(p.311) APPENDIX I Privacy in Federal Statutes
(p.311) APPENDIX I Privacy in Federal Statutes
This appendix is intended as an aide to the reader in evaluating the full spectrum of federal enactments. These categories are evaluated in the chapter dealing with federal policy (Chapter IV), but not every statute is discussed there. Web sites such as those of Privacilla.org (http://privacilla.org), the Electronic Privacy Information Center (http://epic.org), and the Privacy Rights Clearinghouse (http://privacyrights.org), which have extensive listings of federal policies, may also be a useful reference.
Categories of Federal Legislation Affecting Privacy
These categories are an attempt to organize the vast number of federal enactments. Some statutes appear in more than one category because they affect more than one area of policy. For example, the Bank Secrecy Act appears under the “financial information” category, since banking information is clearly financial. It also appears in the “authorizing governmental intrusions” category, since the act specifically allows the government to collect certain banking data for security purposes.
1. Medical Records
Statutes in this category restrict the release of sensitive personal medical information.
a. Health Insurance Portability and Accountability Act of 1996
b. Genetic Information Nondiscrimination Act of 2008
c. Substance Abuse Privacy Policies
d. Veterans Administration Privacy Policies
2. Financial, Credit, and Consumer Records
Statutes in this category protect personal-finance-related information as well as information on consumer purchases and credit information.
a. Bank Secrecy Act
b. Fair Credit Reporting Act of 1970
c. Fair and Accurate Credit Transactions Act of 2003
d. Gramm-Leach-Bliley Act of 1999
e. Section 7216 of the Internal Revenue Code
f. Right to Financial Privacy Act of 1978
g. Economic Espionage Act of 1996
3. Educational Records
Statutes in this category protect a broad range of data and information accumulated by schools and other covered educational institutions.
a. Family Educational Rights and Privacy Act of 1974
4. Personal Identity Information and Personally Sensitive Information
Statutes in this category protect information that identifies a person and could facilitate identity theft (e.g., Social Security numbers, driver's license information, credit-card numbers) as well as particular types of records containing highly intrusive, offensive, or sensitive content (e.g., autopsy photos, video-rental records, library records, parental records, adoption records, juvenile records, names of abortion patients).
a. Brady Handgun Violence Prevention Act of 1993
b. Cable Communications Policy Act of 1984
c. Census Confidentiality Statute
d. Children's Online Privacy Protection Act of 1998
e. Driver's Privacy Protection Act of 1994
f. Employee Polygraph Protection Act of 1988
g. Fair Credit Reporting Act of 1970
h. Fair and Accurate Credit Transactions Act of 2003
i. False Identification Crime Control Act of 1982
j. Genetic Information Nondiscrimination Act of 2008
k. Identity Theft and Assumption Deterrence Act of 1998
l. Substance Abuse Privacy
m. Video Privacy Protection Act of 1998
n. Identity Theft Penalty Enhancement Act of 2003
o. Internet False Identification Act of 2000
p. Telephone Consumer Protection Act of 1991
5. Personal Communications
Statutes in this category protect individuals' private communications (e.g., phone, cell-phone, and e-mail communications).
a. Cable Communications Policy Act of 1984
b. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
c. Communications Decency Act of 1996
d. Communications Assistance for Law Enforcement Act of 1994
e. Electronic Communications Privacy Act of 1986
f. Communications Act of 1934
g. Section 222 of the Telecommunications Act of 1996
h. Telephone Consumer Protection Act of 1991
i. Wireless Communications and Public Safety Act of 1999
6. Computer Use or Computer-Generated Information
Statutes in this cateogry protect against abuses of data compilations, focusing on abuses in the collection, retention, and distribution of mass amounts of information.
a. Computer Fraud and Abuse Act of 1984
b. Computer Matching and Privacy Protection Act of 1988
c. E-Government Act of 2002
d. Freedom of Information Act of 1966
e. Privacy Act of 1974
f. Electronic Communications Privacy Act of 1986
g. Stored Communications Act
7. Business Information
Statutes in this category protect trade secrets and proprietary information, the release of which would cause unreasonable harm to a particular party.
a. Economic Espionage Act of 1996
b. Employee Polygraph Protection Act of 1988
c. Freedom of Information Act of 1966
8. Exemptions from Public Records and Protection Against Public Intrusions
Statutes in this category protect particular types of publicly held information and exempt from disclosure materials deemed confidential or intrusive. These laws also protect against intrusions by the government that are not necessarily the result of the release of information (e.g., 42 U.S.C. § 1983 punishes misconduct relating to privacy rights, illegal surveillance, and the availability of information generated in the justice system). Laws in this category generally protect against intrusions into traditionally protected areas—home, family, and procreation.
a. Census Confidentiality
b. Computer Matching and Privacy Protection Act of 1988
c. Computer Security Act of 1987
d. E-Government Act of 2002
e. Freedom of Information Act of 1966
f. Paperwork Reduction Act of 1995
g. Privacy Act of 1974
h. Privacy Protection Act of 1980
i. Section 1983 of the Civil Rights Act of 1964
j. Social Security Number Confidentiality Act of 2000
(p.315) 9. Statutes Protecting Against Private Intrusions
These statutes protect against particular actions relating to privacy of the person but not release or misuse of information (e.g., stalking, video voyeurism, cyberstalking, telephone solicitation).
a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
b. False Identification Crime Control Act of 1982
c. Identity Theft and Assumption Deterrence Act of 1998
d. Identity Theft Penalty Enhancement Act of 2003
e. Internal Revenue Code
f. Internet False Identification Act of 2000
g. Paperwork Reduction Act of 1995
h. Privacy Act of 1974
i. Privacy Protection Act of 1980
j. Social Security Number Confidentiality Act of 2000
k. Video Voyeurism Prevention Act of 2004
10. Statutes Authorizing Governmental Intrusions
These statutes authorize intrusions for national-security or other public purposes.
a. Bank Secrecy Act of 1970
b. Communications Assistance for Law Enforcement Act of 1994
c. Computer Fraud and Abuse Act of 1984
d. Electronic Communications Privacy Act of 1986
e. Foreign Intelligence Surveillance Act of 1978
f. Omnibus Crime Control and Safe Streets Act of 1968
g. USA PATRIOT Act of 2001
h. Protect America Act of 2007
Summary of Federal Statutes
1. Medical Records
1.a. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Pub. L. No. 104-191, 110 Stat. 1936.
(p.316) This act mandates procedures to protect the privacy of individuals receiving health-care services. Title I of HIPPA limits restrictions group health plans can place on benefits for preexisting conditions.1545 Title II of HIPPA mandates the Department of Health and Human Services to promulgate Administrative Simplification rules. The Administrative Simplification rules are designed to increase efficiency in the health care system by creating uniform standards for disseminating and use of health care information.1546
In 2000, rules designed to protect medical information were promulgated by the Clinton administration. However, these rules were amended in 2002 to permit certain health-related information to be shared without patient consent including their treatment and payment for certain marketing purposes. These new rules include certain privacy protections:
• Patients must be given notice of their rights under HIPPA by hospitals as well as how their medical information will be used.1547
• Patients have a right to see, copy, or correct inaccuracies in their medical records.1548
• When a covered entity uses or discloses protected health information from another covered entity, a covered entity must “make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”1549
• Health-care providers are prohibited from disclosing an individual's health information to their employers.1550
• individuals may choose not to have their names and health information publicly listed in a hospital's directory.1551
• Patients may request that their medical records are not shared. However, no consent is required for a patient's medical records to be transferred between doctors' offices for the purpose of medical treatment. A covered entity “is permitted to use or disclose protected health information” for “treatment, payment, or health (p.317) care operations” without a patient's consent. The use of medical information for certain marketing activities is permitted.1552
The U.S. House of Representatives passed the bill 420 to 3, but the Senate has yet to vote on the bill.1556
1.c. Substance Abuse Privacy, 42 U.S.C. § 290dd-2 (2000). Under 42 U.S.C. § 290dd-2, medical records maintained by any federal substance-abuse program that contains certain patient information—identity, diagnosis, treatment, etc.—is required to be maintained as confidential.1557 The statute allows the use of records by medical personnel, and makes exceptions to the confidentiality requirement in the case of court orders, and patient's consent.1558 Moreover, there is a further exception to the confidentiality requirement in the case of audits and research but required (p.318) that the patients identities are not disclosed.1559 Violators of the statute are subject to a fine.1560
2. Financial, Credit, and Consumer Records
2.a. Bank Secrecy Act, 31 U.S.C. §§ 5311–5330 (2000). This act reduces citizens' right to privacy concerning banking information. Financial institutions are required by the federal government to monitor customers, maintain records, and report personal financial transactions that “have a high degree of usefulness in criminal, tax and regulatory investigations and proceedings.”1563 “Suspicious activity reports” must be filed with the Treasury Department's Financial Crimes Enforcement Network (“FinCEN”).1564 Financial-institution reporting is secret, done without the knowledge or consent of an institution's customers. Reports of suspicious activity are available electronically to every U.S. attorney's office and to fifty-nine law-enforcement agencies, including the FBI, the Secret Service, and the Customs Service. Law-enforcement agencies need not suspect an actual crime before accessing a report. Additionally, no court order, warrant, subpoena, or even written request is needed to view these reports.1565
(p.319) 2.b. Fair Credit Reporting Act of 1970 (“FCRA”), 15 U.S.C. §§ 1681–1681u (2000). Congress enacted the FCRA to protect consumers from the disclosure of inaccurate and arbitrary personal information held by consumer reporting agencies.1566 The FCRA regulates the disclosure of personal information, but it does not restrict the amount or type of information that can be collected. Under the FCRA, consumer reporting agencies may disclose personal information to third parties only under specified conditions. Additionally, information may be released to a third party with the written consent of the subject of the report or when the reporting agency has reason to believe that the requesting party intends to use the information:
• for a credit, employment, or insurance evaluation;
• in connection with the grant of a license or other governmental benefit; or
• for another “legitimate business need” involving the consumer.1567
2.c. Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), Pub. L. No. 108-159, 117 Stat. 1952 (2003) (amending 15 U.S.C. §§ 1681–1681u). The congressional rationale of augmenting the Fair Credit Reporting Act of (15 U.S.C. § 1681 et seq.) with FACTA was to reduce instances of identity theft. Among FACTA are provisions that are designed to alert consumers and other procedures designed to detect and prevent identity theft.1568 However, Congress also effectively barred states from adopting stronger laws.1569
FACTA prevents medical creditors from “obtain[ing] or us[ing] medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit.”1570 But there are exceptions, and federal banking agencies were directed to issue regulations to cover uses of medical information to protect “legitimate operational, transactional, risk, consumer, and other needs.”1571
2.d. Gramm-Leach-Bliley Act of 1999 (“GLBA”), Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified at 15 U.S.C. §§ 6801–6809). The GLBA is (p.320) one of the most comprehensive consumer financial-privacy statutes in U.S. history.1572 It imposes strict obligations and restrictions on financial institutions in disclosing the personal financial information of customers to nonaffiliated third parties.1573
The GLBA regulates the privacy of personally identifiable, nonpublic financial information disclosed to nonaffiliated third parties by financial institutions. The act requires written or electronic notice of the categories of personal information collected, the categories of people the information will be disclosed to, the consumer's opt-out rights, and the company's confidentiality policy. The act also requires administrative, technical, and physical safeguards to protect the security and privacy of information.
2.e. Section 7216 of the Internal Revenue Code, 26 U.S.C. § 7216. Section 7216 of the Internal Revenue Code prohibits anyone who is involved in the preparation of tax returns from knowingly or recklessly disclosing or using the tax-related information provided other than in connection with the preparation of such returns. Anyone who violates this provision may be subject to a fine or even imprisonment. The regulations under section 7216 provide an exemption from this law for tax-return preparers who disclose taxpayer information to a third party for the purpose of having that third party process the return. Note that there is no requirement in section 7216 or its regulations that a preparer inform the client that a third-party provider is being used. In addition, section 7525 provides a client with a privilege similar to the attorney-client privilege when the client makes certain tax-related disclosures to, among others, certified public accountants (“CPAs”).1574
2.f. Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401–3422 (2000). The Right to Financial Privacy Act was Congress's response to a U.S. Supreme Court decision finding that bank customers had no legal right to privacy in financial information of theirs held by financial institutions.1575 The statutes are largely procedural in nature in that they require agencies to provide notice to individual bank customers, as well as an opportunity to object before a bank or other financial institution (p.321) can disclose personal financial information. The Act, however, allows financial information to be revealed by mere written requests.1576
The Right to Financial Privacy Act was designed to protect the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The relevant section (12 U.S.C. § 3402) states that:
no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described
(1) such customer has authorized such disclosure in accordance with section 3404 of this title;
(2) such financial records are disclosed in response to an administrative subpoena or summons which meets the requirements of section 3405 of this title;
(3) such financial records are disclosed in response to a search warrant which meets the requirements of section 3406 of this title;
(4) such financial records are disclosed in response to a judicial subpoena which meets the requirements of section 3407 of this title; or
(5) such financial records are disclosed in response to a formal written request which meets the requirements of section 3408 of this title.1577
The statute prevents banks from requiring customers to authorize the release of financial records as a condition of doing business and states that customers have a right to access a record of all disclosures.1578
3. Educational Records
3.a. Family Educational Rights and Privacy Act of 1974 (“FERPA”), 20 U.S.C. § 1232g (2000). FERPA was enacted by Congress in 1974 with the intent of providing students or their parents various rights to inspect (p.322) student records, and to request any corrections they believe to be incorrect or misleading.1579 Moreover, student records may not be released without permission, except under certain circumstances.1580 FERPA applies only to educational agencies and institutions that receive funds from the U.S. Department of Education.1581
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties:1582
• School officials with a legitimate educational interest
• Other schools to which a student is transferring
• Specified officials for audit or evaluation purposes
• Appropriate parties in connection with financial aid to a student
• Organizations conducting certain studies for or on behalf of the school
• Accrediting organizations
• Appropriate officials in cases of health and safety emergencies
• State and local authorities, within a juvenile justice system, pursuant to specific state law
FERPA also allows schools to disclose records without consent to comply with a judicial order or lawfully issued subpoena.1583
Schools may disclose, without consent, “directory information” such as a student's name, address, telephone number, etc.1584 However, schools must tell parents and eligible students about directory information and give parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.1585 Schools must notify parents and eligible students annually of their rights under FERPA.1586 The actual means of notification (special letter, PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
(p.323) Colleges and universities comply with these regulations by dealing exclusively with the student. Bills for tuition are an exception. Since student bills are financial records, involving yet another set of regulations, institutions are allowed to communicate with parents about financial records if the student authorizes the school to do so. Such authorization, however, applies only to financial records and may never include academic or other student records.1587
4. Personal Identity Information and Personally Sensitive Information
4.a. Brady Handgun Violence Prevention Act (“Brady Law”), (Pub. L. 103-159, 107 Stat. 1536, enacted 1993-11-30) codified at 18 U.S.C. § 921–922. The Brady Handgun Violence Prevention Act requires gun dealers to submit information about prospective buyers to a federal computer system to prevent sales to convicted felons, fugitives, and other disqualified persons from purchasing firearms. The information includes the potential purchaser's name, sex, race, date of birth, and state of residence. One provision mandates that law enforcement agencies “shall not disclose any such form or the contents thereof to any person or entity, and shall destroy each such form and any record of the contents thereof no more than 20 days from the date such form is received.”1588
4.b. Cable Communications Policy Act of 1984 (“Cable Act”), Pub. L. 98-549, 98 Stat. 2780 (codified at 47 U.S.C. §§ 521–59 (2000)). The Cable Act places restrictions the collection, maintenance, and dissemination of subscriber data by cable systems operators.1589 It specifically prohibits operators from collecting subscriber information without prior consent, unless it is needed to render service, detect unauthorized reception, is disclosed pursuant to a court order, or is made for other “legitimate business activitie[s].”1590 The Cable Act requires operators to notify subscribers of what personal information is collected, how it is used, the length of time it is retained by the operator, how and to whom it is disclosed.1591 (p.324) And cable operators must destroy any personal data collected when it is longer needed for the purpose for which it was collected.1592
4.c. Census Confidentiality, 13 U.S.C. § 9 (2000). Under 13 U.S.C. § 9, information provided for the census may only be used for its initial statistical purpose, and may not be published in a way that would allow an individual to be identified.
4.d. Children's Online Privacy Protection Act of 1998 (“COPPA”), Pub.L. 105-277, 112 Stat. 2581–728 (codified at 15 U.S.C. §§ 6501–6506 (2000)). COPPA regulates the collection of personal information on the Internet from children. It protects the privacy of children under the age of thirteen by requesting parental consent for the collection or use of any personal information of the users.1593
Some of the key requirements of the act that Web site operators must follow include:
• acquiring “verifiable parental consent” before collecting personal information from a child under the age of thirteen;1594
• disclosing to parents any information collected about their children by the Web site;1595
• providing a right to revoke consent and have information deleted;1596
• limiting the collection of personal information when a child participates in online games and contests;1597 and
• protecting the confidentiality, security, and integrity of any personal information that is collected online from children.1598
4.e. Driver's Privacy Protection Act of 1994, 18 U.S.C. §§ 2721–2725 (2000). This act prohibits states from disclosing personal information, such as an individual's photograph, Social Security number, driver's license identification number, name, address, telephone number, or medical or disability information, with certain exceptions.
4.f. Employee Polygraph Protection Act of 1988, Pub. L. 100-347, 102 Stat. 646 (codified at 29 U.S.C. §§ 2001–2009 (2000)). This act prohibits most private employers from using lie-detector tests either for preemployment (p.325) screening or during the course of employment.1599 Exceptions, however, are made for private security-service firms and pharmaceutical manufacturers, and FBI contractors.1600 The law does not apply to federal, state, or local governments. In the cases where polygraph testing is permitted, the testers are subject to strict standards regarding the length and conduct of the test.1601
4.g. Fair Credit Reporting Act of 1970 (see 2.b).
4.h. Fair and Accurate Credit Transactions Act of 2003 (see 2.c).
4.i. False Identification Crime Control Act of 1982 (“FICCA”), Pub. L. No. 97-398, 96 Stat. 2009 (codified at 18 U.S.C. §§ 1028, 1738 (2000)). FICCA was the product of a ten-year legislative process that prohibits the production, transfer, or possession of any document-making instrument used to produce false identification.1602 FICCA also provides penalties for (1) knowingly and unlawfully producing or transferring an identification document or false identification document; (2) possessing five or more false identification documents; (3) possessing false identification documents with the intent to defraud the United States; or (4) possessing an identification document that appears to be a U.S. document with knowledge that it is stolen or produced without authority.1603
4.j. Genetic Information Nondiscrimination Act of 2007 (see 1.b).
4.k. Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, 112 Stat. 3007 (codified at 18 U.S.C. § 1028 (2000)). This act amends FICCA to encompass computer-aided false-identity crimes. It expands the scope of the fraudulent-identification-document crime to include document transfers by electronic means.1604
4.l. Substance Abuse Privacy (see 1.c).
4.m. Video Privacy Protection Act of 1998 (“VPPA”), Pub. L. No. 100-618, 102 Stat. 3195 (codified at 18 U.S.C. § 2710 (2000)). The VPPA prohibits videotape service providers from knowingly disclosing personal information, such as titles of rented videocassettes, without the individual's written authorization.1605 Congress passed the VPPA following the controversy that arose when Judge Robert Bork's video-rental records were (p.326) released during his Supreme Court nomination hearings. Although a private individual would likely be able to bring suit for a common-law invasion of privacy, a public figure like Judge Bork would probably not prevail, because the First Amendment would probably protect the information contained in his rental record.
4.n. Identity Theft Penalty Enhancement Act of 2003, Pub. L. No. 108-275, 118 Stat. 831 (codified at 47 U.S.C. § 1028A (West. Supp. 2006). The act adds the substantive offense of “aggravated identity theft,” caring a minimum sentence of two years.1606 Aggravated identity theft occurs when a person uses the identification of another person in the course of an enumerated felony.1607 Such enumerated felonies include, inter alia: theft of public money; false statements while acquiring a firearm; mail fraud; immigration, nationality, passport, and citizenship violations; and false social security statements.1608
4.o. Internet False Identification Act of 2000, Pub. L. No. 106-578, 114 Stat. 3075 (codified at 18 U.S.C. § 1028). The IFIA further amended the FICCA to include computer-aided false identification including computer templates in the prosecution of identity theft.1609
4.p. Telephone Consumer Protection Act of 1991 (“TCPA”) Pub. L. No. 102-243, 105 Stat. 2394 (codified principally at 47 U.S.C. § 227 (2000)). The TCPA is the principal law governing the conduct of telephone solicitations. Among its provisions are restrictions on the use of automatic telephone dialing systems. Specifically, they may not be used to dial the number of any emergency “medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency;” any patient rooms at hospitals or old-age homes; or any number assigned to a service for which the customer is charged.1610 The act creates a private cause of action for its enforcement.1611 Moreover, the TCPA does not preempt state law or regulations covering telemarketing.1612 Both the Ninth and Fourth Circuit Courts of Appeal upheld the constitutionality of the TCPA's restrictions.1613
(p.327) 5. Personal Communications
5.a. Cable Communications Policy Act of 1984 (see 4.b).
5.b. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”), Pub L, No. 08-187, 117 Stat. 2699 (2003) (codified at 15 U.S.C. §§ 7701-7713 and 18 U.S.C. § 1037 (West Supp. 2006)). Aside from requiring unsolicited e-mails to include opt-out instructions and to include the sender's physical address, the statute authorizes the FTC to establish a “do-not-e-mail” registry.1614
5.c. Communications Decency Act of 1996 (“CDA”) Pub. L. No. 104-104, 110 Stat. 56, 133–43 (codified in scattered sections of 47 U.S.C. and 18 U.S.C.). The pertinent section reads:
(1) Treatment of publisher or speaker.—No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.1615
The provisions of the CDA that dealt with restrictions on obscene speech were declared unconstitutional in Reno v. ACLU.1616 The provision dealing with immunity for Internet service providers, however, has survived.
In the case of Zeran v. America Online,1617 the Fourth Circuit found that a service provider was not liable for failing to remove defamatory material from the Web, even after notice. A series of cases interpreting the CDA have immunized Internet sites that do not provide actual content.
5.d. Communications Assistance for Law Enforcement Act of 1994 (“CALEA”), Pub. L. No. 103-414, 108 Stat. 4279 (codified at 47 U.S.C. §§ 1001–10 (2000)). CALEA was enacted with the intent of protecting public safety and national security by ensuring that law enforcement agencies have the ability to conduct electronic surveillance. This is done by requiring that telecommunications operators modify and design their equipment and services so that they have surveillance capabilities. “Telecommunications carriers” for purposes of the statute include common carriers, facilities-based broadband Internet access providers, and providers of interconnected (p.328) Voice over Internet Protocol (VoIP) service.1618 When CALEA was passed in 1994, it was the first time that private telecommunications companies were required to modify their equipment and services to facilitate government surveillance.
5.e. Electronic Communications Privacy Act of 1986 (“ECPA”), Pub. L. No. 99-508, Oct. 21, 1986, 100 Stat. 1848 (codified at 18 U.S.C. §§ 2510, 2521, 2701, 2710, 3117 3121, 3126)). The ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968. It is aimed at preventing invasions into individuals' privacy by the government. However, the ECPA law also forbids private electronic communications operators from divulging their contents. The ECPA generally prohibits the use of pen registers and trap-and-trace without a court order with the exceptions of system testing and to record fraud.1619
5.f. Communications Act of 1934, 47 U.S.C. §§ 151–713 (2000). The Communications Act of 1934 and amendments to that act cover a broad range of issues relating to privacy, including protection of telecommunications, cable, and cell phone information.1620
5.g. Section 222 of the Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (codified at 47 U.S.C. § 222 (2000)). Section 222, entitled “Privacy of Customer Information,” states generally that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to… customers.” Section 222 places restrictions on the use of, disclosure of, and access to certain customer information.
In 1998, the FCC issued an opt-in regulation requiring customers to opt-in prior to companies using their customer data. The Tenth Circuit Court of Appeals, however, ruled the opt-in regulation unconstitutional in violation of the First Amendment.1621
5.h. Telephone Consumer Protection Act of 1991 (see 4.p).
5.i. Wireless Communications and Public Safety Act of 1999 (“911 Act”).1622 The 911 Act amended privacy provisions in the Telecommunications Act of 1996 to allow location information to be used for emergency-services purposes.
(p.329) Enhanced 911, or E911, is an FCC program that requires mobile phone services to be able to track and communicate the locations of users. GPS tracking is used in E911 service. Although E911 allows emergency-service providers to locate callers, E911 also allows third parties to track phones using the GPS signal. For example, parents can track their child's location.1623
6. Computer Use or Computer-Generated Information
6.a. Computer Fraud and Abuse Act of 1984, L. 98-473, 98 Stat. 2190 (codified at 18 U.S.C. § 1030 (Supp. 2001)). The Computer Fraud and Abuse Act makes certain activities designed to access a “federal interest computer” illegal.
Whoever… knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer … [or] knowingly and with intent to defraud traffics … in any password or similar information through which a computer may be accessed without authorization … shall be punished as provided in subsection (c) of this section.1624
The Patriot Act amended the Computer Fraud and Abuse Act with both procedural and substantive changes that may influence future prosecutions. Some changes will make it easier for law enforcement to investigate computer crimes, fight terrorism, and fight cyberterrorism. The title and purpose of the Patriot Act are the only apparent limits to these modifications.1625
6.b. Computer Matching and Privacy Protection Act of 1988 (“CMPPA”), Pub. L. No. 100-503, 102 Stat. 2507 (codified at 5 U.S.C. § 552a(o) (2000)). The CMPPA amended the Privacy Act of 1974 by prohibiting disclosures of personal information contained in databases to any government or private agency for “use in a computer matching (p.330) program.”1626 As amended by the CMPPA, the Privacy Act now requires agencies involved in computer matching programs to, inter alia:
• state “the purpose and legal authority” of the program;1627
• state “the justification for the program and [its] anticipated results;”1628
• describe the information and records used in the matching program;1629
• state the starting and completion dates of the project;1630
• provide notice procedures for individualized notice;1631
• provide procedures for the retention and destruction of records, and their security.1632
6.c. E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899 (codified at 44 U.S.C. §§ 3501–3521 (West Supp. 2005). The E-Government Act establishes many requirements for computer and Internet use within the federal government. With respect to privacy, the key requirement is that agencies must conduct privacy impact assessments.1633 Agencies must assess the reasons for holding an individual's information, with whom the information will be shared, the duration it is to be retained, and its intended use.1634 Unlike the Privacy Act of 1974, whose applicability is limited to U.S. citizens and legal residents, the E-Government Act of 2002 applies more broadly to “individuals.”1635
The Office of Management and Budget issued guidelines for what should be addressed in a privacy impact assessment: the specific information collected, the purpose for collection, the intended use of the information, a list of the parties with which the information may be shared, notice regarding the collection of information, security provisions, and whether a system of records notice has been created pursuant to the Privacy Act.1636
(p.331) Additional privacy protections in the act include prohibitions on the disclosure of information obtained for statistical purposes and the requirement that federal agencies post machine-readable privacy policies on their Web sites.1637
6.d. Freedom of Information Act (“FOIA”) (see 8.e).
6.e. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified at 5 U.S.C. 552a).1638 The Privacy Act applies only to federal governmental agencies1639 that maintain information that can be used to identify an individual.1640 The act restricts the disclosure of personal information, provides individuals with the right to access the contents of their files, and provides the right to seek amendment or correction of inaccurate information.1641
The Department of Justice notes that “the Act's imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply.”1642
7. Business Information
7.a. Economic Espionage Act of 1996 (“EEA”), Pub. L. No. 104-294, 110 Stat. 3488 (codified at 18 U.S.C. 1831–39). Congress enacted the EEA to prosecute individuals who steal trade secrets. The EEA broadly defines “trade secrets” as:
all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, and codes, whether tangible or intangible, and whether stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing, if—(A) the owner has taken reasonable measures to keep such information secret, and (B) the information derives independent (p.332) economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.1643
The EEA makes it a crime when an individual knowingly “steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret.”1644 The EEA also contains provisions to protect the trade secrets in court proceedings. Violators must forfeit proceeds stemming from the crime, and a court may order the forfeiture of any property used to commit or to facilitate the commission of the crime.1645 For more serious violations of the EEA, a defendant can be imprisoned for up to fifteen years or fined up to $500,000 or both.1646
7.b. Employee Polygraph Protection Act (see 4.f).
7.c. Freedom of Information Act (“FOIA”) (see 8.e).
8. Exemptions from Public Records and Protection Against Public Intrusions
8.a. Census Confidentiality (see 4.c).
8.b. Computer Matching and Privacy Protection Act (see 6.b).
8.c. Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (codified at 15 U.S.C. 271–278h) (1988)). The act defines “sensitive information” as “information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under [the Privacy Act] …”1647 The act also requires that minimum standards be established for federal information systems.1648
8.d. E-Government Act of 2002 (see 6.c).
8.e. Freedom of Information Act of 1966 (“FOIA”) Pub. L. No. 89-554, 80 Stat. 383 (codified at 5 U.S.C. 552). The FOIA requires federal agencies to make information publically available. There are, however, exceptions to FOIA that protect privacy interests from disclosure. A federal agency may withhold information about individuals in personnel and medical (p.333) files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy”.1649 Another exemption allows agencies to withhold records compiled for law-enforcement purposes.1650
8.f. Paperwork Reduction Act of 1995, Pub. L. No. 104-13, 109 Stat. 163 (codified at 44 U.S.C. 3501–20). The PRA established Office of Information and Regulatory Affairs within the Office of Management and Budget.1651 The OIRA is required to promulgate guidance for and oversight of federal agencies' information-management activities.1652
The act also requires federal agencies to ensure compliance with the Privacy Act and to coordinate management of the requirements of FOIA, the Privacy Act, the Computer Security Act, and related management laws.
8.g. Privacy Act of 1974 (see 6.e).
8.h. Privacy Protection Act of 1980, Pub. L. No. 96-440, 94 Stat. 1879 (codified at 42 U.S.C. 2000aa et seq.). The Privacy Protection Act mainly deals with protecting First Amendment freedom-of-the-press values. The act prohibits “a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate or foreign commerce.”1653 There, however, is an exception to the prohibition if there is probable cause that the possessor of the materials is involved in a criminal offense.1654
8.i. Section 1983 of the Civil Rights Act of 1871 (codified at 42 U.S.C. § 1983). Section 1983 of the Civil Rights Act provides:
Every person who under color of any statute, ordinance, regulation, custom, or usage, of any State or Territory or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law, suit in equity, or other proper proceeding for redress, except that in any (p.334) action brought against a judicial officer for an act or omission taken in such officer's judicial capacity, injunctive relief shall not be granted unless a declaratory decree was violated or declaratory relief was unavailable.”1655
Section 1983 jurisprudence is extremely complicated, but has been expanded to apply to causes of action relating to privacy rights and surveillance.1656
8.j. Social Security Number Confidentiality Act of 2000, Pub. L. No. 106-433, 114 Stat. 1910 (codified at 31 U.S.C. § 3327 (2000)). This act prohibits Social Security numbers from being visible on or through unopened mailings or other checks or drafts issued by the Treasury Department.
9. Private Intrusions
9.a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”) (see 5.b).
9.b. False Identification Crime Control Act of 1982 (see 4.i).
9.c. Identity Theft and Assumption Deterrence Act of 1998 (see 4.k).
9.d. Identity Theft Penalty Enhancement Act (see 4.n).
9.e. Section 7216 of the Internal Revenue Code (see 2.e.).
9.f. Internet False Identification Act of 2000 (see 4.o).
9.g. Paperwork Reduction Act of 1995 (see 8.f).
9.h. Privacy Act of 1974 (see 6.e).
9.i. Privacy Protection Act of 1980 (see 8.h).
9.j. Social Security Number Confidentiality Act of 2000 (see 8.j).
9.k. Video Voyeurism Prevention Act of 2004.1657
The VVPA makes it a crime “to capture an image of a private area of an individual without their consent … under circumstances in which the individual has a reasonable expectation of privacy ….”1658 “Private area” includes the “naked or undergarment clad genitals, pubic area, buttocks, or female breast.”1659 Moreover, under the act, a reasonable expectation of privacy includes both a public and private dimension. The VVPA defines reasonable expectation of privacy as “circumstances in which a reasonable (p.335) person would believe that a private area of the individual would not be visible to the public, regardless of whether that person is in a public or private place.1660 Cedric Laurant, formerly of the Electronic Privacy Information Center, commented on the law: “Previous state laws did not prohibit activities like taking a picture up a woman's skirt, when the woman was in a public place…. This [law] will specifically target that kind of activity, which should mean people will have more privacy.”1661
10. Statutes Authorizing Governmental Intrusions
10.a. Bank Secrecy Act (see 2.a).
10.b. Communications Assistance for Law Enforcement Act of 1994 (“CALEA”) (see 5.d).
10.c. Computer Fraud and Abuse Act of 1994 (see 6.a).
10.d. Electronic Communications Privacy Act of 1986 (see 5.e).
10.e. Foreign Intelligence Surveillance Act of 1978 (“FISA”) Pub. L. No. 95-511, 92 Stat. 1783 (codified at 50 U.S.C. §§ 1801–1811). Intercepting private communications during the course of an ordinary criminal investigation has traditionally been viewed as a violation of privacy. In United States v. U.S. District Court,1662 the Supreme Court stated:
Given those potential distinctions between Title III criminal surveillances and those involving the domestic security, Congress may wish to consider protective standards for the latter which differ from those already prescribed for specified crimes in Title III. Different standards may be compatible with the Fourth Amendment if they are reasonable both in relation to the legitimate need of Government for intelligence information and the protected rights of our citizens.1663
In 1978, Congress passed the FISA, the statutory framework governing the procedures by which electronic surveillance and physical searches are conducted for foreign intelligence investigations.
(p.336) Traditionally, under the Fourth Amendment, a search warrant must be based on a probable cause belief that an individual is engaged in criminal activity. FISA, however, only requires that belief that “the acquisition of the contents of communications transmitted by means of communications used exclusively between or among foreign powers.1664 However, if the target of an investigation is a “U.S. person,” there still must be probable cause to believe that their activities involve espionage. Furthermore, a U.S. citizen may not be determined to be an agent of a foreign power “solely upon the basis of activities protected by the First Amendment to the Constitution of the United States.”1665
FISA also has a minimization requirement. Prior to the enactment of the Patriot Act, FISA-obtained information could be used in criminal proceedings so long that the “primary purpose” of the investigation was to collect foreign intelligence.1666 In a number of instances, however, there have overlaps between foreign intelligence gathering and criminal investigations. A common minimization procedure is known as an “information-screening wall.” These “walls” require a disinterested to review the information gathered by FISA surveillance, to screen it, and only pass on information that might be relevant evidence.1667
The Foreign Intelligence Surveillance Court (“FISC”) is a special court composed of seven federal district court judges and exercises jurisdiction over “applications for and grant orders approving electronic surveillance anywhere within the United States.”1668 Under the FISA, the Department of Justice reviews applications for warrants made by agencies prior to submitting them to the FISC. The attorney general also must approve all FISA applications.1669 The application must contain, inter alia,
• the identity of the target of the surveillance, and the nature of the information sought;1670
• a “statement of the facts and circumstances relied upon by the applicant to justify his belief that—(A) the target of the electronic surveillance is a foreign power or an agent of a foreign power; and (B) each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power;”1671
• the proposed minimization procedures.1672
The case records are sealed and may not be revealed. There is no requirement that executed warrants be returned. Nor is there any certification requirement that surveillance was conducted pursuant to the warrant and its proposed “minimization” protocol. The FISA makes provision for review of FISC decisions by the Foreign Intelligence Surveillance Court of Review (FISCR).
10.f. Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197 (codified at 18 U.S.C. § 2510 et seq.). The act makes it a crime for one who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.”1673 However, the act also grants the Attorney General the right to apply for electronic surveillance in the course of investigating certain enumerated criminal offenses.1674
10.g. USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (codified in various sections of 18, 31, and 42 U.S.C.). The Patriot Act is a sweeping piece of legislation which amends several enactments protecting personal privacy. One key provision is the lowering of the FISA standard relating to intelligence investigations. Patriot Act section 218 lowers the preexisting FISA standard that “the purpose” of surveillance is to gather foreign intelligence to the lower threshold of requiring that foreign intelligence gathering be “a significant purpose” of surveillance.1675 The constitutionality of the “significant purpose standard” was considered by the Foreign Intelligence Surveillance Court (FISC).
(p.338) Title II of the Patriot Act amends the Omnibus Crime Control and Safe Streets Act to allow “roving wiretap, allowing the intercept of communications made by the target of an investigation without having to specify the particular telephone line or computer being monitored.”1676 The Patriot Act moreover liberalizes the use of pen registers and trap-and-trace devices. The FISA requirement that the surveillance be pursuant to “any investigation to gather foreign intelligence information or information concerning international terrorism” was replaced with the requirement that “any investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.”1677
The scope of the Patriot Act is extremely broad and it affects numerous pieces of preexisting laws protecting privacy including:
• the Electronic Communications Privacy Act of 1986;
• the Computer Fraud and Abuse Act of 1984;
• the Foreign Intelligence Surveillance Act of 1978;
• the Family Educational Rights and Privacy Act of 1974;
• the Money Laundering Control Act of 1986;
• the Immigration and Nationality Act of 1952;
• the Money Laundering Control Act of 1986;
• the Bank Secrecy Act of 1970;
• the Right to Financial Privacy Act of 1978;
• the Fair Credit Reporting Act of 1970.
(1545) 29 U.S.C. § 1181(a)(2) (2000).
(1546) 42 U.S.C. §§ 1320a–7c, 1395ddd, 1395b–5.
(1547) 45 C.F.R. 164.528.
(1548) 45 C.F.R. 164.524(b); 45 C.F.R. 164.526.
(1549) 45 C.F.R. 164.502(b)(1).
(1550) 45 C.F.R. 164.508(a)(1); 45 C.F.R. 164.504(a); 45 C.F.R. 164.504(c)(3).
(1551) 45 C.F.R. 164.510(a).
(1552) 45 C.F.R. 164.502(a)(1)(ii); 45 C.F.R. 164.506(a); 45 C.F.R. 164.501.
(1553) Genetic Information Nondiscrimination Act of 2008, § 202.
(1555) Id. § 2753. See Brandon Keim, Genetic Protections Skimp on Privacy, Says Gene Tester, WIRED, May 23, 2008, http://blog.wired.com/wiredscience/2008/05/genetic-protect.html (last visited June 23, 2008). This article points out several potential gaps in the act, including lack of protection for life insurance and long term disability applicants. There is a lack of clarity as to whether the act supersedes state laws. Also, if there is a surge in demand for genetic testing, these companies will have more information to distribute to entities, including law enforcement, that are not restricted by the act or other laws.
(1556) S. 358, 110th Cong. (2007).
(1557) 42 U.S.C. § 290dd–2(a).
(1558) 42 U.S.C. § 290dd–2(b)(c).
(1559) 42 U.S.C. § 290dd–2(b)(2)(B).
(1560) 42 U.S.C. § 290dd–2(f).
(1561) 38 U.S.C. § 7332(a)(1).
(1562) 38 U.S.C. § 7332(b).
(1563) 12 U.S.C. § 1951.
(1564) 31 U.S.C. § 5318(g)(1). See also Annunzio-Wylie Anti-Money Laundering Act, 102 Pub. L. No. 550, 106 Stat. 4044 (1992) (codified in various sections of 12, 18, 31 and 42 U.S.C.).
(1566) 31 U.S.C. § 1681(b).
(1567) 15 U.S.C. § 1681(b)(f).
(1568) 15 U.S.C. §§ 1681c–1, 1681m.
(1569) 15 U.S.C. § 1681t(b).
(1570) 15 U.S.C. § 1681b(g)(2).
(1571) 15 U.S.C. § 1681b(g)(5)(A).
(1574) 26 U.S.C. § 825(a)(1).
(1575) See United States v. Miller, 425 U.S. 435(1976) (holding that there is no Fourth Amendment right of an individual with respect to their bank records that could be vindicated by a challenge to the validity of the subpoenas).
(1576) 12 U.S.C. § 3408.
(1577) 12 U.S.C. § 3402.
(1578) 12 U.S.C. § 3404.
(1579) 31 U.S.C § 1232g(2).
(1580) 31 U.S.C § 1232g(5)(b).
(1581) 31 U.S.C § 1232g(a)–(b).
(1582) 34 C.F.R. § 99.31 (2007).
(1583) 31 U.S.C § 1232g(b)(1)(j).
(1584) 31 U.S.C § 1232g(a)(5)(a).
(1585) 31 U.S.C § 1232g(a)(5)(b).
(1586) 34 C.F.R. 99.7.
(1587) 31 U.S.C § 1232g(a)(1)(C)(i).
(1588) 18 U.S.C. § 923(g)(3)(B).
(1589) 47 U.S.C. § 551(a).
(1590) 47 U.S.C. § 551(c).
(1591) 47 U.S.C. § 551(a).
(1592) 47 U.S.C. § 551(e).
(1593) 15 U.S.C. § 6502(b)(1).
(1594) 15 U.S.C. § 6502(b)(1)(A)(ii).
(1595) 15 U.S.C. § 6502(b)(1)(A)(i).
(1596) 15 U.S.C. § 6502(b)(1)(B)(ii).
(1597) 15 U.S.C. § 6502(b)(1)(C).
(1598) 15 U.S.C. § 6502(b)(1)(D).
(1599) 29 U.S.C. § 2002.
(1600) 29 U.S.C. § 2006.
(1601) 29 U.S.C. § 2007(b).
(1602) 18 U.S.C. § 1028(a).
(1604) 18 U.S.C. § 1028(c)(3).
(1605) 18 U.S.C. § 2710(b)(1).
(1606) 18 U.S.C. § 1028A(a)(1).
(1608) 18 U.S.C. § 1028A(c).
(1609) 18 U.S.C. § 1028(d)(1)–(2).
(1610) 47 U.S.C. § 227(b)(1)(A)(i)–(iii).
(1611) 47 U.S.C. § 227(b)(3).
(1612) 47 U.S.C. § 227(e).
(1613) See Moser v. FCC, 46 F.3d 970 (9th Cir. 1995) cert. denied, 515 U.S. 1161 (1995); Destination Ventures Ltd. v. FCC, 46 F.3d 54 (9th Cir. 1995).
(1614) 15 U.S.C. § 7708.
(1615) 47 U.S.C. § 230(c)(1).
(1616) 521 U.S. 844 (1996).
(1617) 129 F.3d 327 (4th Cir. 1997).
(1618) 47 U.S.C. § 1001(8).
(1619) 18 U.S.C. § 3121(a)–(b).
(1620) Amendments relating to privacy include Privacy of Customer Information, 47 U.S.C. § 222 (2006) and Protections of Subscriber Privacy, 47 U.S.C. § 551(2006).
(1621) U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied, 530 U.S. 1213 (2000) (vacating the Commission's implementation of opt-in).
(1622) 47 U.S.C. § 615a (2000).
(1623) Amy Harmon, Cellphones That Track Kids Click with Parents, SEATTLE TIMES, Dec. 21, 2003, available at http://seattletimes.nwsource.com/html/nationworld/2001820367_track21.html.
(1624) 18 U.S.C. § 1030(a).
(1625) Ellen S. Podgor, Computer Crimes and the USA PATRIOT Act, CRIM. JUST., Summer 2002, at 60, available at http://www.abanet.org/crimjust/cjmag/17-2/crimes.html (last visited May 9, 2008).
(1626) 5 U.S.C. § 552a(o)(1).
(1627) 5 U.S.C. § 552a(o)(1)(A).
(1628) 5 U.S.C. § 552a(o)(1)(B).
(1629) 5 U.S.C. § 552a(o)(1)(C).
(1631) 5 U.S.C. § 552a(o)(1)(D).
(1632) 5 U.S.C. § 552a(o)(1)(D)–(E).
(1633) E-Government Act of 2002 § 208(b)(1).
(1635) Id. § 12:4.1.
(1636) Id. § 12:4.2.
(1637) E-Government Act of 2002 §§ 208(c)(2), 212(e)(4).
(1638) 5 U.S.C. § 552a (2000).
(1639) The definition of “agency” does not encompass the offices included within the Executive Office of the President, whose sole function is to advise and assist the president. Dale v. Executive Office of President, 164 F. Supp. 2d 22, 25 (D.D.C. 2001).
(1643) 18 U.S.C. § 1839(3)(A)–(B).
(1644) 18 U.S.C. § 1831(a)(1).
(1645) 18 U.S.C. § 1834.
(1646) 18 U.S.C. § 1831(a).
(1647) 18 U.S.C. § 278g–3.
(1648) 18 U.S.C. § 278g–3.(a).
(1649) 5 U.S.C. § 552(b)(6).
(1650) 5 U.S.C. § 552(b)(7).
(1651) 44 U.S.C. § 3503.
(1652) 44 U.S.C. § 3504.
(1653) 42 U.S.C. § 2000aa(a).
(1654) 42 U.S.C. § 2000aa(a)(1).
(1655) 42 U.S.C. § 1983.
(1657) 18 U.S.C. § 1801 (Supp. 2004).
(1658) 18 U.S.C. § 1801(a).
(1659) 18 U.S.C. § 1801(b)(3).
(1660) 18 U.S.C. § 1801(b)(5)(B).
(1661) Mark S. Sullivan, Law May Curb Cell Phone Camera Use, PCWORLD, July 23, 2004, available at http://www.pcworld.com/article/id,117035-page,1/article.html (last visited May 9, 2008).
(1662) States v. United States District Court (“Keith”), 407 U.S. 297 (1972).
(1663) Id. at 322–23.
(1664) 50 U.S.C. § 1802(a)(1)(A)(i).
(1665) 50 U.S.C. § 1861(a).
(1666) Foreign Intelligence Surveillance Act of 1978 §§ 1801(h), 1804(a)(5), 1804(a)(7)(B), 1805(a)(4). See also United States v. Truong Dinh Hung, 629 F.2d 908, 912–13, 916 (4th Cir. 1980) (holding that evidence obtained pursuant to FISA where the primary purpose is a criminal investigation is inadmissible in court).
(1667) STEPHEN J. SCHULHOFER, RETHINKING THE PATRIOT ACT: KEEPING AMERICAN SAFE AND FREE 37–38 (2005).
(1668) 50 U.S.C. § 1803. See also 50 U.S.C. § 1822(c) (granting FISC jurisdiction over physical searches conducted pursuant to FISA).
(1669) 50 U.S.C. §§ 1804(a)(2), (e).
(1670) 50 U.S.C. § 1804(a)(3), (6).
(1671) 50 U.S.C. § 1804(a)(4)(A)–(B).
(1672) 50 U.S.C. § 1804(a)(5).
(1673) 18 U.S.C. § 2511(1)(a).
(1674) 18 U.S.C. § 2516.
(1675) 50 U.S.C. § 1804(a)(7)(B). See generally William C. Banks, And the Wall Came Tumbling Down: Secret Surveillance After the Terror, 57 U. MIAMI L. REV. 1147, 1174–81 (2003) (discussing the erosion of the foreign intelligence and criminal investigation dichotomy).
(1676) 18 U.S.C. § 2518(11).
(1677) 50 U.S.C. § 1842(a).