Despite the avalanche of laws and legislative proposals covering data security and privacy, new legislation continually finds its way into the Congressional hopper. That's mainly due to pressure from consumer advocacy groups who want business and government held to a higher standard.
The most controversial example at the moment is the Bush Administration's anti-terror eavesdropping program. Much of the focus is on operational details: how the National Security Agency (NSA) carries out this program.
As of this writing, the House Intelligence Committee says it plans to expand its oversight of the program and review whether the 1978 Foreign Intelligence Surveillance Act (FISA) needs to be modified to clarify the Administration's surveillance powers. Several members of Congress are even prepared to challenge what they consider the Administration's unconstitutional intrusions on the privacy of American citizens. The ultimate question is whether or not the NSA broke the law.
Some critics believe it is illegal, since FISA requires warrants for eavesdropping on conversations in the United States. However, the Administration argues that another law, the Authorization for Use of Military Force, supersedes FISA and gives the President a wide variety of intelligence-gathering options, including domestic spying.
The American Civil Liberties Union and the Citizens for Constitutional Rights have filed lawsuits against the Bush Administration. But these suits won't move forward unless one of the organizations can prove that an individual or group was harmed.
Then there's the much-publicized Patriot Act, which greatly expanded the federal government's investigative powers in the wake of the Sept. 11, 2001 terrorist attacks. Congress recently revisited the piece of legislation, as the law required.
In the end, the Patriot Act's 16 provisions were renewed. But Congress also added new civil rights protections, including judicial oversight. The new version also prevents most libraries from being subject to requests for information by the FBI or other U.S. government agencies.
And then there's personal data security. A consumer advocacy group known as the Privacy Rights Clearinghouse says that names, Social Security and credit-card numbers, home addresses, and other personal data have been lost by, or stolen from, companies that keep track of such information.
ChoicePoint, a major data broker, came under pressure from Congress and consumer groups early in 2005 when it announced that thieves somehow obtained personal data on 145,000 consumers. Partly as a result of this security breach, several bills were introduced, both in Congress and at the state level. Most focus on identity theft, but others provide broader protection of consumer and business data. Several bills are currently in play in Congress:
- Comprehensive Identity Theft Prevention Act (S. 768)
- Identity Theft Protection Act (S. 1408)
- Consumer Identity Protection and Security Act (S. 1461)
- Notification of Risk to Personal Data Act (S. 1326)
- Data Accountability and Trust Act, or DATA (H.R. 4127)
- Financial Data Protection Act (H.R. 3997)
- Personal Data Privacy and Security Act of 2005 (S. 1789/S. 1332)
Congress passed the Identity Theft and Assumption Deterrence Act in 1998, which made identity theft a federal crime. But the newer proposals are more specific. In some cases, they require businesses to improve their data-security procedures and notify consumers if they face a "significant risk" of ID theft.
Another proposed law that has specific implications for the electronics industry is the Digital Transmission Content Security Act (H.R. 4569). Known as the Analog Hole bill to those who oppose it (e.g., the Electronic Frontier Foundation, or EFF), the bill would force every video-digitizing device in the U.S. to watch for and obey a Video Encoded Invisible Light (VEIL) watermark, a proprietary signal embedded in video broadcasts.
The EFF believes the bill is part of a series of efforts by Hollywood film studios to impose federal regulations on new technology products. Effectively, the EFF says, it would require the redesign of all consumer devices that can digitize video.
One major concern is that little is known about the VEIL technology. Anyone who wants to learn more about it must pay $10,000 and sign a non-disclosure agreement with its creators.
On another level, several states are passing their own ID theft laws. New Jersey, for example, recently signed into law the Identity Theft Prevention Act. Among other regulations, it prohibits the use of scanning devices to gain access to encoded information on ATM, debit, or credit cards.
Also trying to stay ahead of the technology curve, the California legislature introduced a bill that protects personal information in state-issued ID cards. Fearing that the cards could be scanned without the cardholders' knowledge or permission, the proposed Identity Information Protection Act (SB 768) would prohibit the use of radio-frequency identification (RFID) tags in any state-issued ID.
Other states may follow with laws resembling California's statute. This is in reaction to the discovery by a group of European researchers that these tags, usually used in security applications and for tracking merchandise, are very vulnerable to software viruses.