This article is Part 2 of a 2-part series
“Whoever the suspect turns out to be, he has effectively been tailed every moment of every day for five years, and the police may — in the Government’s view — call upon the results of that surveillance without regard to the constraints of the Fourth Amendment. Only the few without cell phones could escape this tireless and absolute surveillance.”
–Chief Justice Roberts, describing the time-travel capabilities of cell-site location information, Carpenter v. US, 585 US __ (2018).
Privacy is a constitutional right.
The word “privacy” isn’t in the Constitution, but it’s still a fundamental right. The right to privacy is rooted in the Fourth Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”
Privacy is so fundamental to American values that Supreme Court Chief Justice Roberts argued it ignited the American Revolution.[i] In the late 1700s, British officers would enter a private home, by force if necessary, and rummage through personal effects and papers, looking for a way to make a criminal case against the resident.
The Court tells us the basic purpose of the Fourth Amendment is “to safeguard the privacy and security of individuals against arbitrary invasions by governmental officials.”[ii] And that “a central aim of the framers was to place obstacles in the way of a too-permeating police surveillance.”[iii]
The scope of the Fourth Amendment’s guarantee of privacy has been debated over the centuries, but the intent of stopping tyranny — arbitrary power and 24/7 surveillance – is within the scope of constitutionally guaranteed privacy. SCOTUS has determined the government is involved in a Fourth Amendment search if it is collecting everything it can, engaging in 24/7 monitoring, using GPS tracking on a vehicle that can be turned on at will, “spike miking” your home to catch all the audio, and (most recently) collecting cell phone location data. The court always draws the line for privacy when information is gathered by “pervasive tracking,” “detailed and comprehensive record of a person’s movement,” “ever alert,” “exhaustive,” with a “memory that is nearly infallible.”
One of the most recent U.S. Supreme Court cases to address privacy declared it was unconstitutional for the federal government to get data from cell phone records without a warrant. The case was considered a curve ball in privacy jurisprudence because the government could simply subpoena information without a warrant if a defendant had shared that information with a third party like a bank or telephone company. The importance here is whether the government is going on a fishing expedition by requesting documents with court permission during an investigation (a subpoena), or whether they’re fairly certain the information is evidence of a crime but they don’t yet have access (a warrant).
When the Constitution was written in 1787, papers and effects were mostly physical objects, which would be safeguarded within the home. This is important because there was no internet at the time of the writing of the constitution. There was no cloud storage, no cell phones, and no GPS. Americans rejected tyranny through unfettered access to personal information at the time the Constitution was written and the Supreme Court has upheld that expectation. But the courts only uphold our rights once law is written, actions are taken, or harms are done. Laws diminishing privacy have been front and center in America for decades, especially after September 11, 2001.
The War on Terror became a war on privacy.
What does September 11, 2001, have to do with health privacy? In a word, surveillance. The laws that were enacted after the 9/11 attacks ushered in a new era of federal reach into our lives. The shock of the attack on American soil and the thousands of lives lost allowed tyrannical laws like the PATRIOT Act and Project Bioshield to sail through Congress as Americans grieved and tried to manage daily life amidst a national emergency. Stand for Health Freedom readers are familiar with how Project Bioshield set the stage for the Emergency Use Authorization pharmaceuticals that are now so widely known. To refresh your memory, see these two articles: Is the Government Weaponizing Data?, and You are Part of an Experiment in Consent and Choice.
The War on Terror declared by George W. Bush after the 9/11 attacks quickly morphed from a fear of bad actors to a fear of disease. In the month after the attacks, anthrax-laced letters were sent through the U.S. Postal Service to media outlets and two senators. Five Americans died and 17 others fell ill but recovered. The letters shut down Congress, which hastened emergency passage of the bill without much scrutiny.
The PATRIOT Act (Uniting and Strengthening American by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), a 300-plus-page document, passed U.S. Congress with bipartisan support just five weeks after September 11th. The law was reauthorized in 2006 and amended in 2015.
The PATRIOT Act allowed the federal government the ability to place innocent Americans under surveillance in the name of safety in a way that had never before been allowed on American soil. As an example, former president Bill Clinton attempted to strengthen wiretap authority of the federal government after the 1995 Oklahoma City bombing, but “Congress refused, mainly because many felt loosening surveillance and records rules was unconstitutional.”[iv]
In 2002, the Homeland Security Act was passed, creating the Department of Homeland Security (DHS). DHS “boasts the first statutorily required privacy office within a federal agency.”[v]
HIPAA’s Privacy Rule was passed on April 14, 2003.
The Intelligence Reform and Terrorism Prevention Act of 2004 created the Office of the Director of National Intelligence (ODNI).
Fear of another attack and of secretive terrorists who could live among us brought the walls of privacy down in America. In exchange for a feeling of security, people were willing to ignore or accept levels of government surveillance that would have previously been unthinkable.
The CDC buys cell phone data and the DHS has an Office of Health Safety.
At a July 2022 U.S. Congressional hearing on the American Data Privacy and Protection Act (ADPPA), one lawmaker highlighted the importance of privacy in health by describing the CDC’s purchase of location data to track lockdown compliance and for other “numerous CDC priorities.”[vi] [vii] She cited the activity as a reason to pass the federal privacy legislation, but with HIPAA as an exception carved out in this bill, the CDC would not be affected because HIPAA doesn’t apply to public health (more on this below).
The ADPPA focuses on consumer protection from third-party data handlers, like social media, cell phones, and more. But you might be surprised at the access federal agencies have to your health information and the major push to deeply expand this reach in the name of public health and the greater good. The information may or may not be anonymous or “de-identified.” Some wonder if any data can truly be de-identified considering the exploding artificial intelligence (AI) field.[viii]
Some ways federal agencies outside of HHS utilize health data:
- The Census Bureau is a central hub for health data throughout government agencies. Americans have been filling out a census every 10 years since 1790, sometimes including economic and “social statistics,” or health information.[ix] The Census Bureau is busy every year though, conducting other voluntary surveys, including the National Health Interview Survey. “The main objective of the NHIS is to monitor the health of the U.S. population through the collection and analysis of data on a broad range of health topics such as medical conditions, health insurance, doctor’s office visits, physical activity, and other health behaviors.”[x] They also conducted Household Pulse Surveys to delve into the well-being of American households during the pandemic, which included questions on how stimulus checks were used.[xi]
- The Federal Trade Commission has a project called “Mapping Broadband Health in America,” which overlays broadband coverage with health access, quality, and behavior, based on data obtained from the Census Bureau, CDC, Geolytics, and the Robert Wood Johnson Foundation.[xii]
- The Department of Homeland Security (DHS) has a newly reorganized Office of Health Security,[xiii] as well as an Office of Biometric Identity Management (biometrics are considered PHI under HIPAA). The DHS also has a contract with Amazon to house biometric information on their servers.
- The Environmental Protection Agency collects health information to conduct environmental assessments of residential properties.[xiv]
- The National Archives contain numerous Systems of Records, one of which is a collection of requests for accommodations for religion or disability by their employees, recently revised to explicitly note religious exemption requests to COVID shot requirements.[xv] This is not the only federal agency that has updated or created a System of Records relating to COVID guidance or mandate compliance. Other agencies include the Department of the Interior,[xvi] the Selective Service System,[xvii] the United States Postal Service,[xviii] and the Securities and Exchange Commission,[xix] just to name a few. (If you’d like to see more, go to the federal register and search “SORN AND COVID.”)
The activities described above would be in the name of public health or national security, except the data the Census Bureau collects through voluntary participation in surveys. HIPAA doesn’t apply to these federal agencies; they would be governed by the Privacy Act of 1974, which does not require de-identification of data.
According to David Ferro of the National Archives, “The Privacy Act of 1974, as amended (5 U.S.C. 552a) (“Privacy Act”), provides certain safeguards for an individual against an invasion of personal privacy. It requires federal agencies that disseminate any record of personally identifiable information to do so in a manner that assures the action is for a necessary and lawful purpose, the information is current and accurate for its intended use, and the agency provides adequate safeguards to prevent misuse of such information. NARA intends to follow these principles when transferring information to another agency or individual as a “routine use,” including assuring that the information is relevant for the purposes for which it is transferred.”[xx]
Nothing to hide, nothing to fear?
Protecting the privacy of individuals protects society at large. When we mix fear of publicity with the idea that we can have privacy, we are making an assumption that the activity or information has some bad quality to it. But most things society values privacy for are not inherently bad. The health and medical decisions we make, the diagnoses, and the family history found in our DNA fall into this category.
If we allow our health data to be transferred, used, disclosed, or stored without our informed consent, we are opening the door for completely inappropriate or even dangerous actions to be taken against us. If we allow government and businesses to demand our COVID shot status, for example, we allow discrimination that destroys liberty.
“[T]he vast trove of information that is being accumulated about Americans is like a loaded weapon that can be trained on selected Americans at any time by officials hungry for power and control.”[xxi]
A person may think they have nothing to hide and thus are safe from being treated as a criminal or an outcast. What about when the rules change? What if the rules are enforced only against certain individuals? Who will be the suspect then?
Steps You Can Take
These lawmakers need your help. It is critical that we do not allow the federal government to have a monopoly on data privacy. Send a letter to your lawmaker telling them, “No preemption or no privacy law!”
Step One: Take action now to tell the U.S. Congress that Americans shouldn’t compromise on privacy.
References & Sources
[i] Carpenter V. United States, 585 US ___ (2018) at 5.
[ii] Carpenter V. United States, 585 US ___ (2018) at 4 (internal quotes omitted).
[iii] Carpenter V. United States, 585 US ___ (2018) at 4, citing US v. Di Re, 332 US 581, 595 (1948) (internal quotes omitted).