INFORMATION & TECHNOLOGY LAW
Privacy and Anonymity in an Age of Patriotism
By Jon M. Garon*
As published in Interface Tech News, March, 2002
On January 24, Howard Beales, director of the Bureau of Consumer Protection at the Federal Trade Commission, presented a speech highlighting the new privacy initiative of the Consumer Protection Bureau. He stated that while the prior focus of the FTC enforcement policy toward privacy had been to limit the collection of private information, the future focus would be directed towards the misuse of that data. This change in emphasis comes on the heels of the Oct. 21, 2001 enactment of the USA Patriot Act, a sweeping change to electronic privacy law, federal law enforcement power, and privacy limitations now eliminated from a myriad of industry regulations.
As the year progresses, we will see the USA Patriot Act impact a startling variety of businesses in the technology industry. The law increases the ability of law enforcement to collect data, lowers the legal standards for collecting some evidence, streamlines inconsistent federal law enforcement practices, and expands criminal liability for misconduct and criminal activity.
Beales' comment signaled the FTC's endorsement of the new privacy priorities. "Our approach is built on an explicit recognition of the trade-offs involved in privacy regulation. The events of Sept. 11 make it clear that privacy is not, and cannot be, an absolute right. We are all willing to make practical compromises between privacy and other desirable goals, such as greater security."
Interestingly, criminal laws affect more than crimes or criminals. More than law enforcement, this sweeping amendment to federal law will change the way many of today's burgeoning industries develop. Every company must reassess its business plan and legal status in light of these changes. To illustrate the sweep of these new regulations, one need look no further than the changes coming to online auctions and peer-to-peer money transfers.
PayPal.com has become the service of choice among contenders that included eMoney Mail, PayMe, and PayPlace. The strong relationship between PayPal and auction center eBay.com has led to over 12 million users in 37 countries. Given the ease with which a person could create a false identity and fund it through phony auctions and electronic cash transfers, federal regulators included changes to the laws affecting money transmitters.
The Bank Secrecy Act has been expanded to include almost every conceivable electronic financial payment system. Although the law previously applied only to "a licensed sender of money," the USA Patriot Act expanded the definition to include "any other person who engages as a business in the transmission of funds, including any person who engages as a business in an informal money transfer system." This expanded definition clearly covers PayPal and all micro-payment systems. Conceivably, it could cover auction sites as well, if the auction site allows for auctions of coins, stamps or other goods of fixed face value. Similarly, it could include Web sites (and their hosts) that provide methods for setting up accounts to be used for Internet gaming or other purchases. In addition, it effectively bans all systems designed around anonymous transfers.
One provision of the USA Patriot Act, the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, provides that a "financial institution" such as PayPal must be able to provide the identity and address of the participants in each transaction, the description of the transaction, and the beneficial ownership of the parties to the transaction, meaning the real parties involved rather than just those whose names are used on the account.
Theoretically, these same obligations do not apply to transactions that can occur only within the U.S., but this limitation is illusory in the context of an Internet-based financial institution, since access is generally not physically limited to individuals residing in the U.S. To stay in business, the financial institution must show that the other transactions were not international by collecting the same information. Regulators are permitted to require additional information if there is any reason to believe the transactions are being used for money laundering, terrorism, or criminal activity.
I do not question the goals of Congress in passing this section of the USA Patriot Act. Terrorists cannot operate without funds and without anonymity. Strip them of these tools and their machinations will be crippled. The consequences, however, reach far beyond terrorists. Some of the consequences may be socially desirable. For example, most Internet gaming involves offshore banks, so any financial institution providing support for these banks will be required to disclose extensive details to law enforcement, which will invariably discourage some of the gamblers from using these services. If Congress is correct that online gambling should be stopped, they may have found the way by painting casinos as terrorist cells and money-laundering fronts.
A significantly more troubling side effect will occur as the regulations force disclosure of increasingly detailed private information. Millions of individuals who sought the Internet as a means to live a more anonymous life, whether for personal reasons, because of their undocumented status, or to protect themselves from the scourge of identity theft, will find that electronic money transfer companies are now more demanding than the local banks.
For companies involved in online financial transfers, the pending regulations will dramatically change the information that needs to be collected and retained. This increases exposure to federal regulators if those companies fail to collect and report the required information. It also heightens the obligations to protect the data from misuse through stricter privacy policies and stepped-up security.
The new focus of the FTC is well timed. Soon, the once unregulated Internet will transform itself into the Orwellian model of total financial tracking. The potential for misuse is unlimited and its increase will be inevitable. The FTC's actions anticipate the demands placed by other federal regulators. Of course, the FTC has no jurisdiction over the other government agencies with their new, unlimited access to the data; it will enforce violations of privacy interests only by private parties. Given that financial services was one of dozens of industries that had its rules rewritten by the USA Patriot Act, it seems the world of Internet privacy has now changed forever.
*Jon M. Garon is admitted in New Hampshire and California.