440 likes | 452 Views
Explore the impact of the Bush Doctrine on information sharing, ethical implications, and the quest for trans-Atlantic privacy understanding. Delve into the dynamic balance between human rights, data security, and societal protection. Reflect on the evolving threat landscape and the interplay of precautionary measures in safeguarding privacy against potential risks. Keynote delivered at Edinburgh Privacy Conference in 2005.
E N D
“America Faces the World On Privacy: Four Years After 9/11” Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005
Overview • Background • The public sector & the Bush Doctrine of information sharing • The private sector & challenges to fair information practices • Ways to build trans-Atlantic understanding on privacy
I. Before 9/11 • The 1998 baseline • The E.U. Directive went into effect fall, 1998 • My book was keyed to that date • Extensive interviews with EU and US experts • EU perspective • Human rights based • Need for harmonization in common market • US perspective • Cost/benefit based • Concerns about under- and over-regulation
Chief Counselor for Privacy • My role in U.S. Executive Office of the President, 1999-early 2001 • Trying to “build privacy in” for policies/laws • HIPAA: medical privacy • Gramm-Leach: financial privacy • FTC enforcement of privacy promises • Especially for the Internet • Safe Harbor • Federal agency web policies & privacy impact assessments • Bipartisan interest in Congress to make email & wiretap laws stricter
My Normative Baseline • My own views are roughly those reflected by the Clinton Administration, 1999-2000 • Achieve progress in building privacy into public and private systems • Fair information practices as the baseline • Be realistic about how laws are actually implemented in practice, avoiding over- and under-regulation
II. The Public Sector • Moral view of the “precautionary principle”: if the consequences of an action are unknown but judged to have a high risk of being ethically negative, it is better to not carry out the action rather than risk the uncertain but possibly negative consequences • Principle best known for protecting the environment • Long run potential harm from action • Precaution (inaction) less likely to cause long-run harm
Precautionary & Privacy • Instinct for privacy scholars is that protecting privacy is like protecting the environment • Precautionary principle: • Err on the side of human rights • When in doubt, be cautious about the use of data and the dangers caused by that use • Precaution against use of data & the long term effects of revealing private information
Precautionary & Security • Consider a contrary view • Precautionary principle: • Err on the side of protecting society from attack • When in doubt, share data to avoid the dangers of attack • Precautions are against the long-term damage from the attacks
Precautionary and Privacy • In the privacy debate, we are used to “balancing” privacy & security • “Balancing” is a term of utilitarian calculus • Use of the precautionary principle helps show that moral fervor is on both sides • Privacy protects human rights (no attacks by commercial or state interests) • Information sharing protects human rights (right to bodily integrity, not to be attacked)
The Bush Doctrine of Information Sharing • Disclaimer – I often critique the Bush Administration on privacy & information sharing • It is important to understand the logic of the position • Axiom 1: The threat has changed • Was threat of Soviet tank or missile attack • Now is asymmetric threat – a few individuals with boxcutters or home-made explosives
Bush Doctrine • Axiom 2: The threat is significant • The intellectual importance of WMDs • “One nuke can ruin your whole day” • Measures that are not justified by small attacks may be justified for asymmetric, large attacks
Bush Doctrine • Axiom 3: Progress in IT dwarfs progress in defensive physical security • Price of sensors, storage, and sharing down sharply • Useful knowledge & patterns extracted from data • The efficient mix of security measures has a large & ongoing shift to information-intensive strategies
Bush Doctrine • (1) The threat has changed • (2) The threat is significant • (3) Progress in IT shifts the best response • For privacy advocates, which of these assertions seems incorrect? • There is a powerful logic to this approach • Now we turn to possible responses
Has the Threat Changed? • Yes. • Conventional threat, typified by satellite reconnaisance of military targets, is clearly less than before 1989 • Enemy mobilization often graduated and visible (levels of military alert) • Current threats from asymmetric attacks • No visibility of imminent attacks unless get information about the individual attackers
How Significant is the Threat? • This topic is controversial • I address this in 2004 article on foreign intelligence & surveillance • No WMDs in Iraq • Nation states as havens likely much more dangerous than isolated individuals • Exception in my view – nuclear proliferation
Significance of the Threat • Within the U.S., extremely difficult politically to question the threat • Republicans are loyal to Pres. Bush • Democrats can’t appear weak • Within U.S., privacy and civil liberties advocates can question the threat but are not likely to succeed much • European resistance can slow hasty actions by U.S. where threat is exaggerated
Is the Shift to IT & Prevention Efficient? • Here is the battleground for privacy • (1) Ends/means rationality – does the proposed surveillance actually improve security? • Does security measure work? Cost effectively? • E.g., carry-ons over-broad (nail cutters) and under-broad (ingenious attackers can attack) • E.g., data mining may create so many false positives that the noise swamps the signal
Shift to IT and Prevention? • (2) “Security theater” & Bruce Schneier • Perceive, and critique, measures that are taken for the sake of “doing something” • E.g., show ID to get into office buildings; this is worthless in a world of pervasive fake IDs • Important to have credible and effective technical critiques of proposed surveillance • U.S. State Dept. RFIDs on passports as “terrorist beacons” readable at 10 meters
Shift to IT & Prevention • (3) Point out unprecedented nature of proposed surveillance • E.g., library records and chilling the right to read • “Gag rule” on foreign intelligence orders to get library and other databases • Some greater due process in Patriot Act revisions • E.g., national ID cards and build coalition of libertarians on left and right
Shift to IT and Prevention • (4) Invoke historical abuses & ask for checks and balances • Prevention was tried by Hoover & the FBI • Prevention led, over time, to vast expansion of surveillance but little proven prevention • Political and other abuses from that expansion • Therefore, oversight and limits on new surveillance because human nature hasn’t changed
Shift to IT and Prevention • (5) Fairness, discrimination, and effectiveness • If single out groups, such as young Arab males, then that can backfire • Is unfair, and perceived as unfair by many • Risk of creating resentment by communities who cooperation is needed – better to build bridges to communities than to treat everyone as a suspect
Shift to IT and Prevention • (6) Show how proposed measures make the problem worse • E.g., trusted traveler programs will give greater powers for harm to the terrorists who get the credential • E.g., racial profiling that undermines assistance from the well-informed
Shift to IT and Prevention • (7) International opposition to U.S. measures • Return to this below • Concerns from outside the U.S. do require a more fully developed policy process within U.S.
Summary on Bush Doctrine • Significant moral & political logic to: new threat; threat is large; IT will help • Possible answers include: • Does proposal work? • It may be “security theater” • Unprecedented surveillance and not needed • Historical abuses show need for checks • Fairness and non-discrimination • Proposed measures make the problem worse • International realpolitik
III. The Private Sector • “Security” as the source of new privacy protections • Compliance American style • Challenge to the FIPs • Government use of commercial data
“Security” Helps Privacy • Recent U.S. privacy protections created in the name of “security” • American style of politics • “Death” tax and “estate” tax • “Security” is a winning word after 9/11 • “Privacy” sounds like one is not committed to winning the War on Terrorism
New “Security” Measures • Security notifications for breach • At least 15 states with laws, 14 this year • Cybercrime measures • DOJ supports anti-wiretap law (Councilman) • Spyware as security threat • State, maybe federal, legislation • Spam as threat to availability and integrity of systems • CAN-SPAM and other laws
Compliance American Style • 3 modes of compliance • Aspirational – the law expresses an ideal, but detailed compliance is not expected (E.U.?) • Gamesmanship – organizations minimize the effect of the law with compliance tricks (cynical view of U.S.?) • Defensive or Risk averse – organizations avoid even the risk of enforcement by over-complying (actual U.S. practice under medical privacy rule)
Consequences of Compliance American Style • Policymakers learn that over-regulation is a major risk • For privacy, sensible data flows don’t happen • The family member picking up the prescription at the pharmacy • The historical researcher of the 18th C. poet • U.S. Ambassador David Aaron’s 1999 offer: • We’ll take E.U. privacy laws if you’ll take our plaintiffs’ lawyers
Compliance: EU & US • In the 1998 book, we asked EU Commission if it was legal to carry a laptop on the plane to a country that lacked an adequacy determination • Answer from a Commission official: “It depends” • Practice within EU – of course the laptops are carried onto planes • Have had increase in enforcement actions in E.U. since then • I welcome your thoughts on how close E.U. is to full compliance with the law as written
Compliance in U.S. • Major U.S. growth in CPOs and institutionalized privacy • CPO term not used until 1999 • In U.S., my experience since 2000 is that there is more risk-averse compliance than I anticipated -- sensible behavior is more chilled by rules than I expected • Policymakers learn to be cautious about aspirational or over-broad privacy laws
More on Compliance • One thought on why compliance is so different • Belgium & the Netherlands – all the key actors in an industry gather in a room with officials • Ombudsman role of D.P. authorities • U.S. – major players are 5,000 km away from regulators • Formal/legal role of FTC and other regulators • Over 1 million HIPAA covered entities
Fair Information Practices Under Challenge • E.U. Dir. Art. 6(e): data not kept in identified form “longer than is necessary” for purposes for which was collected • Technology challenge • Storage much, much cheaper • Forensics much better, and is hard to delete • U.S. has HIPAA & many contracts that say “take practicable measures”, but deletion will often not take place
FIPs: Secondary Use • The major battleground is secondary use • U.S. is less sure it agrees with this FIP • Many public records, used widely • First Amendment, and data is generally publishable unless under a contract • Business & government belief that information sharing is often progress, not rights violation • Scope of data protection laws as shown in Swedish Lindqvist case would be most surprising to U.S. intuitions
Secondary Use & Govt Access • Growing issues on rules for government access to private-sector data • Government purchases (e.g., subscriptions to do background checks) • Government asks or requires for law enforcement or intelligence
Commercial Data & Govt. • U.S. rules for purchase are not well developed • Great interest from government as part of information sharing growth • Little legal framework for how that purchased data is handled by federal government • Answers to this will mirror answers to broader wish by agencies for information sharing in anti-terrorism efforts
IV. Looking Ahead • Within the U.S., and I think globally, “security” will be an increasingly important way that new privacy protections will be implemented • Political and policy alliances to build both security and privacy into information systems
Looking Ahead • Politically, the Bush Administration has sometimes been willing to go along with privacy initiatives • CPO for Homeland Security • Privacy Impact Assessments in 2002 law • It didn’t cancel HIPAA • The Administration has had no significant data privacy initiatives of its own • No distractions from the War on Terror
Looking Ahead • Better privacy policy must then come from elsewhere • U.S. state legislation – spyware, breach, etc. • Privacy advocates & Congress – CPOs, PIAs • International realities that require the U.S. Administration to stop, look, and listen
Looking Ahead • Europe & the role of the Directive • Educated U.S. policy & business leaders • Required the process that led to the Safe Harbor • Significant convergence; not harmonization • Similar effects on passenger name records • Mandates in non-U.S. law do create a possibility of negotiation and partial convergence
Looking Ahead • The ebb & flow of politics • 2000 Clinton wiretap/privacy bill criticized for not being protective enough of privacy • 2001 Patriot Act much further toward surveillance • With time, the politics of 2001 will shift to something else • Perhaps the much-feared “next big attack’ • Perhaps closer to new normalcy & calm • I am hopeful of the latter
Looking Ahead • As U.S. politics shift, U.S. policy likely to become more open to international practices and norms • The European rights approach will face continuing U.S. objections on secondary use • But the overall framework of checks against data abuse can have solid U.S. support • Especially if what is asked of the U.S. is a reasonable fit with the U.S. compliance realities
In Closing • The Atlantic seems wider today than it did five years ago, on privacy, global warming, and other issues • Continuing, implementable privacy protections can grow over time in the U.S. • Better understanding across the Atlantic, such as this conference, will help that to occur
Contact Information • Professor Peter P. Swire • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net