10  PRIVACY IN A CYBER AGE

           registers. After the Supreme Court ruled in the 1976 case United States
           v. Miller that there was no reasonable expectation of privacy for records
           at financial institutions, Congress passed the Right to Financial Privacy
              33
           Act,  which extended protection to these records. As required by the 1996
           Health Insurance Portability and Accountability Act (HIPAA), in 2002 the
           Department of Health and Human Services published the final form of
           “the Privacy Rule,” which set the “standards for the electronic exchange,
                                               34
           privacy and security of health information.”  This accumulation of pri-
           vacy protections includes laws covering specific sectors—or responding
           to specific events—but not any overarching design. A well-known case in
           point is Congress’s enactment of the Video Privacy Protection Act after the
           video rental records of Supreme Court nominee Judge Robert Bork were
           obtained by a Washington, D.C., newspaper. 35
              Congress could help to establish a privacy doctrine for the cyber age by
           reviewing what by now has been fairly called an incomplete “patchwork of
           federal laws and regulations” and providing a comprehensive overall rank-
           ing of protections based on the sensitivity of the data. 36


                                     2. Volume

           The second dimension from which a cyber age privacy doctrine should
           draw is the volume of information collected. “Volume” refers to the total
           amount of information collected about one person by one agency or actor.
           Volume reflects the extent of time surveillance is applied (the issue raised
           in Jones), the amount of information collected at each point in time (e.g.,
           only e-mails sent to a specific person or all e-mails stored on a hard drive?),
           and the bandwidth of information collected at any one point in time (e.g.,
           only the addresses of e-mail sent or also their content?). A single piece of
           data deserves the least protection and a high volume of information should
           receive the most.
               Under such a cyber age privacy doctrine, surveillance and search tech-
           nologies differ in their intrusiveness. Least intrusive are those that collect
           only discrete pieces of information of the least sensitive kind. These include
           speed detection cameras, toll booths, and screening gates, because they all
           reveal, basically, one piece of information of relatively low sensitivity. Radi-
           ation detectors, heat reading devices and bomb- and drug-sniffing dogs
           belong in this category, not only because of the kind of information (i.e.,
           low or not sensitive) they collect, but also because the bandwidth of the
           information they collect is very low (i.e., just one facet, indeed a very nar-
           row one, and for a short duration). These volume rankings must be adapted
           as technologies change. The extent to which combining technologies is