
C. Information concerning the use of bodily harm or assassination as a political weapon. This should include training and techniques used to carry out the act.

D. Information on persons who insist upon personally contacting high Government officials for the purpose of redress of imaginary grievances, etc.

E. Information on any person who makes oral or written statements about high Government officials in the following categories: (1) threatening statements, (2) irrational statements, and (3) abusive statements.

F. Information on professional gate crashers.

G. Information pertaining to "Terrorist" bombings.

H. Information pertaining to the ownership or concealment by individuals or groups of caches of firearms, explosives, or other implements of war.

I. Information regarding anti-American or anti-U.S. Government demonstrations in the United States or overseas.

J. Information regarding civil disturbances.

2. COUNTERFEITING AND FORGERY INFORMATION

A. Information regarding counterfeiting of U.S. or foreign obligations, i.e., currency, coins, stamps, bonds, U.S. Treasurer's checks, Treasury securities, Department of Agriculture food stamp coupons, etc.

B. Information relating to the forgery, alteration and fraudulent negotiation of U.S. Treasurer's checks and U.S. Government bonds.

3. GOLD AND "GOLD COIN" INFORMATION

A. Gold regulations prohibiting the acquisition, holding, transportation, importing, and exporting of gold by persons subject to the jurisdiction of the United States. Gold in its natural state may be purchased, held, sold or transported within the United States and may also be imported without a license.

B. Gold coins of recognized special value to collectors may be acquired, held and transported within the United States and may be imported as permitted by the gold regulations.

Routine reports may be mailed to the U.S. Secret Service, Liaison Division, Room 825, 1800 G Street, N.W., Washington, D.C. 20226, or handled during personal liaison contact.

Emergency information, especially in reference to Presidential protection, should be reported immediately by telephone to the nearest U.S. Secret Service field office or the U.S. Secret Service Intelligence Division, Washington, D.C. Area Code 202-WO4-2481; (government Code 184-2481).

[70 Duke Law Journal (1970)]

COMPUTERS AND PRIVACY: A PROPOSAL FOR SELF-REGULATION*

(By Edward J. Grenier, Jr.*)

In framing the issues of its landmark Computer Inquiry, the Federal Communications Commission cited the critical importance of the preservation of information privacy:

"Privacy, particularly in the area of communications, is a well established policy and objective of the Communications Act. Thus, any threatened or potential invasion of privacy is cause for concern by the Commission and the industry. In the past, the invasion of information privacy was rendered difficult by the scattered and random nature of individual data. Now the fragmentary nature of information is becoming a relic of the past. Data centers and common memory drums housing competitive sales, inventory and credit information and untold amounts of personal information, are becoming common. This personal and proprietary information must remain free from unauthorized invasion or disclosure, whether at the computer, the terminal station, or the interconnecting communication link."


Footnotes at end of Article.

Congress, too, has demonstrated an increasing concern with the possible threats to individual privacy which might result from the establishment, by the federal government or by private industry, of a national data bank. In fact Paul Baran of Rand Corporation, testifying several years ago before a congressional subcommittee, stated that the United States is unconsciously moving toward an integrated, nationwide, automated information system:

"My thesis is this: Today we are already building the bits and pieces of separate automated information systems in both the private and government sectors that so closely follow the pattern to the present integrated communications structure that a de facto version of the system you are now pondering is already into the construction phase. It is in many ways more dangerous than the single data bank now being considered."


Although the threat posed by automated information systems to the privacy of individuals is perhaps the most dramatic aspect of the "computer revolution," another very important aspect is the possibility of unauthorized disclosure of proprietary data. The "privacy problem" in both of these contexts is most acute where the separate proprietary data of a large number of businesses or sensitive personal information about thousands of individuals is stored or processed in multiprogrammed, time-sharing data processing systems and transmitted to and from the processing and storage units over common communications lines. In such systems there exists at numerous points a high potential for "information leakage," including leakage due to hardware and software failures and wire taps.*

In addition to examining both of these aspects of the privacy problem from the point of view of the computer system operator, this article proposes the establishment of a logical legal framework which would serve the public interest by assuring, first, that computer systems which handle sensitive individual or proprietary data will meet certain minimum standards established for the protection of privacy, and, second, that computer system operators will be able to continue to operate in a competitive economy unhindered by either overly restrictive governmental regulation or the fear of private legal liability. The analysis and suggestions herein set forth are relevant to all types of computer systems which store information or use computer programs belonging to persons or entities other than the computer system operator or which collect and store information about private individuals.

The computer industry, which when viewed in its broadest significance extends from manufacturers of main frame hardware to computer service bureaus and computerized information services, should now cooperate with the communications industry to adopt and implement, under the auspices of the federal government, a comprehensive system of self-regulation to ensure the privacy and security of data. As a corollary of such a scheme, computer systems complying with the established standards should be freed from certain types of civil legal liability for the unauthorized or accidental divulgence of individual or proprietary information.

THE PRESENT LEGAL SITUATION: A STUDY IN UNCERTAINTY

For the purpose of analyzing the present legal controls pertinent to privacy and the computer, it will be helpful to consider a few illustrative situations:

"1. Computer service company A operates a multi-programmed, time-sharing, remote-access data processing system. It services 25 customers scattered over a wide area, each with at least one remote terminal device. Each of A's customers stores at least one proprietary program and a good deal of data in A's system. Companies X and Y are competitors and are both customers of A. Let us suppose that company X has been able to obtain confidential data belonging to Y at X's remote terminal.

"2. Assume the same basic set of facts with the exception that A has 500 customers, most of which are very small.

"3. Company A runs a computerized information service containing personal data about thousands of individuals, including credit data, medical data, employment data, and educational data. A offers this service to carefully selected classes of subscribers, each of whom promises to use the information for only circumscribed and legitimate purposes. Company A's subscribers are linked to its computer system by remote terminal. Mr. X, a nonsubscriber, manages to tap into company A's system and connect an unauthorized remote terminal, thereby gathering information about a number of individuals. The information so obtained is used in an article which he publishes in a national magazine.

"4. Assume the same facts as in example 3, except that a programmer-employee of company A, without authority, extracts information about some individual from the system and sells such information to Mr. X."

Although the number of possible variations is almost without limit, these four examples are sufficient to illustrate some of the difficulties which computer service companies may face.

From the point of view of the computer service company, the first two examples present issues of contractual or, possibly, tort liability. The customer whose proprietary data has been obtained without authority by some third party might well have a claim for breach of contract against the computer service company. However, the results in such a situation can be quite diverse. If the computer service company is dealing with large, sophisticated customers, service contracts are likely to be thorough and well-defined, specifying with detail the degree of privacy and security of data promised by the company and expected by its customer. On the other hand, if the computer service company's customers are small and perhaps less sophisticated, the contract between them may tend to be of the boiler plate variety and may not contain provisions adequate to protect the privacy and security of data. But uncertainty, rather than a complete absence of protection, is more likely to be the case.10 Unfortunately, the outcome in any specific situation will depend upon the prevailing business practices and governing standards in the state involved.

Examples 3 and 4 squarely raise the issue of the extent to which an individual's "right of privacy" will be afforded legal protection. Although most privacy cases involving the disclosure of individual information are likely to arise as tort actions, situations could arise in which an individual might have a claim based upon the law of contract. For example, assume that a computer service company enters into a contract with company X to store personal data concerning some one thousand employees of X and to furnish the data to X upon request. Assume further that the contract includes specific provisions for protecting the privacy of the individuals involved. If the computer company breaches the contract by allowing information to fall into the hands of a third person who uses it to the injury of the employees, the injured employee might seek recovery against the computer service company as a third party beneficiary of the computer service contract. In most situations, however, an individual's claim that his privacy had been violated would have to be founded upon the tort of invasion of or interference with privacy. Although of relatively recent judicial recognition, this tort has developed to the point where one noted commentator has been able to discern the existence of four separate torts under the rubric "invasion of privacy": (1) unreasonable intrusion upon the seclusion of another or into his private affairs; (2) appropriation of an individual's name or likeness;16 (3) unreasonable publicity given to another's private life, or public disclosure of a private fact about an individual; and (4) publicity which places another in a false light in the public eye.18

The tort doctrine regarding the protection of privacy, in its present state of development, quite possibly would not provide a basis for a finding of liability against the computer service company in either example 3 or 4, where we have assumed that the computer company took no deliberate action to injure the plaintiff. However, the law of privacy has developed in response to the changing conditions of society, and the advent of the computer age is almost certain to result in a further judicial expansion of the doctrine--perhaps with legislative help.10 Although four states apparently still reject the right of privacy in its entirety, judicial expansion of the doctrine continues. In Griswold v. Connecticut, for example, the Supreme Court seemed to find, in a context quite far removed from the fourth amendment prohibition against unreasonable searches and seizures, a constitutionally protected right of privacy inherent in several amendments. Of special significance is the recent New York decision in Nader v. General Motors Corp., which extended the Griswold rationale prohibiting the violation of a constitutional right to privacy to invasions by private corporations, not the state. The court implicitly found that state inaction--the refusal by the state court to entertain a lawsuit alleging a violation by the corporation of the plaintiff's constitutional right to privacy--constituted sufficient "state action" to invoke the protection of the fourteenth amendment. If the holding in Nader survives, the implications for the computer industry could be far-reaching.25

There can be no doubt that the computer service industry, dealing as it does with personal data on hundreds or thousands of individuals, strongly affects the public interest. Indeed, against the background of expanding computer services the need for a further extension of the doctrine of right of privacy has been vigorously asserted. Thus, one commentator has recently noted that "[t]he concept of privacy held by most courts, considered revolutionary during the Warren-Brandeis era, seems more fitted for the 19th century rather than the 20th; a 'new privacy' must be formulated to protect the individual from the technological advances of the computer age." Another commentator recently advanced the thesis that the fifth amendment prohibition against the taking of private property by the government without just compensation, applicable to the states through the fourteenth amendment, should be extended to a similar destruction or diminution of the right of individual privacy. Furthermore, actions by large public corporations which result in a diminution of an individual's privacy should be regarded as equivalent to state action and therefore subject to the payment of "just compensation."30 The growing tendency to extend the bounds of privacy protection is thus manifest. If, because of their vast informational storage and ready access capabilities, computers and computer systems become generally regarded as great potential threats to the individual's right of privacy, it would not be surprising to find courts holding computer service companies liable for the unauthorized disclosure of information about an individual. Moreover, the court might go beyond the traditional concept that the defendant must be guilty of an intentional or deliberate wrongdoing in order to be held liable under an invasion of privacy theory and hold computer companies liable for negligently permitting an unauthorized release of information. Indeed, if the information is sensitive enough and the damage from release is devastating enough, a court might be tempted to dispense even with the requirement of negligence and simply hold the computer company absolutely liable for the unauthorized release. Whether the computer company's failure is technological or human should make no difference.

The law usually has evolved to keep pace with changing social, political, moral, and economic circumstances. For those who might dismiss as "mere speculations" the above thoughts about the possible evolution of the law of privacy in response to the computer revolution, it would be instructive to consider a statement by Professor Arthur Miller during a recent symposium on the computer and privacy: "The computer is a many-splendored animal. It is myopic to think of it as little more than a high speed calculator with a gland condition. It's much more than that. Modern information transfer technology in time will prove to be the heart of a new communications network, a communications network that differs from many of the communication networks that we are familiar with, such as telephones, telegraph, radio, television and newspapers, only in technological and media terms. Accordingly, the computer must be dealt with as a communications network.

"In short, I am suggesting that we are dealing with a problem of immense importance. [G]iven the large stakes, we should not think simply in terms of the ethical or moral implications of a National Data Center, or any other type of a data center. We must recognize that we are dealing with a new technology, whose applications are just beginning to be perceived and whose capacity to deprive us of our privacy simply cannot be measured in terms of existing systems or assumptions about the immutability of the technology."

It is apparent that the legal protection given to the right of privacy is far from static and may, within the reasonably foreseeable future, undergo marked changes. However, except insofar as the changes may be founded upon federal constitutional doctrines, the developing principles may vary markedly from state to state because the basic law involved will be state, not federal, law. For the computer service company, this could mean facing different standards of liability in fifty different jurisdictions for the unauthorized disclosure of information--an unhappy prospect for companies who do a national or regional business.

At present, there is no body of federal law governing privacy which might "preempt" state law as applied to computer systems. After receiving the many detailed and thoughtful comments in its Computer Inquiry and the analysis of the responses prepared by the Stanford Research Institute, as well as the Institute's own recommendations, the FCC has decided that it must await the collection of additional information before deciding whether to exercise its regulatory authority in the area of privacy and security of data during transmission and storage. Although it did take a significant step in the privacy area in Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Congress has not acted decisively in this area. In Title III, Congress (1) outlawed the interception and disclosure of wire or oral communications, except as specifically authorized in the statute pursuant to court order; (2) amended section 605 of the Communications Act of 1934 to take into account the foregoing addition to the federal criminal code; and (3) established a "National Commission for the Review of Federal and State Laws Relating to Wire Tapping and Electronic Surveillance," which is to study the entire wiretapping and electronic surveillance situation and make a final report within seven years.13 One interesting feature of this act is that it gives a civil cause of action for damages to "any person whose wire or oral communication is intercepted, disclosed, or used in violation of this chapter. . . ." Although this provision for civil damages in Title III will provide a new, and perhaps potent, remedy to the individual citizen in protecting his privacy, the remedy reaches only one aspect of the privacy problem in data processing, and it certainly does not in any way preempt the various provisions of state law dealing with invasions of privacy. First, the remedy is limited only to persons whose wire or oral communications 45 are intercepted, disclosed, or otherwise used in violation of the act. Thus, this remedy on its face does not reach the problem of the unauthorized disclosure of stored information about an individual, which is not "communicated" by the individual himself to someone else. Secondly, it is not entirely clear whether the act's sanctions will even reach the problem of interception of data being transmitted to or from a data bank, or the disclosure of such data after interception. The term "intercept," as used in the act, means the "aural acquisition of the contents of any wire or oral communication through the use of any electronic, mechanical or other device." Query whether transmitted data is subject to such "aural acquisition," at least in the case of data sent over a special digital communications network using time division multiplexing techniques; query whether courts would reach different conclusions depending upon the technical nature of the communications network over which the data traveled.

A RATIONAL SOLUTION: SELF-REGULATION BY THE COMPUTER INDUSTRY UNDER GOVERNMENTAL AUSPICES

It is estimated that by the late 1970s, the traffic volume over the nation's telephone network will be about equally divided between voice and data transmission, representing a far greater use of the telephone network for data transmission than at present. By 1975 more than 60 percent of the computer hardware used in the United States will be tied into the public communications system, and estimates for 1984 have run as high as 90 percent.50 Thus, we are on the verge of an explosion in remote access data processing, including a great number of time-sharing, real-time systems. The trends in the law discussed above may well be accelerated by the quickening pace of technological progress.

The choice lies with the computer industry. It can go along and let events unfold in an unstructured, haphazard manner and thereby permit others to fashion for it the basic standards and rules governing the conduct of its business, or it can itself initiate rational means to control its own destiny and at the same time serve the public interest by assuring privacy and security of data, in both transmission and storage. In an industry whose whole thrust is to bring rational order out of the potential chaos unleashed by the information explosion, the choice seems clear. Working from the foundations already laid, the computer industry should pull together, develop, and then enforce standards of construction and operation for computer systems which process data of such a nature that privacy or security are necessitated.

Before detailing the mechanics of this proposal it would be well to point out what is not being proposed. The regulation contemplated would not deal with such matters as the rates or prices to be charged by computer service companies, the rate of return they should earn, the terms and conditions of their sales to their customers, or other matters relating to traditional economic or rate regulation.52 Rather, the industry, under federal governmental auspices, would develop standards to assure that computer systems will incorporate a reasonable degree of privacy protection and will be operated to achieve the desired degree of privacy and security of data necessary in any given circumstances.53

Any program of self-regulation should include at least the following features:

1. The program should be specifically authorized and established by federal statute, a prerequisite which would avoid the antitrust problems that inevitably arise where competitors or potential competitors associate to formulate industry standards. Indeed, the statute should grant a specific antitrust exemption for activities within its scope.
