1 / 44

“America Faces the World On Privacy: Four Years After 9/11”

“America Faces the World On Privacy: Four Years After 9/11”. Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005. Overview. Background The public sector & the Bush Doctrine of information sharing

mattien
Download Presentation

“America Faces the World On Privacy: Four Years After 9/11”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “America Faces the World On Privacy: Four Years After 9/11” Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005

  2. Overview • Background • The public sector & the Bush Doctrine of information sharing • The private sector & challenges to fair information practices • Ways to build trans-Atlantic understanding on privacy

  3. I. Before 9/11 • The 1998 baseline • The E.U. Directive went into effect fall, 1998 • My book was keyed to that date • Extensive interviews with EU and US experts • EU perspective • Human rights based • Need for harmonization in common market • US perspective • Cost/benefit based • Concerns about under- and over-regulation

  4. Chief Counselor for Privacy • My role in U.S. Executive Office of the President, 1999-early 2001 • Trying to “build privacy in” for policies/laws • HIPAA: medical privacy • Gramm-Leach: financial privacy • FTC enforcement of privacy promises • Especially for the Internet • Safe Harbor • Federal agency web policies & privacy impact assessments • Bipartisan interest in Congress to make email & wiretap laws stricter

  5. My Normative Baseline • My own views are roughly those reflected by the Clinton Administration, 1999-2000 • Achieve progress in building privacy into public and private systems • Fair information practices as the baseline • Be realistic about how laws are actually implemented in practice, avoiding over- and under-regulation

  6. II. The Public Sector • Moral view of the “precautionary principle”: if the consequences of an action are unknown but judged to have a high risk of being ethically negative, it is better to not carry out the action rather than risk the uncertain but possibly negative consequences • Principle best known for protecting the environment • Long run potential harm from action • Precaution (inaction) less likely to cause long-run harm

  7. Precautionary & Privacy • Instinct for privacy scholars is that protecting privacy is like protecting the environment • Precautionary principle: • Err on the side of human rights • When in doubt, be cautious about the use of data and the dangers caused by that use • Precaution against use of data & the long term effects of revealing private information

  8. Precautionary & Security • Consider a contrary view • Precautionary principle: • Err on the side of protecting society from attack • When in doubt, share data to avoid the dangers of attack • Precautions are against the long-term damage from the attacks

  9. Precautionary and Privacy • In the privacy debate, we are used to “balancing” privacy & security • “Balancing” is a term of utilitarian calculus • Use of the precautionary principle helps show that moral fervor is on both sides • Privacy protects human rights (no attacks by commercial or state interests) • Information sharing protects human rights (right to bodily integrity, not to be attacked)

  10. The Bush Doctrine of Information Sharing • Disclaimer – I often critique the Bush Administration on privacy & information sharing • It is important to understand the logic of the position • Axiom 1: The threat has changed • Was threat of Soviet tank or missile attack • Now is asymmetric threat – a few individuals with boxcutters or home-made explosives

  11. Bush Doctrine • Axiom 2: The threat is significant • The intellectual importance of WMDs • “One nuke can ruin your whole day” • Measures that are not justified by small attacks may be justified for asymmetric, large attacks

  12. Bush Doctrine • Axiom 3: Progress in IT dwarfs progress in defensive physical security • Price of sensors, storage, and sharing down sharply • Useful knowledge & patterns extracted from data • The efficient mix of security measures has a large & ongoing shift to information-intensive strategies

  13. Bush Doctrine • (1) The threat has changed • (2) The threat is significant • (3) Progress in IT shifts the best response • For privacy advocates, which of these assertions seems incorrect? • There is a powerful logic to this approach • Now we turn to possible responses

  14. Has the Threat Changed? • Yes. • Conventional threat, typified by satellite reconnaisance of military targets, is clearly less than before 1989 • Enemy mobilization often graduated and visible (levels of military alert) • Current threats from asymmetric attacks • No visibility of imminent attacks unless get information about the individual attackers

  15. How Significant is the Threat? • This topic is controversial • I address this in 2004 article on foreign intelligence & surveillance • No WMDs in Iraq • Nation states as havens likely much more dangerous than isolated individuals • Exception in my view – nuclear proliferation

  16. Significance of the Threat • Within the U.S., extremely difficult politically to question the threat • Republicans are loyal to Pres. Bush • Democrats can’t appear weak • Within U.S., privacy and civil liberties advocates can question the threat but are not likely to succeed much • European resistance can slow hasty actions by U.S. where threat is exaggerated

  17. Is the Shift to IT & Prevention Efficient? • Here is the battleground for privacy • (1) Ends/means rationality – does the proposed surveillance actually improve security? • Does security measure work? Cost effectively? • E.g., carry-ons over-broad (nail cutters) and under-broad (ingenious attackers can attack) • E.g., data mining may create so many false positives that the noise swamps the signal

  18. Shift to IT and Prevention? • (2) “Security theater” & Bruce Schneier • Perceive, and critique, measures that are taken for the sake of “doing something” • E.g., show ID to get into office buildings; this is worthless in a world of pervasive fake IDs • Important to have credible and effective technical critiques of proposed surveillance • U.S. State Dept. RFIDs on passports as “terrorist beacons” readable at 10 meters

  19. Shift to IT & Prevention • (3) Point out unprecedented nature of proposed surveillance • E.g., library records and chilling the right to read • “Gag rule” on foreign intelligence orders to get library and other databases • Some greater due process in Patriot Act revisions • E.g., national ID cards and build coalition of libertarians on left and right

  20. Shift to IT and Prevention • (4) Invoke historical abuses & ask for checks and balances • Prevention was tried by Hoover & the FBI • Prevention led, over time, to vast expansion of surveillance but little proven prevention • Political and other abuses from that expansion • Therefore, oversight and limits on new surveillance because human nature hasn’t changed

  21. Shift to IT and Prevention • (5) Fairness, discrimination, and effectiveness • If single out groups, such as young Arab males, then that can backfire • Is unfair, and perceived as unfair by many • Risk of creating resentment by communities who cooperation is needed – better to build bridges to communities than to treat everyone as a suspect

  22. Shift to IT and Prevention • (6) Show how proposed measures make the problem worse • E.g., trusted traveler programs will give greater powers for harm to the terrorists who get the credential • E.g., racial profiling that undermines assistance from the well-informed

  23. Shift to IT and Prevention • (7) International opposition to U.S. measures • Return to this below • Concerns from outside the U.S. do require a more fully developed policy process within U.S.

  24. Summary on Bush Doctrine • Significant moral & political logic to: new threat; threat is large; IT will help • Possible answers include: • Does proposal work? • It may be “security theater” • Unprecedented surveillance and not needed • Historical abuses show need for checks • Fairness and non-discrimination • Proposed measures make the problem worse • International realpolitik

  25. III. The Private Sector • “Security” as the source of new privacy protections • Compliance American style • Challenge to the FIPs • Government use of commercial data

  26. “Security” Helps Privacy • Recent U.S. privacy protections created in the name of “security” • American style of politics • “Death” tax and “estate” tax • “Security” is a winning word after 9/11 • “Privacy” sounds like one is not committed to winning the War on Terrorism

  27. New “Security” Measures • Security notifications for breach • At least 15 states with laws, 14 this year • Cybercrime measures • DOJ supports anti-wiretap law (Councilman) • Spyware as security threat • State, maybe federal, legislation • Spam as threat to availability and integrity of systems • CAN-SPAM and other laws

  28. Compliance American Style • 3 modes of compliance • Aspirational – the law expresses an ideal, but detailed compliance is not expected (E.U.?) • Gamesmanship – organizations minimize the effect of the law with compliance tricks (cynical view of U.S.?) • Defensive or Risk averse – organizations avoid even the risk of enforcement by over-complying (actual U.S. practice under medical privacy rule)

  29. Consequences of Compliance American Style • Policymakers learn that over-regulation is a major risk • For privacy, sensible data flows don’t happen • The family member picking up the prescription at the pharmacy • The historical researcher of the 18th C. poet • U.S. Ambassador David Aaron’s 1999 offer: • We’ll take E.U. privacy laws if you’ll take our plaintiffs’ lawyers

  30. Compliance: EU & US • In the 1998 book, we asked EU Commission if it was legal to carry a laptop on the plane to a country that lacked an adequacy determination • Answer from a Commission official: “It depends” • Practice within EU – of course the laptops are carried onto planes • Have had increase in enforcement actions in E.U. since then • I welcome your thoughts on how close E.U. is to full compliance with the law as written

  31. Compliance in U.S. • Major U.S. growth in CPOs and institutionalized privacy • CPO term not used until 1999 • In U.S., my experience since 2000 is that there is more risk-averse compliance than I anticipated -- sensible behavior is more chilled by rules than I expected • Policymakers learn to be cautious about aspirational or over-broad privacy laws

  32. More on Compliance • One thought on why compliance is so different • Belgium & the Netherlands – all the key actors in an industry gather in a room with officials • Ombudsman role of D.P. authorities • U.S. – major players are 5,000 km away from regulators • Formal/legal role of FTC and other regulators • Over 1 million HIPAA covered entities

  33. Fair Information Practices Under Challenge • E.U. Dir. Art. 6(e): data not kept in identified form “longer than is necessary” for purposes for which was collected • Technology challenge • Storage much, much cheaper • Forensics much better, and is hard to delete • U.S. has HIPAA & many contracts that say “take practicable measures”, but deletion will often not take place

  34. FIPs: Secondary Use • The major battleground is secondary use • U.S. is less sure it agrees with this FIP • Many public records, used widely • First Amendment, and data is generally publishable unless under a contract • Business & government belief that information sharing is often progress, not rights violation • Scope of data protection laws as shown in Swedish Lindqvist case would be most surprising to U.S. intuitions

  35. Secondary Use & Govt Access • Growing issues on rules for government access to private-sector data • Government purchases (e.g., subscriptions to do background checks) • Government asks or requires for law enforcement or intelligence

  36. Commercial Data & Govt. • U.S. rules for purchase are not well developed • Great interest from government as part of information sharing growth • Little legal framework for how that purchased data is handled by federal government • Answers to this will mirror answers to broader wish by agencies for information sharing in anti-terrorism efforts

  37. IV. Looking Ahead • Within the U.S., and I think globally, “security” will be an increasingly important way that new privacy protections will be implemented • Political and policy alliances to build both security and privacy into information systems

  38. Looking Ahead • Politically, the Bush Administration has sometimes been willing to go along with privacy initiatives • CPO for Homeland Security • Privacy Impact Assessments in 2002 law • It didn’t cancel HIPAA • The Administration has had no significant data privacy initiatives of its own • No distractions from the War on Terror

  39. Looking Ahead • Better privacy policy must then come from elsewhere • U.S. state legislation – spyware, breach, etc. • Privacy advocates & Congress – CPOs, PIAs • International realities that require the U.S. Administration to stop, look, and listen

  40. Looking Ahead • Europe & the role of the Directive • Educated U.S. policy & business leaders • Required the process that led to the Safe Harbor • Significant convergence; not harmonization • Similar effects on passenger name records • Mandates in non-U.S. law do create a possibility of negotiation and partial convergence

  41. Looking Ahead • The ebb & flow of politics • 2000 Clinton wiretap/privacy bill criticized for not being protective enough of privacy • 2001 Patriot Act much further toward surveillance • With time, the politics of 2001 will shift to something else • Perhaps the much-feared “next big attack’ • Perhaps closer to new normalcy & calm • I am hopeful of the latter

  42. Looking Ahead • As U.S. politics shift, U.S. policy likely to become more open to international practices and norms • The European rights approach will face continuing U.S. objections on secondary use • But the overall framework of checks against data abuse can have solid U.S. support • Especially if what is asked of the U.S. is a reasonable fit with the U.S. compliance realities

  43. In Closing • The Atlantic seems wider today than it did five years ago, on privacy, global warming, and other issues • Continuing, implementable privacy protections can grow over time in the U.S. • Better understanding across the Atlantic, such as this conference, will help that to occur

  44. Contact Information • Professor Peter P. Swire • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net

More Related