Crispin Cowan wrote:

> The State may not have jurisdiction over SSC's, but it can have
> jurisdiction over what kind of authentication various state-regulated
> and state-operated orgs use. For instance, it would be easy for the
> State to outlaw any state agency using SSC's for authentication.

Hmmm... I'm not so sure. For purposes of taxation the various state tax agencies are so hooked into the IRS that they probably can't extricate themselves. But states could legislate on their own use of SSCs and leave tax collection as an exception.

As I mentioned before the Federal Privacy Act appears to establish some Federal jurisdiction over identity number systems and privacy of personal records. State laws would have to fit into that framework, and with other Federal laws that address privacy and the use of identification systems. A State law that contradicts a Federal law runs into serious problems in the courts; the supremacy of Federal law was decided way back, even before the Civil War; look into the Nullification Crisis of 1832 and South Carolina's battle with Congress if you are interested.

Do we really want privacy laws written at the state level, though? To combat identity theft and general abuse and neglect of personal privacy all states would have to pass very similar laws and cooperate to enforce those laws. I'm all for doing things at the state level when it makes sense, but if, say, Nevada didn't pass strong privacy laws that state would become a haven for data harvesters, spammers, etc. Before you could sue a Nevada-based entity in an Oregon court you'd have to deal with all kinds of jurisdiction issues, and of course the damage to you is already done.

For comparison, state-by-state anti-spamming laws work to some degree, although enforcement seems spotty and the laws dump the problem into the civil courts. But spammers can and do take advantage of the patchwork of state laws and will continue to do so until a Federal-level law limits their activities. I don't know if that will ever happen.

The Federal government regulates interstate commerce, and the FTC and Commerce depts. are the most likely enforcement agencies for future privacy laws. I don't think our personal privacy is what the Office Of Homeland Security will focus on; in fact that agency will probably have broad authority to ignore privacy laws.

I think Federal legislation with some teeth might make more sense. Federal legislation could limit the Federal government's abuses of privacy, and at least set a minimum level for parallel state laws. State-level legislation would serve mainly to limit that state's own use and abuse, and to provide for state-level enforcement (because dragging a state government into Federal court is not a practical solution for most plaintiffs).

All this is just talk unless the government really cares about enforcing the laws. We have some laws already, such as the 30-year-old Privacy Act, the two versions of the Fair Credit Reporting Act, limits on the IRS, and Federal-level rules concerning privacy of medical records (with Medicare eligibility used as the carrot & stick). But the cost and hassle of getting prosecutors interested in a case, and going through a lengthy and technical trial against a rich and powerful plaintiff (like a state government agency), effectively takes most of the teeth out of the laws. The FTC may come around and slap a $1,000 fine on an abuser, but they probably aren't going to shut anyone down or put anyone in jail. And the FTC can't even threaten states with dire consequences, like withholding Federal Medicare funds, because they don't have any authority to do so.

--
Greg Jorgensen
PDXperts LLC, Portland, Oregon, USA

This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:27:20 PDT