PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Police Officer on Cell Phone

It seems to happen way too often. Despite policies and laws that forbid law enforcement officials from mentioning the names of suspects who are not yet formally accused or even arrested, leaks invariably seem to happen. The leaks can wreak havoc in the lives of those whose names are mentioned. Many of these people wind up never being charged with any crime, yet their reputations are destroyed by the leaks and resulting media attention.

One example of this is Andrew Speaker, the TB patient whose name was apparently leaked by a law enforcement official and a “medical official” (presumably a medical official of the government). These officials probably committed tortious conduct — there is a good argument that the leaks might be violations of the breach of confidentiality tort. There is also a good argument that the leaks violated Speaker’s constitutional right to information privacy (for a discussion of this right, see my post here) and the Privacy Act (if they were federal officials).

Another example is Steven Hatfill, the so-called “person of interest” that government officials identified as involved in the Anthrax attacks. Hatfill’s reputation was annihilated when these leaks took place. He was never charged with any crime. Hatfill is now suing the federal government for the leaks. But one of the difficulties in suing is identifying the government officials who made the leaks. Hatfill is seeking the names of the officials from several journalists, who are claiming that the names are protected by journalist privilege. From the Washington Post:

Hatfill, a physician and bioterrorism expert, has not been charged in the attacks, in which five people were killed and 17 were sickened by anthrax bacteria mailed in envelopes. In a lawsuit, he accuses the Justice Department of violating the federal Privacy Act by giving the news media information about the FBI’s investigation of him.

To help prove their case, in which Hatfill is seeking an unspecified monetary award, his attorneys want several reporters, including Allan Lengel of The Washington Post, to reveal the identities of law enforcement officials who were cited anonymously in stories about the investigation. The journalists contend that the First Amendment and a federal common-law privilege shield them from having to disclose the names. . . .

No one has been arrested in the attacks, which took place in the fall of 2001. Hatfill, who worked at the Army’s infectious diseases laboratory at Fort Detrick in Frederick County from 1997 to 1999, was publicly identified as “a person of interest” in the investigation by then-Attorney General John D. Ashcroft.

Hatfill’s lead attorney, Charles Thomas Kimmett Jr., said his client has met the requirements of “a two-pronged test,” established in case law, under which the reporters should be compelled to disclose the identities of their sources.

He said Hatfill has shown that the names of the law enforcement officials are “at the heart of the matter” in his lawsuit — that to prevail in the case, Hatfill needs to know who the sources were. Kimmett said Hatfill also has “exhausted all reasonable alternatives” for finding out the names and can learn them only from the reporters.

Hatfill’s complaint against the government is available here. The complaint alleges violations of the Privacy Act, which provides that “[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person … except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains,” and that “prior to disseminating any record about an individual[,] … [the agency must] make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes.” 5 U.S.C. § 552a(b), (e)(6).

I previously blogged about my own normative views about when the journalist privilege should and should not protect against disclosure here. Basically, I argued that the privilege should protect against disclosure when disclosure is in the public interest. In other words, there are leaks we want (government whisleblowing — Pentagon Papers) and leaks we don’t want (leaking Valerie Plame’s name as a CIA agent).

Courts, however, often look to the plaintiff’s need for the information, not the public interest. According to the law in the District of Columbia Circuit, a journalist has a qualified First Amendment privilege to withhold anonymous sources. But plaintiffs can overcome the privilege if (1) disclosure goes “to the heart of” the case and (2) plaintiffs have exhausted “every reasonable alternative source of information.” Zerilli v. Smith, 656 F.2d 705 (D.C.Cir.1981). In Lee v. DOJ, 401 F.Supp.2d 123 (D.D.C. 2005), a similar case involving Wen Ho Lee’s Privacy Act suit against the government, the court held that reporters had to reveal the names of their sources.

I have a number of thoughts and questions about the Hatfill case:

1. Since it is already known that Attorney General Ashcroft disclosed, does Hatfill really need to know the other sources? Such sources might be important, however, if the government is arguing that the information was already leaked when Ashcroft called Hatfill a “person of interest” or if the sources disclosed other information beyond the fact Hatfill was a person of interest. If either of the above is the case, then I think that Hatfill has a good case under the Zerillitest.

2. Is it a privacy violation or libel to reveal that a person is a suspect or a person of interest? This information can be terribly damaging to a person’s reputation. Yet it is true — the person is a suspect or “of interest” to the law enforcement officials. And is it revealing private facts about a person or merely revealing the opinions and beliefs of law enforcement officials?

3. The Privacy Act prohibits disclosures of information in record systems. Hatfill’s name was almost certainly contained in a system of records, but does this mean that government officials can never reveal his name or information about their investigation of him? Suppose Hatfill was arrested and charged with a crime in connection with the Anthrax attacks. Could FBI officials then disclose his name? The Privacy Act has an exception allowing disclosure for a “routine use”, which means any use “for a purpose which is compatible with the purpose for which [the information] was collected.” Perhaps disclosure after arrest should be viewed as a routine use. Leaking information about mere persons of interest should not be a routine use, especially since such leaks generally contravene law enforcement agency policies.

4. An interesting facet about the Privacy Act is that its disclosure restriction doesn’t require that the information be private for a disclosure to be improper. So suppose that it was widely known that Hatfill was a person of interest. FBI officials repeat this fact. Would this be a violation of the Privacy Act? Or suppose that the FBI has a file about you. In it, the FBI has newspaper clippings of your activities. The FBI discloses the newspaper clippings. Privacy Act violation?

5. I wonder why a violation of the constitutional right to information privacy wasn’t among the causes of action in the complaint.

6. If we were to apply my proposed public interest test for the disclosure, how should it apply in this case? On the one hand, we don’t want law enforcement officials leaking suspects’ names. It can harm the suspects and impede investigations. That’s why we have laws like the Privacy Act as well as internal policies of non-disclosure to prevent such leaks. But on the other hand, the information might enable the media to do some of their own investigating about the named suspects and alert people as to how an investigation is proceeding.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
LinkedIn Influencer blog
*
Twitter
*
Newsletter

TeachPrivacy Ad Privacy Training Security Training 01