The U.S. Constitution does not explicitly guarantee a right to privacy, but the First, Fourth and Ninth Amendments have formed the legal basis for laws protecting privacy.
First Amendment: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
Fourth Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Ninth Amendment: The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
The federal Privacy Act of 1974 was passed in the wake of Watergate, amid public concern over abuses of government surveillance power and the computerization of government records. While its purview was comprehensive, the law is now frequently criticized as inadequate, even by the Justice Department itself in the introduction to the text on its Web site: "… the act's imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply."
Under the Privacy Act, federal agencies cannot keep secret records on U.S. citizens and must allow citizens to view the records kept about them. Agencies' records cannot describe "how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute," must be limited to the information the agency needs to carry out its responsibilities, and should be collected from the individual in question if the information may have a negative effect on that person's "rights, benefits and privileges." The act also places limitations on how agencies can share information to prevent the construction of what Clinton administration chief privacy counselor Peter Swire calls "the one database on all Americans run by the government."
The act also gives citizens the right to correct inaccurate information in their records and to sue the government for civil penalties in the case of a violation. A federal employee who violates the act can face criminal charges.
However, as the DOJ's Web site intimates, the act has significant weaknesses. On its Web page about the act, the Electronic Privacy Information Center points out that the law grants exemptions for vaguely defined "law enforcement purposes" and "routine use," and that definitions for important terms such as "record," "system of record" and "identifying particular" are too narrow to be useful in the changing technological landscape. Characterizing the act's efficacy, Swire told FRONTLINE, "… a lot of times today, you'll see the government say 'Well, we complied with the Privacy Act,' and that's like saying 'We have a fence that's six inches tall … in place, so you're still protected.'"
The Freedom of Information Act, enacted in 1966, is another useful privacy tool; it requires the government to release any federal records requested by members of the public, unless those records fall under the nine exemptions built into the law to protect privileged information. More information on FOIA is available from the University of Missouri's Freedom of Information Center, including sample letters to obtain information from the government under FOIA or the Privacy Act.
State-level privacy and electronic surveillance regulations vary across the country. The National Conference of State Legislatures provides an online list describing each state's laws, as does the Electronic Privacy Information Center
Much of the technology used in daily communications and financial transactions involves the submission or transmission of personal identifying information, which companies can then compile, store, and often sell to other companies or the government. In his book, Privacy Lost, former Navy cryptographic analyst David H. Holtzman examines how personal information gets transferred in everyday transactions.
Credit card companies record customers' purchases and some use that information to construct customer profiles. Those profiles include buying patterns, which can be used to prevent fraud, as well as predictions of future purchasing patterns, which can be sold to marketers or other companies.
The Federal Communication Commission's 2005 Enhanced 911 (E911) rule requires cell phone providers to be able to locate 911 callers "within 50 to 300 meters in most cases" and to provide that information within six months of a government request. To be compliant, most cell phone carriers have installed global positioning satellite chips into cell phones, which can track a user's position to within the mandated range.
Web sites use "cookies" and other software that can log the IP addresses of visitors' computers and other identifying data exchanged during use of the site. Major search engines keep records of searches along with the IP address or other identifying information of the computer from which the search originated. In 2006 the Justice Department subpoenaed search records from Yahoo, Google, MSN and AOL as part of a Supreme Court case over the Child Online Protection Act. Google was the only company to resist the subpoena, and in March, the company announced measures to make search information anonymous after 24 months.
In September 2001, the FBI Office of General Counsel authorized bureau personnel to begin using commercial databases such as LexisNexis and ChoicePoint in the course of counterintelligence investigations, as permitted under revised guidelines from then-Attorney General John Ashcroft. One document (found on page five of this collection of memos) set the tone for FBI investigators, with the instruction: "you may use ChoicePoint to your heart's content." A more comprehensive set of internal documents from the Office of General Counsel explained the legal justification for the new directive and provided guidelines for the use of databases such as ChoicePoint.
A report issued by the General Accounting Office (GAO) in May 2004 found 199 federal data-mining projects, of which 131 were operational and 68 were planned; 122 used "personal information," such as credit reports, student loan application data, bank account numbers or taxpayer identification numbers; and 14 were counterterrorism related. A little-noticed footnote in the report points out that the survey did not include programs at the National Security Agency or CIA; nor did it mention the Defense Department's controversial Total Information Awareness [TIA] program, which was shut down in 2003, but whose programs have secretly moved on to other agencies.
The report found that 52 of the 128 federal agencies surveyed were using or planning data-mining projects for purposes including:
This interactive map assembled by journalism students and professors at Northwestern University outlines the many data-mining programs being operated by branches of the federal government -- from the FBI and the Department of Defense to the Education Department and the Treasury -- along with their connections to private companies, such as ChoicePoint and LexisNexis. [To access the map, click through the introduction page, then choose "Data Mining Programs" at the bottom of the screen.]