photograph in such a place, since this amounts to nothing more than making a record, not differing essentially from a full written description of a public sight which anyone present would be free to see"). . The constitutionality of limits on data gathering in public places may be tested by anti-paparazzi statutes. The statute recently adopted in California suggests how such a law might look, although the California statute artfully avoids the interesting constitutional issues. The key parts of the statute state:
b) A person is liable for constructive invasion of privacy when the defendant attempts to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a personal or familial activity under circumstances in which the plaintiff had a reasonable expectation of privacy, through the use of a visual or auditory enhancing device, regardless of whether there is a physical trespass, if this image, sound recording, or other physical impression could not have been achieved without a trespass unless the visual or auditory enhancing device was used.
. . . .
(e) Sale, transmission, publication, broadcast, or use of any image or recording of the type, or under the circumstances, described in this section shall not itself constitute a violation of this section, nor shall this section be construed to limit all other rights or remedies of plaintiff in law or equity, including, but not limited to, the publication of private facts.
Cal. Civ. Code § 1708.8(b), (e) (West 1999). By limiting the offense to invasions offensive to a reasonable person, where there was already a reasonable expectation of privacy, and exempting republishers, the statute avoids the hard issues. See generally Privacy, Technology, and the California "Anti-paparazzi" Statute, 112 Harv. L. Rev. 1367 (1999); Andrew D. Morton, Much Ado About Newsgathering: Personal Privacy, Law Enforcement, and the Law of Unintended Consequences for Anti-paparazzi Legislation, 147 U. Pa. L. Rev. 1435 (1999). . See Near v. Minnesota ex rel. Olson, 283 U.S. 697, 716 (1931) ("No one would question but that a government might prevent actual obstruction to its recruiting service or the publication of the sailing dates of transports or the number and location of troops."). . See U.S. Const. art. I, § 8, cl. 8. . See Taucher v. Born, 53 F. Supp.2d 464, 482 (D.D.C. 1999) (upholding a First Amendment challenge to § 6M(1) of the Commodity Exchange Act, 7 U.S.C. § 6m(1) (amended 1994), as applied to publishers of books, newsletters, Internet websites, instruction manuals, and computer software providing information, analysis, and advice on commodity futures trading, because speech may not be proscribed "based solely on a fear that someone may publish advice that is fraudulent or misleading"). . Id. at 530. . E.g., Snepp v. United States, 444 U.S. 507, 510-15 (1980) (holding that government could enforce secrecy contract with former CIA agent); Cohen v. Cowles Media Co., 501 U.S. 663 (1991) (holding that a confidential source could recover damages for publisher's breach of promise of confidentiality). . In Detroit Edison Co. v. NLRB, 440 U.S. 301 (1979), the Court protected informational privacy interests in holding that the National Labor Relations Board could not compel a company to disclose results of psychological tests on individual employees to a union without the employees' consent. The Court held that, under federal labor law, the employees' right to privacy outweighed the burden on the union despite the union's assertion that it needed the data. . 443 U.S. 97, 102 (1979). . Id. at 103; quoted with approval in Florida Star v. B.J.F., 491 U.S. 524, 524 (1989). . 420 U.S. 469, 472 (1975). . Id. at 494-95. . 435 U.S. 829 (1978). . Id. at 837. . 443 U.S. 97 (1979). . Id. at 103. . 491 U.S. 524 (1989). . 514 U.S. 476 (1995). In 44 Liquormart, Inc. v. Rhode Island, 517 U.S. 484 (1996), a fractured Court overturned Rhode Island's ban on truthful advertising of the retail price of alcoholic beverages. . Florida Star, 491 U.S. at 532-33 (quoting Cox Broad. Corp. v. Cohn, 420 U.S. 469, 491 (1975)). . Daily Mail, 443 U.S. at 102. . Id. at 103; see also Florida Star, 491 U.S. at 532-33 (quoting Daily Mail, 443 U.S. at 103, with approval). . Daily Mail, 443 U.S. at 103. . See Florida Star, 491 U.S. at 534 n.8 (citations omitted):
The Daily Mail principle does not settle the issue whether, in cases where information has been acquired unlawfully by a newspaper or by a source, government may ever punish not only the unlawful acquisition, but the ensuing publication as well. This issue was raised but not definitively resolved in New York Times Co. v. United States, and reserved in Landmark Communications. We have no occasion to address it here. . Washington is notoriously leaky. Except for the rare prior restraint cases involving national security such as New York Times v United States, 403 U.S. 713 (1971) (the "Pentagon papers" case), and United States v. Progressive, Inc., 467 F. Supp. 990 (W.D. Wis. 1979) (the H-bomb case), the government's unbroken practice is to either ignore leaks, or, occasionally, to seek to impose after-the-fact criminal sanctions on the leakers but not on the press. See L. A. Powe, Jr., Mass Communications and the First Amendment: An Overview, 55 Law & Contemp. Probs. 53, 57-58 (1992) ("It has been almost twenty years and five administrations since Branzburg v. Hayes held that there is no general first amendment privilege for reporters who wish to protect their confidential sources. Yet there has not been a single subpoena to trace an inside-the-Beltway leak of information . . . .") (citation omitted). . 191 F.3d 463 (D.C. Cir. 1999). Judge Randolph authored the court's opinion, with Judge Ginsburg concurring in the judgment and with parts of the opinion. Judge Sentelle dissented. . See 18 U.S.C. § 2511(1)(c)-(d), creating civil and criminal causes of action against anyone who:
(c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;
(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection . . . ." . Boehner, 191 F.3d at 468. . Id. . See id. at 466-67 (citing United States v. O'Brien, 291 U.S. 367, 376 (1968), for proposition that "when 'speech' and 'nonspeech' elements are combined in the same course of conduct, a sufficiently important governmental interest in regulating the nonspeech element can justify incidental limitations on First Amendment freedoms"). . See id. at 469. . Florida Star v. B.J.F., 491 U.S. 524, 524 (1989) (quoting Smith v. Daily Mail Publishing Co., 443 U.S. 97, 103 (1979)). . See Boehner, 191 F.3d at 480 (Ginsburg, J., concurring). . See id. at 480-84 (Sentelle, J., dissenting). . Id. at 484-85. . See id. at 485. . Bartnicki v. Vopper, 200 F.3d 109, 113 (3d Cir. 1999). . Id. . See 191 F.3d at 467 (noting that the ultimate publishers of the conversation were not defendants in the Boehner case). . Cohen v. Cowles Media Co., 501 U.S. 663, 669 (1991). . Id. at 670. . See Barnicki, 200 F.2d at 124. . See id. at 130. . Id. at 125. The government also argued that the Act would "deny[] the wrongdoer the fruits of his [own] labor," but the majority noted on the facts neither defendant was the "wrongdoer"--the eavesdropper--so that justification did not apply. Id. . Id. at 126. . Id. at 133-34 (Pollak, J., dissenting). . Cf. Bernstein v. United States, 176 F.3d 1132, 1146 (9th Cir. 1999), opinion withdrawn, rehearing en banc granted, 192 F.3d 1308 (9th Cir. 1999) (deciding that source code is speech). . 120 S. Ct. 483, 489 (1999). . Neither party briefed or argued the First Amendment issue, except that the United States' reply brief responded to a claim, by an amicus, that Condon was analogous to the government targeting a particular member of the press for adverse treatment. See Reply Brief for the Petitioners at 17, Reno v. Condon, 120 S. Ct. 666 (2000) (No.98-1464), available in 1999 WL 792145. . As Eugene Volokh reminded me, "cases cannot be read as foreclosing an argument that they never dealt with." Waters v. Churchill, 511 U.S. 661, 678 (1994) (plurality opinion) (citing United States v. L.A. Tucker Truck Lines, Inc., 344 U.S. 33, 38 (1952)); see also Miller v. California Pac. Med. Ctr., 991 F.2d 536, 541 (9th Cir. 1993) ("It is a venerable principle that a court isn't bound by a prior decision that failed to consider an argument or issue the later court finds persuasive."). . See 18 U.S.C. § 2721(c) (1999):
An authorized recipient of personal information . . . may resell or redisclose the information only for a use permitted under subsection (b) . . . . Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request. . Reno v. Condon, 120 S. Ct. 666, 668 (2000). . See id. (noting that the DPPA is generally applicable). In Travis v. Reno, 163 F.3d 1000, 1007 (7th Cir. 1998), Judge Easterbrook characterized First Amendment arguments against the DPPA as "untenable." It is clear from the context, however, that Judge Easterbrook was speaking only of the alleged First Amendment right to view driver's license records, and did not address the republishing issue. . 120 S. Ct. 483, 489 (1999). . See id. . Ironically, a vision that makes it possible to restrict the speech of persons who receive contraband information in the name of privacy is also the most compatible with diverse enactment such as the Uniform Computer Information Transactions Act and the Copyleft license, each of which impose private conditions on data dissemination. . See generally Eugene Volokh, Cheap Speech and What it Will Do, 104 Yale L.J. 1805 (1995). . "[N]early every action, recommendation, or policy decision in the foreign policy or national security field is classified as a secret by someone at some time, often without valid reason, except for bureaucratic convenience," Floyd Abrams, Henry Mark Holzer, Don Oberdorfer & Richard K. Willard, The First Amendment and National Security, 43 U. Miami L. Rev. 61, 75 (1988) (remarks of Washington Post reporter Don Oberdorfer). . 447 U.S. 557, 566 (1980). . See Restatement (Second) of Torts § 652C (1977) (stating that it is an invasion of privacy for someone to appropriate the name or likeness of another); see also Cal. Civ. Code § 3344.1 (1999) (extending the right protect one's name or likeness from publicity for 70 years after death). For a survey of the evolving right of publicity in the United States, compare Theodore F. Haas, Storehouse of Starlight: The First Amendment Privilege to Use Names and Likenesses in Commercial Advertising, 19 U.C. Davis L. Rev. 539 (1986) (arguing that the Supreme Court has begun a revolutionary reinterpretation of the constitutional status of commercial advertising, creating a tension between the right to control the use of one's name and likeness, and the free speech rights of advertisers), with James M. Treece, Commercial Exploitation of Names, Likenesses, and Personal Histories, 51 Tex. L. Rev. 637 (1973) (arguing that only those who can show actual injury from the appropriation of their name or likeness should be compensated; otherwise the First Amendment should prevail). . Rubin v. Coors Brewing Co., 514 U.S. 476, 482 (1995) (citing Central Hudson Gas & Electric Corp. v. Public Serv. Comm'n of N.Y., 447 U.S. 557, 562 (1980) (quoting Ohralik v. Ohio State Bar Ass'n, 436 U.S. 447, 455-56 (1978))). . 15 U.S.C. §§ 1681-1681s (1999). . See id. § 1681c (prohibiting reporting of bankruptcies that are more than 10 years old; "[c]ivil suits, civil judgments, and records of arrest that, from date of entry, antedate the report by more than seven years or until the governing statute of limitations has expired, whichever is the longer period;" tax liens paid seven or more years earlier; or other noncriminal adverse information that is more than seven years old. None of the prohibitions apply if the transaction for which the report will be used exceeds $150,000, or the job on offer pays more than $75,000 per year.); see also id. § 1681k (requiring that consumer credit reporting agencies have procedures in place to verify the accuracy of public records containing information adverse to the data subject). . 47 U.S.C. § 551 (1999). . 102 Stat. 3195 (1988) (codified as 18 U.S.C. § 2710 (1999)). The act allows videotape rental providers to release customer names and addresses to third parties so long as there is no disclosure of titles purchased or rented. Customers can, however, be grouped into categories according to the type of film they rent. See id. § 2710(b)(2)(D)(ii). . See Kang, supra note 16, at 1282 (arguing that the proposed Cyberspace Privacy Act survives First Amendment scrutiny because of its similarity to the Cable Act and the Video Privacy Protection Act, neither of which have been successfully challenged on First Amendment grounds). . See generally Equifax Serv., Inc. v. Cohen, 420 A.2d 189 (Me. 1980),(characterizing Equifax's interest as commercial speech, but nonetheless finding that the First Amendment was violated). . See A. Michael Froomkin, The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Pa. L. Rev. 709, 850-60 (1995) (discussing fear in the context of constitutional archetypes) <http://www.law.miami.edu/~froomkin/articles/clipper.htm>. . See Morton, supra note 195, at 1470 (noting that current Fourth Amendment law is settled in regard to an individual's reasonable expectation of privacy). . See William J. Clinton & Albert Gore, Jr., A Framework for Global Electronic Commerce § 2 (1997) (the "E-Commerce White Paper") <http://www.iitf.nist.gov/eleccomm/ecomm.htm>. . See Joel R. Reidenberg, Restoring Americans' Privacy in Electronic Commerce, 14 Berkeley Tech. L.J. 771, 789 (1999) ("During the debate over self-regulation, U.S. industry took privacy more seriously only when government threats of regulation were perceived as credible."); see also Peter P. Swire, Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information, in Privacy and Self-Regulation in the Information Age 3, 11 (U.S. Dep't of Commerce ed., 1997) (arguing that industry members might rationally prefer an unregulated market in which they can sell personal information to a self-regulated market, and therefore only the threat of mandatory government regulation can induce them to self-regulate). . Roger Clarke, The Legal Context of Privacy-Enhancing and Privacy-Sympathetic Technologies, Apr. 12, 1999 <http://www.anu.edu.au/people/Roger.Clarke/DV/Florham.html>. . See <http://www.truste.org/webpublishers/pub_join.html#step3> (describing TRUSTe's services). . See id. at Investigation Results <http://www.truste.org/users/users_investigations.html> (stating that TRUSTe posts results of its investigations "[f]rom time to time"). The page currently lists the results of only six investigations (as of April 2000). . See RealNetworks' Privacy Intrusion, Junkbusters <http://www.junkbusters.com/ht/
en/real.html> (detailing the controversies surrounding the GUID discovery); TRUSTe, Truste &
RealNetworks Collaborate to Close Privacy Gap, <http://www.truste.org/about/about_
software.html> (describing TRUSTe's efforts to resolve the GUID situation); RealJukebox Update, RealNetworks <http://www.realnetworks.com/company/privacy/jukebox/privacyupdate.html> (announcing RealNetwork's release of a software update designed to address customer concerns about privacy); Robert Lemos, Can You Trust TRUSTe?, ZDNet News, Nov. 2, 1999 <http://www.zdnet.
com/zdnn/stories/news/0,4586,2387000,00.html> (claiming that TRUSTe does not take active measures to assure that its license holders do not violate consumer privacy). . See TRUSTe & RealNetworks Collaborate, supra note 267 (explaining that the GUID incident was outside the scope of TRUSTe's privacy seal program because it did not involve collection of data on RealNetworks' website); see also TRUSTe FAQ <http://www.truste.org/users/
users_investigationfaqs.html> (stating that TRUSTe does not deal with software or offline privacy practices but only with information collected and used by web sites). . See Watchdog #1723--Microsoft Statement of Finding, TRUSTe <http://www.truste.org/
users/users_w1723.html> (announcing that Microsoft had not violated its TRUSTe license because the manner in which the information was transferred did not fall within the boundaries of the TRUSTe license agreement, but acknowledging that the data transfer did compromise consumer trust and privacy). . See TRUSTe &RealNetworks Collaborate, supra note 267 (announcing TRUSTe's plan to extend its privacy services to RealNetworks' software applications and to form a working group of software and Internet experts to advise TRUSTe how to extend its privacy seal program). . See Jamie McCarthy, TRUSTe Decides Its Own Fate Today, SLAS DOT, Nov. 8, 1999 <http://slashdot.org/yro/99/11/05/1021214.shtml> (detailing several other debacles, in which trustmark holders violated privacy policies or principles but kept their accreditation). . Janet Kornblum, FTC, GeoCities Settle on Privacy, CNET News, Aug. 13, 1998 (quoting on FTC statement) <http://news.cnet.com/news/0-1005-200-332199.html>. . Id. (quoting GeoCities' membership sign-up form). . Id. (quoting FTC statement). . See Jamie McCarthy, Is TRUSTe Trustworthy?, The Ethical Spectacle, Sept. 1998 <http://www.spectacle.org/998/mccarthy.html> (detailing the denial). . See TRUSTe, TRUSTe Sponsors, <http://www.truste.org/about/about_sponsors.htm> (listing TRUSTe's corporate sponsors). . See McCarthy, supra note 271 (noting that TRUSTe is by far the industry leader in the United States. Its only competitor, BBBOnline, has fewer than 100 members, compared to TRUSTe's 750.). . See, e.g., note 269 supra. . See Children's Online Privacy Protection Rule, 16 C.F.R. § 312.5 (effective April 21, 2000) (requiring parental consent prior to collection of information from children under 13). . See Roger Clarke, Senate Legal and Constitutional References Committee Inquiry Into Privacy and the Private Sector (July 7, 1998) <http://www.anu.edu.au/people/
Roger.Clarke/DV/SLCCPte.html> . See, e.g., OECD, Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data <http://www.oecd.org/dsti/sti/it/secur/prid/PRIV-EN.HTM>; Roger Clarke, Internet Privacy Concerns Confirm the Case for Intervention <http://www.anu.edu.au/
people/Roger.Clarke/DV/CACM99.html>. . See Brian McWilliams, Real Hit With Another Privacy Lawsuit, InternetNews.com, Nov. 10, 1999 <http://www.internetnews.com/streaming-news/article/0,1087,8161_236261,00.html>. . 18 U.S.C. § 1030 (1999). . See McWilliams, supra note 282. . Herbert Burkert, Privacy Enhancing Technologies and Trust in the Information Society (1997) <http://www.gmd.de/People/Herbert.Burkert/Stresa.html>. . Reidenberg, supra note 263, at 789; see also Joel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules through Technology, 76 Tex. L. Rev. 553, 584 (1998) (advocating that companies which do not protect personal data through PETs should have legal liability). . For some suggested basic design principles, see Information and Privacy Commissioner/Ontario, Canada & Registratiekamer, supra note 178; see also Ian Goldberg, David Wagner & Eric Brewer, Privacy-enhancing Technologies for the Internet <http://www.cs.
berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html> (describing existing PETs and calling for additional ones). . For a discussion of such systems, see generally Santa Clara Symposium on Privacy and IVHS, supra note 65. . See Herbert Burkert, Privacy-Enhancing Technologies: Typology, Critique, Vision, in Technology and Privacy, supra note 176, at 125, 125-28. . See Carl Kozlowski, Chicago Security-Device Shop Gets Caught in Privacy Debate, Chi. Trib., Dec. 16, 1999, available in 1999 WL 28717597 (describing $400 to $1600 pocket-sized detectors that vibrate when recording devices are near). . For a discussion of encryption, see generally Froomkin, supra note 260. . See generally id.; A. Michael Froomkin, It Came From Planet Clipper: The Battle Over Cryptographic Key "Escrow," 1996 U. Chi. Legal F. 15 (1996); Bernstein, Karn, and Junger: Constitutional Challenges to Cryptographic Regulations, 50 Ala. L. Rev. 869 (1999). . Bernstein v. United States, 176 F.3d 1132, 1146 (9th Cir. 1999) (citations omitted), opinion withdrawn, reh'g en banc granted, 192 F.3d 1308 (9th Cir. 1999). . See Revisions to Encryption Items, 65 Fed. Reg. 2491 (2000) (to be codified at 15 C.F.R. pts. 734, 740, 742, 770, 772 & 774); see also Letter from the Dep't of Commerce, Bureau of Export Admin., to Cindy A. Cohn, attorney, McGlashnand Sarrail (Feb. 17, 2000) <http://cryptome.org/
bxa-bernstein.htm> (explaining that source code is not considered "publicly available" and thus remains subject to post-export reporting requirements). . See Reuters, Strong Encryption for Win 2000 <http://www.wired.com/news/technology/
0,1282,33745,00.html>. . See David McGowan, Free Contracting, Fair Competition, and Article 2B: Some Reflections on Federal Competition Policy, Information Transactions, and "Aggressive Neutrality," 13 Berkeley Tech. L.J. 1173, 1214-24 (1998); cf. Celine M. Guillou, The Reverse Engineering of Computer Software in Europe and the United States: A Comparative Approach, 22 Colum.-VLA J.L. & Arts 533 (1998) (contrasting rules generally allowing reverse engineering of software in the European Union with more restrictive rules in the United States). . See, e.g., Walpole v. State, 68 Tenn. 370, 372-73 (1878). . See Wayne R. Allen, Klan, Cloth and Constitution: Anti-Mask Laws and the First Amendment, 25 Ga. L. Rev. 819, 821 n.17 (1991) (citing statutes from 10 states); Oskar E. Rey, Antimask Laws: Exploring the Outer Bounds of Protected Speech Under the First Amendment--State v. Miller, 260 Ga. 669, 398 S.E.2d 547 (1990), 66 Wash. L. Rev. 1139, 1145 (1991). Additionally, 18 U.S.C. § 241 makes it a felony for two or more persons to travel in disguise on public highways or enter the premises of another with the intent to prevent the free exercise and enjoyment of any legal right or privilege by another citizen. See 18 U.S.C. § 241 (1999). . Decisions holding antimask laws unconstitutional include: American Knights of Ku Klux Klan v. City of Goshen, 50 F. Supp. 2d 835, 840 (N.D. Ind. 1999) (holding that a city ordinance prohibiting mask-wearing for the purpose of concealing identity in public violated First Amendment rights to freedom of expression and anonymity); Aryan v. Mackey, 462 F. Supp. 90, 91 (N.D. Tex. 1978) (granting temporary restraining order preventing enforcement of antimask law against Iranian students demonstrating against the Shah); Ghafari v. Municipal Court, 150 Cal. Rptr. 813, 819 (Cal. Ct. App. 1978) (holding that a statute prohibiting wearing masks in public was overbroad and finding the state's fear that violence would result from the mere presence of anonymous persons is "unfounded").
Cases upholding antimask laws include: Church of the American Knights of the Ku Klux Klan v. Safir, No. 1999 U.S. App. LEXIS 28106 (2d Cir. Oct. 22, 1999) (staying order of injunction against an 1845 New York state law forbidding masks at public demonstrations); Ryan v. County of DuPage, 45 F.3d 1090, 1092 (7th Cir. 1995) (upholding a rule prohibiting masks in the courthouse against a First Amendment challenge on grounds that the rule was reasonable because "[t]he wearing of a mask inside a courthouse implies intimidation"); Hernandez v. Superintendent, Fredericksburg-Rappahannock Joint Security Center, 800 F. Supp. 1344, 1351 n.14 (E.D. Va. 1992) (noting that a statute might have been held unconstitutional if petitioner had demonstrated that unmasking himself would have restricted his ability to enjoy free speech and freedom of association); Schumann v. State, 270 F. Supp. 730, 731-34 (S.D.N.Y. 1967) (denying temporary injunction of enforcement of a statute requiring licensing of assemblage of masked persons); State v. Miller, 398 S.E.2d 547 (Ga. 1990) (rejecting challenge to antimask statute); State v. Gates, 576 P.2d 1357, 1359 (Ariz. 1978) (rejecting a challenge to an antimask provision in an indecent exposure statute); Walpole, 68 Tenn. at 372-73 (enforcing statute); Hernandez v. Commonwealth, 406 S.E.2d 398, 401 (Va. Ct. App. 1991). Compare Allen, supra note 298, at 829-30 (arguing for the validity and retention of antimask laws), with Rey, supra note 298, at 1145-46 (arguing that antimask laws are unconstitutional). . 514 U.S. 334 (1995). . For a micro-economic argument that this change would be efficient given existing market imperfections, see Kenneth C. Laudon, Extensions to the Theory of Markets and Privacy: Mechanics of Pricing Information, in Privacy and Self-Regulation in the Information Age, supra note 275, at 41. . See, e.g., Rochelle Cooper Dreyfuss, Finding (More) Privacy Protection in Intellectual Property Lore, 1999 Stan. Tech. L. Rev. VS 8 <http://stlr.stanford.edu/STLR/Symposia/Privacy/
index.htm>; Diane Leenheer Zimmerman, Information as Speech, Information as Goods: Some Thoughts on Marketplaces and the Bill of Rights, 33 Wm. & Mary L. Rev. 665 (1992) (worrying that this is a bad thing). . See text accompanying notes 256-258 supra. . Kang, supra note 16, at 1293 n.332. . See, e.g., Paul Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1686 (1999) (noting "the lack of incentives to make the majority of firms oppose their self-interest, which lies in maintaining the status quo"). . Cf. Philip E. Agre, Introduction, in Technology & Privacy, supra note 176, at 1, 11 (noting an information asymmetry between firms and consumers: firms control the releases of information about themselves and about what information they have on consumers). . Viktor Mayer-Schönberger, Generational Development of Data Protection in Europe, in Technology & Privacy supra note 176, at 219, 232. . See id. at 233. . Cf. Richard S. Murphy, Property Rights in Personal Information: An Economic Defense of Privacy, 84 Geo. L.J. 2381, 2410-16 (1996); Carl Shapiro & Hal R. Varian, U.S. Government Information Policy 16 <http://www.sims.berkeley.edu/~hal/Papers/policy/policy.html>. . The tort currently requires an objectively reasonable expectation of privacy in place or circumstances. See Restatement (Second) of torts § 652B (1965). Some jurisdictions also require an actual trespass by the defendant. See, e.g., Pierson v. News Group Publications, Inc., 549 F. Supp. 635, 640 (S.D. Ga. 1982). . "The time has come," argues Professor McClurg, "for courts to recognize openly and forthrightly the existence of the concept of 'public privacy' and to afford protection of that right by allowing recovery for intrusions that occur in or from places accessible to the public." McClurg, supra note 192, at 1054-59 (proposing to revive the tort of invasion of privacy in public places through application of a multipart test); see also Diane L. Zimmerman, Requiem for a Heavyweight: A Farewell to Warren and Brandeis' Privacy Tort, 68 Cornell L. Rev. 291, 347-48, 358-62 (1983). . See Dow Chemical Co. v. United States, 476 U.S. 227, 239 (1986) (holding that taking aerial photographs is not a Fourth Amendment search); Shulman v. Group W Prod., Inc, 955 P.2d 469, 490 (Cal. 1998) (distinguishing between an accident scene, in public view, and medivac helicopter, where there was a reasonable expectation of privacy); see also Prosser and Keeton on the Law of Torts § 117 (5th ed. 1984). . Cal. Civ. Code. § 1708.8(b) (West 1999):
A person is liable for constructive invasion of privacy when the defendant attempts to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a personal or familial activity under circumstances in which the plaintiff had a reasonable expectation of privacy, through the use of a visual or auditory enhancing device, regardless of whether there is a physical trespass, if this image, sound recording, or other physical impression could not have been achieved without a trespass unless the visual or auditory enhancing device was used.
Id § 1708.8(k):
For the purposes of this section, "personal and familial activity" includes, but is not limited to, intimate details of the plaintiff's personal life, interactions with the plaintiff's family or significant others, or other aspects of plaintiff's private affairs or concerns. Personal and familial activity does not include illegal or otherwise criminal activity as delineated in subdivision (f). However, "personal and familial activity" shall include the activities of victims of crime in circumstances where either subdivision (a) or (b), or both, would apply. . 18 U.S.C. § 2512(1)(a), (b) (2000):
Except as otherwise specifically provided in this chapter, any person who intentionally--
(a) sends through the mail, or sends or carries in interstate or foreign commerce, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications;
(b) manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce. . See Annotation, Validity, Construction, and Application of Statutes Relating to Burglars' Tools, 33 A.L.R.3d 798 (1970 & Supp. 1999). ("Statutes making unlawful the possession of burglars' tools or implements have been enacted in most jurisdictions."). . For a criticism of these and other limitations, see Privacy, Technology, and the California "Anti-Paparazzi" Statute, supra note 195, at 1378-84. . See Mayer-Schönberger, supra note 307, at 232; Schwartz & Reidenberg, supra note 5. . See Swire & Litan, supra note 5; Schwartz & Reidenberg, supra note 5. . See FTC Children's Online Privacy Protection Rule, 16 C.F.R. § 312.5 (effective Apr. 21, 2000), (requiring parental consent prior to collection of information from children under thirteen). . Brin, supra note 11, at 8-9. . Id. at 13. . Id. . International agreements to which the United States is a party speak in at least general terms of rights to privacy. Article 12 of the Universal Declaration of Human Rights, adopted by the United Nations in 1948, states that "[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." G.A. Res. 217A (III), U.N. GAOR, 3d Sess., Supp. No. 13, at 71, UN Doc. A/810 (1948) <http://www.hrweb.org/legal/udhr.html>. Similarly, Article 17 of the International Covenant on Civil and Political Rights states that "[n]o one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation." International Covenant on Civil and Political Rights, March 23, 1976, art. 17, 999 U.N.T.S. 171 <http://www.unhchr.ch/html/menu3/b/a_ccpr.htm>.
Both agreements state that "[e]veryone has the right to the protection of the law against such interference or attacks." . Potentially invidious categories such as ethnicity are sometimes subject to special regulation. . David H. Flaherty, Controlling Surveillance: Can Privacy Protection Be Made Effective, in Technology & Privacy, supra note 176, at 167, 170. . Some states require consent of both parties, some just one. . In the case of analog cellular phones, the tools are available in most Radio Shacks, although they require slight modification. See Rich Wells, Radio Shack PRO-26 Review <http://
www.durhamradio.ca/pro26r.htm>; cf. Boehner v. McDermott, 191 F.3d 463, 465 (D.C. Cir. 1999) (describing the use of a scanner to eavesdrop). . See generally Richard B. Stewart, The Reformation of American Administrative Law, 88 Harv. L. Rev. 1667 (1975). . See Robert Gellman, Does Privacy Law Work?, in Technology & Privacy, supra note 289, at 193, 214-15. . See text following note 284 supra. . Cox Broadcasting Corp. v. Cohn, 420 U.S. 469, 487 (1975); see also Griswold v. Connecticut, 381 U.S. 479, 484-85 (1965) (describing how the Third and Ninth Amendments create "zones of privacy"). . E.g., Nixon v. Administrator of Gen. Serv., 433 U.S. 425, 465 (1977) (suggesting that the former President has a privacy interest in his papers). In Whalen, the Court accepted that the right to privacy includes a generalized "right to be let alone," which includes "the individual interest in avoiding disclosure of personal matters." Whalen v. Roe, 429 U.S. 589, 599 (1977) (finding that whatever privacy interest exists for patients in information about their prescriptions was insufficient to overcome the compelling state interest). . The leading counterexample to this assertion is United States Dept. of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749 (1989), in which the Supreme Court held that there was a heightened privacy interest in an FBI compilation of otherwise public information sufficient to overcome an FOIA application. Even if the data contained in a "rap sheet" were available in public records located in scattered courthouses, the compilation itself, the "computerized summary located in a single clearinghouse" was not. Id. at 764. . Other than its direct prohibition of slavery, the United States Constitution does not directly regulate private conduct.
Some state constitutions' privacy provisions also apply only to the government. For example, the Florida constitution provides that "[e]very natural person has the right to be let alone and free from governmental intrusion into the person's private life except as otherwise provided herein. This section shall not be construed to limit the public's right of access to public records and meetings as provided by law," Fla. Const. art I., § 23, but this does not apply to private actors. See Hon. Ben F. Overton & Katherine E. Giddings, The Right of Privacy in Florida in the Age of Technology and the Twenty-first Century: A Need for Protection from Private and Commercial Intrusion, 25 Fla. St. U. L. Rev. 25, 53 (1997). . Some state constitutions go further. Compare State v. Hunt, 450 A.2d 952 (N.J. 1982) (holding that the New Jersey state constitution creates a protectable privacy interest in telephone billing records), with United States v. Miller, 425 U.S. 435 (1976), and California Bankers Assn. v. Shultz, 416 U.S. 21 (1974) (finding no such right in the Federal Constitution).
In 1972 the people of the State of California adopted a ballot initiative recognizing an "inalienable right" to "privacy": "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." Cal. Const. art. I, § I.
In 1994 the California Supreme Court held that the 1972 privacy initiative created a right of action against private actors as well as the government. See Hill v. National Collegiate Athletic Ass'n, 865 P.2d 633, 644 (Cal. 1994). Although it described informational privacy as the "core value furthered by the Privacy Initiative," the court also listed several conditions that would have to be met before a claim asserting that right could succeed. A plaintiff must show: (1) that the public or private defendant is infringing on a "legally protected privacy interest"--which in the case of informational privacy means an individual's right to prevent the "dissemination or misuse of sensitive and confidential information"; (2) a "reasonable expectation of privacy" based on "an objective entitlement founded on broadly based and widely accepted community norms"; and (3) a "serious invasion" of privacy by the defendant. Id. at 654-55. Even then, the court stated that privacy claims must be balanced against countervailing interests asserted by the defendant. Id. at 653. . Some issues are common to both public and private contexts: for example, whether the subject enjoys a reasonable expectation of privacy. Even if the question is the same, however, the answer may be different. Generally the same technology initially raises distinct issues in the two contexts, at least until the information is sold, although this too may create its own special issues. Cf. United States Department of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 752-53, 762-63, 780 (1989) (holding that the FBI could not release criminal rap sheet consisting predominately of information elsewhere on public record when disclosure would invade subject's privacy). . The line of cases beginning with New York Times Co. v. Sullivan, 376 U.S. 254 (1964), is a good example of this phenomenon. Case law defining the circumstances in which a publisher could defend itself against a charge of libel--a problem of data use--generates a set of rules and procedures defining data collection actions that reporters must obey in order to be able to prove they complied with basic norms of nonrecklessness.