This chapter explores the foundations of the legal right to privacy in the United States, juxtaposed against the accumulation and mining of data in today’s society. Businesses and government agencies have the capacity to accumulate massive amounts of information, tracking the behavior of ordinary citizens carrying out ordinary routines. Data mining techniques also provide the opportunity to analyze vast amounts of data to compile comprehensive profiles of behavior. Within this context, this chapter addresses the legal frameworks for data mining and privacy. Historically, privacy laws in the United States have adapted to changing technologies, but have done so slowly; arguably not keeping pace with current technology. This chapter makes clear that the legal right to privacy in the United States is not keeping pace with the accumulation, analysis, and use of data about each and every one of us.
TopIntroduction
In the classic Grimm’s fairy tale, Hansel and Gretel dropped bread crumbs as they walked through the forest so they could later follow them home. Of course, birds ate the crumbs, leaving Hansel and Gretel ultimately in the hands of the wicked witch. In modern society, we all leave crumbs wherever we go, only today’s crumbs are electronic and they never seem to go away. Transactional data are tracked, cell phones are monitored, Web surfing is recorded, and our moves in public are recorded by surveillance cameras (Froomkin, 2000). “The small details that were once captured in dim memories or fading scraps of paper are now preserved forever in the digital minds of computers, vast databases with fertile fields of personal data” (Solove, 2001, p. 1394). Our purchases now leave indelible traces, and the accumulation of these isolated transactions ultimately creates a recognizable portrait of each consumer (Karas, 2002).
It is not only businesses that collect and analyze data about our activities. The government is becoming increasingly reliant on consumer transactional data, using companies that already track that data (O’Harrow, 2005). Federal officials reportedly are routinely asking courts to order cell phone companies to furnish real-time tracking data to pinpoint the whereabouts of suspects (Nakashima, 2007b), and the FBI has been accused of seeking grocery-store purchase records in an effort to locate domestic terrorists (Singel, 2007). And the federal government itself maintains some 2,000 databases (Solove, 2001).
“Surveillance … has become a pervasive activity among both government and private organizations, as they rely on the details of peoples’ records to shape their dealings precisely to the circumstances of each individual they confront” (Rule, 2007, p. xi). The scope of data mining activities was exemplified shortly after the September 11, 2001 terrorist attacks in the United States, when the Defense Department tried to create a computerized surveillance system (called Total Information Awareness) to track the everyday activities of all American citizens with the goal of ferreting out terrorists (McClurg, 2003). Although Congress essentially killed the program, it was really nothing more than what hundreds of private companies are already doing (McClurg, 2003).
The U.S. legal system has recognized a “right to privacy” for over one hundred years. While its origin was sparked by changes in technology, it has recently failed to keep pace with technological advances in data collection and use. The right to privacy protects facts and conduct one wishes to keep private. But most data collected is publicly known or freely disclosed in individual transactions. As a result, the legal right to privacy does not adequately incorporate “informational privacy.” It does not provide any protection for how accumulated data are used. The concern is that data mining techniques expose every aspect of an individual’s life to businesses, the government, and possibly the public.
This chapter reviews privacy concerns arising from data mining used in two (overlapping) contexts—by businesses and by government entities. This dichotomy is based on the two principal aspects of privacy recognized within the U.S. legal system: a “civil” right to privacy that protects individuals from offensive conduct by other individuals (including businesses); and a constitutional right to privacy that protects individuals from government intrusions. While specific standards vary between these two aspects of privacy, they also incorporate parallel attributes—one of which is that there is no current legal framework to sufficiently restrict the use of data mining, by either businesses or the government, to protect individual privacy. There is also a third source of privacy protection, laws passed by Congress, which are briefly discussed later in this chapter. These privacy laws are only given a brief discussion because they are very specific in their application; covering only a small portion of data collection and mining activities.
Data mining techniques center on large databases, which often include data warehouses—multiple linked databases (Zarsky, 2002-2003). Therefore, many of the issues related to individual rights to privacy examined in this chapter relate not only to how data are used (data mining), but also how data are accumulated.