Berkman Center for Internet & Society
Course Syllabus
Introduction
Calendar
Syllabus
  • Privacy and Identity
  • Privacy Standards
  • Cross-Border Issues
  • Encryption
  • Cookies and Clickstreams
  • Free Speech and Filtering
  • Workplace Privacy
  • Medical Records
    • Lecture Hall
    Reference
    Feedback

    Privacy in Cyberspace

    with Professor Arthur Miller

    Professor: Professor Arthur Miller
    Teaching Fellows: Allison Liff, Mr. Antoun Nabhan, Brandon Ponichter, Ms. Emily Sexton, Jason Linder, Ms. Jessamyn Berniker, Ms. Jocelyn Dabeau, Mr. Alexander Macgillivray, Melanie Schneck, Slade Sullivan and Ms. Wendy Seltzer

    Course Dates: March 15, 1999 to May 1, 1999
    Registration: February 10, 1999 - June 1, 1999

    March 22, 1999
    1. Who's Watching and Why?: Privacy and Identity
    April 5, 1999
    2. Who's Watching the Watchers?: Privacy Standards
    April 12, 1999
    3. It's a World-Wide Web: Cross-Border Issues
      Over the past two weeks, we have explored the nature of privacy, information, and identity and we have looked at some responses to the privacy concerns raised by cyberspace. To understand the degree to which these responses may be implemented, and by whom, we need a clearer understanding of who has the power to control cyberspace, and by what mechanisms. To this end, we will focus this week on questions of sovereignty.

      Consider for a moment the governmental structures with which you are already familiar. Government in real space is geographically bounded. Territories traditionally have defined the scope of government's legislative authority; and where governments have attempted to reach beyond territories, it has only been when behavior outside territories has affected life within the government's domain.

      As mobility has increased, this model for sovereignty has been put under great strain. When people live in one area, yet work in another, and then send their kids to school in a third, a system of democratic government that restricts their influence to the first increasingly makes less and less sense. This has lead some scholars to question, even in real space, the exclusive reliance on geography as a basis for legislative jurisdiction, or citizenship participation.

      In cyberspace, the problem is only worse. One's behavior while in cyberspace can affect many in many other jurisdictions. And while one is always also in real space while one is in cyberspace, the behavior in cyberspace is increasingly behavior that is not really regulated properly by any individual sovereign, or set of sovereigns. There is emerging in cyberspace an existence that is outside of the life of any particular real world sovereign.

      The question for us this week is, in short, what real world sovereigns can do to govern this emerging independent existence in cyberspace. There are at least two distinct concerns which are important to consider separately.

      1. Law. What are the constraints, either political or legal, on a state's or nation's ability to govern activity on the Internet which it sees as affecting life within its real space borders? What are the legal tools available to a sovereign to control the conduct of its citizens on the Internet and of those individuals outside its borders whose conduct has effects within the sovereign's borders? It may be useful for you to read this short primer on jurisdiction to give you some feel for the background issues. When you feel comfortable with these jurisidictional considerations, have a look at Compuserve, Inc. v. Patterson, a federal appellate case which examines one state's claim of jurisdiction over a matter conducted entirely in cyberspace.

      2. Architecture. Some of the readings collected below focus less on what those in charge of regulating some aspect of the internet may do than on how they may go about doing it. The Internet comprises a wide variety of technologies, which may collectively be called the architecture of cyberspace. Most of these technologies may be used and tweaked in ways which constrain or encourage particular behavior patterns. Discovering what architectures are available and how they may be used are important parts of this week's lesson.

      To begin, please read this week's hypothetical.

    April 22, 1999
    4. Email Tapping, Digital Signatures, and Encryption: Protection for Your Electronic Communications

      For most of us, e-mail has quickly become a part of our daily interaction with the world. And yet, in the course of our normal routine, we rarely give thought to the security of these transactions. When we call someone or send a postal letter, we are secure in our expectations of privacy. Yet, most people do not stop to consider whether their electronic communications are afforded the same level of protection. Do we have an expectation of privacy in our electronic communications? If so, is that expectation unfounded?

      The law protects us to an extent, making it a federal offense to intercept or disclose the contents of electronic communications, either in the course of transmission or while in storage on a remote computer system. However, a number of uncertainties in the federal statute, widely known as the Electronic Communications Privacy Act, have not yet been hammered out by the courts. Who will be deemed to be a electronic service provider? Under what conditions may a service provider tap into your electronic communications? Under what terms will you be considered to have consented to the interception of your email?

      Technological protections, such as encryption technology, are available, but they are also restrained by the law. As encryption technology grows stronger, the government grows more concerned about their inability to "tap" such communications and the ability of organized crime rings, drug traffickers and terrorist organizations to communicate undetected over the borderless realm of cyberspace. To this end, the U.S. government has placed a number of export controls on strong encryption technologies. The SAFE Act, in its latest form, which recently passed the House of Representatives, has several major provisions which enhance consumer privacy and reduce export controls.

      The SAFE Act seems to address some of the major issues in email tapping as well as encryption, by setting a minimum to the standard required by law enforcement in order to invade privacy, and limiting their technical ability to do so. However, the harm it would do to law enforcement is unclear. It would be extremely difficult to accurately determine empirically how often encryption interferes with law enforcement since law enforcement may not be aware of many of those occurrences.

      What do you think US policy on exporting encryption programs should be? What about law enforcement and private access "keys" and encrypted emails? What standard of cause or suspicion should be necessary to infringe on privacy interests? Should we be more worried about a potential terrorist's communication going undetected in cyberspace or about the security of our own online transactions? If people shouldn't have a reasonable expectation of privacy in their email, should they be afforded this expectation when they employ encryption technology to safeguard their messages?

      As you go through the readings, think about these questions and what your model policies would be notwithstanding the current law.

      First, however, please read this week's hypothetical.

    April 27, 1999
    5. Cookies and Clickstreams: Madison Ave. is Watching You
      Introduction When you browse the Web, your browser communicates with web sites through the HyperText Transfer Protocol (HTTP) to get the web pages you request.  One of the distinguishing features of HTTP (as opposed to File Transfer Protocol and Telnet) is its instantaneous nature.  There is no real connection between a web server and browser during an HTTP session.  The browser makes a request, the server fills it and moves on to its next request.  When your browser makes another request, it does so as if it had never made the first.  This is a good thing because it reduces server load (the server does not need to keep a connection open with your computer while you browse a page) but it is a bad thing because your browser must make a new connection for every request and the server treats every request as unrelated to any other.  So-called "stateless" protocols are a problem for features like shopping carts or password saving because such features require some memory of what happened in previous requests from the same browser.  Tracking a user by transactional information, cookies and the proposed Open Profiling Standard (OPS) are ways in which web servers are attempting to introduce "state" into HTTP.

      Tracking Transactional Information

      To download this file, your browser sent a request to the Berkman Center server asking for the text of the page along with its accompanying images and scripts.  The page requested, and the IP address to send it to, must have been sent to our server.  Depending on which browser you use, however, other information, such as the name and version of the browser and the page that referred you to this one, might also be supplied.  Our webserver stores all the information your browser provides and, with that information, a good web sleuth could determine much more about you, such as how long you stayed at the site, what links you followed and ignored on our site, where you are, what company you work for (or which Internet Service Provider you use) and what type of computer you are using.

      We collect that information to help us in tailoring our web pages for our users and to allow you to continue checking discussion groups without having to re-enter your username and password.  However, as the Center for Democracy and Technology warns:

        When [transactional information is] correlated with other sources of personal information, including marketing databases, phone books, voter registration lists, etc, a detailed profile of your online activities can be created without your knowledge or consent. (CDT Privacy Demonstration Page, Center for Democracy and Technology, visited March 18, 1998)

      Cookies

      According to Netscape, the first to implement cookie technology:
        Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications. (PERSISTENT CLIENT STATE HTTP COOKIES, Netscape, visited March 18, 1998)
      In English, c|net explains,
        Cookies are small data files written to your hard drive by some Web sites when you view them in your browser. These data files contain information the site can use to track such things as passwords, lists of pages you've visited, and the date when you last looked at a certain page. (C|NET Glossary: Cookie, C|NET, visited March 18, 1998)
      Most browsers support cookie technology which allows any web server to write directly to a cookie file on your hard drive and read the cookies they set. Though cookies were first used for site personalization, shopping baskets, and saving userids and passwords, they are now also used for targeted marketing and tracking across sites (see Cookie Central and Cookies Revisited by HotWired's Marc Slayton for more information).  DoubleClick, an advertising company, sets cookies for targeted advertising and tracking across sites through its banner ads on a wide variety of sites.  Chances are better than even that you have a DoubleClick cookie in your cookie file.  The company's $400 million market value is another indication that they are successful.

      See also: The Cookie Central Unofficial Cookie FAQ and Junkbusters.

      Do some online research of your own

    May 3, 1999
    6. Free Speech, Journalism, and Filtering: --When one person's privacy is another person's speech.
    May 10, 1999
    7. Workplace Privacy: In the Workplace, Everybody Knows If You're a Dog
    May 19, 1999
    8. Medical Records
      Benefits of Increased Data Collection

      Greg Borzo, "Automation trends in medicine," AMNews staff. American Medical News, October 13, 1997

      This article discusses a new project at the University of California San Diego School of Medicine called the Patient Centered Access to Secure Systems Online (PCASSO). PCASSO will put patients' full medical records on the Internet, permitting physicians and health-care providers to view them from anywhere with Internet access. Borzo reports that such a system will help patients become "providers" of their own care, since they can ask doctors to define and clarify things in their records. Borzo talks briefly about the security measures the system will employ to prevent unauthorized users from gaining the patients' medical information.

      HealthCare Industry Report: Document Imaging, Workflow, and Electronic Patient Records

      This site provides three insightful articles relating to managing computerized patient records. In his article, "What Healthcare REALLY Needs to Know About Managing Electronic Documents," Bob Smallwood details the benefits health care providers derive from using Electronic Paper Records (EPR). He argues that they, "...reduce labor, eliminate lost files and loose sheets, improve access to authorized users, increase security (with a 100% audit trail), and provide quicker documentation for claims." Debbie Madison argues in her article, "Breaking Away from Paper," that "With the click of a button, the physician can access each chart to be reviewed and completed. Physicians can also edit transcribed documents online in real time rather than sending them back to the transcriptionists...The hospital estimates that emergency department physicians are completing charts in 1/15 of the time it previously took with paper..." And, finally, in their article, "The Journey to the Electronic Health Record," Mary Lu Lander and Angela Daniel give further explanation of the way electronic health records work and their benefits.

      TeleMed

      This is the site to a health care environment entitled TelMed, created by the Los Alamos National Laboratory in collaboration with the National Jewish Center for Immunology and Respiratory Medicine. TelMed "is an intuitive patient-record system that supports image, audio, and graphical data, ... integrates complete patient records with detailed radiographic data, and allows the remote sharing of patient and radiological data over networks...TeleMed improves clinical diagnosis and reduces the cost of health care by eliminating the time-consuming and costly activity of data gathering and by enabling easy use of powerful analysis tools."

      LaserCard System

      This site advertises a LaserCard System, which stores a patient's medical information electronically on a card that the patient carries with him or her. The site claims that the optical memory card can "transport secure, partial or complete electronic patient records, helping to expedite care, reduce costs, and perhaps save lives."

      The Dystopic Alternative

      The 1997 movie "Gattaca," written and directed by Andrew Niccol, was an flashy flop that nevertheless prompted viewers to consider the society that we might end up with if medical databases were combined with a little biological determinism. Andrew Niccol spoke at the Computers, Freedom, and Privacy in Washington, D.C. this year.

      Current Federal Legislation

      The following two acts provide some limited protection for medical information privacy:

        The Privacy Act of 1974.  This act generally provides that no federal agency may disclose information without the consent of the individual.

        Americans with Disabilities Act.  This act provides that: employers may not ask for medical information prior to offering employment; once hired, the employer may not require any medical examination that is not required of all employees holding similar positions; if a potential employee is not hired, the employer must prove that it is physically impossible for the individual to do the work required. This act applies to businesses with more than 25 employees.

      In 1996, the Kennedy-Kassebaum Health Insurance Portability and Accountability Act of 1996 was enacted. Under one of its provisions to simplify the administration of health insurance, the Act calls for the Secretary of Health and Human Services (HHS) to develop standards for the exchange of electronic health information and for the creation of unique health identifiers for individuals, employers, and health plans.

      Within this same bill, Congress called for the development of recommendations to protect the privacy and confidentiality of Americans' health records.

      The recommendations, presented to Congress by HHS Secretary Donna Shalala, propose to "provide important new rights for patients and define responsibilities and limitations for those who need to have access to these medical records." Shalala's recommendations include: a nationwide standard; leave for the states to enact stronger standards if they wish; granting patients access to their own medical records and the ability to make corrections; ensuring that those who provide and pay for health care give patients clear written explanations of how they intend to use, keep and disclose the information; and providing punishment for those who misuse personal health information.

      The recommendations provide for an exception to privacy requirements for law enforcement officials acting in their official capacities. If Congress does not pass legislation with regard to privacy, the Health Insurance Portability and Accountability Act of 1996 calls for the Secretary of the Health and Human Services to impose confidentiality controls on electronic transaction systems.

      The ACLU has voiced concerns with the HHS recommendations. The organization claims the proposal: fails to allow individuals to insist on paper records; fails to protect records from being up-linked to national databases; and fails to prohibit the creation of a system of "unique health identifiers" (a de facto national health I.D., much like one's Social Security Number) that would be attached to every piece of medical information. The organization also claims the law enforcement exception is too wide and could lead to abuses.  

      Proposed Federal Legislation

      The following bills, introduced during the current session of Congress, are attempts to provide federal protection to health and medical information in an age of computerization.

      Currently there are several proposed laws designed specifically to protect genetic information from misuse. For the purposes of this course, we will highlight proposed laws that seek to protect health and medical information generally.

      S. 1921 Health Care PIN Act

      Introduced by Senator Jeffords (R-VT), this bill seeks to protect against the unauthorized and inappropriate use of health information that is created or maintained as part of medical treatment, health care plan administration, or medical research.  If enacted, this bill would allow individuals to inspect and copy their individual medical information upon written request.  Additionally, this bill would require health care providers, employers, health or life insurers, and health researchers to provide notice of their confidentiality practices.

      S.1368. Medical Information Privacy and Security Act (MIPSA)

      Introduced by Senators Leahy (D-VT) and Kennedy (D-MA), this bill would prohibit discrimination on the basis of all protected health information in employment and insurance. Protected health information is defined to include any individually identifiable information that is created during, or becomes part of the health care treatment, diagnosis, enrollment, payment, plan administration, testing, or research processes. In addition, every patient would have the right to challenge the accuracy and completeness of his or her protected health information. The bill would also establish an Office of Health Information Privacy within the Department of Health and Human Services.

      H.R. 52: Fair Health Information Practices Act of 1997

      This bill is an amendment to section 552a of title 5, United States Code to protect personally identifiable health information, as improper use "may unfairly affect the ability of the individual to obtain employment, education, insurance, credit, and other necessities." Representative Condit (D-CA) offers the movement of individuals and health information across state lines, the computerization of health information, and the emergence of multi-state health care providers as justifications for the need for uniform Federal law.

      H.R. 1367. Federal Internet Privacy Protection Act of 1997

      Introduced by Representative Barrett (D-WI), this bill is designed to prohibit Federal agencies from making available through the Internet certain confidential records with respect to individuals, including medical history records. It also provides for remedies in cases in which such records are made available through the Internet.

      H.R. 1815. Medical Privacy in the Age of New Technologies Act of 1997

      This bill, introduced by Representative McDermott (D-WA), notes the lack of protection of health information in some states and the threats to confidentiality posed by computerization and the possibility of unauthorized electronic access and suggests the need for minimum Federal standards of protection. One of the stated purposes of H.R. 1815 is to restrict the gathering of aggregate health information for financial gain or other purposes without obtaining the consent of each subject.

      H.R. 2368: Data Privacy Act of 1997

      Introduced by Representative Tauzin (R-LA), this proposed act includes a provision that restricts the use, for commercial marketing purposes, of any personal health or medical information obtained through an interactive computer service without the consent of the individual.

       

      Privacy Laws by State, Electronic Privacy Information Center, Current as of October 1994.

      This extensive database allows users to click on any state and provides a chart for each state's privacy legislation. If a state legislates privacy for a certain topic (medical records is an included area), an X appears next to the topic.
       

      "Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization," Final Report Presented to the U.S. Centers for Disease Control and Prevention, Professor Lawrence O. Gostin, J.D., LL.D. (Hon.), Georgetown University Law Center and The Johns Hopkins School of Hygiene and Public Health; Zita Lazzarini, J.D., M.P.H., Harvard School of Public Health; and Kathleen M. Flaherty, J.D., Georgetown/Johns Hopkins Program on Law and Public Health , Feb. 1997.

      This report provides a thorough overview of state laws for each area of medical privacy concern. For each sub-topic, the researchers have analyzed how states handle privacy concerns and how many states legislate privacy in medical records. For example, the report analyzes state laws regarding health care information, public health data, redress of medical privacy violations, and protection for HIV and immunization information. Below, we provide only a small sample of the information that is available in this report regarding medical privacy and electronic media. The report also provides an overview of gaps in federal and state laws and provides recommendations for new legislation.

      "Computers and other electronic media are fast becoming the storage method of choice for medical and other personal information. Despite this fact, only twenty-two states have specific provisions regarding the protection of confidentiality of records maintained on electronic or computerized media. These provisions offer varying degrees of protection. Several states, such as Tennessee, use the same standards for confidentiality of computerized or electronic records as those applied to paper records. In other states, including Arkansas, statutes governing confidentiality of computerized health care information apply only to public health data; private physicians, hospitals and other health care facilities may or may not be held to the same definition. Oklahoma's Health Care Information System Act provides that individual forms, computer tapes or other forms of data collected by and furnished to the Division of Health Care Information or to a data processor shall be confidential. Statutory protection of computerized data may also lack specificity. Florida requires only that computerized records be kept in accordance with "sound" record-keeping practices."

       

      Case Law

      Cases involving medical records privacy generally implement a balancing test, weighing an individual's right or expectation of privacy against the employer's or government's need to access medical records. As you read these cases, apply your own balancing test:  do you feel that individual privacy is being sufficiently protected?

      Also, bear in mind that computer networks can collect, aggregate, and disseminate personal medical information on a vastly increased scale. What effect, if any, will cyberspace have on future judicial determinations similar to these cases?

      Whalen v. Roe, 429 U.S. 589 (1977)
      (When you reach the Supreme Court search screen, enter 429 U.S. 589 in the citation search.)

      Patients and physicians brought an action challenging the constitutionality of New York statutes that mandated that the state be provided with a copy of every prescription for certain drugs and that also provided security measures to protect that information. The Supreme Court reversed a lower court decision and held that the statutes were a reasonable exercise of the state's broad police power. Other courts interpret this decision as recognizing that individuals do have a limited right to privacy in their medical records. What do you think?

      United States v. Westinghouse Elec. Corp., 638 F.2d 570 (3d Cir. 1980) [full text available on Lexis/Nexis or Westlaw]

      The United States sought to compel an employer--by authority of the Occupational Safety and Health Act--to produce employee medical records. The employer objected, raising the privacy interests of its employees and their medical records. The Court of Appeals held that strong public interest in facilitating research and investigations of the National Institute for Occupational Safety and Health justified minimal intrusion into privacy surrounding employees' medical records, and that the employer was not justified in its blanket refusal to give the Institute access to records or in seeking to condition their disclosure on compliance with the employer's strict terms.

      Doe v. SEPTA 72 F.3d 1133 (3d Cir. 1995)
      (When you reach the 3d Circuit search screen, enter "SEPTA" in the party name search.)

      A public employee filed suit against his employer and supervisor for violating his right to privacy after the employer discovered that the employee had AIDS. This discovery was made by examining records of drug purchases made through its employee health program. The Court of Appeals recognized a limited constitutional right to privacy in one's prescription records; however, the Court held that the employer's need for access to employee prescription records outweighed the employee's interest in confidentiality.

      Bloodsaw v. Lawrence 1998 WL 39209 (9th Cir.(Cal.))
      (When you reach the 9th Circuit search screen, enter "Bloodsaw" in the party name search.)

      The Court of Appeals held, inter alia, that the constitutionally protected privacy interest in avoiding disclosure of personal matters clearly encompasses medical information and its confidentiality.

      Electronic Privacy Information Center, "Minnesota Takes the Lead on Agreement to Protect 41 Million Americans,"Oct. 25, 1995.

      This article describes a settlement with two of the largest health care companies in the U.S. The settlement requires the companies to substantially reform their methods of marketing prescription drugs. Under the terms of the settlement, consumers must be advised about the extent to which confidential information in their files will remain confidential, including the fact that medical histories and prescription drug usage could be made available to consumers' employers.

      International Views Regarding Medical Privacy  Federal Privacy Legislation in Australia.  This site provides a list of links and summaries for public and private sector privacy laws in Australia. While these do not specifically address medical records, the laws give some insight into the direction of Australian views with regard to privacy generally.

      European Commission, Press Release: Council Definitively Adopts Directive on Protection of Personal Data, July 25, 1995.  This press release summarizes the European Union's 1995 privacy directive.

      Gesundheitsdatenshutz.  Gesundheit is German for health, daten is data, and schutz is protection. Generally, the site notes that German-speaking countries (Austria, Germany, Switzerland) have not yet addressed such issues in any systematic way, but have begun to show concern for the protection of medical privacy. The German and Swiss Data Protection Registrars (one each for the federal states and one for Germany as a whole) have "issued several cautionary statements about smart cards in the health care field which are being tested in Germany with approval of the physicians' chamber."

      The Doctrine of Confidentiality, Irish Medical Journal, June/July 1997.  This article discusses current Irish judicial opinions with respect to medical records confidentiality. Generally, it explains, "[t]he doctor's duty of confidentiality as regards the patient's medical records, is also governed, ethically by the Irish Medical Council's Guide to Ethical Conduct and Behavior and Fitness to Practice, and legally by the Common Law Doctrine of Confidentiality." It also explores the impact of electronic data on individuals' privacy and the security of medical records.

      June 30, 1999
      Privacy in Cyberspace Reference Library
      June 30, 1999
      The Bot's questions

        Prepared: November 17, 1999 - 08:02:29 PM
        Berkman Center for Internet & Society