Privacy Journal

What's 'Public' Can Be Private

There are many activities in public that are entitled to privacy protection, according to the clear implications of previous federal court holdings in the U.S. These include: going to and from a house of worship, an abortion clinic, or a medical facility; holding hands or embracing affectionately in public; participating in a political demonstration or wearing political symbols; reading a book or a magazine; mediating or praying, and perhaps chatting on a cell phone in a way that is audible nearby. The right to vote in the U.S. and Canada may be interpreted to prohibit videotaping citizens as they visit a polling place.

“The Fourth Amendment protects people, not places,” said the U.S. Supreme Court 1967.

Scroll down for PJ's Ranking of the States and more information about our advocacy for privacy protection

Year-by-Year: PJ's 35 Year History

November 2009 marked the 35th Anniversary of PRIVACY JOURNAL. Before passage of the Privacy Act and long before the development of email, the Internet, urinalysis testing, TV monitoring, search engines, and pervasive use of Social Security numbers and public TV monitoring, the newsletter began publishing in November 1974. It was the first publication anywhere in the world to report on privacy – that is, new technology and its impact on the confidentiality of personal information. It is by far one of the longest running newsletters on any subject in the U.S. The average age of newsletters is five years. Here is the story of the newsletter and the issues it has covered

November 1974: Robert Ellis Smith, a news reporter with ten years of experience with daily newspapers and then an official with the U.S. Department of Health, Education, and Welfare, begins the newsletter in Washington, D.C., as a small business. The inaugural issue reports the imminent passage of HR 16373, which, PRIVACY JOURNAL says, “would regulate federal government personal data collection and presumably set precedents for Congressional regulation of privacy in non-government data banks.” In the first issue there are also a report on Supreme Court Associate Justice Rehnquist’s “devil’s advocate” lecture challenging the common-law and constitutional recognition of a right to privacy; an article on political pressure affecting the National Commission to Study Wiretapping; and a story on enactment of a federal law requiring confidentiality of student records.
December 1974: President Ford signs HR 16373 as the Privacy Act of 1974 and cites the “routine use” exception in the law as weak.
February 1975: The first Compilation of State and Federal Privacy Laws appears, with 11 pages listing 150 laws.
June 1975: The newsletter is the first to reveal appointees to the Privacy Protection Study Commission created by the act.
October 1975: Circulation reaches 1000 within the first year.
February 1976: Congressional committee re¬commends limits on polygraphs in employment, after campaigning by Smith. A computer trade group points out to Congress that the federal wiretap law does not protect digital communications.
March 1977: PRIVACY JOURNAL reports on its subscribers: 16 percent are interested individuals; 14 percent are education/​libraries, general business, or government; 12 percent, press/​publishing; 6 percent, banking; 6 percent, insurance; 5 percent, civil liberties/​public interest; 5 per¬cent, lawyers; 4 percent health professionals; 3 per¬cent, law enforcement, and 2 percent credit bureaus. Circulation extends to 50 states, six Canadian provinces, and 14 foreign countries.
April 1977: Louis Harris reports that 59 percent of Americans surveyed express concern about too much data collection, as opposed to 33 percent a year earlier.
May 1977: In a major feature story, The New Yorker calls the newsletter “the most interesting publication to come out of the capital since I.F. Stone’s Weekly.” The Washington Post calls PRIVACY JOURNAL “Washington’s most talked-about publication.”
July 1977: The Privacy Protection Study Commission issues its report, with more than 150 recommendations, few of which have ever been adopted.
October 1978: Court records show that law-enforcement wiretaps have reached their lowest number since the first year of the Nixon Administration.
January 1979: Doubleday publishes Smith’s Privacy: How to Protect What’s Left of It, and it is nominated for a National Book Award.
May 1979: A Louis Harris survey finds another surge of public concern about privacy.
December 1980: After Ronald Reagan’s election, the House votes down a proposal to protect medical confidentiality.
April 1982: Congress debates an immigration reform bill requiring some form of proof of citizenship when applying for work.
August 1982: Canada enacts a strengthened access law and creates a privacy commissioner.
July 1983: New York becomes the first state in six years to enact a fair information practices act.
December 1983: The Harris Poll shows that concern for privacy has risen to 77 percent. Many organizations plan events to commemorate George Orwell’s 1984.
May 1984: Dutton publishes Smith’s Workrights.
September 1984: Two prospects for the U.S. Supreme Court, both on the U.S. Court of Appeals in the District of Columbia, attack the Supreme Court’s rationale for a constitutional right to privacy.
October 1984: Congress enacts the first privacy protections since 1978, as part of cable television regulation.
May 1985: PRIVACY JOURNAL, first among any national publication, scrutinizes employee drug testing as an invasion of privacy.
September 1985: PRIVACY JOURNAL, first among any national publication, examines the confidentiality issues prompted by the growing epidemic of AIDS. The newsletter moves its office to Providence, R.I.

June 1986: The newsletter launches a highly publicized campaign for an adequate name for what had become known as “the pound key” on telephone key pads.
July 1986: The newsletter puts a positive spin on the Supreme Court’s 5-4 ruling that the Constitution does not protect consensual homosexual activity in private.
December 1986: U.S. Surgeon General C. Everett Koop pleads for confidentiality in blood testing for the AIDS virus.
May 1987: After press surveillance of Presidential candidate Gary Hart, a front-page headline asks, WILL THE PENDULUM SHIFT FROM THE PRESS TO PRIVACY?
June 1987: A reader writes to publisher Robert Ellis Smith: “It occurs to me that you’re seen on television when there’s bad news.”
August 1987: The Reagan White House shuns a mandate in Congress to prepare a study on implementing a national identity card.
September 1987: A front-page news item reports for the first time a new telephone offering in New Jersey called “Call Identification,” which displays the telephone number of the incoming call.
December 1987: “The hearings on Judge Robert H. Bork did a spectacular public service by moving the debate over privacy into the popular consciousness,” says a guest essay.
April 1988: The newsletter publishes guidelines for press coverage of politicians.
May 1988: A front-page article on daring new practices by credit bureaus generates new pressures on the national credit bureaus to respond to consumer demands.
June 1988: A 12-year effort by Smith culminates in Congressional enactment of a virtual ban on polygraphs in employment.
March 1989: A front-page article focuses attention for the first time on “super bureaus,” which resell credit reports and other personal data.
May 1989: U.S. News and World Report calls PRIVACY JOURNAL “the paper of record for lawyers and others interested in privacy rights.”
May 1990: Louis Harris reports that concern over privacy has leaped to 79 percent.
June 1990: War Stories, documenting more than 500 cases of privacy invasions involving real people, debuts.
November 1990: Time calls PRIVACY JOURNAL “the watchdog newsletter.”
December 1990: A front-page essay notes the 100th anniversary of the landmark law review article by Louis D. Brandeis and Samuel D. Warren “inventing” the right to privacy in American law.
June 1991: PRIVACY JOURNAL initiates its first electronic edition.
July 1991: Publisher Robert Ellis Smith’s testimony in California leads to insistence by regulatory commissions in several states that phone companies offer free blocking whenever they offer Caller ID.
August 1991: After prodding by privacy advocates, Equifax Inc. discontinues its practice of using personal information from credit reports to create targeted marketing lists. In January, for the same reasons, it had reversed plans to provide personal data in its files to Lotus Development Co. to produce a CD-ROM for retail sales to computer users.
October 1991: After prodding by privacy advocates, TRW announces that without charge it will provide a consumer with a copy of his or her credit report for inspection.
November 1991: The New York Times reports, “For more than 15 years Mr. Smith has made an individual’s privacy his personal and professional obsession, helping to shape public policy in the process.”
December 1991: The Harris Poll reports that minority-group Americans show more concern about threats.
April 1992: Both TRW and Equifax credit bureaus are plagued by teenaged computer hackers infiltrating their systems.
June 1992: The seventh edition of Compilation of State and Federal Privacy Laws includes 136 pages describing more than 550 statutes affecting confidentiality.
July 1992: JUSTICE O’CONNOR PULLS PRIVACY BACK TO THE CENTER ON THE SUPREME COURT, reports the front-page headline.
September 1992: The House of Representatives kills long-standing reforms to the Fair Credit Reporting Act. The Federal Communications Commission begins enforcement of a federal law restricting telemarketing.
October 1992: A front-page essay decries the role of expatriate British journalists in cultivating the wave of gossip journalism in the U.S.
December 1992: Publications and back issues become available on-line.
January 1993: PRIVACY JOURNAL publishes The Law of Privacy Explained.
March 1993: The newsletter content increasingly reflects the role of the Internet global computer network and electronic mail in the lives of its readers.
May 1993: Loompanics Unlimited publishes Our Vanishing Privacy, by publisher Robert Ellis Smith.
November 1993: PRIVACY JOURNAL begins its twentieth year with a new streamlined format and logo.
June 1994: A story headlined IMPLANTING ID MICROCHIPS IN HUMANS NO LONGER FAR FETCHED brings accusations of “paranoia” or “speculation.”
June 1998: PJ opens its Web site.
October 1999: The PJ launches a ranking of the states in privacy protection.
May 2000: Smith’s book, Ben Franklin’s Web Site, is published, the first and only history of privacy in the U.S.
September 2001: The issue composed on Sept. 12 states, “We have to make sure that the strictures that will inevitably follow a calamity like this are not directed at our own citizens, but aimed precisely at the sources of the threats.”
October 2001: The newsletter publishes the first and, to this day, only analysis of the PATRIOT Act and pre-existing legal authorities for anti-terror investigations.
January 2002: Articles begin emphasizing TV surveillance, locational data, and a national ID card.
April 2002: PRIVACY JOURNAL’s National Conference of Privacy Activists convenes in Providence with 60 participants from 24 states.
October 2002: Our second rankings show California and Minnesota still at the top, but Texas out of the bottom.
February 2003: “20 Minutes,” a regular column of advice for protecting your own privacy or seeking protections in laws or regulations, makes its debut.
June 2003: A front-page article notes the 100th anniversary of the birth of George Orwell.
July 2003: The Supreme Court widens the constitutional right to privacy, overturning the 1986 decision on homosexuality.

INDEXES for PRIVACY JOURNAL are available, electronic or hard copy

May 2004: A revised edition of Ben Franklin’s Web Site is published.
December 2004: All three national credit bureaus finally agree to produce free credit reports upon request.
April 2005: PRIVACY JOURNAL publishes a special report on ChoicePoint, the Equifax-created information broker.
May 2005: PJ begins listing companies afflicted with breaches of personal data in their possession. Congress enacts REAL ID man¬dating a national ID card, without hearings or even floor debate.
September 2005: Owners of 100 million residential telephones have signed up for Do-Not-Call, the most popular privacy innovation to date.
September 2005: President Bush names a new Chief Justice, John Roberts Jr., who is even more hostile to the concept of privacy than his predecessor, William H. Rehnquist.
November 2005: The FTC fails to produce a required report on how well credit bureaus respond to consumers’ requests for corrections, the newsletter reports.
December 2005: PJ calls Deborah Davis “the Rosa Parks of Denver.” She refused to provide ID when asked on a public bus, was handcuffed, and tossed off the bus by police. Charges were dropped but the policy did not change.
February 2006: The newsletter cites Carnegie Mellon University as the new center of privacy scholarship.
July 2006: The newsletter publishes a “Hall of Shame” of stolen laptops with personal data in them. Publisher Robert Ellis Smith begins a regular column for forbes.com.
December 2006: PJ reports that after 15 years tolerating risks of identity theft, many government agencies and businesses are finally discouraging comparisons using Social Security numbers.
February 2007: Resistance to implementing REAL ID act intensifies.
April 2007: PJ reports that the FTC is issuing stiffer fines for privacy violations by businesses.
July 2007: GOOGLE IS IN THE CROSS HAIRS RIGHT NOW, according to a headline.
October 2007: IS THE PUBLIC GETTING ACCUSTOMED TO CAMERAS, asks a headline.
November 2007: FTC GETS NO COMPANY ANSWERS ON ‘eHAVIORAL’ MANIPULATION, says a headline.
October 2008: A new book by Colin Bennett of the University of Victoria, Canada, The Privacy Advocates, reports that PJ is “the most notable” of the privacy publications; that Smith “covers privacy in all of its aspects.” “It is still going strong more than 30 years later.”
November 2008: PERMISSION NOW NEEDED TO TRAVEL WITHIN U.S., says a headline.
November 2009: PRIVACY JOURNAL marks its 35th Anniversary.

* * * For Historians, Privacy Buffs
Researchers, Lawyers

Microform: Available since 1974, allowing rapid searches for the information you need. Other electronic formats available.

Order directly from
ProQuest, 800/​521-0600, ext. 2888
01-734-761-4700 (overseas)

www.il.proquest.com

CURRENT AS OF 2007:
California ranks highest in protecting its citizens against invasions of privacy, according to a ranking issued by Privacy Journal, the nation’s leading publication on privacy.

California finished at the top because its legislature passed a raft of new protections in the last two years; also, its courts and its constitution provide the strongest privacy protection in the nation.

In 1999, when the Providence, R.I.-based monthly newsletter announced its first ranking of the states, California and Minnesota tied for first. In 2002, after Privacy Journal considered laws and practices since 1999, California finished first and Minnesota finished second, both with numerical rankings 33 percent higher than the next ranked state. This updated ranking in 2007 is the latest.

The top ten states, according to the Providence R.I.-based monthly newsletter, are, in alphabetical order: California, Connecticut, Florida, Hawaii, Illinois, Massachusetts, Minnesota, New York, Washington, and Wisconsin. There was little change among the top ten states from Privacy Journal’s original ranking of the states, in 1999. California and Minnesota tied in 1999. California, Minnesota, and Hawaii – alone among the states – have state offices assigned to protect personal privacy.

In the “second tier” – better than average – are Alaska, Arizona, Colorado, Georgia, Maine, New Hampshire [added in 2007 and not reflected in the map above], Oklahoma, Rhode Island, Utah, and Vermont. Rhode Island was close to the top ten.

The ten states in the “third tier” – below average – are Indiana, Louisiana, Maryland, Michigan, Montana, New Jersey, Nevada, Ohio, Oregon, and Virginia. Below that, in the “fourth tier,” are Alabama, North Dakota, Nebraska, New Mexico, Pennsylvania, South Carolina, Tennessee, and West Virginia.

Privacy Journal judged 12 states at the bottom in protecting its citizens: Arkansas, Delaware, Idaho, Iowa, Kansas, Kentucky, Missouri, Mississippi, North Carolina, South Dakota, Texas, and Wyoming.

The most significant strides in protecting privacy were made by Vermont, whose courts and attorney general are vigorous in protecting privacy, and California and Minnesota, plus five states that have enacted laws protecting medical confidentiality. They are Arizona, Hawaii, Maine, New Hampshire, and Washington State.

There was some movement in Texas, one of four states adjudged “not on the radar screen” in 1999. The state legislature there enacted laws on use of genetic information by insurance companies and employers and use of automatic dialers by telemarketers and now requires telemarketers to consult a state do-not-call list.

"If the federal government had been ranked like a state it would have placed in the fourth tier," said Privacy Journal Publisher Robert Ellis Smith, who conducted the survey. Federal laws do not protect medical records nor provide access to them, they do not protect library records at all, and federal law has only partial protection for financial records. Protections against electronic surveillance were weakened in 2001 with the passage of anti-terrorism legislation. On the other hand, federal protection for personal information in government files exceeds the protections in nearly all states.

The ranking is based on the 2002 edition (and subsequent supplements) of Privacy Journal’s “Compilation of State and Federal Privacy Laws,” a 106-page reference book available for $35 from Privacy Journal, PO Box 28577, Providence RI 02908, 401/​274-7861, fax 401/​274-4747, email us

The 2002 book includes the current Supplement.

"Surprises?" asked Smith, a lawyer and journalist who has been monitoring the states' actions on privacy protection since he launched his popular newsletter in 1974. "Based on my experience, I would have said that Michigan, Pennsylvania, Oregon, and New Jersey had stronger recognition of their residents' privacy rights. As for the Top Ten, there were no surprises at all. Our systematic survey revealed what most privacy experts agree are the strongest states when it comes to privacy protection."

Privacy Journal rates the states on several factors, including whether they protect privacy in their constitutions, have laws protecting financial, medical, library, and government files, and have fair credit reporting laws stronger than the federal law. Points are added when the highest court in the state has a strong record on privacy and deducted for anti-privacy actions by state agencies or the state legislature.

Alphabetical within tiers

First Tier – 10 states
California
Minnesota

Connecticut
Florida
Hawaii
Illinois
Massachusetts
New York
Washington
Wisconsin

Second Tier - 10 states (RI was close to the top ten)
Alaska
Arizona
Colorado
Georgia
Maine
New Hampshire
Oklahoma
Rhode Island
Utah
Vermont

Third Tier 10 states
Indiana
Louisiana
Maryland
Michigan
Montana
New Jersey
Nevada
Ohio
Oregon
Virginia

Fourth Tier 8 states plus DC
Alabama
District of Columbia
North Dakota
Nebraska
New Mexico
Pennsylvania
South Carolina
Tennessee
West Virginia

Last tier 12 states
Arkansas
Delaware
Idaho
Iowa
Kansas
Kentucky
Missouri
Mississippi
North Carolina
South Dakota
Texas
Wyoming

CRITERIA
Does the state include a right to privacy in its constitution?

Does the state protect the right to privacy by statute?

Does the state permit access to a patient's own medical file by law?

Does the state protect medical records by law?

Does the state make the records of library patrons confidential by law?

Does the state either limit disclosure of personal information held by state agencies or permit a citizen to access and correct such information?

Does the state have a law on credit records stronger than federal law?

Does the state recognize the confidentiality of bank records by law or court decision?

Does the state have a law permitting erasure of arrest records of innocent persons or limiting their use by employers?

Did the state enact significant privacy protections since the last ranking?

Double credit is awarded to states with constitutional protection, and slightly less weight is given to library-records protection than to the other protections. Bonus points are awarded for an attentive legislature, assertive administrative enforcement, protective actions by the highest court in the state, or additional legal protections in a state's laws. Points are deducted for anti-privacy actions in the past two years.

Six Ethical Principles
For Information Brokers

1. Require of employees: If you are going to report
information on individuals, you owe it to them to be accurate, to use more than one source of information, to confirm information.

2. Devote an appropriate percentage of organizational resources to procedures for assuring accuracy.

3. Contact a portion of the persons in your database to confirm information on file about them.

4. Eliminate data from your systems that were gathered from illicit sources or by illicit means.

5. Accurately describe the nature of the information you sell. Information about adoptions, custody, Social Security numbers, and financial affairs is not “public record” information, even if it comes from government files.

6. Do not use fear about terrorism to hustle contracts from the federal government.

7. Regard your organization as a fiduciary with a duty of trust and confidentiality owed to the persons who are identified in your databases. A data bank should function like a monetary bank.

- From remarks by Robert Ellis Smith,
Publisher of Privacy Journal,
at Tuck School of Business,
Dartmouth College, N.H. Jan. 17, 2007.

All of us have to know that ID theft is a recent phenomenon. It has not always been with us and need not always be with us. It began in 1991 with a Federal Trade Commission decision permitting credit bureaus to disclose and rent Social Security numbers (as "header" information). To diminish (not totally eliminate) ID theft we have to work to reverse the decisions that created it.

The solution: Build on the "Andrews" court decision and amend the Fair Credit Reporting Act to (1) prohibit a credit bureau from basing a credit-inquiry match on a Social Security Number, (2) prohibit the disclosure of SSNs as "header information," and (3) require a credit bureau and credit grantor to send a notice of an address change to the consumer's old address (and prohibit the approval of any credit application for a ten-day period during which a consumer who has been victimized may respond).

On its own, with no Congressional action, the FTC can do Step (2); it can encourage Step (3), and it can cease ENCOURAGING credit bureaus to use the SSN to verify the identity of a consumer seeking a copy of her or her own credit report.

Most important, each of us must decline to provide Social Security numbers for transactions that raise no tax consequences or that do not involve state licenses. There is no need to provide Social Security numbers on applications for employment, insurance, credit, housing, and similar commercial transactions. If you do, you increase your risk of theft of identity.

An employer must articulate in advance in writing the purpose of the monitoring.

An employer must provide general notice at least once a year of the existence of monitoring, its type, and its general location.

Any tapes or electronic media that show no evidence of wrongdoing (as described in the employer’s written statement of purpose) must be destroyed or erased within six months. The names and job positions of any persons viewing or listening to the tapes or reading the electronic media should be documented and preserved.

Any viewing or listening must be only for the purpose stated in the original rationale. When the original rationale for the monitoring ceases, the monitoring should be discontinued.

An employee should have a right to sue for invasion of privacy for any monitoring that is contrary to the purpose as originally stated. The governing principles of the right of action will be the case law on the common law right to privacy in the state of the occurrence.

An employee should have a right to sue an employer or individual who uses or stores videotapes in violation of these principles.

Any monitoring in showers, dressing rooms, or other places where employees might disrobe may be installed only if the stated purpose is to document suspected criminal activity. The suspected criminal activity must be named with specificity. Any tapes that show no evidence of the specific criminal activity must be destroyed or erased within seven days and employees must then be notified of the monitoring, including the times and places.

PRIVACY JOURNAL Publisher Robert Ellis Smith is frequently asked by government officials how they can protect the privacy of individuals named in agency files when open-records laws require the disclosure of most information. "The law has always recognized that court documents were public, and theoretically they were, but the practical difficulty of reviewing those documents kept them effectively private," noted John Greacen, former director of New Mexico's courts. "Technology now makes those documents 'in fact' public." This is Smith’s response:

It is possible to reconcile the legal mandate for open disclosure of public documents with the demand for personal privacy, by:
1. Realizing that open access exempts from mandatory disclosure "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."
2. Crafting exemptions that are narrowly drawn, yet scrupulously enforced.
3. Realizing that privacy principles protect information about natural persons, not "legal persons" or entities.
4. Realizing that privacy principles protect information that is individually identifiable, that is, information that can be traced to the identity of an individual person or that can be retrieved from a data system by way of some personal identifier, like a name, a number, or a collection of demographic categories. Privacy principles do not protect cumulative information that does not identify individuals. However, it is important to take precautions against "inferential disclosure" [see PJ May 98]. That is the disclosure of anonymous cumulative information that can still identify an individual by inference.
5. Recognizing that simply because information is collected and maintained by a public entity does not make it "public information." Governmental entities treat medical conditions, collect family information, counsel students, keep financial data on individuals, store information about adoptions, abortions, and heart disease. This sensitive data is not public information even though it is gathered by public entities.
Even within a public-disclosure environment mandated by law, there are precautions an agency can take to protect privacy:
A. Where possible, notify data subjects simultaneously of a disclosure of sensitive information. Where possible, get the consent of data subjects in advance.
B. Keep a record of requesters and their addresses.
C. Delete exempted information before a whole document is disclosed. Make some exemptions mandatory, not discretionary.
D. Gather less information in the first place, and destroy unnecessary data (before requests for disclosure are made, of course).
E. Notify requesters of the sensitivity of information and negotiate special precautions.
F. If possible within the law, negotiate voluntary agreements to prevent the further disclosure of information by a requester receiving it.
G. Agree on a third-party intermediary (a buffer, an inspector general, an auditor, a proxy) who will review sensitive personal information as a stand-in for the requester (like a news organization) and provide the specific analysis sought by the requester.
H. Take special care to protect records concerning children or other vulnerable populations.
I. Permit registrants, litigating parties, and others to provide "buffer addresses" on court documents - like a post office box, a landlord's office, an attorney's office, a next-of-kin, as California's law on motor-vehicle registration and licensing does.
J. Think twice before posting personal information in World Wide Web sites. There is a major difference between releasing information upon request in manual form and releasing it globally on a World Wide Web site where it can be downloaded, manipulated, or distorted though cutting and pasting, or where it will inevitably fall into the hands of illicit users. CERTAIN SENSITIVE PERSONAL INFORMATION, EVEN IF PART OF A PUBLIC RECORD, SHOULD NOT BE POSTED ON AN UNPROTECTED WEB SITE.