Friday, February 18, 2011

Legislative Review: "Do Not Track", "Kill Switch", and Body Scanner Images

There was a flurry of federal privacy legislation introduced this past week I thought I'd quickly review.

Jackie Speier's Privacy Bills

Let's begin with the especially good: the "Do Not Track" (DNT) and financial privacy legislation being proposed by privacy stalwart and Congresswoman Jackie Speier. The bill would essentially allow Internet users to opt out of "cookies, sniffing, scraping, or any other new and creative methods developed by those looking to profit through these activities."

The "DNT" legislation would allow the Federal Trade Commission to force online advertisers to respect the wishes of users who do not want to be tracked for marketing purposes. Why is this important?

The Center for Digital Democracy explains:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

As I have written in the past, the DNT option is an interesting concept - one that privacy advocates have supported in the past. The feature, which the FTC has said could be located within browsers, would prevent a person from being exposed to behavioural advertising and would function like 'do not call' lists of phone numbers.

This is a sensible component of a much larger web privacy strategy that will ideally put the individual in control, or ownership, of their own data. While I favor the opt-in over the opt-out method as a rule of thumb, certainly a visible DNT mechanism in browsers would be an acceptable piece of the internet "privacy puzzle". The bill would give the FTC 18 months to come up with a set of regulations that would require advertisers to allow users to "effectively and easily" choose not to have their online behavior tracked or recorded.

The second bill introduced by Speier would enable consumers to better control financial information collected about them by banks and other institutions. That bill includes a provision that would prevent companies from sharing consumer financial information without explicit pre-approval from the consumer, a process known as opting in.

Speier stated, "These two bills send a clear message — privacy over profit. Consumers have a right to determine what if any of their information is shared with big corporations, and the federal government must have the authority and tools to enforce reasonable protections."

My friend Ryan Calo, director of the Consumer Privacy Project at Stanford Law School, had some important insights I'd like to share. "It really is a strong pro-consumer bill," he stated, noting that the bill's teeth included provisions that would allow state prosecutors to go after privacy violators if the FTC didn't have time or resources. He also noted, as I have argued, that the bill was not a panacea for preserving online privacy, particularly given that it would apply only to consumers who elect not to be tracked — a process called opting out. Anyone who did not opt out, for instance because they did not know how or know that they could, would not be protected.

This goes back to the issue I always raise here: Opt-in should be the privacy standard, not opt-out. If you want my personal information to share and sell, and you want to track what I do and when I do it, then you should have to ask me, period.

Schumer/Nelson Body Scanner Legislation


As some of you may know, I have written extensively about why I believe these airport body scanners and the subsequent aggressive pat downs for those that choose that "option", are grossly ineffective, intrusive, expensive, and unnecessary.

This bill does - at least partly - address just one of the myriad of problems I have with them: the accessing and sharing of these digital strip searches with the public. The bill - approved by the Senate on Tuesday - would make the misusing of body scanner images a federal crime punishable by up to a year in prison.

In other words, its aim is to prohibit anyone with access to the scanned body images, whether security personnel or members of the public, from photographing or disseminating those images. Besides a prison term, violators could be fined up to $100,000 per violation.

A quick sidenote on this issue: USA Today wrote a blistering editorial this week on what they called the "'Inexcusable' delay on TSA body-scanner safety reports". The article notes:

The Transportation Security Administration has told members of Congress that more than 15 million passengers received full-body scans at airports without any malfunctions that put travelers at risk of an excessive radiation dose. Despite the reassurance, however, the TSA has yet to release radiation inspection reports for its X-ray equipment - two months after lawmakers called for them to be made public following USA TODAY's requests to review the reports.

Fueling concerns about the potential for scanner malfunctions and the TSA's ability to identify problems: TSA and its contractors had failed in the past to detect when some baggage X-ray machines were emitting excessive levels of radiation or had safety features that were missing or disabled. The TSA says that it has made improvements since then and that all of its X-ray scanners - for people and luggage - have passed recent inspections by contractors. The agency in January asked the CDC to repeat its luggage X-ray study "to confirm the progress TSA has made," Lee says.


At the very least, this is an issue to keep an eye on.

Lieberman/Collins Kill Switch Legislation

It should surprise no one that one of the most anti-civil liberties bills of the session would come from Senator Joe Lieberman. What's particularly revolting about this bill is that we saw, just these past few weeks in Egypt, how government can use such power over the internet and the people's access to information.

The USA Today has more:

The bill - crafted by Sens. Joseph Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del. - aims to defend the economic infrastructure from a cyberterrorist attack. But it has free-speech advocates and privacy experts howling over the prospect of a government agency quelling the communication of hundreds of millions of people.

"This is all about control, an attempt to control every aspect of our existence," says Christopher Feudo, a cybersecurity expert who is chairman of SecurityFusion Solutions. "I consider it an attack on our personal right of free speech. Look what recently occurred in Egypt."

...

The disruption to communications and economic activity "could be catastrophic," says Marc Rotenberg, executive director of the Electronic Privacy Information Center.

...


Cyberthreats aside, deep questions persist over what critics claim is the bill's heavy-handed approach, what it means to free speech and whether it can be enforced practically.

The crux of the issue, to computer-law expert Fertik and others, is if the Internet is a national asset, should it be nationalized? "Determining where the Internet connects to infrastructure is hard to define and impose," Kagan says.

"In its current form, the legislation offers no clear means to check that power," says Timothy Karr, campaign director for media-policy group Free Press, a non-profit organization.



....


A provision in the bill lets the president take limited control during an emergency and decide restrictions. "It, essentially, gives the president a loaded gun," Fertik says.

"Say there is a mounted attack from a terrorist group on the Internet," Fertik says. "(The law) could present the president with a kill switch option. But what are the conditions, and how far does (the law) go?"

The debate extends to minutiae in the bill's wording. It neither expressly calls for the creation of an Internet kill switch nor does it exclude one. It only requires the president to notify Congress before taking action, and it specifically prohibits judicial review of the president's designation of critical infrastructure. The non-profit Center for Democracy and Technology, in a measured letter to Lieberman, Collins and others, wants more specifics on the sweep of "emergency" measures mentioned in the bill.


"In our constitutional system of checks and balances, that concentrates far too much power in one branch of government," says Karr. "The devil is always in the details, and here the details suggest that this is a dangerous bill that threatens our free-speech rights."

Giving the president broad power to "interfere" with the Internet - even bottling up chunks of it in the name of national security - would require him to go to court to stop communications, says Michelle Richardson, legislative counsel for the American Civil Liberties Union. What's more, a new law may be next to impossible to administer widely, technology experts say.
Read more here.


More generally, particularly on the issue of privacy on the internet, as I have written here before, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for some of the bills being offered here - like Speier's for instance.

What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument by some, such as Mark Zuckerberg, is that all information should be public, and as time goes on we'll only be sharing more of it. In addition, we all will benefit from this communal sharing of private information in ways yet to even be discovered. Already, from this sharing, we forge more online friendships and connections, old friends are reconnected, distant parents see pictures of their kids' day-to-day activities, jobs might be more easily found due to our profiles being more public, internet services improve as companies like Facebook and Google learn about peoples' Web browsing histories, sites are able to tailor content to the user, and so on, and so forth.

That last point has particular resonance with me. What concerns me is what are the side effects of living in a society without privacy? Not just on the net, about our personal habits, but from the watchful eye of government, be it the knowledge that we could be wiretapped, that smart grid monitors our daily in-home habits, that our emails can be intercepted, that our naked bodies must be viewed at airports, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, that RFID tags allow for the tracking of clothes, cars, and phones...and the list goes on.

Stay tuned...

Tuesday, February 15, 2011

GOP House Rams Through Patriot Act - Rejects Surveillance Comply with Constitution

I've always been just a little bit more than amused (or disgusted?) by the irony of today's GOP calling themselves a "small government", or worse, "Constitutionally concerned" Party.

This irony was on full display yesterday as the GOP House not only OVERWHELMINGLY voted to pass the Patriot Act extension (even though it gives their arch nemesis President Obama a victory!), they nearly unanimously voted against the Democrats' efforts to require that Patriot Act surveillance be conducted in compliance with the Constitution.

That's right, the Party that can't stop misrepresenting the Constitution, or forcing it to be read on the House floor, also can't bring themselves to uphold it - at least when it comes to government snooping on average citizens (among MANY other examples).

Just last week I posted about the surprising and TEMPORARY blocking of the extension of some of the worst components of the Patriot Act. The surprise came in large part because a large majority of Democrats were willing to buck their own President's demands, and a very small minority of Republicans were willing to buck their leadership in the House. Of course, the real reason it didn't pass was because, due to procedural issues, it needed a super majority vote.

This time around, a majority was all that was needed. As such, we got the extension of those Patriot Act "unconstitutional greatest hits", including provisions allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation; the continuation of so-called “roving wiretaps”, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped. Finally, the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist.

This time around, while most Democrats opposed the extension of the surveillance authorities, rejecting aggressive lobbying by the Obama administration and its allies in the House GOP leadership, the overwhelming Republican support won approval of the legislation on a 275-144 vote.

As John Nichols of the Nation rightly points out, "Thus, the supposedly Constitution-obsessed House has endorsed a measure that is widely seen -- not just by Democrats and progressives but by Republicans and conservatives -- as a constant threat to privacy protections outlined in the document's 4th Amendment."

Michelle Richardson, the legislative counsel for the American Civil Liberties Union, noted: “It has been nearly a decade since the Patriot Act was passed and our lawmakers still refuse to make any meaningful changes to this reactionary law. The right to privacy from government is a cornerstone of our country’s foundation and Americans must be free from the kind of unwarranted government surveillance that the Patriot Act allows. If Congress cannot take the time to insert the much needed privacy safeguards the Patriot Act needs, it should allow these provisions to expire.”

For those keeping score, the 275 votes for extending the surveillance authorities came from 210 Republicans and 65 Democrats. The 144 votes against extending the authorities came from 127 Democrats (including Minority Leader Nancy Pelosi, D-California, and Michigan's John Conyers, the ranking Democrat on the House Judiciary Committee) and 27 Republicans.

What's more astounding than the GOP so overwhelmingly voting against the Constitution and WITH President Obama, was the Party's near unanimous vote against a motion offered by the Democrats seeking to recommit the bill with instructions to add language ensuring that surveillances would only be conducted in compliance with the U.S. Constitution. That motion lost on a 186-234 vote.

All 234 "no" votes came from Republicans, including two dozen members who minutes later would vote against extension of the surveillance authorities. The 186 "yes" votes came from 184 Democrats and 2 Republicans -- Ron Paul and South Carolina Congressman Walter Jones Jr., a pair of stalwart civil libertarians who refused to put partisanship ahead of the rule of law.

As Nichols notes, "The message from the Republicans, aside from Paul and Jones, was clear enough: For all their talk about how much they revere the Constitution, they're cool with violations of the 4th Amendment."

Breaking News Update: Interestingly, after the House passed the above 10-month extension of key provisions of the Patriot Act last night, it was assumed that the Senate would follow suit quickly. And they will vote on the measure tonight. However, they will narrow the extension to three months, in a move with bipartisan support.

It's unclear exactly why this is, but, as David Dayen points out, "Ultimately, this probably only means that the Senate will spend a week of debate three months from now and then extend the whole thing past the Presidential election. But it’s so rare that civil libertarians see even a minor speed bump in the rush to deprive liberty, and even with the three-month extension, that’s what this represents. If we just changed the name of the Patriot Act to the “emergency law,” do you think we could get the President to call for lifting it, like he did with Egypt’s?"
 

Friday, February 11, 2011

CA Supreme Court Sides with Consumers - Zip Codes ARE Private

I'll be honest with you...this is a gratifying victory. I say that not only because it's rare that corporate interests lose much of anything anymore, and it can be even more rare when consumer privacy is actually protected, but because we (Consumer Federation of California) were actively engaged in this case.

First, let's get to just what the heck I'm talking about. The case in question is Pineda v. Williams-Sonoma Stores Inc, and it involved the retailer’s practice of gathering California consumers’ zip codes when they use their credit cards. This retailer was charged with violating California’s credit card privacy law, which specifically prohibits retailers from gathering and retaining personally identifiable information – including the consumer’s address – from a customer using a credit card.

Consumers sued Williams Sonoma, alleging that the retailer retained the consumer’s name and zip code, and supplied this information to data aggregation brokers. The data aggregators reconstructed the consumer’s complete residential address by searching their databases of billions of bits of information they collect on all Americans. The retailer then used the comprehensive consumer contact information for marketing purposes, without the customer’s consent.

A lower court ruled that since thousands of people share the same zip code, it is not a unique consumer identifier. Therefore, this court ruled, the retailer had not violated California privacy law. The case was appealed to the State Supreme Court.

Consumer Federation of California and Privacy Rights Clearinghouse filed a friend of the court brief, urging the Supreme Court to overturn the lower court ruling.

Yesterday, the Supreme Court agreed with us, ruling that zip codes are indeed personal identifiers. The Supreme Court found that California law prohibits retailers from retaining this information from customers making purchases with credit cards. The Supreme Court reinstated the suit against Williams Sonoma.

Now, before I get to some of the Sacramento Bee article about the case and ruling, I want to be sure we're all clear on what we're talking about here.

As part of the transaction process, this housewares retailer requested Pineda’s zip code. Unbeknownst to Pineda, Williams-Sonoma used a process called “reverse appending” to find out her mailing address. The retail giant then sent Pineda catalogs and used the information it had collected for other business purposes.

Reverse appending is an industry practice that looks up a person’s name, mailing address, phone number and other personal information using very limited data, such as a zip code or email address. Reverse appending is done without the consumer’s knowledge or permission.

In other words, and in layman's terms, a ZIP code can be a powerful tool that retailers use to specifically identify their customers and obtain their home addresses under false pretenses. This private information is then stockpiled by the retailer – without the consumers’ knowledge – in massive databases which are used to market their products as well as sell that information to third party data brokers and other retailers so they can target you too.

Collecting and maintaining consumers’ personal identification information is a practice that can put the physical safety of consumers at risk and jeopardize consumers’ financial security due to identity theft and credit card fraud. It was in response to this danger and threat that the Legislature enacted an amendment to the Song Beverly Credit Card Act in 1990 to protect privacy rights guaranteed to consumers by Article 1, Section 1 of the California Constitution.

But retailers have been bypassing this law using advances in database technology that essentially can turn a name plus a zip code into a full address. See, retailers then argue that they WEREN'T in the wrong because a zip code isn't a personal identifier - yet that's EXACTLY WHAT THEY WERE USING THEM FOR!!

It's astounding they even had the temerity to argue this, when the original law was passed specifically to STOP retailers from compiling this information under false pretenses and violating consumer privacy while increasing the likelihood of identity theft and fraud - in addition to getting more unwanted mailings and phone calls.

The court did not address the practice of some retailers, who request consumer zip codes for the limited legitimate purpose of assuring that the credit card is not stolen. This is most common at gas stations or other situations where there is no sales clerk present - but in these instances the zip code data is not retained by the retailer.

As Beth Givens, founder of Privacy Rights Clearinghouse, a consumer education and advocacy group, said, “The ruling is significant because it confirms that the definition of PII includes part of a person’s address; the zip code. In ruling in favor of the plaintiff, the Justices acknowledge advances in technology, in which the use of databases can turn a name plus a zip code into a full address.”

All in all, this is an important victory for common sense that will prevent big retail chains from turning a credit card into another avenue for violating our financial privacy.

To read what the Sacramento Bee had to say, click here.

And, if you want to delve into the dark side, read Forbes magazine's passionate OPPOSITION to this common sense protection.

Wednesday, February 9, 2011

Patriot Act Dealt (Temporary) Blow by House

Well here's a pleasant surprise, even if it is short lived. Believe it or not, yesterday the House blocked the bill to renew the Patriot Act - with 26 Republicans joining 122 Democrats in denying passage. Now, why do I say this is only a temporary victory? Unfortunately, because the House brought the bill to the floor under the suspension of the rules, they needed a 2/3 vote. In addition, nobody could offer amendments, and only 40 minutes were allowed for debate.

This of course is in itself troubling. What BETTER issue to have debate on than the Patriot Act?? Being how radical it is, and how unconstitutional many components of it clearly are, one would think this is ripe for debate, particularly by those in the GOP that can't say a sentence without mentioning the Constitution (which is actually a sign they don't understand it).

So it was shot down, but not by a majority. Still, I think this is something to at least take some pleasure in.

As I mentioned last week, this new version STILL contains provisions allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation; the continuation of so-called “roving wiretaps”, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped. Finally, also expected to be renewed is the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist.

It is true that Patrick Leahy offered a bill with some minor reforms, including elements that the Justice Department promised to implement voluntarily. But, just as two years ago, the White House has put its weight behind the blanket extension - which happens to be the version defeated in the House today. But it's not only the White House trying to undermine Leahy's modest efforts to protect privacy and civil liberties. Dianne Feinstein has engineered her own version, which will be able to bypass the Senate Judiciary Committee, chaired by Leahy, and move right to the floor.

As for the question regarding why we need more debate, and more protections, how about the report recently released in which the FBI admitted to the President’s Intelligence Oversight Board to violating the law at least 800 times on national security letters, going well beyond even the loose safeguards in the original provision? According to the report the FBI “may have violated the law or government policy as many as 3,000 times” between 2003 and 2007, according to the Justice Department Inspector General, while collecting bank, phone and credit card records using NSLs. Yet, knowing all that, the House spent a few minutes debating whether to extend the exact same authority to the FBI for another year, the Obama Administration wants this all to go away immediately, and Feinstein is undercutting Leahy.

John Nichols of the Nation has more on the vote, and more from Dennis Kucinich, who's really been leading the opposition to this law since its inception:

But House Minority Leader Nancy Pelosi, D-California, led the vast majority of House Democrats in opposing any extension. In all, 122 Democrats—roughly two-thirds of the party's House caucus—voted "no" to extending surveillance authorities that the American Civil Liberties Union warns [2]  "give the government sweeping authority to spy on individuals inside the United States and, in some cases, without any suspicion of wrongdoing. All three should be allowed to expire if they are not amended to include privacy protections to protect personal information from government overreach."

Joining the Democrats in voting "no" were 26 Republicans, including Texas Congressman Ron Paul and a number of other senior Republicans with records of breaking with their party on civil liberties issues, such as Tennessee's John Duncan Jr. and South Carolina's Walter Jones Jr. Joining them were several new members of the GOP caucus, such as Illinois Congressman Randy Hultgren and Michigan Congressman Justin Amash.

...

"The PATRIOT Act is a destructive undermining of the Constitution," Kucinich told the House. "How about today we take a stand for the Constitution to say that all Americans should be free from unreasonable search and seizure, and to make certain that the attempt to reauthorize the Patriot Act is beat down."

Against the lobbying of the Obama administration and the determined efforts of House GOP leaders—who kept what was supposed to be a fifteen-minute discussion open for twenty-five minutes as they tried to corral the needed seven votes—Kucinich's argument carried the day [3]... “It is expected that the bill will be brought up again, but the opposition has now surfaced. I look forward to working with this new coalition to continue to rally support to defeat the PATRIOT Act.”

...

ACLU leaders, celebrating a rare victory in the long fight against the PATRIOT Act, shared Kucinich's excitement about the prospects for blocking—or, at the very least, radically reforming—the measure [5].

“The House should be commended for refusing to rubberstamp the continuation of these provisions," declared Laura Murphy, director of the ACLU's Washington Legislative Office. "For the nearly 10 years it has been law, the over-reaching Patriot Act has been abused by law enforcement to violate innocent Americans’ privacy. We urge both the House and the Senate to keep up this momentum and continue to fight the extension of these provisions that put Americans’ privacy at risk.”

Of course, this will eventually happen, particularly because the White House and the GOP leadership support passage without amending the provisions whatsoever. There will be no committee markup, no hearings, no major deliberation. Similarly, Leahy's modest changes which are aimed at heightening oversight include language requiring the government to list the facts and circumstances that justify obtaining a court order to retrieve records. Current law states the records are presumed relevant, so long as they are associated with a foreign power, the activities of a suspected agent of a foreign power, or an individual in contact with such an agent.

In addition, the Senate proposal raises the standard for gaining permission to conduct wiretaps. Existing law mandates that the government certify the information sought is foreign intelligence data or relevant to a terrorist investigation. The new measure would demand the government provide facts that substantiate the belief that the information gleaned will likely be relevant - including greater restrictions to the so-called library provision. 

But, as I said, today represented a temporary, though potentially meaningful, defeat of the very worst version of the Patriot Act - a version given no debate or amendments. Until we can get a White House and/or the leadership in the House and Senate to actively and aggressively put an end to the Patriot Act, it will continue to be renewed in increasingly un-democratic ways.

But don't take my word for it, here's the ACLU's analysis of all that is wrong with this abomination:

On behalf of the American Civil Liberties Union, a non-partisan organization with over half a million members, countless additional activists and supporters, and 53 affiliates nationwide, we urge you to vote ‘NO’ on H.R. 514, a bill that reauthorizes three expiring provisions of the USA Patriot Act and the Intelligence Reform and Terrorism Prevention Act (IRTPA) until December 8, 2011. This bill reauthorizes and extends these laws without making common sense amendments to protect Americans’ privacy. Because of the importance of this vote to civil liberties principles, we will be scoring this vote.

The three expiring provisions of the Patriot Act and IRTPA give the government sweeping authority to spy on individuals inside the United States and, in some cases, without any suspicion of wrongdoing. All three should be allowed to expire if they are not amended to include privacy protections to protect personal information from government overreach.

Section 215 of the Patriot Act authorizes the government to obtain “any tangible thing” relevant to a terrorism investigation, even if there is no showing that the “thing” pertains to suspected terrorists or terrorist activities. This provision is contrary to traditional notions of search and seizure, which require the government to show reasonable suspicion or probable cause before undertaking an investigation that infringes upon a person’s privacy. Congress must ensure that things collected with this power have a meaningful nexus to suspected terrorist activity or the provision should be allowed to expire.

Section 206 of the Patriot Act, also known as “roving John Doe wiretap” provision, permits the government to obtain intelligence surveillance orders that identify neither the person nor the facility to be tapped. This provision is contrary to traditional notions of search and seizure, which require government to state with particularity what it seeks to search or seize. Section 206 should be amended to mirror similar and longstanding criminal laws that permit roving wiretaps, but require the naming of a specific target. Otherwise, it should expire.

Section 6001 of the Intelligence Reform and Terrorism Prevention Act of 2004, or the so-called ‘lone wolf’ provision, permits secret intelligence surveillance of non-US persons who are not affiliated with a foreign organization. Such an authorization, granted only in secret courts, is subject to abuse and threatens our longtime understandings of the limits of the government’s investigatory powers within the borders of the United States. According to government testimony, this provision has never been used and should be allowed to expire outright.

The bill also fails to amend other portions of the Patriot Act in dire need of reform, most notably those relating to the issuance and use of national security letters (NSLs). NSLs permit the government to obtain the communication, financial and credit records of anyone deemed relevant to a terrorism investigation even if that person is not suspected of unlawful behavior. Numerous Department of Justice Inspector General reports have confirmed that tens of thousands of these letters are issued every year and they are used to collect information on people two and three times removed from a terrorism suspect. NSLs also come with a nondisclosure requirement that precludes a court from determining whether the gag is necessary to protect national security. The NSL provisions should be amended so that they collect information only on suspected terrorists and the gag should be modified to permit meaningful court review for those who wish to challenge nondisclosure orders.

Instead of reauthorizing these provisions, Congress should conduct robust, public oversight of all surveillance tools and craft reforms that will better protect private communications from overbroad government surveillance. Because of the negative privacy implications of extending all of these laws, we strongly urge you to vote “no” on H.R. 514. We will track this vote and add its result to our Congressional scorecard.


Thursday, February 3, 2011

Protecting Your Private, Prescription Drug Records

As I have written about on this blog in the past, the reality that our most private prescription drug records are not in fact private should be of increasing concern to consumers, legislators, and the courts. In fact, this dispute has now reached the Supreme Court. 

Now, I don’t want to belabor this point, particularly since this is a privacy blog, but it’s more than just a privacy issue… it’s about the damage that the drugs themselves can do to people, due to a pharmaceutical industry that is concerned far more with profit and deception than with patients’ good health.

So when you’re talking about efforts to sell private prescription drug records to third parties, so drug manufacturers can better target their products to you (oftentimes in an invasive and dangerous way), it’s more than just the violation of privacy – it’s the products themselves that should also be of concern.

So before I get to an LA Times editorial on this big Supreme Court battle, let me first share just a few of my concerns about our nation’s growing addiction to pharmaceutical drugs in hopes of establishing the importance of strict privacy protections when it comes to our prescription records.

First, recent studies indicate that a whopping sixty-five percent of the country takes a prescription drug. In 2005 alone, we spent $250 billion on them. Another 100,000 Americans die each year from prescription drugs (that’s 270 per day), more than twice as many as are killed in car accidents each day.

Unfortunately, thousands of patients die from prescribed mistakes too, but this study looked only at deaths where our present medical system wouldn’t fault anyone. Tens of thousands of people are dying every year from drugs they took just as the doctor directed. This shows you how dangerous medications are – and why, as you’ll see, privacy is paramount.

Before I get to more of Big Pharma’s marketing strategies to further illustrate the importance of this issue, let me get into what exactly we are talking about in terms of prescription records privacy. For Californians, the good news is we have stricter protections against the selling and sharing of our prescription records than just about any other state (aside from New Hampshire, Maine and Vermont).

It was just a couple of years ago that we (Consumer Federation of California) actively, and successfully, opposed legislation that would have allowed the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patient's consent.

Californians rightly expect that their private medical records will be held in confidence by their doctors and pharmacists. But, if we had lost this fight, pharmacies could share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications. The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer. 

The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company currently being sued for privacy breaches related to patient prescription records. 

A patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. The bill placed no liability on drug marketers that provide bad information to patients.

The victory was an important milestone for California’s landmark medical records privacy law – a fight that is now playing out nationwide and in the Supreme Court.

The issue is a stark one: failing to protect prescription records would be a windfall for corporations seeking to track, buy and sell a patient's private medical records. This would represent a significant intrusion by pharmaceutical companies into the privacy of patients. By opening this Pandora's Box, consumers could wind up receiving mailings designed to look as if they came from the pharmacy yet conflict with what their pharmacist or doctor has recommended. Such a scenario would be a threat to their health.

At the time of this battle, Brian Leubitz of Calitics gave an exceptional description of exactly what we’re talking about. He wrote:
“But nowhere does the bill stop manufacturers from purchasing the data from pharmacies. In fact, the bill explicitly contemplates that "manufacturers and distributors" will be paying for these letters by requiring a disclosure on the letter. Furthermore, I'm not sure having 3rd party data brokers like Adheris (aka Elansys) having the data is really that much more comforting than having Merck or Eli Lilly having it. In effect, this bill would moot a court case brought against Adheris for doing this already…

But to the greater issue, that of privacy….Mr. Rushing (worked on passing this bill for state senator Calderon) makes the argument that 49 other states have this rule to allow sales of pharmaceutical records, and why is California the outlier? There is a simple response to this: Californians value their privacy. We have the toughest privacy laws in the nation, thank you, Representative Speier, precisely because we feel that data warehousersWe needn't join that race to the privacy floor that HIPAA provides. Our privacy laws are, and should be, a model for other states.

That being said, there are health benefits of reminder communications for chronic conditions. However, they do not need to be sponsored. The pharmacy can send out these mailings now as could the prescribing doctor. In fact, despite whatever arguments the National Association of Chain Drug Stores and the California Retailers Association makes on the policy arguments that this is substantially better for public health (Rushing gave me a $150bn figure for nationwide savings if everybody took their meds on schedule), the fact is that the risk involved in the sales of these records outweighs the benefits. We can already provide reminders without sales of medical records financed by manufacturers or distributors. Even the California Medical Association agrees that we needn't travel this risky ground in the name of possible results.”
So that’s a detailing of the fight we had in California. Now let’s go to what the LA Times had to say in its editorial "Your Rx or your privacy":
IMS Health Inc. operates in the shadows of the healthcare industry, gathering data that drug makers can use to sell medications more effectively. The data, however, are taken from the prescriptions that doctors write for their patients. That information is at the heart of a dispute over how far states can go to protect privacy — a dispute that has reached the Supreme Court, and one that could broaden the reach of the 1st Amendment in troubling ways.

IMS and a handful of market research competitors pay pharmacists for the details contained in prescriptions, including the name of the doctor and the patient, the drug prescribed and the dosage. They compile that information into databases that track individual doctors' prescribing habits, replacing patients' names with "de-identified" numbers. Such databases can be valuable to the public, potentially helping to enforce drug laws, find patterns in the spread of disease and spot variations in how medications are used. But the main use — and the one that pays for the databases — is to help pharmaceutical companies persuade physicians to prescribe more of their products.

That's one of the reasons states across the country have proposed or enacted regulations governing prescription data mining. Drug makers hire legions of sales representatives to pitch physicians in person about new products and new applications for older medications. They pay market researchers millions of dollars for information on individual doctors' prescriptions because it helps them find sick people (chronically sick people in particular) who could be treated with their drugs or who are taking their competitors' medications.
This month the Supreme Court agreed to consider Vermont's appeal, and we hope the justices will be guided by the dissent written by 2nd Circuit Judge Debra Ann Livingston. As Livingston noted, pharmacies obtain sensitive information about doctors and prescriptions only because the state orders them to gather it for law enforcement reasons. Otherwise, doctors and patients might insist that the data be kept confidential. That information is every bit as sensitive as a hospital chart or a doctor's notes, and should be subject to equally effective protection.

Just because IMS doesn't supply patients' names to drug companies, that doesn't mean they can't be tracked individually. According to Meredith Jacob of the American University Washington College of Law, the databases assign unique numbers to pharmacies' customers that can be used to follow their prescriptions over time, helping drug makers spot the patients most likely to be customers for their new drugs and market those medicines to their physicians.

What's worse, the data about prescriptions could conceivably be combined with other records to reveal some patients' names. That's because "de-identified" data may provide clues that enable it to be matched against names in other databases. In one example of this technique cited in a brief by the Electronic Privacy Information Center, a researcher was able to use public records to name more than a third of the supposedly anonymized victims in Chicago's homicide database.

So let me just conclude by once again highlighting the practices and products of the pharmaceutical industry. There’s the cozy relationship they foster with the doctors themselves. For instance, the industry spends hundreds of millions of dollars on physicians every year. In one survey, 9 out of 10 doctors said they had recently taken something of value from the drug industry. And some of those doctors take hundreds of thousands of dollars each year from the industry. 

Melody Petersen, author of Our Daily Meds, discussed some of this, stating:
“The drug companies pay doctors to be their so-called consultants. They also pay them to sit on corporate advisory boards and to give lectures to other doctors. They pay for up to 80 percent of the continuing medical education that doctors need to maintain their licenses. If you ask a doctor if this is a problem, they will more than likely tell you no. But the studies show that even a small gift will sway doctors to write a prescription for a certain drug. The truth is that doctors are no longer independent gatekeepers who keep us safe from drugs we don’t need. Far too many of them are financially tied to the industry. They are writing the prescriptions that their financial backers want them to write.

The industry’s unlimited hikes in prices have helped make health insurance unaffordable. This is also why wages of American workers have stagnated. When health premiums rise, employers must get the extra money.

…The answer is that we really don’t need many of those kinds of drugs, those lifestyle drugs that don’t save or lengthen lives. But the drug companies have discovered there are billions of dollars to be made by selling pills to Americans who worry about getting old, but are otherwise healthy. It’s so easy to fall for the marketers’ claim that a little pill will enhance our lives and keep us young forever. 

It is a common sales tactic in the industry to have sales reps push doctors to prescribe a drug for many uses and patient conditions. The drug companies do this even though it is illegal to promote a drug for anything other than the condition the FDA has approved it for…The drug companies have made Americans believe that almost anything should be treated with a pill.

The prescriptions are driven by the promotional efforts of the industry. Today, the companies start promoting a drug years before it even goes to the FDA for approval. Some drugs have promotional campaigns funded by more than a billion dollars. It was around 1980 when the big drug companies learned that they could make far more profit by focusing their efforts on marketing rather than on the truly hard work of scientific research and finding new drugs.

In America, if you’re lucky enough to have health insurance, you can easily get too much medicine, too much health care. Many Americans don’t understand that all of health care has risks and that too much of it can actually shorten your life. Is this one of the reasons why we’re falling fast in the world rankings on life expectancy? No one knows for sure. But it’s obvious that all that money we spend on prescriptions and doctors is not giving us an advantage.
Overall, the biggest problem is that the news media is not objective when reporting on medicines. Much of the news coverage on prescription drugs exaggerates their potential benefits and glosses over their risks. Many news stories about new drugs don’t even mention the side effects. People are getting distorted information on prescription drugs. Many of these news stories are little more than press releases that come straight out of the drug companies’ marketing departments.”
With all that said, a pharmacist friend of mine made a point I thought I should reiterate: there's no reason to believe that most pharmacists knowingly participate in sharing prescribing information or are aware of how Verispan or IMS get their data. Chains and PBMs, which make up a majority of the business, are more suspect and don't make a habit of involving their pharmacy staff.

My point in all this is simply that the LAST THING Americans need is EVEN MORE aggressive drug marketing techniques…and more of their private, prescription records becoming increasingly public – and sold for profit.