ally been looking for ways to allow evidence obtained by law enforcement officials to be used over the objections of defendants who maintain that it was illegally collected. It is not likely, Blakey maintained, that the courts would allow it costs more to send an encrypted message. Citicorp uses a simple encryption for its electronic mail and a much more sophisticated system for its electronic funds transfers, whose security is of far greater concern to the bank. Those trans Computer users and civil libertarians are concerned there is potential for abuse unless computer transmissions are given the same legal protections as telephone conversations. private wiretappers to use those definitions to slip through a blind spot in the law and escape punishment. Wiretappers would face liability under either the wire fraud statute or the Communications Act, he said. Nonetheless, Blakey, like many other experts in this area, said he would "applaud any effort by Congress to take a look at the specific protections" available for computer communications. Several legislators already are. Kastenmeier's staff has been looking at the issue, and Sen. Walter D. Huddleston, D-Ky., a member of the Select Committee on Intelligence, has indicated he would support legislation to protect non-aural communications. Whatever the state of the law, catching private wiretappers is not easy. No one has a good estimate of the amount of private wiretapping that is going on, said computer security expert Ware. Although it is technically easy to intercept microwave transmissions, most would-be wiretappers are deterred from seeking to tap the phone company's network that way because of the high cost of sifting through the mass of messages flowing through the microwave links to find the ones they want. (That is not a problem if the wiretapper is looking for the messages of a single company, such as Citicorp, that are carried along a private network.) Usually private wiretappers seek to intercept messages by breaking into local phone lines near the subject, say security experts. The Carter Administration, which was concerned about the Soviet Union's intercepting microwave transmissions with equipment in its offices in New York, San Francisco and Washington, undertook a series of steps to increase the security of government communications and pushed private companies to protect their communications through encryption, or encoding of the information. Only about 100 companies, mainly financial institutions worried about embezzlers sending phony messages to transfer funds, encrypt their data communications, said a government official. Firms have resisted encryption because 56 NATIONAL JOURNAL 1/14/84 security payment records to uncover pay. ments to people who have died. In one case, during the final months of the Carter Administration, a regional HHS office in Sacramento analyzed its enforcement records to compile a portrait of what it called a "welfare queen" and then ran that profile against a list of county welfare recipients. Those who met the characteristics were singled out for further investigation, though because of staff limits, the office actually investigated only a few of those identified. Over all, an HHS official estimated, fers cost twice as much to send as the the federal government has undertaken To some extent, new telecommunications technology itself will offer greater protection against interception. More messages are being sent through packet switching technology, which breaks up a communication into separate pieces and routes each piece along whatever space is free on many different communications paths. The result is that a single message may travel on several different paths, and the bits of information following each other on any single path may be unrelated. AT&T is changing its current system under which a phone conversation follows on the same communications path as the tones that indicate which phone number has been dialed. That system allows wiretappers to program their computers to look for a specific phone number and then begin recording. Under the new system, which is already in place in half of the interstate network, the tones will travel along a different path from the communication itself. Neither of these offer insurmountable problems to the most sophisticated wiretappers-such as the Soviet Union-but they do make the job harder, communications experts say. COMPUTER MATCHING Another area where privacy laws are fuzzy is the use of computer matching, a technique used by government investigators to find fraud. Matching takes many forms, but generally it entails the computer comparison of two lists to find anomolies that would indicate fraud. Supporters say that matching is a costeffective and efficient way to uncover possible fraud in federal programs without creating an undue invasion of privacy. "Of course we have to match," said former privacy commission chairman Linowes. "You have a need for law enforcement, for proper administration in government. You just can't say one thing is completely wrong in most cases." Critics say that even if each individual use can be justified, the cumulative uses of computer matching can constitute a serious invasion of privacy. Public opposition quickly grounded plans discussed by the Johnson Administration to create a national data bank that would have centralized all the data held on individuals by the government. Matching, said John H. Shattuck, national legislative director of the American Civil Liberties Union (ACLU), accomplishes the same end "through the back door." Some critics say that matching undermines 4th Amendment protections, since the records of all individuals in a program are searched, not only those for whom program administrators have reason to suspect of a crime. Others, such as Sen. William S. Cohen, R-Maine, worry that in the rush to find waste and fraud, the privacy implications of the growing use of matching are being overlooked. "As you look at each case, you can make a reasonable case for an exemption from our privacy law," Cohen said in an interview. "I'm trying to say we need to stand back and take a broader view. looking for fraud], more constitutional, more indigenous to our society, which is not being felt at this time: the need to protect privacy in our technological society." In Massachusetts, for example, state welfare officials have compared recipient. There is another pressure [besides roles for welfare, medicaid, food stamps and other benefit programs against account records in the state's banks to find beneficiaries with more than the legal limit in assets. The Health and Human Services Department (HHS) has matched welfare rolls against lists of federal employees and compared the employee lists with the list of those who have defaulted on student loans. The department's Project Spectre compares medicaid and medicare death files to social The Massachusetts case demonstrates both the advantages and hazards of matching. In one instance, the state terminated the medicaid benefits of an elderly woman in a nursing home because she possessed assets over the limit. But it was later revealed that her major holding was a funeral bond, which is permitted under the rules. Since then, the state has made procedural changes in the match program that have alleviated many of the concerns of advocates for benefit recipients. And the state estimates it has saved at least $5 million by finding 2,000 benefit recipients with assets over the legal limit. The law governing the use of federal records is the 1974 Privacy Act. The act generally prohibits the dissemination of government records outside of the agency that collected them. But because of a concession made to get the bill through, the law allows agencies to exchange records for "routine use." That is defined as a purpose "compatible" with the one for which the records were originally collected. The routine use exemption has become the legal basis for matching. Matching critics say that the intent of the privacy law was to prevent records from being passed between government agencies on a regular basis. "I don't think there was anything more clearly thought about than that," said James H. Davidson, a former Senate aide who helped draft the law. "That is what the Privacy Act is about." When the Carter Administration proposed its first match of federal employees against welfare rolls, the Civil Service Commission initially resisted on the ground that such use of employment records would violate the act. But eventually, the commission backed down. And Shattuck said that whatever the intent of the Privacy Act's drafters, the language of the statute makes it virtually impossible to challenge a match in court. "I think any match that uses information that is not clearly in the public domain is a violation of the Privacy Act," he said. "Unfortunately, the act is written in such a way as to make that extremely difficult to prove in a court of law." Christopher C. DeMuth, administrator of the Office of Management and Budget's (OMB) office of information and regulatory affairs, which is charged with ensuring federal compliance with the Privacy Act, agreed that the law does not offer clear guidance on what matches might be inappropriate. Congress, he said, "had to settle for a formulation that is sometimes attacked as too nebulous." But he said the fears about matching have proven unfounded. "The fears that these matches would be used as fishing expeditions have not come to pass," he said in an interview. "The matches have been quite narrow and related to highly plausible concerns about fraud and abuse." With budget cuts forcing welfare program administrators to trim benefit rolls, few legislators have expressed much con Sen. William S. Cohen says there is a "need to protect privacy in our technological society." cern about the privacy implications of matching. The House Government Operations Committee recently criticized OMB for not monitoring agency compliance with the Privacy Act. Cohen held hearings in December 1982 on matching and is planning hearings on matches conducted by the Internal Revenue Service, including the use of mailing lists purchased from private firms to look for tax evaders and the growing use of IRS data for nontax purposes such as aiding in the collection of student loans. Recently, the National Senior Citizens Law Center won a case in the U.S. District Court for the District of Columbia stopping a proposed Social Security Administration program that would have required recipients of supplemental security income benefits to disclose their tax returns. But over all, said Cohen, there is "not a whole lot of interest" in the subject among his colleagues. "The potential for abuse is there," he said, "although it does not seem imminent to most individuals." That assessment does not surprise Robert Ellis Smith, who has been watching these issues for almost a decade as publisher of the Privacy Journal. "I think legislation often gets enacted by anecdote," he said. "And the anecdotes are often more compelling on the side of access." CONTROLLING RECORDS For records held by the federal government, the Privacy Act establishes minimum standards that allow individuals to see and correct their own records. But for the vast majority of records held by private firms, there are no laws. Congress has passed legislation placing some limits on the use of records held by banks, credit bureaus and educational institutions. And last year, as part of cable television legislation, the Senate voted to limit the use of information about subscribers without their consent. Similar provisions are contained in the House version of the bill, which has passed the House Energy and Commerce Subcommittee on Telecommunications, Consumer Protection and Finance. In full committee, it is likely that efforts will be made to revise those standards to reflect objections from the cable industry and advertisers who sell products on cable. But generally, Congress has paid little attention to the central thrust of the privacy commission's study in the mid1970s. The commission argued that basic principles were needed to govern data collection and use of information about individuals held by institutions and to ensure that individuals could see and correct information about themselves. Since that report, only the legislation governing bank records, which is considered weak by many privacy experts, was enacted. Another major proposal dealing with medical records failed. Like the issues of electronic mail and protection of computer transmissions, the use of privately held records has not yet attracted sustained political attention. "Our concepts involving information privacy haven't even begun to be addressed," said former privacy commission chairman Linowes. "We don't have a public policy on information protection and privacy." Such a policy would not require limiting the advance of computer and communications technology, Linowes and other experts argue, but would establish principles of law. "The technology makes it easier both to collect and disseminate personal information without the person's knowledge," said Richard M. Neustadt, who worked on privacy issues as an associate director of the domestic policy staff in the Carter Administration and is now the senior vice president of Private Satellite Network Inc. "But that's nothing new. We've had personal records existing in file cabinets for a long, long time. All the computer does is put more records in and make it easier to get at. "What we're seeing is old problems made more complicated, more real. But they are solvable. I think you can have your cake and eat it too, if we write some good rules about this stuff. Unfortunately, there doesn't seem to be much interest in doing that in Washington now." NATIONAL JOURNAL 1/14/84 57 [From the New York Times, Mar. 13, 1984] IRS SEEKS LINKS TO COUNTY COMPUTERS IN TEXAS TO FIND DEBTORS (By David Burnham) WASHINGTON, March 12.-An Internal Revenue Service office in Texas is seeking to establish electronic links with the computers of 80 counties that will provide it instant access to local records concerning property taxes, voter registration and automobile ownership. The I.R.S., which already has established such a link with one major county in Texas, said it would use the information to track down individuals who had failed to pay their taxes. Spokesman for the revenue agency in Dallas and Washington said the Texas project had not yet been attempted in other sections of the country, and there are no plans for expansion at this time. The project raises the question of whether the impact of information changes when it can be instantaneously assembled, according to critics of the plan. Although the information that will be transmitted to the service by computer terminals has long been publicly available, the project has generated opposition from conservative Texas politicians and a spokesman for the American Civil Liberties Union. The criticism voiced by several members of the commission that governs Tarrant County, the area around Fort Worth, was so sharp that two weeks ago the I.R.S. withdrew its proposal to establish a direct link with that county's computers. OFFICIALS FEAR EFFECTS "This was just another extension of the drive by the Federal Government to gradually increase its power over local government," said B.D. Griffin, a Tarrant County commissioner. Secretary of State John Fainter raised another objection, saying, "The specter of the I.R.S. having direct access to voter registration records may intimidate those persons considering registering to vote." But Glenn Cagle, the director of the revenue service district that covers 143 counties of northern Texas, defended his plan as a way of reducing the costs of gaining information the Government could obtain anyway and said he was surprised by the opposition. "I am not going to speculate on the motives of the critics," he said. "But the fact is this is an election year." An I.R.S. spokesman in Washington, Scott Waffle, said he too was surprised by the adverse reaction. "All that is happening down there is an effort to improve the Government's efficiency by lessening the cost of obtaining information that always has been available to anyone who asks for it," he said. Mr. Waffle added that the project was not the result of a national directive to the I.R.S.'s 63 districts and that as far as he knew was not currently being pursued in other regions. The district that is moving to develop direct computer links has its headquarters in Dallas. In 1982, the individuals and businesses within its borders filed 4,858,821 of the 171 million tax returns the agency received. Last summer, Mr. Cagle wrote each of the counties requesting information about the extent to which their records were computerized and whether they would be interested in the project to give the I.R.S. direct access to them. Marlene Gaysek, an agency public affairs official in Dallas, said the district was negotiating with 80 of the counties and expects to complete arrangements with 20 of them soon. According to the contract that has been signed with Dallas County, which has 1,644,000 residents, the revenue service will have a county terminal in its Dallas office that will allow its 2,000 employees to make nearly instantaneous checks about the property owned and the property taxes paid by every person in the county; the name and address of all persons with a registered vehicle; the make, year and weight of that vehicle, and the name and address of every registered voter. Although the I.R.S. requested access to all the data in the voter registration files, the Dallas County commissioners ruled the agency could not obtain the dates of birth, Social Security numbers or telephone numbers of individuals. Miss Gaysek said the computer links would save the agency about $200,000 a year because lower-paid clerks, rather than field agents, would be able to gather information, and travel costs would be avoided. She said the district office would not use its computer access to compile complete new lists of all individuals living in an area that then would be matched against computerized lists of taxpayers. "There has been a real misunderstanding," she said. "We're not taking wholesale lists for computer matching purposes, we are using our direct access to track individual taxpayers. We need this detailed information when we file a tax lien against someone or check to make sure a taxpayer's financial statement is correct.' PRIVACY ISSUE RAISED James C. Harrington, an attorney in the state office of the A.C.L.U. in Austin, said that even though the information the I.R.S. would receive by computer was public, the use of county data conflicted with one of Congress' chief goals in protecing Federal records; a guarantee in the Privacy Act that the information an individual provides the Government for one purpose will not be used for another without the individual's permission. "We generally oppose this kind of cross computerization because despite what any agency says, history tells us that the information the I.R.S. is collecting will be compiled into a giant centralized data base," he said. "History also teaches that we have to develop appropriate legal restraints on all Government agencies." Tony Bonilla, the chairman of the National Hispanic Leadership Conference, said: "The bottom line is that this project is not necessary. The I.R.S. already has enough information about every taxpayer." [From the New York Times, Apr. 8, 1984] U.S. AGENCIES TO GET DIRECT LINK TO CREDIT RECORDS (By David Burnham) WASHINGTON, April 7.-Federal agencies will be able to obtain direct 24-hour-aday computer access to Americans' credit records under contracts now being negotiated by the General Services Administration. The Government has almost completed arrangements for establishing direct electronic links, between about 100 Federal agencies and seven major credit reporting companies that keep records on more than 100 million individuals and companies. The Government already has the legal right to obtain credit information before it grants loans. Once the links are in place, agency personnel could examine, almost instantaneously, the current status of bank loans, liens, divorce records, and department store, oil company and credit card accounts. DETAILS OF FEDERAL LOANS In addition, Federal agencies will give the private credit reporting companies details about loans made to individuals or companies by such agencies as the Department of Education or the Small Business Administration. Authorization for the new links was contained in legislation approved by Congress in 1982, and the sharing of information between the public and private sectors will be carried out under many of the guidelines established in the Fair Credit Reporting Act of 1968. Robert Ellis Smith, the publisher of The Privacy Times, said Thursday at a House hearing that arrangements for the links were almost complete. MOST SHOCKING ASPECT Mr. Smith, testifying before the House Judiciary Subcommittee on civil liberties, said "the most shocking aspect" of the exchange was that the credit reporting business "has a poor reputation for maintaining the accuracy of its information." He said one of the major credit reporting companies, TRWs Inc., estimated that a third of the million people who each year demand to see their records "challenge the information they see in their files." An official in the Office of Management and Budget, John F. Donahue, confirmed that the contracts establishing the new communication networks were nearly complete. He said the system was an important new weapon in the Government's arsenal against waste and fraud in Federal programs. Mr. Donahue said that under new guidelines published by his agency last summer, all agencies that grant loans to individuals or companies, or that sign con tracts with corporations, are required to make credit checks in which a wide range of personal information will be made available to the Government. Law-enforcement agencies have more limited access to the detailed credit records. According to Marvin Kaplan, a spokesman for the Association of Credit Bureaus, such agencies as the Federal Bureau of Investigation can obtain only names, addresses, former addresses and places of employment, unless they get a court order. Five of the credit reporting companies collect computerized information about the credit of individual Americans and two collect similar data on companies. The information, generally maintained in large computers and updated monthly, is sold to merchants, banks and other lenders. REVENUE SERVICES TEST PROTESTED While the credit information has been used by Government agencies in the past, the combination of the new budget office regulations and the development of the computerized links are expected to make such checks far more extensive. Also at the Thursday hearing, Alexander C. Hoffman of the Direct Marketing Association testified against a test by the Internal Revenue Service to determine whether national mailing lists can be used to identify individuals who have not paid their taxes. [From the Christian Science Monitor, Apr. 17, 1984] WHO'S SNOOPING AND HOW? U.S. AND U.S.S.R. "PEER INTO MIST" (By Peter Grier) WASHINGTON.-Pretending to be a Soviet eavesdropper, I peer into the purple mists of nothern Virginia, searching for the Pentagon. I am standing on the roof of an apartment on upper Wisconsin Avenue, one of the highest spots in Washington. Next door, the spindly legged frame of the new Soviet embassy is just emerging from morning shadows. From this vantage point, two things about the half-finished embassy quickly become apparent: 1. The Soviets will have a great view. 2. Their antennas will pick up more than HBO and "This Week with David Brinkley." To the south, next to the gray ribbon of I-395, the Pentagon is clearly visible. To the east is American Telephone & Telegraph's (AT&T) Arlington switching station, which sends an electronic beam of phone calls shooting right over the Soviet site. A few blocks north are the towers of the Naval Security Station and Western Union's Tenleytown microwave relay. The prospect of foreign aerials in the midst of this electronic interchange illustrates a dilemma of modern telecommunications. Whiz-bang technology makes the United States system the best in the world, say telecommunications experts-but that same technology makes it relatively easy to intercept messages. The U.S.S.R. from trawlers, trucks, and rooftops, has been listening in on our phone calls for years, say U.S. officials with access to intelligence information. The National Security Agency, the U.S. government's secretive electronic intelligence arm, scans an unknown amount of US messages headed overseas, according to court records and civil liberties advocates. Furthermore, it may be perfectly legal for anyone to eavesdrop on computer communications. Experts worry that wiretap law may cover only human speech, leaving the "beedle-de-beep" of computer talk unprotected. In general, it is the demise of the wire which has made these activities possible. Once, phone calls traveled only paths of copper; today many are shot across country by microwave. Microwave beams can be a third of a mile across, and to catch them, all an eavesdropper must do is hoist small dish antennas in their path. If the beam is an AT&T trunk line, sophisticated computer analysis is then required to unravel it. Overseas messages bounced off satellites are even easier to grab. With a good dish, satellite traffic can be stolen from anywhere in the U.S. from ships offshore, "even from Cuba," wryly notes a former White House communications official. Wireless phones are vulnerable, too. If you have a cheap model, neighbors may be able to hear parts of your conversation on AM radio. Last December, police in Woonsocket, R.I., used this eavedrop technique to snare a 19-member drug ring. All this doesn't mean there are lots of little guys out there listening to your calls. For the most part, only nations indulge in extensive electronic eavesdropping. |