440 likes | 552 Views
“America Faces the World On Privacy: Four Years After 9/11”. Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005. Overview. Background The public sector & the Bush Doctrine of information sharing
E N D
“America Faces the World On Privacy: Four Years After 9/11” Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005
Overview • Background • The public sector & the Bush Doctrine of information sharing • The private sector & challenges to fair information practices • Ways to build trans-Atlantic understanding on privacy
I. Before 9/11 • The 1998 baseline • The E.U. Directive went into effect fall, 1998 • My book was keyed to that date • Extensive interviews with EU and US experts • EU perspective • Human rights based • Need for harmonization in common market • US perspective • Cost/benefit based • Concerns about under- and over-regulation
Chief Counselor for Privacy • My role in U.S. Executive Office of the President, 1999-early 2001 • Trying to “build privacy in” for policies/laws • HIPAA: medical privacy • Gramm-Leach: financial privacy • FTC enforcement of privacy promises • Especially for the Internet • Safe Harbor • Federal agency web policies & privacy impact assessments • Bipartisan interest in Congress to make email & wiretap laws stricter
My Normative Baseline • My own views are roughly those reflected by the Clinton Administration, 1999-2000 • Achieve progress in building privacy into public and private systems • Fair information practices as the baseline • Be realistic about how laws are actually implemented in practice, avoiding over- and under-regulation
II. The Public Sector • Moral view of the “precautionary principle”: if the consequences of an action are unknown but judged to have a high risk of being ethically negative, it is better to not carry out the action rather than risk the uncertain but possibly negative consequences • Principle best known for protecting the environment • Long run potential harm from action • Precaution (inaction) less likely to cause long-run harm
Precautionary & Privacy • Instinct for privacy scholars is that protecting privacy is like protecting the environment • Precautionary principle: • Err on the side of human rights • When in doubt, be cautious about the use of data and the dangers caused by that use • Precaution against use of data & the long term effects of revealing private information
Precautionary & Security • Consider a contrary view • Precautionary principle: • Err on the side of protecting society from attack • When in doubt, share data to avoid the dangers of attack • Precautions are against the long-term damage from the attacks
Precautionary and Privacy • In the privacy debate, we are used to “balancing” privacy & security • “Balancing” is a term of utilitarian calculus • Use of the precautionary principle helps show that moral fervor is on both sides • Privacy protects human rights (no attacks by commercial or state interests) • Information sharing protects human rights (right to bodily integrity, not to be attacked)
The Bush Doctrine of Information Sharing • Disclaimer – I often critique the Bush Administration on privacy & information sharing • It is important to understand the logic of the position • Axiom 1: The threat has changed • Was threat of Soviet tank or missile attack • Now is asymmetric threat – a few individuals with boxcutters or home-made explosives
Bush Doctrine • Axiom 2: The threat is significant • The intellectual importance of WMDs • “One nuke can ruin your whole day” • Measures that are not justified by small attacks may be justified for asymmetric, large attacks
Bush Doctrine • Axiom 3: Progress in IT dwarfs progress in defensive physical security • Price of sensors, storage, and sharing down sharply • Useful knowledge & patterns extracted from data • The efficient mix of security measures has a large & ongoing shift to information-intensive strategies
Bush Doctrine • (1) The threat has changed • (2) The threat is significant • (3) Progress in IT shifts the best response • For privacy advocates, which of these assertions seems incorrect? • There is a powerful logic to this approach • Now we turn to possible responses
Has the Threat Changed? • Yes. • Conventional threat, typified by satellite reconnaisance of military targets, is clearly less than before 1989 • Enemy mobilization often graduated and visible (levels of military alert) • Current threats from asymmetric attacks • No visibility of imminent attacks unless get information about the individual attackers
How Significant is the Threat? • This topic is controversial • I address this in 2004 article on foreign intelligence & surveillance • No WMDs in Iraq • Nation states as havens likely much more dangerous than isolated individuals • Exception in my view – nuclear proliferation
Significance of the Threat • Within the U.S., extremely difficult politically to question the threat • Republicans are loyal to Pres. Bush • Democrats can’t appear weak • Within U.S., privacy and civil liberties advocates can question the threat but are not likely to succeed much • European resistance can slow hasty actions by U.S. where threat is exaggerated
Is the Shift to IT & Prevention Efficient? • Here is the battleground for privacy • (1) Ends/means rationality – does the proposed surveillance actually improve security? • Does security measure work? Cost effectively? • E.g., carry-ons over-broad (nail cutters) and under-broad (ingenious attackers can attack) • E.g., data mining may create so many false positives that the noise swamps the signal
Shift to IT and Prevention? • (2) “Security theater” & Bruce Schneier • Perceive, and critique, measures that are taken for the sake of “doing something” • E.g., show ID to get into office buildings; this is worthless in a world of pervasive fake IDs • Important to have credible and effective technical critiques of proposed surveillance • U.S. State Dept. RFIDs on passports as “terrorist beacons” readable at 10 meters
Shift to IT & Prevention • (3) Point out unprecedented nature of proposed surveillance • E.g., library records and chilling the right to read • “Gag rule” on foreign intelligence orders to get library and other databases • Some greater due process in Patriot Act revisions • E.g., national ID cards and build coalition of libertarians on left and right
Shift to IT and Prevention • (4) Invoke historical abuses & ask for checks and balances • Prevention was tried by Hoover & the FBI • Prevention led, over time, to vast expansion of surveillance but little proven prevention • Political and other abuses from that expansion • Therefore, oversight and limits on new surveillance because human nature hasn’t changed
Shift to IT and Prevention • (5) Fairness, discrimination, and effectiveness • If single out groups, such as young Arab males, then that can backfire • Is unfair, and perceived as unfair by many • Risk of creating resentment by communities who cooperation is needed – better to build bridges to communities than to treat everyone as a suspect
Shift to IT and Prevention • (6) Show how proposed measures make the problem worse • E.g., trusted traveler programs will give greater powers for harm to the terrorists who get the credential • E.g., racial profiling that undermines assistance from the well-informed
Shift to IT and Prevention • (7) International opposition to U.S. measures • Return to this below • Concerns from outside the U.S. do require a more fully developed policy process within U.S.
Summary on Bush Doctrine • Significant moral & political logic to: new threat; threat is large; IT will help • Possible answers include: • Does proposal work? • It may be “security theater” • Unprecedented surveillance and not needed • Historical abuses show need for checks • Fairness and non-discrimination • Proposed measures make the problem worse • International realpolitik
III. The Private Sector • “Security” as the source of new privacy protections • Compliance American style • Challenge to the FIPs • Government use of commercial data
“Security” Helps Privacy • Recent U.S. privacy protections created in the name of “security” • American style of politics • “Death” tax and “estate” tax • “Security” is a winning word after 9/11 • “Privacy” sounds like one is not committed to winning the War on Terrorism
New “Security” Measures • Security notifications for breach • At least 15 states with laws, 14 this year • Cybercrime measures • DOJ supports anti-wiretap law (Councilman) • Spyware as security threat • State, maybe federal, legislation • Spam as threat to availability and integrity of systems • CAN-SPAM and other laws
Compliance American Style • 3 modes of compliance • Aspirational – the law expresses an ideal, but detailed compliance is not expected (E.U.?) • Gamesmanship – organizations minimize the effect of the law with compliance tricks (cynical view of U.S.?) • Defensive or Risk averse – organizations avoid even the risk of enforcement by over-complying (actual U.S. practice under medical privacy rule)
Consequences of Compliance American Style • Policymakers learn that over-regulation is a major risk • For privacy, sensible data flows don’t happen • The family member picking up the prescription at the pharmacy • The historical researcher of the 18th C. poet • U.S. Ambassador David Aaron’s 1999 offer: • We’ll take E.U. privacy laws if you’ll take our plaintiffs’ lawyers
Compliance: EU & US • In the 1998 book, we asked EU Commission if it was legal to carry a laptop on the plane to a country that lacked an adequacy determination • Answer from a Commission official: “It depends” • Practice within EU – of course the laptops are carried onto planes • Have had increase in enforcement actions in E.U. since then • I welcome your thoughts on how close E.U. is to full compliance with the law as written
Compliance in U.S. • Major U.S. growth in CPOs and institutionalized privacy • CPO term not used until 1999 • In U.S., my experience since 2000 is that there is more risk-averse compliance than I anticipated -- sensible behavior is more chilled by rules than I expected • Policymakers learn to be cautious about aspirational or over-broad privacy laws
More on Compliance • One thought on why compliance is so different • Belgium & the Netherlands – all the key actors in an industry gather in a room with officials • Ombudsman role of D.P. authorities • U.S. – major players are 5,000 km away from regulators • Formal/legal role of FTC and other regulators • Over 1 million HIPAA covered entities
Fair Information Practices Under Challenge • E.U. Dir. Art. 6(e): data not kept in identified form “longer than is necessary” for purposes for which was collected • Technology challenge • Storage much, much cheaper • Forensics much better, and is hard to delete • U.S. has HIPAA & many contracts that say “take practicable measures”, but deletion will often not take place
FIPs: Secondary Use • The major battleground is secondary use • U.S. is less sure it agrees with this FIP • Many public records, used widely • First Amendment, and data is generally publishable unless under a contract • Business & government belief that information sharing is often progress, not rights violation • Scope of data protection laws as shown in Swedish Lindqvist case would be most surprising to U.S. intuitions
Secondary Use & Govt Access • Growing issues on rules for government access to private-sector data • Government purchases (e.g., subscriptions to do background checks) • Government asks or requires for law enforcement or intelligence
Commercial Data & Govt. • U.S. rules for purchase are not well developed • Great interest from government as part of information sharing growth • Little legal framework for how that purchased data is handled by federal government • Answers to this will mirror answers to broader wish by agencies for information sharing in anti-terrorism efforts
IV. Looking Ahead • Within the U.S., and I think globally, “security” will be an increasingly important way that new privacy protections will be implemented • Political and policy alliances to build both security and privacy into information systems
Looking Ahead • Politically, the Bush Administration has sometimes been willing to go along with privacy initiatives • CPO for Homeland Security • Privacy Impact Assessments in 2002 law • It didn’t cancel HIPAA • The Administration has had no significant data privacy initiatives of its own • No distractions from the War on Terror
Looking Ahead • Better privacy policy must then come from elsewhere • U.S. state legislation – spyware, breach, etc. • Privacy advocates & Congress – CPOs, PIAs • International realities that require the U.S. Administration to stop, look, and listen
Looking Ahead • Europe & the role of the Directive • Educated U.S. policy & business leaders • Required the process that led to the Safe Harbor • Significant convergence; not harmonization • Similar effects on passenger name records • Mandates in non-U.S. law do create a possibility of negotiation and partial convergence
Looking Ahead • The ebb & flow of politics • 2000 Clinton wiretap/privacy bill criticized for not being protective enough of privacy • 2001 Patriot Act much further toward surveillance • With time, the politics of 2001 will shift to something else • Perhaps the much-feared “next big attack’ • Perhaps closer to new normalcy & calm • I am hopeful of the latter
Looking Ahead • As U.S. politics shift, U.S. policy likely to become more open to international practices and norms • The European rights approach will face continuing U.S. objections on secondary use • But the overall framework of checks against data abuse can have solid U.S. support • Especially if what is asked of the U.S. is a reasonable fit with the U.S. compliance realities
In Closing • The Atlantic seems wider today than it did five years ago, on privacy, global warming, and other issues • Continuing, implementable privacy protections can grow over time in the U.S. • Better understanding across the Atlantic, such as this conference, will help that to occur
Contact Information • Professor Peter P. Swire • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net